9.0.0-20

From 3dbrew
Revision as of 10:51, 7 October 2014 by Plutooo (talk | contribs) (→‎FIRM)
Jump to navigation Jump to search

The 9.0.0-20 system update was released on October 6, 2014.

Change-log

Official change-log:

  • Users can now use themes to customize the design and sounds of the HOME Menu
  • Five themes are pre-installed and additional themes can be purchased from the Theme Shop
  • Themes can be changed by using settings located within the HOME Menu settings
  • A feature has been added that allows users to capture screenshots of their HOME Menu
  • The Nintendo eShop Title Information page has been updated to provide easier access to any available videos, demos, user reviews, and other information
  • Further improvements to overall system stability and other minor adjustments have been made to enhance the user experience

System Titles

3DS

The following system-modules were updated: AM, camera, cfg, codec, gsp, hid, ac, cecd, CSND, dlp, http, ndm, NIM, NWM, SOC, SSL, PS, friends, IR, BOSS, news(notifications), RO, NS, and act.

The following applications were updated: System Settings, Download Play, Nintendo 3DS Camera, eShop, System Transfer, and NNID settings.

The following "applets" were updated: ErrDisp, Home Menu, camera, Instruction Manual, Game Notes, Friend List, Notifications, error, Software Keyboard, appletEd, PNOTE_AP, SNOTE_AP, extrapad, mint, Miiverse, and Miiverse memolib.

An applet with TID-low 00008B02 was added, "solv3". The description from the ExeFS icon is "Post to Miiverse".

The following titles were also updated: 0004009B00012302, EULA CFA, NGWord bad word list CFA, Nintendo Zone hotspot list CFA, NVer, CVer, 0004001B00018002, 0004001B00018102, and 0004001B00018202.

NS_CFA was updated, the following new file was added to the RomFS: "qtm_black_list".

NATIVE_FIRM was also updated.

New3DS

New3DS versions of most sysmodules were added with this upgrade.

This upgrade included 3 new sysmodules:

  • NFC -- talking to NFC hardware (over I2C).
  • MVD
  • QTM -- camera headtracking? (over I2C).

FIRM

For New3DS firmwares (NATIVE_FIRM, TWL_FIRM, ..), the ARM9 binary has an additional layer of crypto. At the end of each ARM9 binary, there's a plaintext loader.

If (u8*)0x10000000 bit 1 is clear (which means that this happens only on hard reboots), it does the following things:

  • Hashes data from the region 0x10012000-0x10012090 using SHA2.
  • Initializes AES keyslot 0x11 keyX, keyY to the lower and higher portion of that hash, respectively.
  • Decrypts arm9_bin_buf+0 using keyslot 0x11, and initialises keyX for keyslot 0x15 with it.
  • Initialises KeyX for keyslots 0x18-0x20 with the output of encrypting a certain binary sequence using keyslot 0x11. These are presumably New3DS-specific keys.

It sets KeyY for keyslot 0x15 to arm9_bin_buf+16, the IV to arm9_bin_buf+32. It then proceeds to decrypt the binary. When done, it decrypts arm9_bit_buf+64 using a fixed key and makes sure it's all zeroes. It it is, it jumps to the decrypted addr. Otherwise it will just loop forever.

OFFSET SIZE DESCRIPTION
0x000 16 Encrypted KeyX
0x010 16 KeyY
0x020 16 IV
0x030 16 ?
0x040 16 Control block

See Also

System update reports:

Retrieved from "https://www.3dbrew.org/w/index.php?title=9.0.0-20&oldid=10080"