23
edits
Changes
Jump to navigation
Jump to search
Line 54:
Line 54: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + − + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
→Nintendo Channel demos: Many of these were archived.
:::::"what would i need to learn..." You could learn to read/write ARM assembly, and learn reverse engineering. --[[User:Yellows8|Yellows8]] 07:38, 22 April 2013 (CEST)
:::::"what would i need to learn..." You could learn to read/write ARM assembly, and learn reverse engineering. --[[User:Yellows8|Yellows8]] 07:38, 22 April 2013 (CEST)
::::::Thanks. Confirmed~ That's clear to me now. --[[User:Syphurith|Syphurith]] 11:53, 22 April 2013 (CEST)
::::::Thanks. Confirmed~ That's clear to me now. --[[User:Syphurith|Syphurith]] 11:53, 22 April 2013 (CEST)
Eh. Yellows8, i got some n00b questions about the ARM execution.
There is non-executable sections in the memory layout, but where did these "This can be executed" flags got initialized (I mean that is made of hardware circuits or bios or other software section)? If that is not changable, would all those ARM cores use the same non-execution flags settings(possibly no so we may change the core to keep that work?). Even more, can we sniffer the data app to core and change its execution length then inject.
Also, is there any method to let the core execute those commands (that you detected) and use that to produce something you interested in?
:The ARM11 kernel [[Memory_layout#ARM11_User-land_memory_regions|initializes]] the MMU tables. "Also, is there any method to let the core execute those commands (that you detected) and use that to produce something you interested in?" By running code on a 3DS of course. --[[User:Yellows8|Yellows8]] 17:27, 17 June 2013 (CEST)
::Thanks. But still feeling strange of that strategy. I think at least the Home Menu may be able to re-map or deactive this mark.
::-snip- Sorry for being noob (i would try learning arm soon). Hope you good work.--[[User:Syphurith|Syphurith]] 02:46, 19 June 2013 (CEST)
Home Menu starts application processes via [[NS]], terminating and "suspending" process execution(the process is still running with that, the application threads wait for a [[NS]] notification for resuming actual execution) is done via NS as well. The ARM11 kernel handles mapping the processes' virtual memory for .text, .rodata, and .data. The ARM11 kernel handles terminating processes as well of course. The only process which has access to [[SVC|svcControlProcessMemory]] for mapping memory or changing memory permissions, is [[RO_Services|RO]] module, and of course that module will only map R-X .text pages for the signed [[CRO0|CRO]] .text. --[[User:Yellows8|Yellows8]] 03:16, 19 June 2013 (CEST)
:I can still remember ns/ro is also a title in title list. (if manually start that may fails/cause failure) if you launch a title with those commands manually, would it be exposed (in ram?)(, if so we may dump the firmware/modules)? MPS let multiple processes can share the same resources (with home menu?). or have we to modify the real memory externally? There are just thoughts, if interesting please think for a while; if not just tell me "NONE".--[[User:Syphurith|Syphurith]] 05:17, 19 June 2013 (CEST)
:I saw you update the AES page recently. you can confirm some keyslots are with the same data, but how had you done that (by comparing the data, or just the same memory location)? Can you even fetch those keys to decrypt the CDN TMD key strings? if so that would be a potential way to go.. BTW you're disasm those in-memory content not the decrypted Romfs right?
:I do wonder if contents decrypted succussfully, shall we need any customed disassembler? --[[User:Syphurith|Syphurith]] 16:51, 26 June 2013 (CEST)
::"some keyslots are with the same data" I encrypted an all-zero block with each AES engine keyslot with CTR=0, and encrypted that data again with each keyslot with keyY=0. When the output block for the former is the same for multiple keyslots, those keyslots use the same keyX/keyY. When the latter output block is the same for multiple keyslots, those keyslots use the same keyX. "decrypt the CDN TMD key strings" TMDs have nothing to do with decrypting the ticket titlekey. [[RomFS]] does not contain code(besides [[CRO0]] for web browser), that's stored in [[ExeFS]]:/.code. There's no need to dump code from memory when one can just use the [[AES]] engine. --[[User:Yellows8|Yellows8]] 17:40, 26 June 2013 (CEST)
:::oh well. sorry for been n00b again. then have you ever found something that you can execute to decrypt those CDN data? i badly wanna try it.. ExeFS.. okey.. hope good work--[[User:Syphurith|Syphurith]] 08:04, 27 June 2013 (CEST)
:::-snip- --[[User:Syphurith|Syphurith]] 08:36, 27 June 2013 (CEST)
::::You do not "call" crypto functions here, this is a hardware [[AES]] engine with a hardware key-scrambler. "found something that you can execute to decrypt those CDN data" Not sure what you mean when we had system-version v4.5 total-control code exec haxx since December. --[[User:Yellows8|Yellows8]] 09:52, 27 June 2013 (CEST)
:::::I forgot that hours ago. sorry. I thought we would be able to feed those raw data we got from CDN, and let it decrypt and extract for us. then at least we may be able to find those differences in modules implemented between two nearby versions. Some just fix crash - stablility, and some would fix some vulnerables we may use, and some would indicates those internal logical process of the module's implementation. we can not always rely on those ROP or other black-box methods. when we get the opportunity to build a CFW or a special homebrew that would affect the original behaviours of the system, we may need to modify it right? also that should show us some interesting points if we have ones dedicated on analysing those. --[[User:Syphurith|Syphurith]] 14:51, 27 June 2013 (CEST)
::::::Total-control code exec haxx = access to the [[AES]] engine obviously. "build a 'CFW'" That's not possible because of [[NCCH|RSA]], the only way around that would be to exploit software while the system is booting or exploit Home Menu. And patching the NCCH signature checks(from like savegame haxx with a game) is rather pointless, because you would have to re-patch *every* time you boot your 3DS(there's no need to run a regular homebrew application via NCCH this way either tbh). --[[User:Yellows8|Yellows8]] 16:06, 27 June 2013 (CEST)
:::::Thx. That's exactly how cfw works. (sorry i only have psp and 3ds) procfw on psp, have ipl flashed (psp has one special section inside its battery) can auto-patch the cfw code into the system while booting. But have no news for how those men repair customer's device i definitely have no clubs about the existence of similiar mechism. Besides, patching is not that easy, well. i know you have full access to AES engine, and i just want to know have you ever tried or thought of using contents from CDN and decrypt them and disassemble to seek something interesting. --[[User:Syphurith|Syphurith]] 05:31, 28 June 2013 (CEST)
::::::Using the AES engine is basically the only way to obtain cleartext NCCH for updated titles, without finalizing the install for titles. That's obviously where stuff like the new [[6.0.0-11|savegame]] keyY info came from. --[[User:Yellows8|Yellows8]] 07:16, 28 June 2013 (CEST)
:::::Okey, good. you can take use of that (however still not related to exefs..) have a good day.
::There is ClCertA on CDN. Important keys are stored in hardware key-scrambler right? A.ClCertA's private key stored in hardware and there is api called with write access in the package. B.ClCertA's key stored in NAND or somewhere else so we can eventually grab that and setup a proxy to remote while replacing the original ninty ones to our own self-sign ones (Then we would be able to decode the data transfers between proxy to 3ds and proxy to remote). C.ClCertA.. The workers think their private key can never be leaked so no CRL and just stored in hardware with a package cheating their boss. Which one you think would be the best answer? BTW i do really think there is ones with R/W access to the hardware.. Hope you find new apis.--[[User:Syphurith|Syphurith]] 02:35, 4 July 2013 (CEST)
:::ClCertA contains the SSL client RSA cert/private-key, when one has that one can only access their servers(like with a PC) with that, *nothing* more. I'm not sure why they store that data in a CFA seperate from SSL module, those two files stored in the ClCertA RomFS use additional encryption to begin with. "BTW i do really think there is ones with R/W access to the hardware" I'm not sure what you mean by that. --[[User:Yellows8|Yellows8]] 03:24, 4 July 2013 (CEST)
::::-snip-
:::::I don't think you understand what "SSL client certificate authentication" is, you should google it etc. A fake server would require the SSL server private-key from the real server, which you can't obtain of course. The AES engine has *nothing* to do with this besides being used to decrypt those two files in that CFA RomFS. This CFA is a system title so it's obviously stored in NAND, but of course you can't change any NCCH data due to RSA signing of course(modifying ClCertA is pointless anyway). There's not much point changing the SSL client cert/private-key, each 3DS prior to that update would be using the old ClCertA, and system updates require that SSL client auth for SOAP(besides SOAP that stuff isn't really interesting tbh). SSL module is the only process which uses ClCertA. "... write/read which section of memory" I have no use for that. --[[User:Yellows8|Yellows8]] 17:30, 4 July 2013 (CEST)
::::::oh well thanks. So only SSL module then. Without the ability to modify the original data, even a tunnel proxy would not work properly..(what annoying the rsa signature is - maybe as me to you. i means, 3ds with replaced, child cert and key of a self-signed, connects to a proxy with self-signed cert and key; the proxy takes the original cert and key that of 3ds client, to connects to ninty CDN. the two connections are all connecting with proper key and cert, that client signed by server; but 3ds's original cert and key must be replaced by one signed by our proxy's server cert and key, as what ninty does with 3ds. cause inability to change the content, it is nothing now.)(maybe better quick head to learning disasm and someday to have a try) BTW haven't seen Jl12 for long, seeing someone impeach him for just taking $ away lol. (even i don't think about that before. oh no this is your page and i should not be short to you) --[[User:Syphurith|Syphurith]] 02:16, 5 July 2013 (CEST)
::::::So please let me say that. "Sorry". also hope you find something today.
===Spam attack===
===Spam attack===
I guess the simple captcha isn't enough, do you have an idea what to do? (i'm asking you because you are the most active admin here).<br/>
I guess the simple captcha isn't enough, do you have an idea what to do? (i'm asking you because you are the most active admin here).<br/>
I think we should adopt a method of registration and waiting for an admin to approve it. the recent changes page is spammed hard and a lot of google pages, I guess, are being created linking to those pages. --[[User:Elisherer|Elisherer]] 09:40, 31 May 2013 (CEST)
I think we should adopt a method of registration and waiting for an admin to approve it. the recent changes page is spammed hard and a lot of google pages, I guess, are being created linking to those pages. --[[User:Elisherer|Elisherer]] 09:40, 31 May 2013 (CEST)
:Mha is the only one that can do anything about changing the external-links CAPTCHA for anti-spam, I can't do much about it myself. Mha said that he would work on this tomorrow. --[[User:Yellows8|Yellows8]] 22:19, 31 May 2013 (CEST)
:Mha is the only one that can do anything about anti-spam, I can't do much about it myself. Mha said that he would work on this tomorrow. --[[User:Yellows8|Yellows8]] 22:19, 31 May 2013 (CEST)
::A. Stop registeration for several weeks (NOT GOOD).
::B. Ajax to load captcha (maybe reCAPTCHA?). Not well-made bots will have trouble loading the javascript code or lose the speed (there is ones with javascript but can not act so quickly)(MAYBE USEFUL). This method is widely used ''it may be not so useful'' (against latest tools).
::C. Use auto filter to auto check those suspicious content and block those users, given an access for those by accident closed guys to talk about their opinion. (I do wonder if the wiki admin backdoor provide you such a tool)(Hey Regex~)
::D.find their IP and block the IP section for a while.(Similiar as A)
::E. Use man-made Email to validate (I means, instead of the system writing mail to user to validate, let user write mails to admin or other trusted -- use SPAM filter)(NOT WELL PRATICAL, Haven't tested, SO..)
::F. Calls for someone can trust and give him only those block and delete power (DIFFICULT). Well just a little tries..
::G. Try to update your wiki version first, i mean the version of this website framework. (MAYBE USEFUL? DOUBT..)
::If you tried the actions of blocking and the spam still flow in you need to update or call wiki program's supporters (may be exploit..) But i do wonder why they tried to attack here, a (script) guy (with latest tool)?(if so he should try to improve his skill first).
::Oh well, Recent changes. Guys have a good day (International Children's Day).--[[User:Syphurith|Syphurith]] 09:39, 1 June 2013 (CEST)
:We are able to mark those pages as spam but however no effects in deed if no one comes to remove those spam accounts. Well.--[[User:Syphurith|Syphurith]] 10:17, 17 June 2013 (CEST)
===Fundraiser===
Hello Yellows8,
I know you're not the one that is responsible for the chip decapping fundraiser, but I didn't manage to contact Jl12 via E-Mail (He's not responding). So, have you guys noticed that the donations hit the 2000$ last week? Will the decapping start anytime soon or do you need some more money for buying the 3DS itself?
Best regards
:Jl12 has had a broken 3DS for decapping before the fundraiser even started. And of course we noticed that, however since Jl12 is usually very busy it might be a while before he sends his 3DS for decapping. --[[User:Yellows8|Yellows8]] 00:26, 5 June 2013 (CEST)
Hi again,
anything regarding the chip decapping happened in the past week? Will the images be released to the public?
Best regards
:We still haven't heard anything from Jl12. --[[User:Yellows8|Yellows8]] 19:34, 15 June 2013 (CEST)
So Still no news from Jl12? Seems not seeing him for long.--[[User:Syphurith|Syphurith]] 02:35, 4 July 2013 (CEST)
Hi Yellows8,
sorry to bother you again, but I would like to know, if you heard something from Jl12 since July. As far as I know [http://gbatemp.net/members/mercluke.109574/ mercluke] donated the remaining 300$ months ago. Has this money never arrived or is this whole thing nothing but a scam after all and Jl12 ran off with the money? This would be really disappointing for all donaters and a very sad end for a very promising project.
:"if you heard something from Jl12 since July" Nope, he's very busy. When we do hear anything from him he would presumably update the donate page anyway, so no need to ask here. --[[User:Yellows8|Yellows8]] 17:14, 5 November 2013 (CET)
http://n-dev.net/donate.php is gone.
== I have tried to send you an email ==
I don't know if it will go through though. It is about help with dumping a 3DS kiosk demo, which is an earlier build than the final game. --[[User:Hiccup|Hiccup]] 16:15, 31 May 2015 (CEST)
== Contact ==
Look, I'm sorry to bother you, but I was wondering, how would I get in contact with you? --[[User:MassExplosion213|MassExplosion213]] 06:20, 9 September 2015 (CEST)
:EFNet IRC is preferred. --[[User:Yellows8|Yellows8]] 06:24, 9 September 2015 (CEST)
== The [[Games]] page ==
Could you explain its purpose. Also, I think it needs to be remade, because it seems to be based around the idea that there should only be one row per game, but it doesn't take into account the existence of revisions and region-free games. --[[User:Hiccup|Hiccup]] ([[User talk:Hiccup|talk]]) 21:57, 4 January 2016 (CET)
:Not sure why a homebrew wiki really needs an official-games-list tbh, there's more complete list(s) elsewhere anyway. --[[User:Yellows8|Yellows8]] ([[User talk:Yellows8|talk]]) 23:07, 4 January 2016 (CET)
::Do you think [[Title_list/eShop_Titles]] is needed? If you do, I will continue to add titles to it. --[[User:Hiccup|Hiccup]] ([[User talk:Hiccup|talk]]) 14:59, 6 January 2016 (CET)
:::Likewise for that page, there's much more complete list(s) elsewhere. --[[User:Yellows8|Yellows8]] ([[User talk:Yellows8|talk]]) 15:44, 6 January 2016 (CET)
::::Could you link me to these lists? The only thing I can think of is No-intro, but that probably doesn't cover some system titles and it doesn't list the "v" versions. --[[User:Hiccup|Hiccup]] ([[User talk:Hiccup|talk]]) 15:49, 6 January 2016 (CET)
== Nintendo Channel demos ==
Is it still possible to use [https://code.google.com/archive/p/wmb-asm/wikis/NintendoChannel.wiki these tools] to download Nintendo Channel demos? Or are the servers offline? Did you (or anyone else) ever download any ROMs? It'd be a shame if they were lost. --[[User:Hiccup|Hiccup]] ([[User talk:Hiccup|talk]]) 15:02, 17 February 2017 (CET)
:Don't think so, likewise @ downloading ''all'' of those demos. --[[User:Yellows8|Yellows8]] ([[User talk:Yellows8|talk]]) 16:11, 17 February 2017 (CET)
::Do you still have any download(s) you made to test it? --[[User:Hiccup|Hiccup]] ([[User talk:Hiccup|talk]]) 14:46, 18 February 2017 (CET)
:Many of these were archived and are included in the No-Intro "Nintendo - Nintendo DS (Download Play)" DAT. [[User:Vague Rant|Vague Rant]] ([[User talk:Vague Rant|talk]]) 15:04, 18 February 2017 (CET)