Homebrew safefirmraunchhax - new Arm9 exploit discussion

[uyjulian]

what is up with the font? it's hard to read

ｉｔ＇ｓ　ａｃｔｕａｌｌｙ　ｆｕｌｌ－ｗｉｄｔｈ　ｃｈａｒａｃｔｅｒｓ．　Ｉ＇ｍ　ｌａｚｙ　ｔｏ　ｃｈａｎｇｅ　ｔｈｅ　ｋｅｙｂｏａｒｄ　ｍｏｄｅ．

 

[Kyubnyan]

what is up with the font? it's hard to read

not a font, they are probably just doing the A E S T H E T I C S meme. (incorrectly I might add)

 

[leerpsp]

And just to let every one know there is a working fasthax/fbi file out now that lets you install legit cia's... https://gbatemp.net/threads/request...his-me-this-github.455417/page-3#post-6970698 its working on new 3DS.. you need to have both files on sd card and run fbi only and some times works a few times fells. this should hold others over tell the other stuff comes out.

 

[TheOverseer]

I don't recommend doing it until people who don't have to worry about bricking try it.

I do have ARM9LoaderHax, but I don't know how exactly to set up my 3DS so it'll not grant automatic ARM9 access, so I can actually....you know. Test.

 

[Deleted User]

not a font, they are probably just doing the A E S T H E T I C S meme. (incorrectly I might add)

i knew it wasn't a font, but i wasn't sure if it was full-width or not

 

[uyjulian]

Ｐｌｅａｓｅ　ｏｎｌｙ　ｔｅｓｔ　ｗｉｔｈ　ｈａｒｄｍｏｄｓ　ｏｒ　ａｒｍ９ｌｏａｄｅｒｈａｘ　ｆｏｒ　ｎｏｗ

 

[Apache Thunder]

Sighax and ARM9LoaderHax are two different exploits with similar ends.

ARM9LoaderHax uses a secret processor password called the OTP to gain code execution extremely early in the boot process.

Sighax on the other hand, uses cryptography exploits to set up a scenario where it views code we want to execute as properly signed, simply booting it instead of a normal firmware. So we'd gain execution where we'd normally get a firmware, and then boot into the normal firmware.

This is why a Bootmii like solution is fairly likely.

Uhhm...no. OTP is used only once to allow altering the secret sector on NAND that stores the n3DS keys for the arm9 encryption of NATIVE_FIRM. (for o3DS it installs the secret sector since it doesn't exist on o3DS). This allows altering a key in the secret sector keystore to intentionally corrupt decryption of arm9 of NATIVE_FIRM. This results in a controlled jump to a payload elsewhere on NAND because Kernel9Loader (the section of NATIVE_FIRM that handles the decryption process among other things) has a flaw where it doesn't check that the key slot in question is valid. (hence why I among others like to call it Kernel9LoaderHax instead of Arm9Loaderhax since the exploit involves a flaw in Kernel9Loader) OTP is not used after the key is installed. I could go into detail on how the payload in question is created and where it's placed, but that is not necessary in this instance

So long story short....OTP isn't directly used as an exploit. It's used only once to gain access to something. After that it serves no further use.

 

[TheOverseer]

Ｐｌｅａｓｅ　ｏｎｌｙ　ｔｅｓｔ　ｗｉｔｈ　ｈａｒｄｍｏｄｓ　ｏｒ　ａｒｍ９ｌｏａｄｅｒｈａｘ　ｆｏｒ　ｎｏｗ

...How exactly would one test with ARM9LoaderHax? lol

Like...doesn't it already grant ARM 9 Access? So how would I know if I get ARM 9 Access or not?

--------------------- MERGED ---------------------------

Uhhm...no. OTP is used only once to allow altering the secret sector on NAND that stores the n3DS keys for the arm9 encryption of NATIVE_FIRM. (for o3DS it installs the secret sector since it doesn't exist on o3DS). This allows altering a key in the secret sector keystore to intentionally corrupt decryption of arm9 of NATIVE_FIRM. This results in a controlled jump to a payload elsewhere on NAND. OTP is not used after the key is installed.

So long story short....OTP isn't directly used as an exploit. It's used only once to gain access to something. After that it serves no further use.

I am corrected by someone who knows much more than I do. That being said, the rest of my post has validity. lol. Thank you for the lesson though, I'll describe it more accurately next time.

 

[proflayton123]

...How exactly would one test with ARM9LoaderHax? lol

Like...doesn't it already grant ARM 9 Access? So how would I know if I get ARM 9 Access or not?

Turn off firm patches

 

[TheOverseer]

Turn off firm patches

Is there a way to do that which allows me to keep my FIRMProtect so testing can't kill A9LH?

 

[AHP_person]

tfw people think i made a bricktool

 

[TheOverseer]

tfw people think i made a bricktool

I'm pretty new on the scene, so forgive me for being (overly?) cautious. That said, with A9LH installed, it's a bit less worrying for me than the average person.

 

[Kyubnyan]

tfw people think i made a bricktool

you can never be too cautious.

 

[WaterBotttle]

Just found this on reddit! Someone has an implementation using waithax already, (not sure if it works fully yet)
https://www.reddit.com/r/3dshacks/comments/5llxmx/safefirmlaunchhax_unimplemented_arm9_exploit_on/
https://github.com/TiniVi/safehax

 

[AHP_person]

you can never be too cautious.

You could always read the code and compile yourself, though...

 

[uyjulian]

Ｉ　ｃｈｅｃｋｅｄ　ｏｕｔ　ｃｏｍｍｉｔ　ｏｎｅ　ｆｒｏｍ　ＨＥＡＤ．
Ｈｅｒｅ＇ｓ　ｔｈｅ　ｒｅｓｕｌｔ：　https://u.nya.is/tsqfxn.zip
Ｉ　ｈａｄ　ｔｏ　ｒｕｎ　３ｄｓｘｔｏｏｌ　ｉｎ　ｌｌｄｂ　ｆｏｒ　ｔｈｅ　３ｄｓｘ　ｔｏ　ｂｕｉｌｄ　ｅ＿ｅ

 

[dkabot]

Ｉ　ｃｈｅｃｋｅｄ　ｏｕｔ　ｃｏｍｍｉｔ　ｏｎｅ　ｆｒｏｍ　ＨＥＡＤ．
Ｈｅｒｅ＇ｓ　ｔｈｅ　ｒｅｓｕｌｔ：　https://u.nya.is/tsqfxn.zip
Ｉ　ｈａｄ　ｔｏ　ｒｕｎ　３ｄｓｘｔｏｏｌ　ｉｎ　ｌｌｄｂ　ｆｏｒ　ｔｈｅ　３ｄｓｘ　ｔｏ　ｂｕｉｌｄ　ｅ＿ｅ

Since it looks like this includes waithax, I'll throw an arm9 payload on my card and try it.
I have A9LH, but if I turn off the SVC check patches I should be able to run it, theoretically.

 

[AHP_person]

Since it looks like this includes waithax, I'll throw an arm9 payload on my card and try it.
I have A9LH, but if I turn off the SVC check patches I should be able to run it, theoretically.

luma reboot patches break safehax

 

[dkabot]

luma reboot patches break safehax

Ah, damn.
Never mind then, I'll leave it to others to have fun.

Last time I didn't have those patches, I forgot and bricked, so I'll avoid touching that.

 

[Kyubnyan]

TFW fasthax prelaunch will be tonight for n3ds.