Hacking Hack 3DS by Memory Dump?

Kirito-kun

OP
Has anyone thought about uncovering the system encryption's private key by performing a memory dump? The private key has to exist in the system's memory at some point, if it's being used. A memdump will allow the privkey to be accessed while encrypted.

[image: nintendo_3DS_teardown3.jpg]

The original RAM chip can be removed and a reverse-engineered version of the chip that allows interfacing with a PC can be attached in its place. After connecting the modified RAM chip to a PC, we can scan system memory until we find the key.

Once you have the key, you'll be able to run any code you want on the system. The storage NAND is a separate chip on the PCB, so replacing the RAM shouldn't affect it. This seems like a possible method to hack the system.

Anyone thought about trying?

ZhangYang

So... Why is 3DS homebrew still at such a primitive stage? Are they having trouble finding the keys from the memory dumps?

*I am not sure about this but I'll answer this using stuff I read*
Basically, it's somewhere in the RAM but we don't know where it is. The RAM is encrypted, and we need something to decrypt that.
EDIT:
You shouldn't use logic with hacking, because it doesn't usually work out.

evandixon

Only the common key would be in memory, and if I remember correctly, it's only there for an instant, making it super hard to find (there's probably some other obstacle too).

[edit] Ninja'd by ZhangYang. I don't get this kind of thing at my usual forum... Oh well, this is bigger.

redact

There is a different key used to sign content than there is to confirm that it is correctly signed.
The 3DS would not have the signing key stored anywhere because it doesn't need it.

Kirito-kun

OP
> There is a different key used to sign content than there is to confirm that it is correctly signed.
> The 3DS would not have the signing key stored anywhere because it doesn't need it.

We don't need the signing key right now. As long as you crack the FS encryption private key, you'll have access to the FS. This will make it much easier to run code on the system, including code which removes the need to sign games.

Coto

But ARM11 features an XN (execute never) bit that will throw an exception if the code jumps to an area with XN set to 1 (and it cannot be set to 0 without kernel access.. see user mode vs. privileged, but some guys already reached that point..)

Snailface

> So... Why is 3DS homebrew still at such a primitive stage? Are they having trouble finding the keys from the memory dumps?
3DS homebrew is not at a primitive stage for yellows8 and neimod. They have full kernel control on firmware 4.5.

It really seems like you have missed the last 2.5 years of 3DS hacking and are now just waking up to make useless and simplistic generalizations about 3DS security.

WhiteMaze

> 3DS homebrew is not at a primitive stage for yellows8 and neimod. They have full kernel control on firmware 4.5.
>
> It really seems like you have missed the last 2.5 years of 3DS hacking and are now just waking up to make useless and simplistic generalizations about 3DS security.

Wow. Easy there.

I think we all understood what he meant by that.

Ericthegreat

The real question is what happened to the pics that people donated 2k for. I would think they would make them public if they had them.... Not nice to get people to donate for them and not share....

Edit: So this hasn't been done due to $300....

3DSGuy

> So... Why is 3DS homebrew still at such a primitive stage? Are they having trouble finding the keys from the memory dumps?
The keys are never actually in the RAM. All AES keys, except decrypted title keys, are never stored in their "final" form; instead the key is descrambled by a hardware AES engine embedded in the SoC when it is required for decrypting something.
> We don't need the signing key right now. As long as you crack the FS encryption private key, you'll have access to the FS. This will make it much easier to run code on the system, including code which removes the need to sign games.
Signature checks are done by the bootldr to verify the FW stored in the NAND. So yes, you do need the signing key.

muskieratboi

> If the data is in the memory, it can be dumped very easily!

Getting Data? Very Easy!

DECRYPTING that Data? Nigh-Impossible, without some kind of exploit, which is exactly what we've been looking for all these years.

RE-ENCRYPTING It to actually execute the data (barring unsigned code execution which could require another exploit entirely) without access to the private key? Nope.

WhiteMaze

> Getting Data? Very Easy!
>
> DECRYPTING that Data? Nigh-Impossible, without some kind of exploit, which is exactly what we've been looking for all these years.
>
> RE-ENCRYPTING It to actually execute the data (barring unsigned code execution which could require another exploit entirely) without access to the private key? Nope.

Not that I want to cause any flaming, and neither am I trying to offend anyone here. I know these things can be quite complicated and very hard to achieve.

But that is exactly the kind of "thinking" that if the Gateway team had done, we would not have a cart that can play 3DS roms today..

muskieratboi

> Not that I want to cause any flaming, and neither am I trying to offend anyone here. I know these things can be quite complicated and very hard to achieve.
>
> But that is exactly the kind of "thinking" that if the Gateway team had done, we would not have a cart that can play 3DS roms today..

The difference is that the Gateway team (apparently, since we STILL have yet to see the physical cartridge itself in the wild) know what the heck they are doing, and thus found said unsigned code execution exploit.

In other words, read Rydian's thread, namely this:

> "Why not look into the 3DS and find the key?"
>   • The key to sign things is not in the 3DS. The 3DS has a "common/public" key which is used to decrypt things and check signatures. Only Nintendo has the "secret/private" key/data needed to sign things. See here or here for the basic idea of how asymmetric encryption works.
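Rydian's distinction between the common/public key the 3DS holds and the private signing key only Nintendo has, worked through as an added example (not code from any poster here, and not the 3DS's real keys, key sizes or signature format): a toy textbook-RSA model in which the simulated device stores only (n, e), so a dump of that memory can verify signatures but cannot produce one. The primes, the firmware bytes and all function names are constructed for illustration.

```python
import hashlib

# Toy textbook RSA over two Mersenne primes, constructed for illustration only.
P = 2**521 - 1
Q = 2**127 - 1
E = 65537

def make_keys():
    """(n, e) is the public/verification key; d is the private signing key."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))  # modular inverse (Python 3.8+)
    return n, E, d

def digest(blob: bytes) -> int:
    # SHA-256 of the image as an integer; 256 bits < n, so no reduction is needed
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")

def sign(blob: bytes, n: int, d: int) -> int:
    """Vendor side: only the holder of d can compute this."""
    return pow(digest(blob), d, n)

def verify(blob: bytes, sig: int, n: int, e: int) -> bool:
    """Device side: needs nothing but the public key."""
    return pow(sig, e, n) == digest(blob)

def device_memory(n: int, e: int) -> dict:
    """All a dump of the verifier's memory could reveal: n and e, never d."""
    return {"n": n, "e": e}

def boot(mem: dict, fw: bytes, sig: int) -> bool:
    """Bootloader check: refuse firmware whose signature does not verify."""
    return verify(fw, sig, mem["n"], mem["e"])

def demo():
    n, e, d = make_keys()
    mem = device_memory(n, e)
    fw = b"constructed firmware image v1"  # constructed sample image
    sig = sign(fw, n, d)  # d stays with the vendor, never on the device
    patched = fw + b" patched"
    # Using only the dumped material (raising to e) does not yield a signature
    dump_only_sig = pow(digest(patched), mem["e"], mem["n"])
    return boot(mem, fw, sig), boot(mem, patched, sig), boot(mem, patched, dump_only_sig)
```

`demo()` returns `(True, False, False)`: the genuine image boots, the modified image fails, and nothing derivable from the dumped public key makes the modified image pass.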
