Hacking: How does Nintendo patch their systems to block flashcarts?

  • Thread starter: RemixDeluxe
  • Views: 6,428
  • Replies: 37
One more thing.

I didn't really get involved in the homebrew community until just a few years ago. I have no knowledge of how things were for the GBA or even the DS. How long did it take for both systems to get their first flashcart? Is the wait time normal in comparison to the 3DS?

The GBA and DS had the advantage (to the flash cart teams) that the console's firmware was not updatable. Once an exploit was found it worked for the life of the system.
From the DSi on it has been a cat and mouse game of console firmware updates vs flash cart firmware updates/new flashcarts.
 
Or do you think they can block the flashcard just by thinking or guessing?
They managed to block some kernel-mode exploit that neimods/yellows8 was using in the 5.x update...

These things bypass security holes, and security holes get found and fixed all the time.
 
There's no special trick to it really. Nintendo knew the exact nature of the upcoming hack attempt was a 1:1 cartridge clone exploit. So they simply bolstered the number of security checks dealing with cart authentication on update 6.x.x-x. One of those added checks was one that the Gateway team either didn't/couldn't account for and the card wound up blocked. Nintendo essentially carpet bombed the attack vector and, lo and behold, one of their bombs struck the target.

So what was stopping Nintendo from including these additional security checks in the initial 3DS firmware? Even if Gateway can't compensate for this updated firmware I could still buy a 3DS XL right now and be able to play any game released up to this point. That's over a dozen quality titles for 80 dollars. Still a solid deal in my opinion.
 
So what was stopping Nintendo from including these additional security checks in the initial 3DS firmware?
What was stopping Microsoft from patching every known and used security hole that allowed the 360 to be hacked from the initial softmod point until now?

What was stopping Sony from patching all the PS3 holes and adding all the hack detection?

etc.
 
They managed to block some kernel-mode exploit that neimods/yellows8 was using in the 5.x update...

These things bypass security holes, and security holes get found and fixed all the time.
I don't think they can block the flashcard without analysing it.
 
What was stopping Microsoft from patching every known and used security hole that allowed the 360 to be hacked from the initial softmod point until now?

What was stopping Sony from patching all the PS3 holes and adding all the hack detection?

etc.

I think it's a legitimate question to ask. Without even getting hold of a Gateway cart Nintendo was able to block the security hole. So clearly the hole couldn't have been that hard to figure out.
 
I think it's a legitimate question to ask. Without even getting hold of a Gateway cart Nintendo was able to block the security hole. So clearly the hole couldn't have been that hard to figure out.
Once you have the entrance type narrowed down, sure.
 
Sorry, but you're wrong. Flashcards boot just as if they were legit game cards; they don't take advantage of flaws in the firmware anymore. You see, flashcards nowadays use something called No Pass, which uses the common key for licensed DS games that was discovered a long time ago. So flashcards don't use a flaw in the firmware, but instead boot as if they were licensed software.

Nintendo blocks flashcards by using a blacklist: they try to check if the flash card is trying to pass for a licensed game. For example, if a flashcard tries to identify itself as a Mario Kart game, Nintendo will double-check every "Mario Kart" game to see if it is indeed the legit game or an impostor flashcard. Another way to identify it is to detect hardware that is unique to a flashcard, or hardware that is missing from the flashcard. If you go to the NDS flashcard section, this subject is discussed more thoroughly there.

So can't they just double-check every DS game, which would then stop every flash card from working? (What happens when flash carts run out of licensed games to pass as?)
 
So can't they just double-check every DS game, which would then stop every flash card from working? (What happens when flash carts run out of licensed games to pass as?)

The general idea is that prior to the DSi it was as free rein as anything; starting with the DSi the games carried an uncrackable signature, meaning however many thousand games were already out there were the lot. Nintendo were supposed to have all the known games released before then on a whitelist, and for the most part that is what happened.
Rydian already linked the link of choice explaining the workaround; still, it was found that the overlay checks were sub-par, and if you can inject more than a few bytes of code into DS mode you own the lot. Overlays are small bits of code that get loaded in by the game to extend abilities while they are loaded, without costing memory to have them there permanently. Typically they are reserved for things the game might not do often; starting up is something they do not do often, so rather nicely a lot of overlays load right at the start and you have your in.
First checks were just for the custom icons they used; later checks were basic token checks that the game is what it was supposed to be (if you know the question and the answer then it is easy enough to fake it); later updates swapped to "random" checks, which is when all the teams started changing their games every time (before that a few of the better teams stuck with it); and the latest proper flash cart killer stuff apparently checks the saves too, which not all carts could emulate.
At the same time, though I mentioned that some overlays load right away, there are others that take a few seconds (and at 66 million clocks per second that is a lot of operations), hence a couple of carts got "DSi/3DS intended" updates but took a few seconds more to boot with them on.

To this end flash cart teams are limited to only the pre-DSi stuff, and they want games that load overlays early on; now they ideally want games without saves, unless the hardware can handle it.

They could check all the games, but it would take ages (unforgivable by most end users of these devices), take lots of memory (not great for developers of the kernel/loader/firmware) and still be tricky. Despite the hardline approach put on by companies, they realise it is a risk/effort/reward situation, and if you can just frustrate Joe "what's an R4?" Q Public you are doing well enough.
 
They managed to block some kernel-mode exploit that neimods/yellows8 was using in the 5.x update...

These things bypass security holes, and security holes get found and fixed all the time.

To be fair, we don't really know what the Gateway took advantage of. I sincerely doubt it was the kernel exploit as the creators clearly stated that there was no chance it would run unsigned code unless another exploit was found and adapted for Gateway use - if anything, I'd be pointing my fingers at the particular exploitable hardware components as the Gateway was a hardware solution after all.
 
To be fair, we don't really know what the Gateway took advantage of. I sincerely doubt it was the kernel exploit as the creators clearly stated that there was no chance it would run unsigned code unless another exploit was found and adapted for Gateway use - if anything, I'd be pointing my fingers at the particular exploitable hardware components as the Gateway was a hardware solution after all.
It was an example of how Nintendo can patch holes stuff is using without having the stuff.
 
This may be a very stupid question but, do you think that the DSTWO will ever be definitively blocked? I mean, even the update that was supposed to detect the save IC to block FC had a solution.
 