Hacking 3DS Hacking Ideas: Post Your Ideas Here!

lambstone

> And I forgot about eShop.. is it not possible to packet inject it? Or edit packets which are sent to the 3DS? I am aware that it probably has something like SSL protection, but come on, how is it not possible to manipulate messages if we are the courier who delivered the letters from the beginning...
>
> I mean, let's say all your communication to your friend goes through me. If you send encrypted letters, your friend will not be able to read them, unless you send him the keys, and those keys must go through me...

Yes. I get what you mean.

However from what I understand, when you inject/add/sideload/install other stuff onto your 3DS, there will be a file signature verification to ensure that the file is legit. Now to generate a legit file signature is impossible because of the heavy encryption etc etc. Long story short, you'll need a couple of quantum computers to break the encryption to be able to generate a legit signature.

So what the current solution is to disable the file signature verification which allows you to inject/add/sideload/install anything you want. It works because the system no longer checks for a legit signature.

"Wait. You're telling me there is a current solution?"

Yes! Of course! However it will never see the daylights because of somewhat misaligned piracy fears.

"What should I do then?"

You should wait for SSSpwn because that'll allow you to sideload a specific library of apps and games.
 

migles

> Yes. I get what you mean.
>
> However from what I understand, when you inject/add/sideload/install other stuff onto your 3DS, there will be a file signature verification to ensure that the file is legit. Now to generate a legit file signature is impossible because of the heavy encryption etc etc. Long story short, you'll need a couple of quantum computers to break the encryption to be able to generate a legit signature.
>
> So what the current solution is to disable the file signature verification which allows you to inject/add/sideload/install anything you want. It works because the system no longer checks for a legit signature.
>
> "Wait. You're telling me there is a current solution?"
>
> Yes! Of course! However it will never see the daylights because of somewhat misaligned piracy fears.
>
> "What should I do then?"
>
> You should wait for SSSpwn because that'll allow you to sideload a specific library of apps and games.


That makes sense, and of course the 3DS could get out of the Nintendo factory with some kind of connection key...

And since no one so far was able to use DS Download Play (on NDS) to send software to the console without a flashcart (except the first ones)... it is harder...
 

Arsen Tufankjian

> I mean, let's say all your communication to your friend goes through me. If you send encrypted letters, your friend will not be able to read them, unless you send him the keys, and those keys must go through me...

SSL certificates yo

If the packets are SSL encrypted, you're not reading that. I used to shark packets off my school network a while ago. Anything that was SSL encrypted (everything https) was useless to me. SSL encrypts for each session and I highly doubt you'd be able to encrypt and send the proper packets to the 3DS.
 

migles

> SSL certificates yo
>
> If the packets are SSL encrypted, you're not reading that. I used to shark packets off my school network a while ago. Anything that was SSL encrypted (everything https) was useless to me. SSL encrypts for each session and I highly doubt you'd be able to encrypt and send the proper packets to the 3DS.

Can you explain basically how it works? I mean, if SSL encrypts in every session, how will the destination read that? Wouldn't you be able to capture SSL handshakes?
 

Reisyukaku

> SSL certificates yo
>
> If the packets are SSL encrypted, you're not reading that. I used to shark packets off my school network a while ago. Anything that was SSL encrypted (everything https) was useless to me. SSL encrypts for each session and I highly doubt you'd be able to encrypt and send the proper packets to the 3DS.
Was it protected against MitM attacks?
 

Reisyukaku

> Even if we could inject something in, how are we going to run unsigned stuff?

I'm just saying, decrypting SSL or even TLS isn't impossible.. in fact, there's currently a TLS vulnerability that allows MitM.. Although no one can say for sure if the 3DS uses the same implementation. Packet injection type stuff would only be good for Wonder Trade hax anyways.
 

Arsen Tufankjian

> Was it protected against MitM attacks?

Yep, that's exactly what I was doing a few years ago. Cain & Abel was what I used; Wireshark can do the same thing. You can use the network card of a computer to intercept wireless transmissions while it's in between the client and the server. Everything is encrypted by the time it flies off the target's network card, so it's impossible to do anything. I was aiming for unencrypted transmissions (passwords sent to the insecure mail server).
 

Celice

How do any flashcarts/exploits handle a DS virtual console game?


http://tinycartridge.com/post/65520237149/advance-wars-days-of-ruin-weirdness-one-of
A while back, a small interesting thing occurred where the last DS Advance Wars game was finally released in Japan, but as a 3DS downloadable title for Club Nintendo members.
It just struck me that I'm not sure how this title actually works on the 3DS side of things. I'm guessing it would just launch into DS mode... but is there the infrastructure to have a full game launch from 3DS mode but run sustained in DS mode?
Anyone have any ideas or have tried this game yet, if a dump exists?

I posted this in this forum a couple days ago but forgot about this thread. I'm wondering if there's any strange handling of DS/3DS mode stuff that could be useful for payloads, just as some are speculating on DS download play also being used as a payload.
 

Funklord

Read this whole thread, but I couldn't find much mention of running a modified bootloader.
Where exactly is the console-unique key located?
It doesn't seem to be a feature of either the ARM9 or the ARM11 die.

If it's some sort of SoC boot ROM addition, is it likely to be real ROM (expensive) or an NVRAM type?
Any links to the vendor who provides the solution?
 

saphris

I'm wondering if there's some way to trick the 3DS into thinking that you actually bought the digital game off of the eShop that is put on the SD card. Maybe like some sort of app that syncs and signs it for you. Or a program that could be added to the DS, that gives you your key, or reads the key and then automatically adds it to anything you load up that would normally require the eShop or Nintendo servers to do it..

Or maybe something that tricks the 3DS into thinking you're actually contacting the eShop servers, but instead some sort of homebrew/hacking community's server which holds the raw data of the games on it, and then having some program on the 3DS or on the server that would sign it to your 3DS when you were downloading it.

Maybe using the browser on the dashboard (via 3DS) could be the start of something in it for those who don't purchase or have flashcarts, or those who don't want to use the flashcarts due to the wear and tear they do on the console.
Such as a program that loads in the browser, that then finds some sort of glitch or loophole or opening in the security of the system, or maybe doing that while deleting the whole OS on the 3DS and rebooting it with like a tethered or untethered way of a hack exploit. ???
(Of course, in any event, backing up everything prior to deleting the OS would be the best thing. And maybe causing a beginning program that always runs prior to actually starting the 3DS software up, and allow it to have a feature to restore from a saved backup??? .. Or with a tethered exploit type of hack, it wouldn't be a concrete thing. As soon as the 3DS died, or got turned off (maybe even in sleep mode), it would revert to the original state, until the person turned it on using the tethered version, and let it run its course.. Or maybe have a "demo" game that launches from the SD card, but it's only masked as a demo, and the IDs and everything that makes the 3DS think that it's the real demo, and then within the "demo" you can use a hack and it works like a tethered version, just minus the computer plugging in every time, and would only require the person to reload the demo each time the system gets turned on to use the hacked version of 3DS.?)
 

BobDoleOwndU

> I'm wondering if there's some way to trick the 3DS into thinking that you actually bought the digital game off of the eShop that is put on the SD card. Maybe like some sort of app that syncs and signs it for you. Or a program that could be added to the DS, that gives you your key, or reads the key and then automatically adds it to anything you load up that would normally require the eShop or Nintendo servers to do it..
>
> Or maybe something that tricks the 3DS into thinking you're actually contacting the eShop servers, but instead some sort of homebrew/hacking community's server which holds the raw data of the games on it, and then having some program on the 3DS or on the server that would sign it to your 3DS when you were downloading it.
>
> Maybe using the browser on the dashboard (via 3DS) could be the start of something in it for those who don't purchase or have flashcarts, or those who don't want to use the flashcarts due to the wear and tear they do on the console.
> Such as a program that loads in the browser, that then finds some sort of glitch or loophole or opening in the security of the system, or maybe doing that while deleting the whole OS on the 3DS and rebooting it with like a tethered or untethered way of a hack exploit. ???
> (Of course, in any event, backing up everything prior to deleting the OS would be the best thing. And maybe causing a beginning program that always runs prior to actually starting the 3DS software up, and allow it to have a feature to restore from a saved backup??? .. Or with a tethered exploit type of hack, it wouldn't be a concrete thing. As soon as the 3DS died, or got turned off (maybe even in sleep mode), it would revert to the original state, until the person turned it on using the tethered version, and let it run its course.. Or maybe have a "demo" game that launches from the SD card, but it's only masked as a demo, and the IDs and everything that makes the 3DS think that it's the real demo, and then within the "demo" you can use a hack and it works like a tethered version, just minus the computer plugging in every time, and would only require the person to reload the demo each time the system gets turned on to use the hacked version of 3DS.?)

The app would need to be signed with the private key in order to work on the 3DS, and if we already knew the private key to sign the app, it would make the app useless. Nobody knows how to decrypt the private key in any reasonable amount of time, so the only way to actually hack the 3DS is to find some sort of exploit, that tricks it into running a custom app without checking if it's signed.
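The signature check that this reply and lambstone's earlier post describe, as an added toy model that is not code from the thread or from the console: textbook RSA over two small constructed primes, a `verify` that needs only the public half, and a `load_title` whose `check_signature=False` path models the patched, check-disabled state the thread refers to.

```python
# Added example, not code from the thread or the console: a toy signed-image loader
# showing why a modified image fails and what "disabling the check" really means.
import hashlib

# Constructed toy RSA key (assumption): two known small primes, nowhere near real
# key sizes. Only D is secret; the verifying side needs just (N, E).
_P, _Q = 1_000_000_007, 998_244_353
N = _P * _Q
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))      # private exponent: publisher only
PUBLIC_KEY = (N, E)


def sign(image: bytes) -> int:
    """Publisher side: sign the SHA-256 of the image with the private exponent."""
    digest = int.from_bytes(hashlib.sha256(image).digest(), "big") % N
    return pow(digest, D, N)


def verify(image: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Console side: needs only the public key; True iff the image is untouched
    and the signature was made with the matching private exponent."""
    n, e = public_key
    digest = int.from_bytes(hashlib.sha256(image).digest(), "big") % n
    return pow(signature, e, n) == digest


def load_title(image: bytes, signature: int, check_signature: bool = True) -> str:
    """Returns "run" or "rejected". check_signature=False models the patched
    system the thread describes: the signature is never looked at."""
    if check_signature and not verify(image, signature):
        return "rejected"
    return "run"
```

A flipped byte in the image, or a signature made under any other key, is rejected by `verify`; only the path that skips `verify` accepts arbitrary input.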
 

cloud1250000

You can retrieve the private key with Heartbleed, that means we can sign data and then send it to the 3DS. And you can repeat it as many times as you want (so no 64kb limit).
 
