Hacking freakin magnethax; how does it work???

MaverickWellington · Jan 6, 2018

I'm curious about NTRBoothax, specifically in how the hell it even works. I've got a couple questions regarding it and was wondering if anyone could help me find answers for them.

How did anyone find out how this works?
Are there any examples of service carts that Nintendo uses? I'm curious what they look like and if they've leaked online anywhere.
Lastly, why is it this works for DS mode flash carts specifically?

zoogie · Jan 6, 2018

MaverickWellington said:
I'm curious about NTRBoothax, specifically in how the hell it even works. I've got a couple questions regarding it and was wondering if anyone could help me find answers for them.

How did anyone find out how this works?
Are there any examples of service carts that Nintendo uses? I'm curious what they look like and if they've leaked online anywhere.
Lastly, why is it this works for DS mode flash carts specifically?

Read this
https://sciresm.github.io/33-and-a-half-c3/
That's your best chance at understanding it.

MaverickWellington · Jan 6, 2018

zoogie said:
Read this
https://sciresm.github.io/33-and-a-half-c3/
That's your best chance at understanding it.

Thanks!

Hucz · Jan 6, 2018

"Upon disassembling boot9, we notice another huge flaw in the bootrom that wasn't mentioned at 33c3. Before trying to boot from NAND, the bootrom checks to see if a key combination (Start + Select + X) is being held, and whether the shell is closed. If so, it tries to boot from an inserted NTR (Nintendo DS) cartridge.

Combined with sighax/boot9strap, this allows one to make a malicious fake DS cartridge, so that holding down a button combination on boot gives you bootrom code execution. Nintendo tried to make it not possible to abuse by requiring the shell to be closed... But you can just use a magnet. This, like sighax, is also not fixable. The NTR cartridge was likely meant to be used for either the factory setup or as a means of recovering bricked NANDs. However, we'll never know for sure."

nl255 · Jan 6, 2018

Hucz said:
"Upon disassembling boot9, we notice another huge flaw in the bootrom that wasn't mentioned at 33c3. Before trying to boot from NAND, the bootrom checks to see if a key combination (Start + Select + X) is being held, and whether the shell is closed. If so, it tries to boot from an inserted NTR (Nintendo DS) cartridge.

Combined with sighax/boot9strap, this allows one to make a malicious fake DS cartridge, so that holding down a button combination on boot gives you bootrom code execution. Nintendo tried to make it not possible to abuse by requiring the shell to be closed... But you can just use a magnet. This, like sighax, is also not fixable. The NTR cartridge was likely meant to be used for either the factory setup or as a means of recovering bricked NANDs. However, we'll never know for sure."

Wasn't there a report quite a while ago about someone who when they got their 3DS back from Nintendo's repair facility found it came with a weird DS style cart that Nintendo was very eager to get back but most people at the time thought it was fake news?

Hucz · Jan 6, 2018

nl255 said:
Wasn't there a report quite a while ago about someone who when they got their 3DS back from Nintendo's repair facility found it came with a weird DS style cart that Nintendo was very eager to get back but most people at the time thought it was fake news?

Haha that's hilarious if true! If you can find more information on this report, I'd be interested in reading it

nl255 · Jan 7, 2018

Hucz said:
Haha that's hilarious if true! If you can find more information on this report, I'd be interested in reading it

Yeah. Too bad it took so long to find Pandorahax.

Zaphod77 · Mar 4, 2019

tl:dr;

nintendo put a backdoor in the bootrom to let them unbrick consoles.

they attempted to secure it, by having it do a signature check.

But because the bootrom has a flawed signature check, we can fakesign, running our own code off of a pirate flashcart, instead of nintendo's own signed code that's on their unbricker carts.

PWNed.

KHANV1CT · Mar 5, 2019

Upon disassembling boot9, we notice another huge flaw in the bootrom that wasn't mentioned at 33c3.

Before trying to boot from NAND, the bootrom checks to see if a key combination (Start + Select + X) is being held, and whether the shell is closed.

If so, it tries to boot from an inserted NTR (Nintendo DS) cartridge.

Combined with sighax/boot9strap, this allows one to make a malicious fake DS cartridge, so that holding down a button combination on boot gives you bootrom code execution.

Nintendo tried to make it not possible to abuse by requiring the shell to be closed...

But you can just use a magnet.

That's so cool, I wish I had the time to learn stuff like that.

WiiHomebrew+Snes · Mar 5, 2019

Water fire air earth?

BaamAlex · Mar 7, 2019

WiiHomebrew+Snes said:
Water fire air earth?

Go with that to the last airbender xD
Maybe he manages to teach you to tame all 4 elements

Hacking freakin magnethax; how does it work???

No.

playing around in the end of life

No.

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Member of GBAtemp's shadow district

UDE GA NARU ZE!

Similar threads

Popular threads in this forum