Hacking Nintendo 3DS Hack Compilation

  • Thread starter: Deleted User
  • Views: 686,814
  • Replies: 1,247
  • Likes: 38

Poll: What do you think about this "hack"? (556 total voters)
Where there is a problem there is always a solution.... I think the firm check can be bypassed so no worries...


Edit: BUT this^ applies only if the 3DS scene doesn't become a monetizing technique for the Chinese companies.... (look at those ugly stupid PS3 dongles -.-)
 
The SSL protocol is probably just one of the security layers when communicating with the eShop. The system info sent to Nintendo should contain key information they need in order to uniquely sign software for your 3DS. They don't want us to have access to that information, so I don't think it's something we can middle man.
I said it cannot capture SSL/v3. In fact my network skills are very low. I was just planning to capture something transferred.
If we cheat one connection from head to end and replay the packets.. use sockets, not HTTP/FTP, so that no headers are sent.
I know why they encrypted it with SSL/v3, but they can never know whether that is a 3DS or not if we replay.
That is a proxy man-in-the-middle. Oh yes, I may have left some knowledge behind.
But are there any hints for you guys?
 
true enough, the trouble with this update is: if you want to use the shop, you have to update, there is no way around it. I know 'cause mine is updating right now, oh well, no use complaining about it.
But it's how it's been since the DSi. Want eshop stuff, gotta' update.

Well what if the cert could be captured?
The cert is never sent out of their property.
 
But it's how it's been since the DSi. Want eshop stuff, gotta' update.
The cert is never sent out of their property.
Well good. The 3DS connects to us and then we connect to the target using two fake certs, playing as server and 3DS.
But then what are those '.response' files with size more than 1KB?
There is an 'OpenSSL Generated Certificate' string or other things in them, so I do wonder what they are.

In fact what are the correct certs of a 3DS?
Oh, I understand the packets I collected are only the encrypted data and 'cert'. They are legit if not modified.
 
I said it cannot capture SSL/v3. In fact my network skills are very low. I was just planning to capture something transferred.
If we cheat one connection from head to end and replay the packets.. use sockets, not HTTP/FTP, so that no headers are sent.
I know why they encrypted it with SSL/v3, but they can never know whether that is a 3DS or not if we replay.
That is a proxy man-in-the-middle. Oh yes, I may have left some knowledge behind.
But are there any hints for you guys?
It should be possible, I'm just saying we'll probably not get anything from reading the information sent/received, I don't think the info containing firmware version sent to Nintendo can be opened let alone edited by us.
 
I guess you're right, I just think Nintendo is using the eShop to shove updates down our throats. I love the games for the 3DS, do not get me wrong, but having to update just to play games? Sony is already doing that enough with the PS3; don't be a Sony clone, Nintendo.
 
It should be possible, I'm just saying we'll probably not get anything from reading the information sent/received, I don't think the info containing firmware version sent to Nintendo can be opened let alone edited by us.
Well, but when and how is the firmware version sent to the eShop? Using UDP? Or SSL/v3?
I doubt it is the second because it resets the connection to stop me capturing.
>>Well if I can decrypt such things I can know if that is sent during the SSL/v3 connection.

Quoted one file====
(The file is binary DER data; the paste kept only its printable strings, which are the text fields of an X.509 certificate chain. Attribute labels below follow the usual DN order, since the DER type bytes did not survive.)
Certificate 1 (server certificate)
  Issuer:     C=US, ST=Washington, O=Nintendo of America Inc., OU=IS, CN=Nintendo CA - G3
  Validity:   100726225145Z to 380110225145Z (2010-07-26 to 2038-01-10)
  Subject:    C=JP, ST=Kyoto, L=Kyoto, O=Nintendo Co.,Ltd., OU=NBD, CN=*.c.app.nintendowifi.net
  Extensions: Netscape comment "OpenSSL Generated Certificate", subject and authority key identifiers, CRL URL http://crl.nintendo.com/nintendo-ca-g3.crl
Certificate 2 (the issuing CA, self-signed)
  Issuer:     C=US, ST=Washington, O=Nintendo of America Inc., OU=IS, CN=Nintendo CA - G3
  Validity:   100128171611Z to 491228120000Z (2010-01-28 to 2049-12-28)
  Subject:    same as the issuer
  Extensions: subject and authority key identifiers
After the chain, two more distinguished names appear on their own:
  C=US, ST=Washington, O=Nintendo of America Inc., OU=IS, CN=Nintendo CA - G3
  C=JP, ST=Kyoto, O=Nintendo Co.,Ltd., OU=NBD, CN=NBD_bravo
====
then what is it? The original file name in that log is '[1364274567080]@192.168.1.3@[email protected]@[email protected]'

Nintendo is itself a CA. So if we can make a root CA too, what happens?

But it's how it's been since the DSi. Want eshop stuff, gotta' update.
The cert is never sent out of their property.

ALSO an example of what the 3DS sent.
(Binary DER data again; only the printable certificate fields survived the paste, labelled as in the file above.)
Certificate 1 (the client certificate the 3DS presents)
  Issuer:     C=US, ST=Washington, O=Nintendo of America Inc., OU=IS, CN=Nintendo CA - G3
  Validity:   100513191946Z to 371222191946Z (2010-05-13 to 2037-12-22)
  Subject:    C=US, ST=Washington, L=Redmond, O=Nintendo of America, Inc., OU=IS, CN=CTR Common Prod 1, emailAddress=[email protected] (address as rendered on the page)
  Extensions: Netscape comment "OpenSSL Generated Certificate", subject and authority key identifiers, CRL URL http://crl.nintendo.com/nintendo-ca-g3.crl
Certificate 2 (the same self-signed Nintendo CA - G3 certificate as in the quoted file)
  Issuer:     C=US, ST=Washington, O=Nintendo of America Inc., OU=IS, CN=Nintendo CA - G3
  Validity:   starts 100128171611Z; the end date is split by the note below: 49122812
it seems to be two parts (forgive my not being able to connect those). This is sent too. However I don't know if that is finished naturally.
  ...0000Z, i.e. 491228120000Z (2010-01-28 to 2049-12-28)
  Subject:    same as the issuer
  Extensions: subject and authority key identifiers
after that the 3DS seemed to send some data encrypted (asking for the remote firmware version?) and got one short reply (remote newest?), then sent one (telling the remote its version?) and got a long one (update data URL?), then it is cut (caught me using a non-SSL connection?)
 
That is what I tried when opening the eShop. There are several files that look strange (a cert?), and I'll give you their names.
You can get those files in the zip of logs I uploaded earlier. 'request' means from the 3DS and 'response' means from the eShop.
Started Connection
[1364274567080]@192.168.1.3@[email protected]@[email protected]
[1364274567221]@192.168.1.3@[email protected]@[email protected]
[1364274567396]@192.168.1.3@[email protected]@[email protected]

CDN
[1364274569681]@192.168.1.3@[email protected]@[email protected]

eSHOP
[1364274616573]@192.168.1.3@[email protected]@[email protected]
[1364274616700]@192.168.1.3@[email protected]@[email protected]
[1364274616927]@192.168.1.3@[email protected]@[email protected]

[1364274618629]@192.168.1.3@[email protected]@[email protected]
[1364274618704]@192.168.1.3@[email protected]@[email protected]
[1364274618891]@192.168.1.3@[email protected]@[email protected]
Maybe there are some similar files, I mean some of what the 3DS sent to contact the remote.
You can easily use 'grep -R "OpenSSL Generated Certificate" .' (Linux/POSIX/MinGW) to find them.

Update: some files are exactly the same
[1364274616700]@192.168.1.3@[email protected]@[email protected]
= [1364274618704]@192.168.1.3@[email protected]@[email protected]
While others may need to be connected. I hate the pipe or socket.. It just doesn't hang up, so I cannot know when I should stop a file.
 
In fact what I want is just to decrypt them so I can see.
Now getting Fiddler; it can be used as a debug-enabled proxy on SSL.
Well. But the problem is decrypting them, not capturing them.
I'll refer to someone who is talented in networking to tell me if I can perform that.

I understand why it is not. The file I captured may only contain the key for decryption. That's RSA.
Well it only becomes possible when we have got access to our 3DS private key for encryption.
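The "two fake certs" proxy idea raised earlier in the thread, and the observation just above that nothing works without the console's own private key, can be checked directly. The Go program below is an added example written for this page; it is not code from the thread, from Nintendo or from any 3DS tool, and uses only the standard library. It builds two constructed roots (a genuine one and a "proxy" one), issues server and client certificates from each, and runs TLS handshakes over an in-memory pipe in which the server requires a client certificate chaining to the genuine root (which is what the list of acceptable CA names after the captured chain suggests the eShop asks for) and the client trusts only the genuine root. Every name, the hostname eshop.example.test and the CRL URL are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert generates a P-256 key and a certificate for cn signed by parent; with parent nil
// it is a self-signed root, standing in for the private "Nintendo CA - G3" of the capture.
// Key generation and signing with in-memory keys only fail on a broken system, so it panics.
func newCert(cn string, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames: dns, IsCA: parent == nil, BasicConstraintsValid: true,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		CRLDistributionPoints: []string{"http://crl.example.test/root.crl"}, // constructed, like every name here
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Handshake runs a TLS client and server over an in-memory pipe and returns
// nil only when both sides completed the handshake.
func Handshake(server, client *tls.Config) error {
	sConn, cConn := net.Pipe()
	deadline := time.Now().Add(2 * time.Second) // a pipe write blocks until the peer reads it;
	sConn.SetDeadline(deadline)                 // the deadline turns a stuck side into an error
	cConn.SetDeadline(deadline)
	errc := make(chan error, 2)
	go func() { errc <- tls.Server(sConn, server).Handshake() }()
	go func() { errc <- tls.Client(cConn, client).Handshake() }()
	first := <-errc
	sConn.Close() // on success the other side has no I/O left; on failure this unblocks it
	cConn.Close()
	if second := <-errc; first == nil {
		return second
	}
	return first
}

// Scenarios reproduces the situations debated in the thread: the server demands a client
// certificate chaining to the genuine root and the client trusts only that root.
func Scenarios() map[string]bool {
	leaf := func(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
		return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k}
	}
	genuine, genuineKey := newCert("Example Root CA", nil, nil, nil)
	rogue, rogueKey := newCert("Proxy Root CA", nil, nil, nil)
	pool := x509.NewCertPool() // the only root either side trusts
	pool.AddCert(genuine)
	const host = "eshop.example.test" // constructed hostname
	realSrv := leaf(newCert(host, []string{host}, genuine, genuineKey))
	realCli := leaf(newCert("console-0001", nil, genuine, genuineKey))
	fakeSrv := leaf(newCert(host, []string{host}, rogue, rogueKey))
	fakeCli := leaf(newCert("console-0001", nil, rogue, rogueKey))
	server := func(c tls.Certificate) *tls.Config {
		return &tls.Config{Certificates: []tls.Certificate{c}, ClientCAs: pool,
			ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true}
	}
	client := func(certs ...tls.Certificate) *tls.Config {
		return &tls.Config{Certificates: certs, RootCAs: pool, ServerName: host}
	}
	return map[string]bool{
		"genuine server, genuine client":     Handshake(server(realSrv), client(realCli)) == nil,
		"forged server cert from a rogue CA": Handshake(server(fakeSrv), client(realCli)) == nil,
		"genuine server, client has no key":  Handshake(server(realSrv), client()) == nil,
		"genuine server, forged client cert": Handshake(server(realSrv), client(fakeCli)) == nil,
	}
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-36s handshake completed: %v\n", name, ok)
	}
}
```

Only the genuine pair completes. A forged server certificate is rejected by the client because the proxy's root is not in its trust store, and a client that has no certificate and key, or presents one issued by the proxy's root, is rejected by the server. That is the wall the thread keeps hitting: the certificate bytes captured in the '.response' and '.request' files are the public half, and the handshake proves possession of the matching private key, which never leaves the console or Nintendo's servers.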
 
how did they not expect that to happen? It was obvious; even if no rat told the game to Nintendo, by giving them 3 months they let them fix this. Many people here say that it would be too difficult to know which game it is; yeah, I bet they would find the way, and they did.

what does that mean now? Europe will get the Fire Emblem demo in 2 days, the game in early April; many gamers who have the 3DS here in Europe want to play this game like crazy, count me with them too. But I want my console at its full potential; I bought a 3DS day 1 with the premise of it being hacked to have a 3D video player and many more things like 3D emulators etc. Will this be released now? Will they still "document" the 3DS? Will people still put their hopes and money in the fundraiser? I know they don't owe us anything but they put our hopes up; you don't go say I hacked the 3DS and then leave.
Nintendo hasn't found the game.
<yellows8> [06:46:26] http://3dbrew.org/wiki/5.0.0-11#NATIVE_FIRM_and_other_titles "Multiple NATIVE_FIRM code execution vulnerabilities was fixed." <- code exec hax used by this savegame hax was fixed.
[17:50] <yellows8> all currently known usable NATIVE_FIRM code exec vulns were fixed.
[17:53] <Muzer> the thing is, that exploit is useless without a savegame exploit, right?
[17:53] <Muzer> and the savegame exploit presumably still exists
[17:56] <yellows8> "savegame exploit presumably still exists" not sure if they tried adding any code somewhere for blocking this savehax at all.
That means (as far as I can understand it): the parts in the firmware that allow the exploit to execute other things are fixed, not the exploit itself.

[18:24] <yellows8> yeah there's other potential code exec vulns, didn't get anywhere with those so far though.
He will search for another exploit. I think that I read somewhere that he didn't want to release this exploit but search for another one to release. But I can't find the quote any more.
 
so yellow says that the save game exploit still exists, but even then it's a small 1 percent chance you will have the save data needed to work it. You would have to buy a bunch of games to be able to find that one piece of data. Eh, I am gonna go see if I could snatch a demo off the eShop; I am Sonic Generationed out, and I am stuck in Paper Mario Sticker Star at the moment.
 
To state it clearly, I don't know anything about hacking and stuff, but how can the flashcards for DS work on the 3DS (on the latest update), and is it hard to create a flashcard for 3DS ROMs that can beat this ''Nintendo block'' on the 3DS?
 
With this update I think it's time to release it. If it got patched, then why don't they release it to prevent people from updating their consoles? :p
 
I think it's better to leave the 3DS unhackable for more years, so we can get a good amount of great games.

hacked or unhacked, due to the 3DS being fairly new we will still get great games for it, until a new handheld system comes out and wows the crowd. We should get 3DS titles for a while, well at least until the new year comes closer, maybe a little longer.
 
I think it's better to leave the 3DS unhackable for more years, so we can get a good amount of great games.
Because when the DS and Wii were hacked they stopped getting good games, right?

Because you've been able to play ROMs/ISOs on those systems for years, but they still put out games, so no. That's just fearmongering.
 
The Nintendo DS was released in 2004/2005, then it ''died'' in 2011, and I only discovered DS hacking in 2007, so hacked or not hacked the 3DS will live the same time (in my opinion... =D)
 
Really?
Don't you think that devs are just waiting to see if this console gets hacked or not, so they can release their games for this generation's consoles?
 
Well what if the cert could be captured? (If this is impossible then I should say I captured the wrong one.) I can see it is 'OpenSSL'.
I'm thinking about a man-in-the-middle attack. How many requirements would we have to meet to perform that?

Oh, that is what the proxy logged. It's a pity it fails when trying to handshake (it doesn't support UDP/SSL).
Yes please, could you help me check some files in the log ending with ".response"?
There are '.request' files that the 3DS sends via TCP.
TCP? Ewww.

Well, but when and how is the firmware version sent to the eShop? Using UDP? Or SSL/v3?
I doubt it is the second because it resets the connection to stop me capturing.
>>Well if I can decrypt such things I can know if that is sent during the SSL/v3 connection.

Quoted one file========
then what is it? The original file name in that log is '[1364274567080]@192.168.1.3@[email protected]@[email protected]'

Nintendo is itself a CA. So if we can make a root CA too, what happens?

ALSO an example of what the 3DS sent.

it seems to be two parts (forgive my not being able to connect those). This is sent too. However I don't know if that is finished naturally.

after that the 3DS seemed to send some data encrypted (asking for the remote firmware version?) and got one short reply (remote newest?), then sent one (telling the remote its version?) and got a long one (update data URL?), then it is cut (caught me using a non-SSL connection?)

I'd pay more attention to the IP address, not that it would really do anything. Unless there is a mass takeover of Nintendo servers.
 