The first is 'SoundHAX' allowing for the first time an offline exploit, not needing 'purchased' game using nothing but the native 3DS sound player, next up was 'FastHAX' which is better direct faster way of exploiting the Kernel 11 then the previously released SlowHAX, but the best part was saved for last, the new 'SigHAX' a breakthru on how Nintendo does its RSA checking on 3DS firmwares, allowing now developers to sign their own CFW, which will led soon to better things just like the last year release of A9LH at the 32c3 conference.

Soundhax and Fasthax!
The talk started with the announcement of both Soundhax and Fasthax. Soundhax is an exploit which was presented by hacker nedwill that relies on the 3DS’ sound player. As is the case with many exploits on the 3DS, it is a buffer overflow exploit. For what you care about, Soundhax means now you will have a free exploit that works offline! That’s great news since the discovery of exploits in games usually leads to horrible price gouging (this was mentioned by nedwill in the presentation). An good example of this is how games like Cubic Ninja shot from $5 to values like $80 just because of Ninjhax.

Fasthax is kernel11 exploit which we can assume will work on all current firmwares (so that’s up to 11.2 at least). While I don’t understand the nitty-gritty of it, I do know it will allow for CIA installation on the exploitable firmwares and if it goes like last year, probably more.

BootROM dumped! Sighax!
This is when derrekr took to the stage to talk about the BootROM. He spent a good time talking about the entire process of hacking the BootROM and how it is protected. He said that half of it is visible and the other half isn’t and they used that as a starting point. It was mentioned there is a flaw in the 3DS hardware in which some RAM is not cleared on a reboot. That allowed for injection of code that led to the dumping of the BootROM. Pretty neat!

This next part however is when everyone got really hyped. After a long explanation about the CPU of the 2DS and the RSA signatures Nintendo uses, he talks about how they were able to figure out that it doesn’t look for an entire signature, but only part of it. With this enormous flaw figured out, they were able to bruteforce their way into the valid part of the signature. This means that from now on, if this gets released, developers will be able to sign their own firmwares. This is even bigger than a9lh that only allowed us to patch code as it was loaded. This means that the 3DS might have complete custom firmware on boot. Let us hope this gets released!

BootROM11 dumped too!
At this point the only thing left to do was dumping the BootROM of the ARM11 processor (the previous was the ARM9 processor’s BootROM). derrekr said they could have tried the same process as earlier, but went with something different. When looking at the unprotected part of the ARM11 BootROM, they noticed there were references to the ARM11 RAM. So they tried overwriting data on Boot11 and discovered it was not blacklisted! Instant dump. As the slide said: “That was easy”.

Lastly, it was noted that all this was discovered back in Summer of 2015, but since big 'N' didn't do anything about it, they decided it was now ok to release the info, of course most likely between this and Nintendo's new Bug Bounty program now running, I am sure soon we will soon a more secure Nintendo 3DS firmware rolled out that fixes alot of this, hopefully not until we the users can get to enjoy it for a while first on our 3DS handhelds, now that we will soon have the freedom of fully signed installable custom firmwares.



Posted: Dec 28, 2016 11:37 pm
Related Forum: Gaming Discussion

Source: http://www.maxconsole.com/threads/33c3-3ds-digest-bootrom-cracked-ability-to-sign-firmwares.43628/