It's on 3dbrew since 14 May 2015... They did in 2015, but I wouldn't call it publicly known, although it was known to a minority.
People here on this thread were still doubting it 1 week ago.
https://3dbrew.org/wiki/3DS_System_Flaws
You will need this link: https://3dbrew.org/w/index.php?title=3DS_System_Flaws&diff=12601&oldid=12581
Great, but actually you still need a custom firmware (+ that's what it is, actually), and that doesn't change much from now.
My concern is that hacking a hard-modded dump is going to need something from the donor 3DS besides the dump? Or am I wrong to think that with sighax?
smea and other users here have said yes when I asked if we can: factory -> hard mod -> dump -> modify dump -> restore -> boot with no issues. This means we can potentially fix bricks with no prior backups.
I basically want to rebuild the 3DS NAND from PC; that is the ultimate hack. Then no matter what you do to that 3DS file system, it is always 100% able to be restored with a proper hard mod. This is what I need to repair a broken 3DS I own.
You need to know the console's FIRM xorpad.
You can determine the xorpad if you know the version of FIRM that is installed and the FIRM is not corrupted.
That's just for installing sighax, nothing about restoring the filesystem afterwards.
You need a localfriendseed, a secureinfo, the OTP of the console, etc.
I know about that lol
Hi Mrrraou,
SigHax does provide a change: the FIRM0 that gets loaded is your own from byte 0.
Which means Kernel9Loader need never be loaded.
Which means OTP is not locked out.
SigHax also makes it much easier to create custom FIRM0 that simplifies bootrom dumps, such as:
0. set up exception vectors
1. set up branch sleds
2. signal via I2C that you're about to reboot
3. reboot with much tighter timing
Of course, step 2 presumes you're automating your glitching attempts, and snooping on the I2C bus to help synchronize timing-related attacks on the CPU during its boot....
If you have your console's OTP and a b9 dump you'll likely be able to decrypt it and have the correct keys for NAND encryption and stuff.
As with many things, the answer is complicated by the lack of exactness in the language used. With a hardmod, ....
Goal A: Restore an o3ds/n3ds/2ds to a prior configuration
Requirements: nand image
Goal B: Change firmware from known version A to another version B
Requirements:
[] if major versions of kernel match and FIRM B is smaller:
XOR the two files (both encrypted, or both decrypted) to get a FIRM XORPAD
XOR this XORPAD against the FIRM partition
voilà! known-plaintext attack results in FIRM B ....
[] else, you need the xorpad for at least the FIRM partition
(i.e., most of the time, Metroid Maniac's response)
Goal C: Change files on NAND image, but valid only for same 3ds
Requirements:
[] NAND XORPAD + NAND dump (i.e., Metroid Maniac's response)
Goal D: Create a NAND image from system A that can be used on system B
Requirements:
[] For offline use (no Nintendo network), it may be possible.
[] See Mrrraou's response... and note that some information cannot be self-generated, even with sighax and bootroms, but must come from a "donor" system.
Goal E: Create a NAND image from scratch that can be used on a system with no NAND image
Requirements:
[] For offline use (no Nintendo network), it may be possible.
[] For any online use, see note above ... "donor" system still required for some data due to cryptographic signatures checked by online services...
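As an added illustration (not code from any poster in this thread) of why the Goal B shortcut works and why the "FIRM B is smaller" condition matters: a FIRM partition encrypted with a fixed, reused per-console keystream keeps no confidentiality once a single plaintext/ciphertext pair is known, and the recovered pad reaches only as far as that known pair. The keystream generator, FIRM contents and partition layout below are constructed stand-ins, not real console data.

```python
import hashlib


def keystream(seed: bytes, length: int) -> bytes:
    """Constructed stand-in for a console's fixed FIRM XORPAD (SHA-256 in counter mode).
    The real pad comes from console-specific keys; only the 'fixed pad, reused' property matters."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two buffers; the result is as long as the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_xorpad(encrypted_a: bytes, plaintext_a: bytes) -> bytes:
    """Known-plaintext step: C_A XOR P_A yields the keystream that encrypted FIRM A."""
    if len(encrypted_a) != len(plaintext_a):
        raise ValueError("encrypted and decrypted FIRM A must be the same length")
    return xor_bytes(encrypted_a, plaintext_a)


def encrypt_firm_b(xorpad: bytes, plaintext_b: bytes) -> bytes:
    """Re-use the recovered pad on FIRM B. This is the thread's 'FIRM B is smaller' condition:
    beyond the recovered pad there is no known keystream, so a larger FIRM B cannot be covered."""
    if len(plaintext_b) > len(xorpad):
        raise ValueError("FIRM B is larger than the recovered XORPAD: no keystream for its tail")
    return xor_bytes(plaintext_b, xorpad)


def rewrite_partition(partition: bytes, encrypted_b: bytes) -> bytes:
    """Overwrite the start of the FIRM partition image; the old ciphertext tail stays in place
    (a real FIRM header carries section sizes bounding what the loader reads; not modelled here)."""
    if len(encrypted_b) > len(partition):
        raise ValueError("FIRM B does not fit in the partition")
    return encrypted_b + partition[len(encrypted_b):]


# Constructed sample data: a 64-byte pad, a 64-byte FIRM A and a 48-byte FIRM B.
PAD = keystream(b"constructed-console-seed", 64)
FIRM_A = b"FIRM-A-plaintext-v11.2-" + bytes(range(41))
FIRM_B = b"FIRM-B-plaintext-v9.6-" + bytes(range(26))
PARTITION = xor_bytes(FIRM_A, PAD)  # what a hardmod dump of the FIRM partition would hold


def demo() -> bool:
    """Run the three steps and check that the console's own pad decrypts FIRM B intact."""
    pad = recover_xorpad(PARTITION, FIRM_A)
    new_partition = rewrite_partition(PARTITION, encrypt_firm_b(pad, FIRM_B))
    return xor_bytes(new_partition[: len(FIRM_B)], PAD) == FIRM_B
```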
Well, I was about two weeks late in my prediction. Can I at least have half a cookie?
This info is definitely originating from Rumorville, Kentucky, but I think there's a pretty good chance yellows8 is planning some sort of BOSS (SpotPass) hax to coincide with 33c3. Praise me if I'm right, don't mind me if I'm wrong.
And Merry Christmas hax fans. : )
I'm convinced yellows8's brain is nothing but a single oversized left hemisphere.
Who complained about the *hax names........
ctpkpwn_tfh
Who is ever going to pull that one off the top of their heads, why no herohax or triforcehax or something nice and catchy
(But yeah, I get that it's ctpkpwn (for the SpotPass exploit) and _tfh for the Triforce Heroes implementation...... still, I kinda liked the *hax naming scheme.)
What?!
- WiiU stuff, mostly not interesting given full privilege access on latest firm already.
Actually, it turns out I wasn't wrong technically. @ihaveamac
Eh, you have a point I guess. I still stand by my assertion that the Wii U portion wasn't interesting.
What kind of trolling bullshit is this?
The Wii U is in need of a boot1 hack so that it can be on par with the 3DS in terms of CFW.
The current options make use of coldboothax, which isn't really a hack but a simple modification of an XML file.
Boot1, on the other hand, would give a great advantage and hopefully allow flashing a permanent CFW into the system, like the 3DS can with a9lh and the upcoming exploits.