33c3 Nintendo Hacking 2016 is over & here is what you need to know.

Yep, the 33c3 talk is over. It came, punched Ninty in the face for 1 hour and went like it came. It was brilliant. This year's 33c3 talk was presented by Derrek, Naehrwert and Nedwill, and did I mention it was great?

This year's talk started with everyone's favorite, the WiiU. After walking us through how they achieved code execution with ioctlvhax for kernel execution and mqhax for IOSU execution, they began elaborating on boot0 and boot1, which are still left to be hacked. For information: Boot0 loads Boot1, and both Boot0 and Boot1 are then locked out at early boot. Since they didn’t find any bugs in boot1 or boot0 they said “Hey, if there are no bugs, let’s create some”, so they turned to fault injection, which helped them reach their goal of dumping the Boot1 key. This was done by glitching the Boot1 size check at early boot, which then allowed them to dump the key.

So now you may be thinking “Hey, I don’t care about the WiiU, it has no games anyway”. You won’t be disappointed, as shortly after this announcement the 3DS talk began with nedwill. We were introduced to Soundhax, which gives us Arm11 usermode access on the latest firmware, but since that isn’t enough he also introduced Fasthax, which gives us Arm11 kernel access on the latest FW ^^. The real bombshell dropped, though, when nedwill gave the word back to derrek, who then began talking about the 3DS bootroms. Some facts about the 3DS bootroms:
– Two bootroms. One for Arm9 and one for Arm11.
– Consists of a 32kb unprotected Bootrom and a Protected Bootrom locked at early Boot.
– Unprotected Bootrom has Hardcoded ARM Exception Vectors

The fact that the Unprotected Bootrom has hardcoded Exception Vectors, and the cute fact that RAM doesn’t get cleared on an MCU-triggered reboot, allowed them to set up custom Exception Vectors, which were then jumped to by the Bootrom Vectors and allowed them to DUMP THE 3DS ARM9 BOOTROM 😀
Yes, Ladies and Gentlemen, the 3DS Bootrom is finally compromised. We have all the keys and can sign our own firmwares.

And now to quote derrek: “For the sake of completeness let’s also dump the Arm11 Bootrom even though it probably won’t be of much use”

So what now? Well…. Nothing for the 3DS. We are at the end. It is fully blown open and to make it even funnier derrek mentioned that they already cracked the Bootrom in Summer 2015 xD
There’s just one thing left, which would be the forgotten console called WiiU, which still needs the Boot0 Key. But we can already happily buy the Nintendo Switch and await the Greatness that derrek, naehrwert, smealum and nedwill will bring to the Switch 😀

Source: 33c3 Talk

About Darthsternie

Interested in everything Technical. Loves self-repairing Tech. Collector of Firmwares. Enthusiast Gamer and Anime Fan ^^


  1. Sweet. I wonder if Gateway is going to sign their own firmware. I have a Gateway card and wouldn’t want it to go to waste, but I hear good things about Luma.

  2. Good. Glad to see this is just beginning.
