|
| ||
| Views: 1,396,436 | Main | Rules/FAQ | Memberlist | Active users | Last posts | Calendar | Stats | Online users | Search | 04-26-24 02:28 PM |
| Guest: | ||
| Main - Posts by Syphurith |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 41/59 EXP: 25252 Next: 4645 Since: 10-26-15 Last post: 3025 days ago Last view: 2975 days ago |
Posted by d0k3 Indeed there are more homebrews using the XML and perhaps with arguements.. Such as CHMM2, ftbrony, installer, menuhax_manager, qtm.. For example? However i do suggest you to ask smea or others on #3dsdev for help on this. BTW, what you suppose to do with the arguements? RxTools just loads a static payload and it's fine. Yes if this could be loaded using CN or other *hax, those 8.1 users may have a way for xorpads.. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 42/59 EXP: 25252 Next: 4645 Since: 10-26-15 Last post: 3025 days ago Last view: 2975 days ago |
Posted by d0k3 Quite good news to hear. So it would load successfully from HBL then? Yup. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 43/59 EXP: 25252 Next: 4645 Since: 10-26-15 Last post: 3025 days ago Last view: 2975 days ago |
Why would use use a Zero key? For the re-encryption: You can just generate the correct xorpads from decrypted contents.
Just get xorpad of a small file and rebuild it to enlarge its romfs/exefs, and compare this to the one for new file. The begining would be the same. Also there is Zero Key fix, I used that to fix the sh*tty ZeroCrypto that stops the usage for CFWs. -- produces no valid signatures, neither. And, since ZeroKey is now only supported by GW or its fakes.. Unless ZeroKey adjustments are done for CFW, you can have the possibility to run.. However even the signature is valid for a dev unit, it is still invalid for a retail one. So you still need to patch signatures check. Why you need this? Note: There is leaked contents of dev unit keys and certs.. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 44/59 EXP: 25252 Next: 4645 Since: 10-26-15 Last post: 3025 days ago Last view: 2975 days ago |
Eh.. I wanna try the question of lib installation.
Posted by Inside My DevKitPro FolderYou can easily get what i installed by compare the list above with your own. You can: make INSTALL it to DevKitPro root. And include that as -lctru or something else. Or Simply to merge some into existing libraries. Such as copying all include/lib/tools/data/share/bin to devKitARM.. I don't know how to load cgfx, nor GL or C++. And i can not ensure the installation tips always correct.. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 45/59 EXP: 25252 Next: 4645 Since: 10-26-15 Last post: 3025 days ago Last view: 2975 days ago |
Posted by d0k3 1.There is a "extdata_tool" somewhere. Compiled binary can be found somewhere. extdata_tool -m IMG -x -i -t -l title.db.out
This can parse the file, but can not manipulate it. So no offline installation..
2.To make things easier, i suggest you do such steps. A.dump xorpad for those dbs (import, title) on SD card. B.backup the the dbs. let's say, "clean". C.install a title, and backup the dbs as "installed". D.remove the previous title you installed, say "removed". And xor those dbs from SD with the xorpad. Get all decrypted to compare with WinMerge2011. Soon you would see what is modified. Yes this is not for NAND, but that is quite similar. That's all what i wanna say. Hope you good luck. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 46/59 EXP: 25252 Next: 4645 Since: 10-26-15 Last post: 3025 days ago Last view: 2975 days ago |
Posted by gudenau You could contact 173210 and others on github, from those repos of CFWs under active development. And i would say good for this too. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 47/59 EXP: 25252 Next: 4645 Since: 10-26-15 Last post: 3025 days ago Last view: 2975 days ago |
I've built a private update server yesterday, and released its source (surely without ninty files). To my surprise, the TitleHash and FsSize inside GetSystemUpdate SOAP isn't actually verified. And no way for me to make a really good GetSystemUpdate reply...
Now i have two questions, looking for someone to answer. So mind you please think for a while? 1. Is there any way to patch the nim module for those update urls, on 9.3+? I do know that eshop.3dsx does something similar but i am not sure about those. Maybe HANS could do this? yeah i have method to pack exefs and romfs.. 2. How much could it benefit with a lower MSET or Spider on those 9.3+? The server can still easily go wrong. Hope someone would like it. Original link is in strikethrough. Alternative link. Server Tool: https://dropfile.to/cvHd1, access: FqdU1Rt. Curl Test: https://dropfile.to/ekeJG, access: KEnFOxs. The previous package is the files to construct the server, written in PHP7.x and Nodejs. The latter one is the Test scripts with curl to test the server output. @d0k3 It is released. Found out you haven't seen the conversation there i just post its links here. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 48/59 EXP: 25252 Next: 4645 Since: 10-26-15 Last post: 3025 days ago Last view: 2975 days ago |
Posted by Opposing Force Well OK. Indeed using google translation isn't hard, but i would update the main post to add attachments. Eh.. this forum doesn't support attachment. I would have to find a free file hosting website first.. EDIT: OK now it is on dropfile.io i hope you can download it easier then. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 49/59 EXP: 25252 Next: 4645 Since: 10-26-15 Last post: 3025 days ago Last view: 2975 days ago |
Posted by profi200 Thanks much for your reply. Heat down I played with my 9.8 emunand yesterday, and my console is directly updated from 4.1 to 9.2 first with your sysupdator. Well and i used the version spoofed MSET from 9.0 and it gets installed. So it still need to disable the signature checks.. It would be surprised me much if they do not actually check those spoofed ones. Posted by Shared Result But now, i think there should be some checks other than the TMD reading itself. If it is that easy to downgrade i think they would just knock their head with $. (orz) I developed this myself after the ronhero on gbatemp states he has done that can provides a paid service for n00b. Since this is quite risky i didn't post the server there. Even you told them that is there would always be some careless guys (lol). Random upload sites: well cause i can not access those famous upload sites easily from the country normally. I thought of a 3dsx version of sysupdater and now it sounds not of much use then (i mean here it is the server). Hope you a good day. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 50/59 EXP: 25252 Next: 4645 Since: 10-26-15 Last post: 3025 days ago Last view: 2975 days ago |
Posted by profi200 My mistake. I've checked the signature at the beginning of the TMDs of different titles, and that the whole TMD is protected by signature, thus it deserve a signature patch to install a spoofed CIA. So the hope to downgrade the SysNand on a firmware without sig-patch isn't real. Thanks as lead me the way off the wrong path. Then this can only be useful to play with emunand, or update the sysnand, with untouched CIAs. EDIT: I would update the posts above to strikethrough the wrong statements. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 51/59 EXP: 25252 Next: 4645 Since: 10-26-15 Last post: 3025 days ago Last view: 2975 days ago |
@profi200 Sorry to disturb you but.. I'd like to hear your opinion about "where the TitleHash is".
I could not find the TitleHash inside all those modules' ram dumped using NTR, nor the extracted contents from decrypted emunand. It checks if the TitleHash different from maybe "stored" one, and also the hash inside GetSystemUpdate reply and GetTitleHash must match. Once you enter the MSET or other special apps, the wifi would not be kept functional thus NTR lost its connection. So i can not dump mset ones out. It should be in NAND or RAM. But i didn't know where it might be stored. Orz. Dreaming of this get stored in a title and the tmd changes. Yes tmd should not change. It doesn't check tmd of installed ones much. Oh why dreaming? lol Have a good time with your research and life! Also here is a way to generate the TitleHash to keep it different every minute. //Create a 16 bytes random TitleHash to easily issue an update. Or else comment this off and use the line below to give it a value. //This is generated using the client hostname and a date-time string, thus it would change per minute. $TitleHash = md5(gethostname().date('YmdHi')); //$TitleHash = '14C4B935FCB69959B88B7003A5326D2B'; //Wrong TitleHash, this is actually the one of 9.8.0-25J |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 52/59 EXP: 25252 Next: 4645 Since: 10-26-15 Last post: 3025 days ago Last view: 2975 days ago |
This is just a question and conception so If I've said something wrong, point it out please, thanks. If the "not restorable" is totally a hoax, thanks very much for inform me that. (Very glad to hear) UPDATE: I've heard from someone that the 1.21GB NAND can be restored, just most shops don't want to help them. (Feeling good) All i know about the NAND chip in 3ds: 1.Pinouts Connection for dumping and restoring the NAND dump access it like a SD/MMC. Normal NAND connection would be at least 8+3 pins, counting its I/O pins. 2.The size of the NAND dump is much smaller than the NAND chip size itself, especially for N3DS. 3.A bare NAND can not be accessed (W) via FAT filesystems without data loss unless a FTL is implemented. Cause FAT is designed for Block Device not NAND. 4.FTL implementation consumes page OOBs or pages outside the mounted size as algorithm usage. 5.The dump and xorpad are generated not the same time, but it can be decrypted correctly. Yes maybe just for most dumps (at least my O3DS can be restored with GW method, and yes it should be restorable via hardmod). And my notes: 1.There is a NAND FTL implemention in 3ds hardware level (Oops. Or bootrom.), and the current pinout connections R/W nand through it. 2.The NAND chip must contains its page translations or block/hybrid ones in its chip. For N3DS, not all the space is used/translated. But if pages inside dump is in a same order (such as those of O3DS, all pages in the dump are translated) of that it is read or written, then the restoration would not break the translation, otherwise (ie, dump of incomplete read/write and pages are not translated) it would result a brick. 3.If NAND chip is connected without FTL, and accessed as a bare NAND chip the dump size should be exactly the size of chip, counting all bad blocks inside. So the conclusion: The image we can get from 3ds may be incomplete (including GW dumps), contains no translation tables. If the NAND dump isn't a translated result this would cause it not restorable with those incomplete dumps. If a direct connection to NAND pinouts could be performed, the chips should always be restorable (except damaged or huge bad blocks). However it might be done in a more complex way (needs special device to R/W the bare chip). |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 53/59 EXP: 25252 Next: 4645 Since: 10-26-15 Last post: 3025 days ago Last view: 2975 days ago |
Posted by Mikle0x 1.The most content of the file should be encrypted. Just try load it into a IDA (you can find 6.6). 2.No those Dev Cert marks such as "CP00000004" or "XS0000000A" is involved. Oh this is only for those NCCHs. 3.There are dev keys leaked very long ago, including AES and RSA types. The amount of those is finite. 4.This file isn't found in NW4C:NW4F, or leaked 4.2.8 SDK. Since i don't find any clue about where this file comes from, i don't know what it belongs. You may just want to write a tiny program to try all those keys for you, but this may be not enough. If you have a dev console, write a program to let it try all its keyslots. Let me guess. If a file is designed to be used inside a system with many keys, it may at least tell the system which key should be used. Otherwise it could not be decrypted well. I don't know if the 0x31=49 is a slot number. Good luck. Hope you could eventually play with it. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 54/59 EXP: 25252 Next: 4645 Since: 10-26-15 Last post: 3025 days ago Last view: 2975 days ago |
1.Decapping Fundraiser that started by Jl12 was late proven to be fake. So no fundraiser now.
2.OTP dumping is not possible at current research level. Well and i don't know more info about it. 3.Key scramber? Oh this is totally left cause the research on the hardware. BTW i'm not the guy that certificated to show any proofs - i'm not REing it. Nor do I have hardware skill. And this kind of development is not so fashion as the exploit finding, and I don't think you can get someguys to raise the money. Yes i do doubt if there is anyone tried that in private. And, those pirates don't care really about homebrew or even RE it - well they're just gamers. That's all what i know about your question. Yes. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 55/59 EXP: 25252 Next: 4645 Since: 10-26-15 Last post: 3025 days ago Last view: 2975 days ago |
Posted by gudenau Quite sorry for replying this late. 1.Version Spoofing itself is not hard, just edit the Version inside TMD. However this would break the TMD signatures so you would need sig-patch environment - except Injected APP that isn't checked for the signature tightly. 2.The main reason you can not access Eshop due to the Service URL changed. Thanks to Smea that already a homebrew based on HANS can give you the access. Hope you could find something interesting next time. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 56/59 EXP: 25252 Next: 4645 Since: 10-26-15 Last post: 3025 days ago Last view: 2975 days ago |
Posted by gudenau Okey.. First the eShop changed their server URLs so the eShop spoofing is done by HANS. In my own understanding the Version itself is only a number checked mostly, that marked in the TMD of the title, to say it is a certain version - not really mean that version, if modified - yes that is it so you can disable some update notice for some certain games that modified. If you patch a game to make its Version be the same of its update, and the system would think it is updated - well i've done that when i bundled an update to a game and it doesn't pop for update notice for that game. If without other checks, a title would be regarded as "update" by system if the version is simply higher than the current one. But this won't always work - i tried to downgrade the emunand with spoofed TMDs for the whole system titles and yes failed. To change a version is easy, but remake a valid signature isn't. And i don't think Ninty would enable fake-sign (as wii) again. Even you can fake the signature, when the application is so complex that related tightly with other services of the newer system version, or with a newly updated web server, that would not work. And eShop is just this type, so the modification of exefs/romfs is needed for them - and that's the reason why that's HANS enhanced. Most time for a not that important title, the system would just check if that is updated, compare the current installed version to the latest version. For System Titles, this isn't handled this way, even the console would only accept higher version except removed first, there are more checks. And for eShop, this is quite important, and web related. The actual obstacle for them is the changed service urls. I think the main purpose of dealing with the eShop has already come to an end. Hope my poor speaking can deal with your question this time. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 57/59 EXP: 25252 Next: 4645 Since: 10-26-15 Last post: 3025 days ago Last view: 2975 days ago |
Posted by gudenau The firmware version? This version is inside exheader of CXI of CIA/CCI, telling what minimum version of firmware is needed for running it. See this page: http://3dbrew.org/wiki/NCCH/Extended_Header#ARM11_Kernel_Capabilities Posted by Masks This is actually kernel release version. The version spoof for those 9.5+ titles that changed this value and system just run those. Cause till now there are many FIRMs updates that just for "stability" and not infects the functionality much, so this spoofing likely works for games. However for eShop and other titles on 10.3, the firmware set up a bitmask and the apps asks for it - just check those title decrypted with ctrtool. If just modify the kernel version it wouldn't work (tried). But i haven't tried if i remove this mark, and you can test it alone if you have decrypt9. You might know already that GW can partially update some titles and get eShop access without HANS, thinking of those GW patches, it might patched kernel to produce the false bitmask for those. I've heard about GW heavily patched the system and even a running thread in ARM11, but i don't know really about that. This is just like the region free for games, the era of just modify the exheader/what leaves us after ninty introduced a new mechiasm to check the region, so only GW/NTR locale emulation could work. I'm quite noob at RE so I can not reveal how that is done, nor this for kernel release version. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 58/59 EXP: 25252 Next: 4645 Since: 10-26-15 Last post: 3025 days ago Last view: 2975 days ago |
What type of title you want to check?
1.System Titles: just look at yellows8 server record: http://yls8.mtheall.com/ninupdates/reports.php 2.SD Application: Sorry you have to use AM to get Titles that installed, and this needs am service access. No FAT16 xorpad generations.. only except you are sure that is a preinstalled System Title that not on CDN. |
| Syphurith |
| ||
|
Member Normal user Level: 18 Posts: 59/59 EXP: 25252 Next: 4645 Since: 10-26-15 Last post: 3025 days ago Last view: 2975 days ago |
I'm sorry but there seems to be InstallMii already.
BTW this could be possible, once you can persuade a guy into developing it. Good luck! (Sorry i won't anticipate this..) |
| Main - Posts by Syphurith |
|
Page rendered in 0.033 seconds. (2048KB of memory used) MySQL - queries: 22, rows: 97/97, time: 0.007 seconds. ![[powered by Acmlm]](img/poweredbyacmlm.png "powering nostalgia")
Acmlmboard 2.064 (2018-07-20)© 2005-2008 Acmlm, Xkeeper, blackhole89 et al. |
.