Homebrew [33c3] Console Hacking 2016 (3DS/WiiU) talk Dec 27-30: smea, derrek, nedwill, naehrwert

[hacksn5s4]

is sound hax kinda unpatchable because they would have to change how it plays the music to fix it and have they ever updated the sound app i don't think so i also don't think they update system titles that are on the home menu with firmware updates mii plaza only gets updated in the app

 

[DavidRO99]

is sound hax kinda unpatchable because they would have to change how it plays the music to fix it and have they ever updated the sound app i don't think so

.... You that they can just update it right? Even if they didnt update it in the past they still can, like they own the damn thing

 

[hacksn5s4]

.... You that they can just update it right? Even if they didnt update it in the past they still can, like they own the damn thing

but they can't do the thing like the browser where it locks you out unless you update

 

[einhuman197]

sighax is a modification of the FIRM partition, which is the same place that arm9loaderhax is installed to. The bootrom isn't modified and cannot be modified.

Oh K

 

[gkoelho]

No, nothing has changed. It has always been possible ever since the arm9 was pwned. Using sighax is no different to using a9lh, and it opens up no new possibilities. The only difference is that it's easier to install because it does not rely on the OTP hash for encrypting a arm9loader key.

Doesnt bootrom has more access to hardware than arm9? I remember a flow chart of the 3ds architeture that showed something alike it.

Edit: Also arm9 only allow to patch code as its loaded and Sighax can have entire new code and calls permanently.

 

[hacksn5s4]

thing is nintedos not going to bother to patch a9lh so whats point of sign hax we still need a free way to get cfw like last year

 

[metroid maniac]

Doesnt bootrom has more access to hardware than arm9? I remember a flow chart of the 3ds architeture that showed something alike it.

Eh sort of, but only to the extent that you can dump the bootrom and OTP as well. It's hard to go much more into detail without tediously correcting all the terminology.

 

[hacksn5s4]

the problem is theirs no eur old version of sudoku hax so you have to pay more money to downgrade 3ds since you need to buy a bigger game that can fit exdia hax

 

[Mrrraou]

wow this thread definitely is full of bullshit
but not as much as when 32c3 happened
you guys need to try harder

 

[einhuman197]

the problem is theirs no eur old version of sudoku hax so you have to pay more money to downgrade 3ds since you need to buy a bigger game that can fit exdia hax

Come on you jerk you save hundreds of euros/dollars/whatever with piracy and you cry because you have to buy a 7 euros/dollars/whatever game? Are you kidding me?

 

[mathieulh]

You do not need luma with sighax, or any CFW at all because signatures will be signed.

You can only forge FIRM signature, and only for boot9 (Process9 isn't vulnerable), this means you can't just forge cia signatures and whatnot so you will still need "CFW". The 3DS isn't a Playstation 3.

 

[mathieulh]

Could the CtCert be taken from another console, say a Wii or WiiU?

No, well not quite, the CtCert is stored in the OTP area (you just don't see it when dumping your OTP because it's stored in encrypted form), the OTP is copied by boot9 to the ITCM and decrypted, later on the part of the decrypted OTP which does not contain CtCert is wiped by boot9 from memory. This means the original place where the CtCert is stored (assuming you have the means to encrypt it) cannot be overwritten.

It is however possible to read the CtCert from the memory of an exploited unit (or from a decrypted OTP) and overwrite it in another console (in memory) early enough in the boot chain so that the firmware uses it instead of the one that's written in the OTP.

Needless to say you can't just craft your own CtCert for obvious reasons and need a real one generated by Nintendo.

--------------------- MERGED ---------------------------

no one is gonna bruteforce an hash for a patched firmware though. however there will definitely be some kind of payload chainloader i assume.

I agree, a universal loader is the way to go. if just for safety and convenience, something small and straightforward that does not require much (if any) changes over time.

 

[Mrrraou]

I agree, a universal loader is the way to go. if just for safety and convenience, something small and straightforward that does not require much (if any) changes over time.

definitely, plus people have already been doing this with k9lh so i assume it to be easy enough, as there's not that much difference between the post-k9l environment and the post-boot9 environment

 

[metroid maniac]

I agree, a universal loader is the way to go. if just for safety and convenience, something small and straightforward that does not require much (if any) changes over time.

I bet it'll even execute arm9loaderhax.bin as default just for maximum interoperability

 

[Tenshi_Okami]

is it 2004 again
please tell me it is

I mean, the song fits well for a fast paced fight

But for reals tho, I got one question, what would someone get from a ARM11 bootroom dump? I'm curious :3

 

[metroid maniac]

I mean, the song fits well for a fast paced fight

But for reals tho, I got one question, what would someone get from a ARM11 bootroom dump? I'm curious :3

It doesn't seem that useful. I guess it's just nice to have all the secrets.

 

[Mrrraou]

But for reals tho, I got one question, what would someone get from a ARM11 bootroom dump? I'm curious :3

nothing

 

[mathieulh]

I mean, the song fits well for a fast paced fight

But for reals tho, I got one question, what would someone get from a ARM11 bootroom dump? I'm curious :3

One word: Keys

Envoyé de mon SM-G935F en utilisant Tapatalk

 

[Mrrraou]

One word: Keys

Envoyé de mon SM-G935F en utilisant Tapatalk

on boot11 ? keys?

 

[mathieulh]

on boot11 ? keys?

Let's assume for a second that boot11 acts as a storage for boot9 (you know, expensive die space and all that)... Just an assumption of course

Envoyé de mon SM-G935F en utilisant Tapatalk