Hacking [WIP] KARL3DS - Kernel access on N3DS via Ninjhax + Loadcode

Status
Not open for further replies.

guitarheroknight

1.6180339887
Yup, it's been at pretty much 100% since the day after I posted the video of it working. You don't need to restore NAND to downgrade mset.
That's nice, but you got me wrong. I was asking: when the MSET gets downgraded, can you, let's say, update to the latest firmware, or do you need to restore your clean old NAND image and then update?
 

Oishikatta

That's nice, but you got me wrong. I was asking: when the MSET gets downgraded, can you, let's say, update to the latest firmware, or do you need to restore your clean old NAND image and then update?
What you're asking doesn't make any sense. MSET is just an entry point, you can't update or it becomes meaningless. Also updating would replace it.
 

WulfyStylez

SALT/Bemani Princess
That's nice, but you got me wrong. I was asking: when the MSET gets downgraded, can you, let's say, update to the latest firmware, or do you need to restore your clean old NAND image and then update?

NIM updates the system title by title - if a single title's version doesn't match the current version, it'll be updated. Thus installing things like these is safe, since they will be removed with any system update. (The DS whitelist hax is different though, and I'd strongly recommend just downgrading the whitelist instead of installing a broken one.)
 

guitarheroknight

1.6180339887
What you're asking doesn't make any sense. MSET is just an entry point, you can't update or it becomes meaningless. Also updating would replace it.

Actually it does, but I guess I complicated things way too much. Let's say I decide to downgrade it and then sell my console to someone else. Would he be able to update his console safely without any brick risks, or would I need to restore my un-modified NAND image just to be sure an f up doesn't occur in the future?

NIM updates the system title by title - if a single title's version doesn't match the current version, it'll be updated. Thus installing things like these is safe, since they will be removed with any system update. (The DS whitelist hax is different though, and I'd strongly recommend just downgrading the whitelist instead of installing a broken one.)

This is what I wanted to hear. Thanks!
 

Myria

I don't even think that the boot ROM of a New 3DS would actually be all that interesting or useful. What we really need is that write-once console-unique area of a single New 3DS. Then we could decrypt the security sector of its NAND, which would provide the contents needed for generating keyslots.

One attack that could work is something along the lines of the 360's Reset Glitch Hack. Glitch the ARM9's clock line right as the ARM9 on 9.2.0 is writing 2 to REG_SYSPROT9 so that the per-console key data area doesn't get hidden. Do firmlaunchhax and grab its data.
 

Gadorach

Electronics Engineering Technologist
I don't even think that the boot ROM of a New 3DS would actually be all that interesting or useful. What we really need is that write-once console-unique area of a single New 3DS. Then we could decrypt the security sector of its NAND, which would provide the contents needed for generating keyslots.

One attack that could work is something along the lines of the 360's Reset Glitch Hack. Glitch the ARM9's clock line right as the ARM9 on 9.2.0 is writing 2 to REG_SYSPROT9 so that the per-console key data area doesn't get hidden. Do firmlaunchhax and grab its data.
That kind of hardware attack is highly dependent on the architecture. For the Xbox 360, it just so happened that pulling the hardware reset line to ground on the CPU during boot caused the currently active thread to be dropped and return a "correct"-looking error. That effectively disabled the security on the boot code, letting unsigned code be started from there. I think you're thinking more of the Wii U hardware attack that was used to retrieve the secure keys. The clock line would likely not be susceptible, as it is likely inside the SoC with a built-in crystal, and only a clock-out for sync with the other chips on the board. You'd have better luck cutting the input voltage line and modifying the voltage until it has only just enough to start. From there, you'd have to hope it makes the SoC go wonky, and yet still boots enough to launch the attack and retrieve whatever did go through. If we had a datasheet on the SoC, it would be much more viable, of course. I somehow doubt we'll see one anytime soon though.

gamesquest1

Nabnut
NIM updates the system title by title - if a single title's version doesn't match the current version, it'll be updated. Thus installing things like these is safe, since they will be removed with any system update. (The DS whitelist hax is different though, and I'd strongly recommend just downgrading the whitelist instead of installing a broken one.)
yeah but at the time that the DS whitelist stuff was made there was no way of uninstalling system titles, and even now it's a bit finicky with BRM. Unless Nintendo has some change of heart and decides to check that the white-list is correct and, if it isn't, crash the system (effectively bricking it), they would pretty much have to be actively trying to do that, when instead they could just check for the mismatched/corrupted title and replace it with a legit one. As it stands, unless Nintendo decide to play some nasty trick, the corrupt whitelist is kind of arguably better, as even if you update sysNAND the whitelist still remains corrupt and as such the flashcard still remains unblocked. But ofc it's not as legit, but unless something changes it's actually kind of more effective than simply downgrading.

ofc all of these points are kind of moot when exploitable consoles usually sell for more than non-exploitable ones, and with 8.1-9.2 N3DS consoles likely becoming another 4.x story it would be a bit silly to update to 9.3+ when you could just sell it specifically as a 9.0-9.2 console, which would be more desirable to some. And if you did plan to do that, you should really just have a NAND dump from before you ran any sort of hacks and restore it to stock.

Apache Thunder

I have cameras in your head!
I'd still recommend against using a bad whitelist file. Though in the end if you have it on a 9.2 sysnand you never plan to update, I can't foresee issues. But there may be a time when you want to update it in the future (perhaps a new exploit gets found or something) and that new update may not get along with the bad DS Cart White list file and you end up with a brick. You never know. It's better off not having broken things installed to sysnand. It's just better in the long term.

I got my Gateway blue card to work on my 9.2 sysNAND by updating sysNAND via CIAs while excluding any CIAs that update TWL_NAND and the DS Cart Whitelist. That way the ones I still have are just older versions that are legit and not broken. I suppose if a new update comes out that has a new exploit that is better than the 9.2 one, then I could update to that in the same way that I have done in the past.

Of course N3DS users can't go back to 4.5. So they'd have to uninstall the DS Cart Whitelist before they can downgrade it properly. I'm not sure there's any homebrew that does this correctly at the moment. But Karl3DS may provide an option for that, since they've already downgraded the N3DS's System Settings to a 6.x version that still has the MSET entry point. So obviously the same can be done with the DS Cart Whitelist.

gamesquest1

Nabnut
I'd still recommend against using a bad whitelist file. Though in the end if you have it on a 9.2 sysnand you never plan to update, I can't foresee issues. But there may be a time when you want to update it in the future (perhaps a new exploit gets found or something) and that new update may not get along with the bad DS Cart White list file and you end up with a brick. You never know. It's better off not having broken things installed to sysnand. It's just better in the long term.

I got my Gateway blue card to work on my 9.2 sysNAND by updating sysNAND via CIAs while excluding any CIAs that update TWL_NAND and the DS Cart Whitelist. That way the ones I still have are just older versions that are legit and not broken. I suppose if a new update comes out that has a new exploit that is better than the 9.2 one, then I could update to that in the same way that I have done in the past.

Of course N3DS users can't go back to 4.5. So they'd have to uninstall the DS Cart Whitelist before they can downgrade it properly. I'm not sure there's any homebrew that does this correctly at the moment. But Karl3DS may provide an option for that, since they've already downgraded the N3DS's System Settings to a 6.x version that still has the MSET entry point. So obviously the same can be done with the DS Cart Whitelist.
oh yeah sure, I know it's not some sort of super safe solution, but tbh it's the easiest/simplest method for people to do it. It's not like there are any super straightforward methods atm to just downgrade the white-list. If Karl3DS integrates white-list downgrading then sure, it's a better way, but for the masses who simply want to use their blue card right now, it does the job, and all theoretical "future problems" aside, it's pretty much perfectly safe.

shinyquagsire23

SALT/Sm4sh Leak Guy
I'd still recommend against using a bad whitelist file. Though in the end if you have it on a 9.2 sysnand you never plan to update, I can't foresee issues. But there may be a time when you want to update it in the future (perhaps a new exploit gets found or something) and that new update may not get along with the bad DS Cart White list file and you end up with a brick. You never know. It's better off not having broken things installed to sysnand. It's just better in the long term.

I got my Gateway blue card to work on my 9.2 sysNAND by updating sysNAND via CIAs while excluding any CIAs that update TWL_NAND and the DS Cart Whitelist. That way the ones I still have are just older versions that are legit and not broken. I suppose if a new update comes out that has a new exploit that is better than the 9.2 one, then I could update to that in the same way that I have done in the past.

Of course N3DS users can't go back to 4.5. So they'd have to uninstall the DS Cart Whitelist before they can downgrade it properly. I'm not sure there's any homebrew that does this correctly at the moment. But Karl3DS may provide an option for that, since they've already downgraded the N3DS's System Settings to a 6.x version that still has the MSET entry point. So obviously the same can be done with the DS Cart Whitelist.

That's why you downgrade properly (like many have done with MSET with BRM, it seems) rather than break the whitelist by attempting to spoof a downgraded version's version higher.

WulfyStylez

SALT/Bemani Princess
That kind of hardware attack is highly dependent on the architecture. For the Xbox 360, it just so happened that pulling the hardware reset line to ground on the CPU during boot caused the currently active thread to be dropped and return a "correct"-looking error. That effectively disabled the security on the boot code, letting unsigned code be started from there. I think you're thinking more of the Wii U hardware attack that was used to retrieve the secure keys. The clock line would likely not be susceptible, as it is likely inside the SoC with a built-in crystal, and only a clock-out for sync with the other chips on the board. You'd have better luck cutting the input voltage line and modifying the voltage until it has only just enough to start. From there, you'd have to hope it makes the SoC go wonky, and yet still boots enough to launch the attack and retrieve whatever did go through. If we had a datasheet on the SoC, it would be much more viable, of course. I somehow doubt we'll see one anytime soon though.

The 3DS SoC has an external clock. Also, fault injection hacks can be done in a LOT of ways - through not only reset glitching but voltage glitching, clock glitching, and even blasting a device with light or radiation.

Also can you guys move all this bootrom-haxxy stuff to another thread? It's kinda cluttering ours and we're not looking into hardware hax right now anyways.
 

mikeylevi

This thread is all hype... what exactly do you devs have left to do? There's a lot of updates and new DLC being released. I've actually lost all use for my 3DS since ORAS version 1.3 came out: I can't play online anymore, and I don't want to update yet so I can use this. (And don't tell me to just update emuNAND.)

Zidapi

This thread is all hype... what exactly do you devs have left to do? There's a lot of updates and new DLC being released. I've actually lost all use for my 3DS since ORAS version 1.3 came out: I can't play online anymore, and I don't want to update yet so I can use this. (And don't tell me to just update emuNAND.)
What version emuNAND are you on? You might not need to update emuNAND to download the latest ORAS patch.

shinyquagsire23

SALT/Sm4sh Leak Guy
This thread is all hype... what exactly do you devs have left to do? There's a lot of updates and new DLC being released. I've actually lost all use for my 3DS since ORAS version 1.3 came out: I can't play online anymore, and I don't want to update yet so I can use this. (And don't tell me to just update emuNAND.)

Quite a bit actually considering that we don't have our own process going still.
 