4dsdev
Views: 613,192 Main | Rules/FAQ | Memberlist | Active users | Last posts | Calendar | Stats | Online users | Search 11-17-17 12:38 PM
Guest:

Main - Posts by Normmatt


Normmatt
Posted on 05-08-16 09:58 PM, in no$gba v2.8c update - with more DSi emulation and DSi specs (rev. 2 of 05-08-16 10:03 PM) Link | #1004
You put "http://4dsbrew.org" instead of "http://4dsdev.org/" in the change log.

I'm also still getting some debug prompts like "aes key ZERO" and trying to load anything from the menu results in an error has occured power off the system prompt
[image]

Normmatt
Posted on 05-08-16 11:16 PM, in no$gba v2.8c update - with more DSi emulation and DSi specs Link | #1007
It shows up during the health/safety screen.

I will verify that my BIOS dumps include all the keys... I must have missed one...

Normmatt
Posted on 05-09-16 01:47 AM, in no$gba v2.8c update - with more DSi emulation and DSi specs (rev. 3 of 05-09-16 02:57 AM) Link | #1009
I missed the
ROM:00008308h / 3DS:01FFD200h 80h some AES keys

however it still shows that error same as before on any software i try to load from the menu.
Posted by Opposing Force
Post some hashes too please! Like to see if we're on the same page here.
BIOSDSI7.ROM - 2e17b63fc7ad43763f11226c96240ef1
BIOSDSI9.ROM - 3fbb3f39bd9a96e5d743f138bd4b9907
(md5)

I'm simply getting a black bootrom error screen:

[image]


Make sure you do both both lists
First list search for the bytes in 3ds itcm and copy them across.
ROM:FFFF87F4h / TCM:1FFC400h (400h) (C3 02 93 DE ..) Whatever, 8x80h RSA?
ROM:FFFF9920h / TCM:1FFC800h (80h) (30 33 26 D5 ..) Whatever
ROM:FFFF99A0h / TCM:1FFC894h (1048h) (99 D5 20 5F ..) Blowfish/NDS-mode
ROM:FFFFA9E8h / TCM:1FFD8DCh (1048h) (D8 18 FA BF ..) Blowfish/unused?
ROM:00008188h / RAM:3FFC400h (200h) (CA 13 31 79 ..) Whatever, 32x10h AES?
ROM:0000B5D8h / RAM:3FFC600h (40h) (AF 1B F5 16 ..) Whatever, "common key"?
ROM:0000C6D0h / RAM:3FFC654h (1048h) (59 AA 56 8E ..) Blowfish/DSi-mode
ROM:0000D718h / RAM:3FFD69Ch (1048h) (54 86 13 3B ..) Blowfish/unused?

On a 3DS, the following "DSi ROM data" can be dumped from the 2470h-byte DSi key area in 3DS memory at ARM9 ITCM 01FFD000h..01FFF46F (via 3DS exploits that are capable of executing code on ARM9 side):
ROM:FFFF87F4h / 3DS:01FFD000h 200h RSA key 0..3
ROM:00008308h / 3DS:01FFD200h 80h some AES keys
ROM:FFFF9920h / 3DS:01FFD280h 80h whatever
ROM:0000B5D8h / 3DS:01FFD300h 40h AES keys and values (common etc)
ROM:? / 3DS:01FFD340h A0h misc "Nintendo" string etc.
ROM:0000C6D0h / 3DS:01FFD3E0h 1048h Blowfish for DSi-mode
ROM:FFFF99A0h / 3DS:01FFE428h 1048h Blowfish for DS-mode

my bios md5's are

BIOSDSI7.ROM - 559DAE4EA78EB9D67702C56C1D791E81
BIOSDSI9.ROM - 87B665FCE118F76251271C3732532777

EDIT:
Look like if I don't use my WIFI-DSI.BIN it works properly :)

EDIT2:
no$gba doesn't appear to like the sdmmc code used in sudokuhax I get
"notyet supported sd/mmc command 00000000"
"notyet supported sd/mmc command 00000008"
"notyet supported sd/mmc command 00000037" <-|
"notyet supported sd/mmc command 00000029" --| loops these last two over and over

Normmatt
Posted on 05-09-16 07:16 PM, in no$gba v2.8c update - with more DSi emulation and DSi specs Link | #1014
You can also probably dump them using an IS-TWL-DEBUGGER as that seems like a full jtag debugger.

Normmatt
Posted on 05-15-16 11:48 PM, in no$gba v2.8c update - with more DSi emulation and DSi specs Link | #1029
Posted by gudenau
I *might* be able to make a stack that makes a directory act like a FAT partition.

DeSmuME already does that... so he could look at how that works and re-implement it.

Normmatt
Posted on 09-06-16 05:42 AM, in Get BOOTROM/Key Scrambler? Link | #1080
or your executing the exploit too late and that area is already locked down...

could check if the keys have been copied into ram... oh wait no you can't because it can't write to ram...

maybe you need to just block writes to the vector addresses and not all of ram.


Main - Posts by Normmatt

Page rendered in 0.030 seconds. (2048KB of memory used)
MySQL - queries: 22, rows: 71/71, time: 0.021 seconds.
[powered by Acmlm] Acmlmboard 2.064 (2015-10-07)
© 2005-2008 Acmlm, Xkeeper, blackhole89 et al.