Homebrew ARM9Loader -- Technical Details and Discussion

173210

Well-Known Member
Member
Joined
Jan 22, 2014
Messages
245
Trophies
0
Age
26
Location
Japan
Website
173210.github.io
XP
683
Country
1. Exploit ARM9
2. Prepare for the hack
  • Write the testing code to the exception vector
  • Fill FIRM0 with invalid code
  • Write arm9loader v2 to FIRM1
  • Destroy the special NAND sector
3. Reboot
4. The FIRM1 decrypted with the corrupted key causes an exception
5. Testing code will be executed
  • If the LR indicates FIRM0, proceed to the next step.
  • If the LR doesn't indicate FIRM0, modify the special NAND sector and reboot again.
6. Installing code will be executed
  • Relocate the primary payload
  • Write the primary payload to FIRM0 for the next boot
  • Execute the primary payload
7. The primary payload will be executed
  • Load the secondary payload from the rest of FIRM0
  • Execute the secondary payload
8. The secondary payload will be executed
  • Initialize SDMMC
  • Initialize FAT
  • Load the binary
  • Execute it

Hmm, it should work. But isn't it too difficult?
 

Syphurith

Beginner
Member
Joined
Mar 8, 2013
Messages
641
Trophies
0
Location
Xi'an, Shaanxi Province
XP
364
Country
Switzerland
Thanks for your tips regarding this. ARM9 access is required for at least generations for keyslot 0x11 related keys.
However, I don't know if ARM9 access can be reached that easily from ARM11 memchunkhax2 without ntrcardhax.
Once that is done, you may need the original FIRM and keys to perform a firmlaunch, and you may also need to relocate the position where FIRM is during system updates.
There is at least one system version required to get keyslot 0x11 uncleared, and a <10.3 for the actual trick.
BTW, good to see you again, here.

--------------------- MERGED ---------------------------

My question: isn't homemenuhax enough?
IIRC that is a good user-land exploit. It doesn't mean you can downgrade or get kernel access, as with Memchunkhax2.

Sorry, I'm ill now and may forget some important points, so my expression may sound weird.
Once that is implemented fully on one console you can port it to another, if Key#2 and FIRM are correct.
 

Ekaitz

Redhead Believer
Member
Joined
Jun 13, 2010
Messages
608
Trophies
0
XP
441
Country
France
First, arm9Loaderhax gives you pre-ARM9 kernel (on latest firmware). Second, its boot time is likely instant after boot.

In my opinion, it's much better.

I think the same, it would be a great progress for n3DS.

I don't need a hard mod and arm9loaderhax is great but I won't use it if it requires me to hard mod my n3DS, I'll just keep menuhax.
But anyways, for people who have hard mod, it would be really great.
 

173210

arm9loaderhax is actually an ARM9 exploit, but it doesn't have the keys to decrypt FIRMs, so you CANNOT launch any FIRM with unknown keys, such as 9.6+.
I don't think it has an advantage over downgraded 9.2 + homemenuhax + firmlaunchax.
 

Syphurith

arm9loaderhax is actually an ARM9 exploit, but it doesn't have the keys to decrypt FIRMs, so you CANNOT launch any FIRM with unknown keys, such as 9.6+.
I don't think it has an advantage over downgraded 9.2 + homemenuhax + firmlaunchax.
Hi 173210, please try contacting reisyukaku; the OTP for N3DS has been dumped and some keys were calculated.
Maybe you can learn how to do that. Good luck to you.
Rei said:
I dumped OTP registers on N3DS, which gave me access to 0x200 bytes of NAND keys, which let me generate all the keys from 0x15, 0x16 and all keyXs for 0x18, 0x19..0x1F so I can decrypt 9.6+. I honestly don't think Nintendo would be able to lock us out again. lol
Took me longer than I expected to get this done because my n3ds was acting weird from downgrade. So SciresM was my beta tester.
And maybe counting the actual level of that exploit is useless currently, since it hasn't been publicly done and described.
 

AHP_person

Well-Known Member
Member
Joined
Nov 2, 2014
Messages
364
Trophies
0
XP
518
Country
United States
Hi 173210, please try contacting reisyukaku; the OTP for N3DS has been dumped and some keys were calculated.
Maybe you can learn how to do that. Good luck to you.

And maybe counting the actual level of that exploit is useless currently, since it hasn't been publicly done and described.
OTP has been dumped by multiple people on n3ds now. That itself makes arm9loaderhax way easier to pull off (not to mention gives you access to firmlaunching 9.6+). My testing procedure was just to power off the 3ds so it'd be apparent when/if code execution happened. The only downside is the lack of execution space to do much else...
 

173210

Hi 173210, please try contacting reisyukaku; the OTP for N3DS has been dumped and some keys were calculated.
Maybe you can learn how to do that. Good luck to you.

And maybe counting the actual level of that exploit is useless currently, since it hasn't been publicly done and described.
It's very interesting. Yes, I'll do so.
Anyway, it will allow emuNAND 9.6+, so I think homemenuhax + ARM9 exploit + emuNAND 9.6+ is enough. No need for arm9loaderhax.
 

Syphurith

It's very interesting. Yes, I'll do so.
Anyway, it will allow emuNAND 9.6+, so I think homemenuhax + ARM9 exploit + emuNAND 9.6+ is enough. No need for arm9loaderhax.
And please, try using Google to find a spreadsheet named "3ds aes keys" on docs.google.com. Plenty of interesting things there; thanks to Rei for that.
BTW, arm9loaderhax would enable you to use direct SysNAND once the update procedure is modified correctly, so "no need for EmuNAND".
Still ill myself. I already have a master's degree and am preparing to leave.
Hope you have a glorious school experience!
 

173210

And please, try using Google to find a spreadsheet named "3ds aes keys" on docs.google.com. Plenty of interesting things there; thanks to Rei for that.
I couldn't find anything with '3ds aes keys site:docs.google.com'. How can I find it?
BTW, arm9loaderhax would enable you to use direct SysNAND once the update procedure is modified correctly, so "no need for EmuNAND".
Still ill myself. I already have a master's degree and am preparing to leave.
Hope you have a glorious school experience!
It may be nice or not. homemenuhax and emuNAND are really safe. arm9loaderhax is not worth implementing for me. I have other things to do.
Congratulations on the degree! I'm even considering dropping out of my university. LOL
 

Syphurith

I couldn't find anything with '3ds aes keys site:docs.google.com'. How can I find it?
It may be nice or not. homemenuhax and emuNAND are really safe. arm9loaderhax is not worth implementing for me. I have other things to do.
Congratulations on the degree! I'm even considering dropping out of my university. LOL
On Rei's pastebin: ucqXGq6E, if you can access that. Well, you might not need that much if you've learned how to extract those, yup. Yeah, EmuNAND is super safe.
 

173210

Rei told me he keeps the hack secret for future use. It's the right decision, I think.

--------------------- MERGED ---------------------------

On Rei's pastebin: ucqXGq6E, if you can access that. Well, you might not need that much if you've learned how to extract those, yup. Yeah, EmuNAND is super safe.
Hmm, so he really did that. Thanks.
 

Vappy

Well-Known Member
Member
Joined
May 23, 2012
Messages
1,508
Trophies
2
XP
2,613
Country
How was the OTP dumped on n3ds?
N3DS downgraded to 1.0, allegedly.
Rei told me he keeps the hack secret for future use. It's the right decision, I think.
Once the OTP has been dumped, is there any other use for it?
EDIT: Especially since multiple people have publicly pulled it off, the information isn't exactly a closely guarded secret at this point.
 