Post your ideas regarding how to hack the 3DS here

FAST6191:
I would not be so quick.

3DS: the processor is ARM based and presumably not that different from the GBA and DS before it (one of the many first rules of engineering is do not design anything "new" if you do not have to), so http://nocash.emubase.de/gbatek.htm would be a start, or maybe go right to the source (do a search for ARM datasheet). Still, assuming that nicety is lacking, the following exists:
http://www.youtube.com/watch?v=Q9ezff6LIoI

Better yet, if it is coming from an exploit, all the truly annoying stuff that comes with assembly (memory management is easy enough at first; the real trick is in all the necessary IO routines) has already been taken care of (see how 99% of ROM hacking works) or is at least available for perusal.

But of course this is "trivial" in the grand scheme of things, so some fiddling around to discover the way memory is mapped (again see gbatek for some of the examples, and if you want an example of what happens when it goes wrong see some of the threads on GBA and DS ROM hacking where people missed something dealing with the graphics memory) and some of the IO (which things are mapped to memory and how the extra hardware works, probably using a variation on the YouTube video's methods) will have to be figured out to get far, which is tricky, and turned into a usable library (this is one of the reasons there is often a fairly large gap between "legit" homebrew and "unlawful" homebrew on the likes of the Xbox, with the other being that the console SDK developers do occasionally create a nice library with formats and such, or simply the effective (or simple) use of hardware; see the porting of SDL, if viable to do so, being a fairly key step in the homebrew life of a system).

Unlikely it may be, but end users have found things before that became useful at some level; in my own experience I have been playing with video programs written by developers I consider truly good coders, who were using full specs and all known bastardisations, and I still find video sources that frustrate them. Game/hardware developers are possibly in a worse position than this.
 


Maav:
Well.
Are the games sandboxed or the browser, after all?
The 3DS can run flash/youtube, right?
If it does, maybe exploiting a video would be plausible? (Not straight from youtube, you'd need a proxy to intercept the connection from youtube and load the exploited FLV into the player)
 

alphamule:
Here's a little example of a classic buffer overrun exploit. Once you find a packet that crashes a service running on a specific port, then you try to find out where in memory the service was overwritten. Knowing the location helps you figure out what code to insert. On a system without access to the service's binary, you have to just guess. This is a pain but possible.

TL;DR version
Just use random data until something breaks. Then go and break it some more until it 'works' the way you want. Heh
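As an added example (not code from the thread or from anyone in it), here is the "find where the service was overwritten" step alphamule describes, done the way pattern_create/pattern_offset tools do it: send a cyclic pattern instead of random data, read back the 4 bytes that landed in the return slot, and look them up in the pattern to get the exact offset. The service is a constructed model in C: a 64-byte frame whose first 40 bytes are the input buffer and whose bytes 40..43 stand in for the saved return address. Those sizes, the packet, and the target value are assumptions for the demo, not anything known about the 3DS.

```c
/* Added example: cyclic-pattern offset finding against a modelled stack frame.
 * Every size, the frame layout and the target address are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_SIZE  64   /* assumed: whole modelled stack frame            */
#define BUF_SIZE    40   /* assumed: the service's input buffer             */
#define RET_OFFSET  40   /* assumed: where the saved return address lives   */
#define PATTERN_LEN 128

/* Metasploit-style pattern "Aa0Aa1Aa2...": every 4-byte window is unique
 * within the first 20280 bytes, so any 4 bytes read back locate themselves. */
size_t pattern_create(char *out, size_t len)
{
    size_t n = 0;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                const char triple[3] = { u, l, d };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = triple[i];
            }
    return n;
}

/* Offset of a 4-byte value inside the pattern, or -1 if it is not there. */
long pattern_offset(const char *pat, size_t len, uint32_t value)
{
    for (size_t i = 0; i + 4 <= len; i++) {
        uint32_t window;
        memcpy(&window, pat + i, 4);   /* read with the same endianness the CPU would */
        if (window == value)
            return (long)i;
    }
    return -1;
}

/* Model of the vulnerable handler: copies the packet into the frame without
 * checking it against BUF_SIZE, so bytes past 40 overwrite the return slot.
 * The clamp to FRAME_SIZE only keeps the *model* within its own array. */
void handle_packet(uint8_t *frame, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len > FRAME_SIZE)
        pkt_len = FRAME_SIZE;
    memcpy(frame, pkt, pkt_len);       /* the missing check is pkt_len <= BUF_SIZE */
}

/* Step 1: send the pattern, read back what a crash log would show as the
 * faulting PC, and turn it into the offset of the return slot. */
long find_ret_offset(void)
{
    char pattern[PATTERN_LEN];
    uint8_t frame[FRAME_SIZE] = {0};
    size_t plen = pattern_create(pattern, sizeof pattern);
    uint32_t crashed_pc;

    handle_packet(frame, (const uint8_t *)pattern, plen);
    memcpy(&crashed_pc, frame + RET_OFFSET, 4);
    return pattern_offset(pattern, plen, crashed_pc);
}

/* Step 2: build a packet that pads up to that offset and places a chosen
 * address there; returns what actually landed in the return slot. */
uint32_t deliver(uint32_t target)
{
    long off = find_ret_offset();
    if (off < 0 || (size_t)off + 4 > FRAME_SIZE)
        return 0;
    uint8_t pkt[FRAME_SIZE] = {0};
    uint8_t frame[FRAME_SIZE] = {0};
    uint32_t landed;

    memset(pkt, 'A', (size_t)off);
    memcpy(pkt + off, &target, 4);
    handle_packet(frame, pkt, (size_t)off + 4);
    memcpy(&landed, frame + RET_OFFSET, 4);
    return landed;
}

int main(void)
{
    printf("return slot is at offset %ld\n", find_ret_offset());
    printf("return slot now holds 0x%08x\n", deliver(0x08001234u));
    return 0;
}
```

The point of the pattern over random bytes is that the crash tells you the offset directly, instead of having to bisect by hand; the same lookup works whether the 4 bytes come from a saved return address, a saved frame pointer, or any other register the crash log reports.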
 

loco365:
I think everyone is looking at the wrong kind of exploit. I think what should be done is look for a hardware-based leak, not a software-based one. Then, once a leak in the hardware is found, we can create a payload that can be delivered to make the system do what we want. Then, once that payload is created, we can create a modchip (Like the first Wii exploits) and allow the modchip to be able to hook up through some kind of cord to a computer to update the payload if a new system menu is released.
 

alphamule:
Unless special steps are done to prevent it, 'random' data with the right patterns (not remotely random) on the CPU's power, clock, and I/O lines can cause glitches that can be used to get access to the information hidden in a chip. Imagine that there's a fence around your yard but that it's higher in some places than others, multiple gates, etc. If one exploit is blocked, there's tons more to find. Hardware, software, doesn't matter.
 

Maav:
> That makes no sense, period. The 3DS is not capable of any online video except Netflix.
That's why I ASKED stuff to confirm if what I was saying was right.

And, sure. It's impossible to intercept data from netflix and upload an exploited file. Forgot that detail.
 

BrianJ64:
What we really need here is reverse engineering. That is also what made the PS3 exploitable. A then totally unknown PS3 Cell processor was reverse-engineered, so some Pica200 chip shouldn't be so hard?
 

alphamule:
Not so much impossible as not feasible? With the keys and encryption algorithm, it's kind of trivial to en/decode it. Good luck getting that private key, though!

Yeah, if you control the atoms, no amount of black box protection method is secure. The goal right now in securing chips seems to be making the chips harder to take apart without destroying the very information that reverse engineers are looking for. Originally it was more along the lines of storing firmware in memory that (in theory) can't be read from the device's pins once you blow a protection fuse, or a mask ROM that is never readable outside of the private data bus. Restoring the protection fuse, examining the mask ROM itself (visually after decapping), and abusing timing/cold bugs are just a few ways to defeat that. I remember talking to someone about looking for RF/analog leaks of information under the theory that every time an opcode goes through a CPU, it makes a specific sequence of radiation from specific angles/positions (RF attack). There's also the possibility of incomplete isolation in poorly designed latches that leak very small voltages (analog attack). These issues are supposedly fixed but the people who know for sure aren't talking. :D
 

alphamule:
Granted, if you replace the firmware then it doesn't matter what protection is used. Of course, the firmware that we'd need to change is probably Mask ROM that only checks the signed Flash ROM. Wait, isn't this what the original Gameboy used but with carts instead of Flash ROM? DER!!! (LOL, if an exploit exists for the checker, it's pretty much unfixable without new CPU dies and not always even then)

Well, I'll wait a while and see what happens. I imagine we'll see a heated race between modders and system manufacturers in the next few years with the Vita and 3DS. I'm curious as to what they'll do.
 

TerraPhantm:
Is the 3DS browser designed by nintendo from the ground up, or is it based on webkit or something like that? And can the 3DS load anything like PDFs? I don't have the skills to do anything like this, but I'm thinking perhaps exploits can be made using vulnerabilities similar to some of the userland vulns in the iPhone (I think there was one with TIFF based images and a few PDF exploits). I know Nintendo probably paid close attention to those, but no system is perfect.
 

loco365:
> Is the 3DS browser designed by nintendo from the ground up, or is it based on webkit or something like that? And can the 3DS load anything like PDFs? I don't have the skills to do anything like this, but I'm thinking perhaps exploits can be made using vulnerabilities similar to some of the userland vulns in the iPhone (I think there was one with TIFF based images and a few PDF exploits). I know Nintendo probably paid close attention to those, but no system is perfect.
No. It can only view certain images in its browser. No flash or PDF functionality.
 

alphamule:
I also assume they're smart enough not to let you keep filling up a text buffer until you hang the machine, like the TI-85 calculators with the string/function conversion bug followed by going into the list editor... It would be hilarious if they used a buggy string library like some of the C runtime libraries reacting to "%s" or other such nonsense. I'd hope for malware prevention's sake that they checked for all potential buffer overruns and such. It would stink to get your 3DS bricked like the old Dark Fader bricker did, by some rogue/fake game site! Sadly, the reality will probably turn out that you only have to miss one. :/

Edit: Well rereading that file for the TI-85 shows that I was actually thinking of 2 bugs that I probably tried together. Still, it was a neat trick to do it with no extra hardware - just your hands and eyes. ;)
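As an added example (again not the thread's code), here is the "%s" mistake alphamule has in mind, modelled in C as a small logging routine that writes a user-supplied name into a fixed buffer, beside the hardened form. The inputs and the secret value are constructed. The real-world bug is printf(name) with no arguments at all, which reads whatever happens to sit in the argument slots; in this model the slots are filled explicitly with an assumed secret so the behaviour is well defined and deterministic, but the lesson is the same: whatever the caller has lying around becomes visible to anyone who can put a % in the input.

```c
/* Added example: untrusted string used as a format, beside the fixed version.
 * SESSION_SECRET and the inputs are constructed values for the demo. */
#include <stdio.h>
#include <string.h>

#define OUT_SIZE 64
#define SESSION_SECRET 0xC0FFEE42u   /* assumed: stands in for a value the caller has on the stack */

/* Vulnerable: the untrusted name IS the format string.  A name like "%x.%x"
 * pulls the variadic arguments into the output; "%s" with a bogus pointer
 * would crash; "%n" would write memory.  Only the leak is exercised here. */
int log_vulnerable(char *out, const char *user_name)
{
    return snprintf(out, OUT_SIZE, user_name, SESSION_SECRET, SESSION_SECRET);
}

/* Hardened: the format is a literal, the name is only ever a %s argument,
 * and snprintf bounds the write to OUT_SIZE so a long name truncates
 * instead of running past the buffer. */
int log_hardened(char *out, const char *user_name)
{
    return snprintf(out, OUT_SIZE, "user=%s", user_name);
}

/* 1 if the secret's hex digits appear anywhere in the formatted output. */
int leaks_secret(const char *out)
{
    char hex[16];
    snprintf(hex, sizeof hex, "%x", SESSION_SECRET);
    return strstr(out, hex) != NULL;
}

/* Convenience wrappers so the result of each variant is a plain return value. */
int vulnerable_leaks(const char *user_name)
{
    char out[OUT_SIZE];
    log_vulnerable(out, user_name);
    return leaks_secret(out);
}

int hardened_leaks(const char *user_name)
{
    char out[OUT_SIZE];
    log_hardened(out, user_name);
    return leaks_secret(out);
}

/* Length of the hardened output for a name of the given size: never more
 * than OUT_SIZE - 1, however long the input is. */
int hardened_written_len(size_t name_len)
{
    char name[256];
    char out[OUT_SIZE];
    if (name_len >= sizeof name)
        name_len = sizeof name - 1;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    log_hardened(out, name);
    return (int)strlen(out);
}

int main(void)
{
    char out[OUT_SIZE];
    log_vulnerable(out, "%x.%x");
    printf("vulnerable: %s\n", out);   /* prints the secret twice */
    log_hardened(out, "%x.%x");
    printf("hardened:   %s\n", out);   /* prints user=%x.%x literally */
    return 0;
}
```

Note that the vulnerable version behaves perfectly for ordinary names ("alice" comes out as "alice"), which is why this class of bug survives testing; the only reliable fix is never letting the untrusted string reach the format parameter, not filtering % characters.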
 

Deleted member 282441 (AKA ZeroTheSavior):
Forgive me if this has been posted before. To refrain from sounding like a complete noob, I'll say right now that I have little or no knowledge about this subject, I'm just throwing this out there.

I've seen people post ideas about attempting to inject code by using a proxy to download a modded firmware to the 3DS. This could be a good idea imo if you just took out the mods. Download a 100% legit firmware to the 3DS and find some way to use the computer/proxy as a scanner as it goes through to the 3DS. Again, I have no real knowledge here, but in theory it could reveal some clues as to how the 3DS manages its encryption.

Furthermore, would it not be possible to trick the NUS servers, (I'm assuming that's still where all this is kept) into thinking your computer is a 3DS, in a way tricking the firmware into revealing the encryption keys?

Again, I have very little knowledge on this subject, I'm just making a suggestion. Feel free to troll me now.
User agent faking? Anyone can do that. But we don't have the keys to make the servers give us data, and Nintendo will hate our guts for "hacking" their server.
 

Deleted member 282441 (AKA ZeroTheSavior):
> What we really need here is reverse engineering. That is also what made the PS3 exploitable. A then totally unknown PS3 Cell processor was reverse-engineered, so some Pica200 chip shouldn't be so hard?

Except the guy who hacked the PS3 is banned from using one ever again. I say we should build a modchip to intercept the code, then make a softmod from it so we can run unsigned code. (read: homebrew) I don't want to get banned from using a 3DS, so I guess the hack can be anonymous?
 

rondoh70:
Wouldn't we be able to get the private key if we somehow cracked the console key of an encrypted NAND dump? I know it's a stupid idea but it seems possible.
 

Edgewalker_001:
> What we really need here is reverse engineering. That is also what made the PS3 exploitable. A then totally unknown PS3 Cell processor was reverse-engineered, so some Pica200 chip shouldn't be so hard?
>
> Except the guy who hacked the PS3 is banned from using one ever again. I say we should build a modchip to intercept the code, then make a softmod from it so we can run unsigned code. (read: homebrew) I don't want to get banned from using a 3DS, so I guess the hack can be anonymous?

How did they bust him? Or was he stupid enough to actually go live with it?
 
