Hacking Neimod making progress, nothing released

CollosalPokemon

ばん。。。かい
So, if this does go anywhere, should I get Lego Star Wars 3 soon in case they patch it?

This doesn't mean Lego Star Wars 3 is exploitable, and even if it is, it'd be purely by chance. Just about any cartridge save game can be modified (except the few saves which use the newer encryption method, because we can't decrypt them yet).
neimod just happened to show an example modification in Lego Star Wars 3.
 

flamepanther

Well-Known Member
So, if this does go anywhere, should I get Lego Star Wars 3 soon in case they patch it?
Why wouldn't anyone tell you not to buy a game? Of course you should get Lego Wars. Why sit on a device you own just because eventually you might be able to use it for free, which is nowhere in sight? So if Lego Wars is something you want to play, I say buy it.
I think he's not especially interested in the game itself, and wants to know whether he should buy it now, just in case it can be used for an exploit and later versions can't. If he wants the game itself and not just for a possible future exploit, then by all means he should get it now. Otherwise, like everyone else has said, he should wait and see.
 

McHaggis

Fackin' Troller
I don't know if the 3DS will be exploitable via game saves at all. Neimod said that stuff about loading executable code via a software hack being impossible, not sure if he would consider a game save modification to be a software or hardware exploit.

But even so, Nintendo probably won't update the save file signing for at least a few more updates since, if they rush it, it's more likely to not be as safe for them as they may like. And even if they do update it, I doubt they would use it on older games (like the newer save encryption method didn't get implemented into older games).
Yeah, that would break game compatibility on systems with older firmware because the update containing the newer signature/method would not be included on the game card. If they do it, they'll just quietly introduce it in a newer version of the SDK.

Well, it's just a firmware update.
It happened before with Super Mario 3D Land in update 2.1.0-3.
If you try to boot the game it says not without update 2.1.0-3 and will ask if you wish to install it.
They will most likely do this again when the new XOR key is released.
But Lego Star Wars III was an older game that came out at launch, I thought?
The only difference is that those games already carry the update data on the game card. This can't be retroactively written to older games, so I don't think they'll change the signature or signing method for those older games.

As for finding the new XOR key, there is no "the new XOR key". Every game card has a unique XOR key; your game card will have a different key to mine even if we have the same game. So it's not something that can be released for everyone to use. It's also unlikely that the same exploit could be used to get the new key, because the old vulnerability relied on chunks of data the same size as the XOR key being 0x00 filled. Since the XOR key is bigger for those newer games, there'd have to be multiple chunks the same size as the new key in order to reliably exploit the vulnerability.
 

elisherer

I ♥ 3DS
... Every game card has a unique XOR key, your game card will have a different key to mine even if we have the same game...
Not true. You can exchange game saves of new carts as well as old carts even with the new encryption, suggesting that the encryption is unique per region-locked game. This is also backed up by 3dbrew.org's latest updates.
 

McHaggis

Fackin' Troller
Not true. You can exchange game saves of new carts as well as old carts even with the new encryption, suggesting that the encryption is unique per region-locked game. This is also backed up by 3dbrew.org's latest updates.
I see... that's how I thought it worked in the past, but I was corrected and told that it is unique per cartridge. I guess that changes things slightly, then (although still probably no possible exploit). So does the game header/information specify the key, or is it stored in the game's code?
 

elisherer

I ♥ 3DS
I see... that's how I thought it worked in the past, but I was corrected and told that it is unique per cartridge. I guess that changes things slightly, then (although still probably no possible exploit). So does the game header/information specify the key, or is it stored in the game's code?
Every game of every region has a unique KeyY which can be generated using some flags on the cart's header. The savefile itself is encrypted using AES-CTR where the key is that KeyY and the IV (=CTR) is all zeros (unless the game is a DLC like NSMB2 and then I guess the CTR will be the one used on the SD)
 

McHaggis

Fackin' Troller
Every game of every region has a unique KeyY which can be generated using some flags on the cart's header. The savefile itself is encrypted using AES-CTR where the key is that KeyY and the IV (=CTR) is all zeros (unless the game is a DLC like NSMB2 and then I guess the CTR will be the one used on the SD)
Well, consider me educated. So we just need neimod to share how he decrypted the header and then hacking saves for newer games should be possible.
 

elisherer

I ♥ 3DS
Not quite, neimod has ROM access, so he can get the already generated key and not go through the other stages,
but after you decrypt the save file you need to sign it again after you make the changes (see the hashes section on the savegames wiki page).

We have already decrypted all the games prior to 2.2.0 firmware, so it wasn't the thing that held us back. It was the common and unit keys that are needed.
Thanks to neimod we now know what we need.

But! An exploit would be better; using keys and decrypting is somewhat piratey, an exploit is perfectly legal.
 

3DSGuy

No longer in scene
Every game of every region has a unique KeyY which can be generated using some flags on the cart's header. The savefile itself is encrypted using AES-CTR where the key is that KeyY and the IV (=CTR) is all zeros (unless the game is a DLC like NSMB2 and then I guess the CTR will be the one used on the SD)
What if I told you, DLC doesn't use save data (Well at least NSMB2 DLC doesn't use save data)
 

3DSGuy

No longer in scene
Well, consider me educated. So we just need neimod to share how he decrypted the header and then hacking saves for newer games should be possible.
Well with game ROMs dumped, the NCSD header (or as you say 'cart header') isn't encrypted in ROM form. The *real* trick here is generating a new MAC for the edited save. I wouldn't expect a method to be revealed until a save hack is found, and even then I have my doubts the MAC generation method would become public.
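As an added illustration of the point made in this post (example code written for this page, not anything from neimod, 3dbrew or Nintendo): a toy model of the save scheme the thread describes, AES-CTR with an all-zero counter under a per-game KeyY, plus a tag over the ciphertext. HMAC-SHA256, both key values and the 16-byte body with a credits counter are assumptions standing in for the console's real signing scheme and layout. It shows why holding KeyY alone is not enough: an edit re-encrypted under KeyY but carrying the old tag is rejected at load time, while a save built with both keys loads.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Constructed placeholder keys; the real per-game KeyY and signing key are not on the page.
var keyY, macKey = []byte("hypothetical-KeyY")[:16], []byte("hypothetical-MAC-key")

// ctrCrypt runs AES-CTR with an all-zero counter block (IV) as the thread describes; the same call encrypts and decrypts.
func ctrCrypt(data []byte) []byte {
	block, _ := aes.NewCipher(keyY) // keyY is 16 bytes, so NewCipher cannot fail
	out := make([]byte, len(data))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, data)
	return out
}
// tag stands in for the console's signing step; HMAC-SHA256 is an assumption, not the real scheme.
func tag(ct []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(ct)
	return h.Sum(nil)
}
// MakeSave is the console side: encrypt a 16-byte body holding a credits counter, then sign it.
func MakeSave(credits uint32) []byte {
	body := make([]byte, 16)
	binary.LittleEndian.PutUint32(body, credits)
	ct := ctrCrypt(body)
	return append(ct, tag(ct)...)
}
// ReadSave is the console's load path: the tag is checked before any decrypted byte is trusted.
func ReadSave(save []byte) (uint32, error) {
	if len(save) != 16+sha256.Size || !hmac.Equal(save[16:], tag(save[:16])) {
		return 0, errors.New("bad size or MAC mismatch: save rejected")
	}
	return binary.LittleEndian.Uint32(ctrCrypt(save[:16])), nil
}
// EditWithKeyYOnly models an edit by someone who holds KeyY but not the signing key:
// decrypt, change the counter, re-encrypt, and leave the old tag in place.
func EditWithKeyYOnly(save []byte, credits uint32) []byte {
	body := ctrCrypt(save[:16])
	binary.LittleEndian.PutUint32(body, credits)
	return append(ctrCrypt(body), save[16:]...)
}
```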
 

elisherer

I ♥ 3DS
Well with game ROMs dumped, the NCSD header (or as you say 'cart header') isn't encrypted in ROM form. The *real* trick here is generating a new MAC for the edited save. I wouldn't expect a method to be revealed until a save hack is found, and even then I have my doubts the MAC generation method would become public.
I agree. The method of getting the exploit shouldn't be public. I don't think you could ever alter save games unless a method of getting the keys from the unit would be available.
 

justinkb

Well-Known Member
I think the first few posts on the first page are correct assessments of what has been achieved here.

Modified some values in RAM on his hacked device, saved the game, transferred the saved game to an unmodified device, took a picture.

All speculation in the other pages is quite likely just false.
 

3DSGuy

No longer in scene
I think the first few posts on the first page are correct assessments of what has been achieved here.

Modified some values in RAM on his hacked device, saved the game, transferred the saved game to an unmodified device, took a picture.

All speculation in the other pages is quite likely just false.
What if I told you, you're wrong and they can resign saves?
 

Vampire Lied

Resident sociopath
I would love to be able to hack saves. Kid Icarus weapon modifications would be great, let alone stuff for other games.
Can't wait for an Icarusgen program. :)
Seriously though, from what you're saying, sounds like things are a lot farther along than we think.
Probably still a long way away from anything usable by the common person though.
Can't help from rambling, reading about this stuff is so exciting.
 

Anacobra

Well-Known Member
There is probably much more progress being made than what appears. It's just that most of it isn't worth telling people about until you hit a certain achievement. A stepping stone. Most of what they do just isn't really, I suppose, 'decipherable', or worth the effort to decipher for the layman.

This is a hobby -- and sometimes more for these people. Telling someone 'Sum your hobby up in one word' just isn't going to cut it because, while those with the hobby are interested, other people would get bored and stop reading after the first two minutes or just not comprehend/understand... So, wasted effort.
 

synce

だいこんちゃんのだいふぁん
I'm pretty sure it's already hacked if you're part of the right crowd, but nothing will be publicly released until someone goes rogue and sells the info to the Chinese. That's what happened with the seemingly non-existent PS3 scene. Everyone was stuck on 3.55 firmware (DS games in this case) while a select few with the latest keys and such were enjoying the new games and releasing fixes at their leisure (3DS rips)
 

RodrigoDavy

Well-Known Member
People are still discussing the Neimod new picture thread? :glare: The fact that there is a fundraiser for the 3DS decapping on 3dbrew must mean there isn't any hack coming for now. Consider helping with the fundraiser if you want the 3DS to be hacked so badly ;)
 

Technicmaster0

Well-Known Member
People are still discussing the Neimod new picture thread? :glare: The fact that there is a fundraiser for the 3DS decapping on 3dbrew must mean there isn't any hack coming for now. Consider helping with the fundraiser if you want the 3DS to be hacked so badly ;)
But atm it's not possible to donate...
 
