Some hacking concepts and links

Discussion in '3DS - Homebrew Development and Emulators' started by FAST6191, Apr 8, 2011.

  1. JaronMatthewHigg (Advanced Member)
    Just a thought: I know this is not 3DSWare targeted, but what if someone were to unpack a Nintendo DS homebrew ROM and find a folder to put it in, and the 3DS would be a flashcart itself?
     


  2. Rydian (Resident Furvert™)
    No, there's multiple things standing in the way of that, too many for me to even start listing.
     
  3. Misterke (Newbie)
    Can anyone point me to some technical info on the actual ROM cartridges used by the 3DS? I'm wondering how Nintendo checks the validity of those cartridges instead of the validity of the content of them. I mean: if only the image stored on the cartridge were signed, then copying that image completely to another cartridge would still ensure a valid, indistinguishable signature. So somehow there must be an additional check by the console to guarantee that the cartridge is a legitimate one. Understanding that check can help exploit it: e.g. if the check is only at startup, then you rig some hardware that at startup just passes everything through to a legit cartridge and only after startup reroutes to its own image. Depending on how the 3DS (or even the legit game) loads code (at startup or dynamically) this could then allow your own code injection.

    So, does anyone know of some docs on how the 3ds verifies its cartridges?
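    The post above separates two questions: is the content valid (a signature over the image, which survives a bit-for-bit copy) and is the cartridge itself genuine (something only a real cart can prove), and then notes that a startup-only cartridge check can be relayed to a legit cart. The model below is an added illustration and is not Nintendo's scheme: the publisher "signature" is an HMAC stand-in, the per-cartridge secret, the relay class, the key material and the sample images are all assumptions made for the demo.

```python
"""Toy model of the two kinds of check discussed in the post above.

Added illustration, not Nintendo's scheme: the publisher "signature" is an
HMAC stand-in, and the per-cartridge secret, the relay class and every key
and image value are assumptions made for this demo.
"""
import hashlib
import hmac
import os

PUBLISHER_KEY = b"demo-publisher-key"              # assumed; stands in for a signing key
GENUINE_IMAGE = b"GAME: legitimate ROM image"      # constructed sample data
PAYLOAD_IMAGE = b"GAME: attacker-modified image"   # constructed sample data


def sign_image(image):
    """Stand-in for the publisher's signature over the whole ROM image."""
    return hmac.new(PUBLISHER_KEY, image, hashlib.sha256).digest()


def verify_image(image, sig):
    return hmac.compare_digest(sign_image(image), sig)


class Cartridge:
    """Stores an image plus its signature; a genuine cart also holds a secret."""

    def __init__(self, image, sig, secret=None):
        self.image, self.sig, self.secret = image, sig, secret

    def read(self):
        return self.image, self.sig

    def respond(self, nonce):
        if self.secret is None:            # a clone has no secret to answer with
            return None
        return hmac.new(self.secret, nonce, hashlib.sha256).digest()


class RelayCartridge:
    """Start-up is forwarded to a genuine cart; afterwards it serves its own image."""

    def __init__(self, genuine, own_image):
        self.genuine, self.own_image, self.booted = genuine, own_image, False

    def read(self):
        if self.booted:
            return self.own_image, b""     # the attacker cannot sign this image
        return self.genuine.read()

    def respond(self, nonce):
        return self.genuine.respond(nonce)  # pass the challenge straight through


def cartridge_is_genuine(cart, trusted_secrets):
    """Challenge-response: only a cart holding a trusted secret can answer."""
    nonce = os.urandom(16)
    resp = cart.respond(nonce)
    if resp is None:
        return False
    return any(hmac.compare_digest(resp, hmac.new(s, nonce, hashlib.sha256).digest())
               for s in trusted_secrets)


def boot(cart, trusted_secrets, check_cartridge):
    """Console start-up: verify the image, optionally also the cartridge."""
    image, sig = cart.read()
    ok = verify_image(image, sig)
    if check_cartridge:
        ok = ok and cartridge_is_genuine(cart, trusted_secrets)
    return ok


def load_code_later(cart, reverify):
    """Code read after boot; returns None if re-verification rejects it."""
    image, sig = cart.read()
    if reverify and not verify_image(image, sig):
        return None
    return image


def demo():
    secret = os.urandom(32)                        # burned into the genuine cart
    genuine = Cartridge(GENUINE_IMAGE, sign_image(GENUINE_IMAGE), secret)
    clone = Cartridge(*genuine.read())             # bit-for-bit copy, no secret
    relay = RelayCartridge(genuine, PAYLOAD_IMAGE)

    results = {
        "clone, content-only check": boot(clone, [secret], check_cartridge=False),
        "clone, cartridge check": boot(clone, [secret], check_cartridge=True),
        "relay, startup check": boot(relay, [secret], check_cartridge=True),
    }
    relay.booted = True                            # switch over after start-up
    results["relay, code loaded without re-check"] = load_code_later(relay, reverify=False)
    results["relay, code loaded with re-check"] = load_code_later(relay, reverify=True)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

    The three scenarios line up with the post: a clone passes a content-only check and fails a challenge-response check; a relay passes a startup-only check because the genuine cart answers for it; what the relay can then get away with depends on whether later code loads are verified again.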
     
  4. Ulices Nieto
    This message by Ulices Nieto has been removed from public view by raulpica, Jan 31, 2013.
  5. airwow (Newbie)
    Oh... I am waiting.
     
  6. Metoroid0 (GBAtemp Maniac)
    Hm... since the 3DS can run homebrew in DS mode (via flashcards like the DSTWO, for example),
    why not use that as an open door to inject 3DS hacks to crack 3DS security somehow? ...somehow

    (just an idea...)
     
  7. SifJar (Not a pirate)
    Because it is "sandboxed" i.e. cut off from accessing all hardware and resources not available on a DS. In DS mode, the 3DS acts exactly like a DS i.e. no 3D, decreased CPU and RAM, decreased resolution etc. There are careful protections in place to prevent being able to re-enable the disabled hardware.
     
  8. Metoroid0 (GBAtemp Maniac)
    Sandboxed like GC mode in Wii?
    Yeah, but maybe there is some hole in the sandbox to inject hacks...
    I mean, is that possibility checked or is it a theory?
    (sorry for being a noob..again :P )
     
  9. SifJar (Not a pirate)
    Yeah, similar to GC mode on the Wii. And yeah, I'm pretty sure it's been investigated and found to be fairly air-tight.
     
  10. Shade Tempest (Flying First Stike Bob-omb Force)
    If it acts exactly like a DS, then how does the home button work?
     
  11. msansom (Member)
    This is going to sound like a ridiculous question, but if all Gateway 3DS does is mimic a 3DS game, what is stopping us making our own at home? What is actually preventing us from opening up a really crappy 3DS cart (Sims 3 for example ;)), desoldering the memory chip that is used to store the game image, and replacing it with a micro SD holder? The SD card would have the ROM dumped to it in the same file system format that the previous memory used and be formatted to the correct size. Apart from the SD card not being compatible, the only issue I can see here is the save game.
     
  12. FAST6191 (Techromancer, OP, Reporter)
    We do have a hacking theories thread -- http://gbatemp.net/threads/post-your-ideas-regarding-how-to-hack-the-3ds-here.307018/

    Generally though, assuming you have a complete dump and there are no extra security measures, you also have to consider that microSD does not read in the same way as another type of memory; the way you read memory can differ greatly between chips, and SD for that matter is quite different to raw NAND (which is why you can get xD cards and sometimes add them to devices) or some other type of memory (memory speeds, some memory will only read 8, 16 or 32 bit packets at once, some memory will require a read-confirm command...).

    It has happened in the past (the XD memory thing being used on the 360 for dual nand for instance) and http://www.ziegler.desaign.de/readplus.htm#Home made carts for the GBC but it does not mean it will happen here. You might be able to chain a logic device to a memory card format but at that point you have pretty much made a flash cart and might as well have just got one made for you.

    On top of that you also have the save issue (various types of save with different sizes, different read/write methods ( http://nocash.emubase.de/gbatek.htm#gbacartbackupids ) and more. Some are speculating this is what is troubling the teams in question but I am not so sure.
     
  13. Searinox (<3)
    Since it's so popular and discussed now, might also wanna update the first post with explanation of a stack smash.
     
  14. FAST6191 (Techromancer, OP, Reporter)
    So add a synonym in the buffer overflow part?
     
  15. Searinox (<3)
    More like explain this particular variation of BO because I see nothing mentioning alteration of the return address.
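    The variation Searinox is asking about is the classic stack smash: an unchecked copy into a fixed-size buffer runs on past the buffer, over the saved frame pointer, and into the return address, so that when the function returns it jumps wherever the overflowing bytes say. The byte-level model below is an added example and not code from the thread; the frame layout (16-byte buffer, 8-byte saved frame pointer, 8-byte little-endian return address) and the addresses are assumptions chosen to resemble a typical x86-64 frame.

```python
"""Byte-level model of a return-address overwrite by a stack buffer overflow.

Added example, not from the thread: the frame layout (char buf[16], saved
frame pointer, return address; 64-bit little-endian) and all addresses are
assumptions chosen to resemble a typical x86-64 frame.
"""
import struct

BUF_SIZE = 16                   # char buf[16]
FP_OFF = BUF_SIZE               # saved frame pointer sits right above the buffer
RET_OFF = BUF_SIZE + 8          # return address sits above that
FRAME_SIZE = RET_OFF + 8
CALLER = 0x401234               # assumed address the function should return to


def build_frame(ret=CALLER, saved_fp=0x7FFD00001000):
    """Fresh frame as the prologue leaves it: empty buffer, then saved fp, then ret."""
    frame = bytearray(FRAME_SIZE)
    struct.pack_into("<QQ", frame, FP_OFF, saved_fp, ret)
    return frame


def return_address(frame):
    return struct.unpack_from("<Q", frame, RET_OFF)[0]


def strcpy_into_buf(frame, src):
    """Unchecked copy, like C strcpy: stops only at the first NUL byte."""
    end = src.find(b"\x00")
    data = (src if end < 0 else src[:end]) + b"\x00"
    for i, byte in enumerate(data):       # an IndexError here would mean writing past the frame
        frame[i] = byte


def strlcpy_into_buf(frame, src):
    """Bounded copy: never writes beyond the buffer and always NUL-terminates."""
    data = src[:BUF_SIZE - 1]
    frame[0:BUF_SIZE] = data.ljust(BUF_SIZE, b"\x00")


def smash(frame, target, copy=strcpy_into_buf):
    """Classic payload: fill the buffer, clobber the saved fp, then the return address."""
    payload = b"A" * BUF_SIZE + b"B" * 8 + struct.pack("<Q", target)
    copy(frame, payload)
    return return_address(frame)


if __name__ == "__main__":
    print(hex(smash(build_frame(), 0x7FFD12345678)))                    # overwritten
    print(hex(smash(build_frame(), 0x401000)))                          # partial: NUL cut it short
    print(hex(smash(build_frame(), 0x7FFD12345678, strlcpy_into_buf)))  # intact
```

    Two details worth noticing: because strcpy stops at the first NUL, a target address whose low byte is zero (0x401000) only partly overwrites the saved return address, while a user-space address whose zero bytes are the high ones (0x7FFD12345678) lands cleanly because those bytes were already zero in the frame. The bounded copy leaves the return address untouched, which is the whole fix.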
     
  16. Metoroid0 (GBAtemp Maniac)
    Could Gateway 3DS be used as a 3DS hacking tool, to make the job of hacking the console easier?
    Or if not easier, maybe to have one more option for hacking?
     
  17. isaac52 (GBAtemp Regular)
    Would editing the code of a DS Pokemon game and then transferring it to X/Y possibly cause it to crash and open up possibilities?

    Just a thought, depends heavily on just how well the pokebank sorts out hacks.
     
  18. FAST6191 (Techromancer, OP, Reporter)
    We do have an ideas thread but OK.
    Any time there is input into a game (including by the controls themselves) there is the potential for a crash and thus/also the potential for some type of exploit. As you say though, they appear to be doing some kind of sanitisation on the data (even if it is not for device security it will likely frustrate device hacking efforts), and on top of that the 3DS already has a not unreasonable amount of protection against hacks delivered in this manner. To that end, and for my money, the best you can hope for by attempting to exploit the transfer options is a shortcut to making good Pokemon.
    That said I am curious to see what kinds of sanitisation and/or checks they try, improved general tools aside it would probably be one of the more interesting things to come out of pokemon hacking in some time.
     
  19. Mr_Pichu (かわいいね!)
    Of late there is a lot of work being done around side channel attacks to hack encryption keys.

    Here is a great video that describes an EM method:


    An acoustical method is described at this link:
    http://www.cs.tau.ac.il/~tromer/acoustic/
     
  20. WaryLouka (Official Representative of the SuperCard Team, Banned)
    I don't know if the bug can run code or anything, as it's not depending on a file, but:

    On the YouTube app, if you open a video with subtitles, and you put in the subtitles, and then you start spamming the very bottom-right corner, the YouTube app will "crash" by showing the home screen for 3 seconds and then displaying a black screen.
    I doubt you guys can reproduce it, but whatever, I just feel like posting it.
     
  21. Metoroid0 (GBAtemp Maniac)
    Did smea basically say you have to buy Gateway if you want to play ROMs?