Hacking TrustZoneHax on 3.x and below

Kioku

猫。子猫です!
Member
Joined
Jun 24, 2007
Messages
11,987
Trophies
2
Location
In the Murderbox!
Website
www.twitch.tv
XP
16,079
Country
United States
Those "yahoos" don't care for piracy.
They want to implement stable homebrew platform for everyone to enjoy.
Not for pirate kiddies to satisfy their need.

Besides, you got a choice to update or not, hell you even got the choice to go for homebrew or not.
Don't go blame them for your mistakes.
A tease is a tease is a tease. A curious tease at that. Still that's not to say we'll see nothing of it. Just unlikely from their end. Considering that piracy is an inevitable outcome no matter the route? Not really a justified reaction? Unless they're trying to not be the ones to lead to that outcome? To each their own. I'm fine where I'm at. Still curious.
 
Last edited by Kioku,
Reactions: TotalInsanity4

DinohScene

Gay twink catboy
Global Moderator
Joined
Oct 11, 2011
Messages
22,515
Trophies
4
Location
Восторг
XP
22,643
Country
Antarctica
A tease is a tease is a tease. A curious tease at that. Still that's not to say we'll see nothing of it. Just unlikely from their end. Considering that piracy is an inevitable outcome no matter the route? Not really justified. To each their own. I'm fine where I'm at. Still curious.

Eventually, every hacked platform will succumb to piracy.
Actually, every platform will succumb to piracy if you want to say it properly.

Yeh, it's just a matter of time before DRM circumvention is enabled on the consoles.
Regardless of the work done to prevent it.
 

notimp

Well-Known Member
Member
Joined
Sep 18, 2007
Messages
5,779
Trophies
1
XP
4,419
Country
Laos
Those "yahoos" don't care for piracy.
They want to implement stable homebrew platform for everyone to enjoy.
Not for pirate kiddies to satisfy their need.

Let's get this straight. TZ checks firmware before boot. (Without owning TZ you can't modify it, and you can't tell the Switch to load it from an SD card (emunand).) With Kernelhax "alone", will it be possible to interrupt a coldboot and run an exploit that would then allow you to start homebrew right away? Also, if yes - will this survive suspend states? Because if no, the three guys on stage at 34c3 just worsened usability for apparently an entire quarter of Switch users in the scene by recommending the update to 3.0.0. (As of now - said as a hypothetical.)

Also - on the 3DS emunand apparently was used to give people access to an "up to date" version of firmware that was "unmodified" from N's perspective, that allowed people to still access the app store, and play online (I presume).
 
Last edited by notimp,
Reactions: weatMod

Resaec

Well-Known Member
Member
Joined
Dec 19, 2017
Messages
409
Trophies
0
XP
885
Country
Germany
With so many "why then tell people to update to 3.0.0" and "I will never see homebrew" posts, excuse me if I just missed this, but here is what I take from this.

Right now those awesome dudes get up to EL3 on 1.0.0 to 2.x, which is an awesome feat.
With the speed they show in improving the situation for warmboot (non-persistent) CFW, I'm sure we will see TrustZoneHax (vote for better hack names) on 3.x soon too.
Taking from the presentation, they have to have DMA to tamper with the warmboot stuff to elevate to EL3, which they get using nvhax.
This should still be the case because they said that there is virtually nothing running in EL3 except for "OYASUMI" and "OHAIO" ;D

Assuming there was no information leak, the security related to warmboot should have stayed the same or changed very little until after the talk happened or Nintendo found out themselves.
This leaves the impression that it should be possible to use this technique up until FW 4.1.0 and maybe beyond, as Nintendo struggles to find a way to prevent this exploit.

Did I miss something in here?
 

DinohScene

Gay twink catboy
Global Moderator
Joined
Oct 11, 2011
Messages
22,515
Trophies
4
Location
Восторг
XP
22,643
Country
Antarctica
Let's get this straight. TZ checks firmware before boot. (Without owning TZ you can't modify it, and you can't tell the Switch to load it from an SD card (emunand).) With Kernelhax "alone", will it be possible to interrupt a coldboot and run an exploit that would then allow you to start homebrew right away?

Also - on the 3DS emunand apparently was used to give people access to an "up to date" version of firmware that was "unmodified" from N's perspective, that allowed people to still access the app store, and play online (I presume).

Pretty much yep.
However, if you've got userland access, you can already run your own code.
Which can touch the same hardware as games.
Basically all you need when it comes to homebrew.
Kernel access gives you more privileges, yes.
Not particularly useful for homebrew aside from more system calls and resources.
TrustZone isn't interesting for homebrew as it adds nothing of value, other than an emunand solution to "dual boot" the console.

Piracy can't happen in userland mode.
Which is why plutoo and the rest advised others to get to 3.0.
Which isn't a bad thing at all, considering the vast majority attending C3 aren't pirates.
 

Resaec

Well-Known Member
Member
Joined
Dec 19, 2017
Messages
409
Trophies
0
XP
885
Country
Germany
With Kernelhax "alone" will it be possible to interrupt a coldboot and run an exploit
No, Kernelhax is a method to get kernel privilege. This requires the system to be booted, and thus you can't speak of a coldboot exploit.
There is also no way I can see to place a coldboot exploit within the running OS, because everything you write to the system memory (which gets executed on boot) needs to be signed and won't get executed, or will even brick your Switch because the CoT failed.
 
Last edited by Resaec,
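What "the CoT failed" means in practice, as an added illustration that is not code from this thread or from any Switch firmware: a toy model in Go of a signed boot chain. The stage names, payload bytes and signing keys are constructed for the example (real vendor keys never leave the vendor), and the stages are idealised. Each stage is signed with the key the previous stage trusts, rooted in a key the boot ROM holds, so a patched stage, or one re-signed with a key of your own, is refused before it ever runs. It models a cold boot only; the warm-boot resume path discussed in the thread is where such a chain has to be re-entered rather than skipped.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Stage is one link of the boot chain: the code that runs at that stage, the
// public key it trusts for the stage after it (empty for the last stage), and
// a signature over (Code || NextKey) made with the key the previous stage trusts.
type Stage struct {
	Name      string
	Code      []byte
	NextKey   ed25519.PublicKey
	Signature []byte
}

// ErrChainBroken is what a real boot ROM turns into a halt instead of a jump.
var ErrChainBroken = errors.New("chain of trust failed")

// signedBody is the exact byte string each stage's signature covers. Covering
// NextKey too is what stops an attacker from swapping in their own signing key.
func signedBody(code []byte, next ed25519.PublicKey) []byte {
	return append(append([]byte{}, code...), next...)
}

// VerifyChain walks the stages starting from rootKey (fixed in ROM/fuses at
// manufacture) and returns the names of the stages that were allowed to run.
// Verification stops at the first stage whose signature does not check out.
func VerifyChain(rootKey ed25519.PublicKey, stages []Stage) ([]string, error) {
	trusted := rootKey
	var booted []string
	for _, s := range stages {
		if !ed25519.Verify(trusted, signedBody(s.Code, s.NextKey), s.Signature) {
			return booted, fmt.Errorf("%w: stage %q rejected", ErrChainBroken, s.Name)
		}
		booted = append(booted, s.Name)
		trusted = s.NextKey
	}
	return booted, nil
}

// Constructed sample chain; names and payloads are placeholders, not real images.
var sampleNames = []string{"bootloader", "secure monitor (TZ)", "kernel", "userland"}
var sampleCodes = [][]byte{[]byte("BL"), []byte("TZ"), []byte("KRN"), []byte("APP")}

// BuildChain generates a fresh signing key per stage (constructed for the
// example) and signs every stage with the key the preceding stage will trust.
// It returns the root public key and the signed stages.
func BuildChain() (ed25519.PublicKey, []Stage, error) {
	n := len(sampleNames)
	pubs := make([]ed25519.PublicKey, n)
	privs := make([]ed25519.PrivateKey, n)
	for i := 0; i < n; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		pubs[i], privs[i] = pub, priv
	}
	stages := make([]Stage, n)
	for i := 0; i < n; i++ {
		var next ed25519.PublicKey
		if i+1 < n {
			next = pubs[i+1]
		}
		code := append([]byte(nil), sampleCodes[i]...) // private copy per chain
		stages[i] = Stage{Name: sampleNames[i], Code: code, NextKey: next}
		stages[i].Signature = ed25519.Sign(privs[i], signedBody(code, next))
	}
	return pubs[0], stages, nil
}

// DemoUntampered boots the chain as shipped: every stage runs.
func DemoUntampered() ([]string, error) {
	root, stages, err := BuildChain()
	if err != nil {
		return nil, err
	}
	return VerifyChain(root, stages)
}

// DemoPatchedKernel models a patched kernel written to system storage: the
// bytes changed, so its signature no longer matches and boot stops before it.
func DemoPatchedKernel() ([]string, error) {
	root, stages, err := BuildChain()
	if err != nil {
		return nil, err
	}
	stages[2].Code = append(stages[2].Code, []byte("+patch")...)
	return VerifyChain(root, stages)
}

// DemoResignedKernel re-signs the patched kernel with a freshly generated key:
// the signature is valid, but not under the key the secure monitor trusts,
// so the stage is refused just the same.
func DemoResignedKernel() ([]string, error) {
	root, stages, err := BuildChain()
	if err != nil {
		return nil, err
	}
	_, rogue, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	stages[2].Code = append(stages[2].Code, []byte("+patch")...)
	stages[2].Signature = ed25519.Sign(rogue, signedBody(stages[2].Code, stages[2].NextKey))
	return VerifyChain(root, stages)
}

func main() {
	for _, demo := range []func() ([]string, error){DemoUntampered, DemoPatchedKernel, DemoResignedKernel} {
		booted, err := demo()
		fmt.Printf("stages run: %v, result: %v\n", booted, err)
	}
}
```

Running it shows all four stages booting on the untouched chain, and both the patched and the re-signed kernel being rejected right after the secure monitor has verified itself. The point a defender takes from the model is that the check has to happen at every stage, including on resume from sleep, because any stage that jumps to code it did not verify is the hole the rest of the chain cannot close.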

notimp

Well-Known Member
Member
Joined
Sep 18, 2007
Messages
5,779
Trophies
1
XP
4,419
Country
Laos
@DinohScene: Thank you for clarifying.

Recommending an upgrade to 3.0.0, knowing (/assuming in hindsight) that this will take away people's access to piracy/dualboot, is taking some freedoms in exchange for an overall "vision" of what the scene should look like at an early stage - but to be fair, people take/make those decisions for a purpose, I suppose. As with all (limitations to) freedoms.

It's basically "nudging" to modify user behaviors.

No, Kernelhax is a method to get kernel privilege. This requires the system to be booted and thus you can't speak of a coldboot exploit.
Ok, conflicting information. :)

That's what I thought - and if it turns out to be the case, usability was sacrificed by advising people to update to 3.0.0. We'll see how it develops, and how all of this turns out in the end... But, yeah..

edit: (I suppose you could boot and interrupt before the GUI and then exploit, once the kernel is loaded, which would have the same effect, but not qualify as a "cold boot" exploit technically? ;) )
 
Last edited by notimp,

DinohScene

Gay twink catboy
Global Moderator
Joined
Oct 11, 2011
Messages
22,515
Trophies
4
Location
Восторг
XP
22,643
Country
Antarctica
@DinohScene: Thank you for clarifying.

Recommending an upgrade to 3.0.0, knowing (/assuming in hindsight) that this will take away people's access to piracy/dualboot, is taking some freedoms in exchange for an overall "vision" of what the scene should look like at an early stage - to be fair, but people take/make those decisions for a purpose, I suppose. As with all freedoms.

It's basically "nudging" to modify user behaviors.

There's nothing wrong with suggesting to update to 3.0, if they're creating a stable homebrew platform for everyone to enjoy.
The end user still has to confirm the update on the Switch, which means that it's the end user's own responsibility to update or not.
i.e. you can also not update and wait for it to mature before making a decision.

Besides, piracy is wrong and in some countries, it's even illegal.
C3 isn't a hosting of criminals teaching others to steal information.
It's a hosting of talented hackers and like-minded individuals sharing their knowledge of various subjects.

Edit: no problem.
 
Reactions: TotalInsanity4

linuxares

The inadequate, autocratic beast!
Global Moderator
Joined
Aug 5, 2007
Messages
13,138
Trophies
2
XP
17,849
Country
Sweden
Jesus... 3.0 is the best for homebrew, at that moment. That's what Plutoo etc. meant. Just because this exploit has been found afterwards doesn't really make it possible to rewind back and remove it right?
 

Resaec

Well-Known Member
Member
Joined
Dec 19, 2017
Messages
409
Trophies
0
XP
885
Country
Germany
If this indeed was his idea behind it, he should have clearly said so.
"You should update to 3.0.0 as this will be the first major FW on which HB will be presented. We chose this version because of the wide availability and to prevent piracy."
There would have been no space for criticism. Anyway, they do a great job and in the end, if the pressure is high, there will be solutions for this, too.
 

DinohScene

Gay twink catboy
Global Moderator
Joined
Oct 11, 2011
Messages
22,515
Trophies
4
Location
Восторг
XP
22,643
Country
Antarctica
If this indeed was his idea behind it, he should have clearly said so.
"You should update to 3.0.0 as this will be the first major FW on which HB will be presented. We chose this version because of the wide availability and to prevent piracy."
There would have been no space for criticism. Anyway, they do a great job and in the end, if the pressure is high, there will be solutions for this, too.

Saying that will leave the pirates to bitch about piracy.

It's a double-edged sword no matter how you look at it ;/


What does trustzonehax give us that kernel doesn't? What can it be used for?

Right now?
Coldboot CFW/Emunand.

Saw it somewhere on temp.
 

notimp

Well-Known Member
Member
Joined
Sep 18, 2007
Messages
5,779
Trophies
1
XP
4,419
Country
Laos
There's nothing wrong with suggesting to update to 3.0, if they're creating a stable homebrew platform for everyone to enjoy.
The end user still has to confirm the update on the switch, which means that it's the end users own responsibility to update or not.
i.e. you can also not update and wait for it to be matured before making a decision.
With suggesting it - no, withholding information at that stage is not so clear cut. ;) (But you'd have to prove intent, which is always a hassle.. ;) ). In the end, in any case, I agree that it was ok to do so.

But it's a "creationist" role you are taking on from there. :) Sure, 3.0.0 may be more stable - but people could have booted it via emunand. (At which point complexity explodes, and the discussion doesn't go anywhere.. ;) )

All in all, even in hindsight, it was fine. Just not as clear cut - ethically. Maybe.. ;)

edit: To be blunt, I always find it somewhat odd if hackers want to be perceived as "ethical" by the standards of the very company whose products they are reversing. In the end it always creates a strange philosophical dilemma, because companies never play by those rules. That said, implying or inducing their ethics onto the "users realm" is fine. I know, I'm such a deep thinker.. ;)
 
Last edited by notimp,
Reactions: Resaec

Resaec

Well-Known Member
Member
Joined
Dec 19, 2017
Messages
409
Trophies
0
XP
885
Country
Germany
It's a double-edged sword no matter how you look at it ;/

Coldboot CFW/Emunand.
1. Yep. But as you said, it's the end user updating, not the ones saying you should.
2. Are you sure? I don't know how he does it this time, but if it is the same as before, it is "only" a warmboot exploit and with this non-persistent.
 

DinohScene

Gay twink catboy
Global Moderator
Joined
Oct 11, 2011
Messages
22,515
Trophies
4
Location
Восторг
XP
22,643
Country
Antarctica
With suggesting it - no, withholding information at that stage is not so clear cut. ;) (But you'd have to prove intent, which is always a hassle.. ;) ). In the end, in any case, I agree that it was ok to do so.

But it's a "creationist" role you are taking on from there. :) Sure, 3.0.0 may be more stable - but people could have booted it via emunand. (At which point complexity explodes, and the discussion doesn't go anywhere.. ;) )

All in all, even in hindsight, it was fine. Just not as clear cut - ethically. Maybe.. ;)

I would welcome a world where Ninty, Sony and MS open their doors and allow Linux to be installed on their hardware by default.
Much like Sony had with the PS3.
The sole reason why the PS3 stayed unhacked for all that time was that it already ran Linux.
It was only due to Sony removing it that people started to poke around.

But yeh, trying to prevent piracy as much as possible is a good thing.
It'll come eventually.


1. Yep. But as you said, it's the end user updating, not the ones saying you should.
2. Are you sure? I don't know how he does it this time, but if it is the same as before, it is "only" a warmboot exploit and with this non-persistent.

f0f demo'd a coldboot sploit.
TX managed to replace the iconic Nintendo logo with the Xecuter logo in Ninty's style.

That tied together with the info available.
Put one and two together.
 

ccrider

Member
Newcomer
Joined
Dec 17, 2017
Messages
14
Trophies
0
Age
34
XP
51
Country
United States
Bleem only made playing official retail copies legal.

Emulation is piracy. Don't bitch about eBay prices. Get money and shut up.

Emulation isn't for angels. Emulation is used to steal.

Say so and stop lying.
 

8BitWonder

Small Homebrew Dev
Member
Joined
Jan 23, 2016
Messages
2,488
Trophies
1
Location
47 4F 54 20 45 45 4D
XP
5,315
Country
United States
They wanted piracy, not homebrew.
CFW doesn't automatically mean piracy. Many like myself want to be able to use homebrew on lower firmware, while being able to play physically purchased games that require higher firmware. That being said it's undeniable that a large majority are hungry for warez, but it's a little rude to box all of them together.
 
Reactions: weatMod
