Hacking freakin magnethax; how does it work???

[MaverickWellington]

I'm curious about NTRBoothax, specifically in how the hell it even works. I've got a couple questions regarding it and was wondering if anyone could help me find answers for them.

How did anyone find out how this works?
Are there any examples of service carts that Nintendo uses? I'm curious what they look like and if they've leaked online anywhere.
Lastly, why is it this works for DS mode flash carts specifically?

 

[zoogie]

I'm curious about NTRBoothax, specifically in how the hell it even works. I've got a couple questions regarding it and was wondering if anyone could help me find answers for them.

How did anyone find out how this works?
Are there any examples of service carts that Nintendo uses? I'm curious what they look like and if they've leaked online anywhere.
Lastly, why is it this works for DS mode flash carts specifically?

Read this
https://sciresm.github.io/33-and-a-half-c3/
That's your best chance at understanding it.

 

[MaverickWellington]

Read this
https://sciresm.github.io/33-and-a-half-c3/
That's your best chance at understanding it.

Thanks!

 

[Hucz]

"Upon disassembling boot9, we notice another huge flaw in the bootrom that wasn't mentioned at 33c3. Before trying to boot from NAND, the bootrom checks to see if a key combination (Start + Select + X) is being held, and whether the shell is closed. If so, it tries to boot from an inserted NTR (Nintendo DS) cartridge.

Combined with sighax/boot9strap, this allows one to make a malicious fake DS cartridge, so that holding down a button combination on boot gives you bootrom code execution. Nintendo tried to make it not possible to abuse by requiring the shell to be closed... But you can just use a magnet. This, like sighax, is also not fixable. The NTR cartridge was likely meant to be used for either the factory setup or as a means of recovering bricked NANDs. However, we'll never know for sure."

 

[nl255]

"Upon disassembling boot9, we notice another huge flaw in the bootrom that wasn't mentioned at 33c3. Before trying to boot from NAND, the bootrom checks to see if a key combination (Start + Select + X) is being held, and whether the shell is closed. If so, it tries to boot from an inserted NTR (Nintendo DS) cartridge.

Combined with sighax/boot9strap, this allows one to make a malicious fake DS cartridge, so that holding down a button combination on boot gives you bootrom code execution. Nintendo tried to make it not possible to abuse by requiring the shell to be closed... But you can just use a magnet. This, like sighax, is also not fixable. The NTR cartridge was likely meant to be used for either the factory setup or as a means of recovering bricked NANDs. However, we'll never know for sure."

Wasn't there a report quite a while ago about someone who when they got their 3DS back from Nintendo's repair facility found it came with a weird DS style cart that Nintendo was very eager to get back but most people at the time thought it was fake news?

 

[Hucz]

Wasn't there a report quite a while ago about someone who when they got their 3DS back from Nintendo's repair facility found it came with a weird DS style cart that Nintendo was very eager to get back but most people at the time thought it was fake news?

Haha that's hilarious if true! If you can find more information on this report, I'd be interested in reading it

 

[nl255]

Haha that's hilarious if true! If you can find more information on this report, I'd be interested in reading it

Yeah. Too bad it took so long to find Pandorahax.

 

[Zaphod77]

tl:dr;

nintendo put a backdoor in the bootrom to let them unbrick consoles.

they attempted to secure it, by having it do a signature check.

But because the bootrom has a flawed signature check, we can fakesign, running our own code off of a pirate flashcart, instead of nintendo's own signed code that's on their unbricker carts.

PWNed.

 

[KHANV1CT]

• Upon disassembling boot9, we notice another huge flaw in the bootrom that wasn't mentioned at 33c3.

• Before trying to boot from NAND, the bootrom checks to see if a key combination (Start + Select + X) is being held, and whether the shell is closed.

• If so, it tries to boot from an inserted NTR (Nintendo DS) cartridge.

• Combined with sighax/boot9strap, this allows one to make a malicious fake DS cartridge, so that holding down a button combination on boot gives you bootrom code execution.
• Nintendo tried to make it not possible to abuse by requiring the shell to be closed...
• But you can just use a magnet.

That's so cool, I wish I had the time to learn stuff like that.

 

[WiiHomebrew+Snes]

Water fire air earth?

 

[BaamAlex]

Water fire air earth?

Go with that to the last airbender xD
Maybe he manages to teach you to tame all 4 elements