3DS Hacking Ideas: Post Your Ideas Here!

lightenup

Erm... not to smash your hopes, but have a look here: https://en.wikipedia.org/wiki/Return-oriented_programming
Without access to the 3DS software, you can't possibly know what you are doing. Granted, you can enumerate ROP chains and may find one that dumps and prints RAM, but the search space for brute force is just too large (try exponentially large: e.g., between 2^32^5 and 2^32^100, depending very much on the available library code), and enumerating ROP chains might have other, possibly bricking, effects that you want to avoid (although it's very unlikely that you hit those :) ).
 

Boy12

Erm... not to smash your hopes, but have a look here: https://en.wikipedia.org/wiki/Return-oriented_programming
Without access to the 3DS software, you can't possibly know what you are doing. Granted, you can enumerate ROP chains that dump and print RAM, but the search space for brute force is just too large (try exponentially large: e.g., between 2^32^5 and 2^32^100, depending very much on the available library code), and enumerating ROP chains might have other, possibly bricking, effects that you want to avoid (although it's very unlikely that you hit those :) ).

Thanks for the info!
 

Boy12

Here's another idea:
Maybe we can create a freeze/buffer overflow by loading a corrupted image file (just like ChickHEN for the PSP), or by loading a large video file in the 3DS Photo app.
EDIT: As for the photo, maybe with a .tiff image?
 

Naridar

Seems like a good idea, but 15m would never get raised. Maybe in 2 years, if it got advertised EVERYWHERE and was offered for use on other consoles as well.

Or maybe we could just rent one such computer for a week or so. I doubt that would cost more than, let's say, $10,000, which is a lot more reasonable.
 

ichichfly

Erm... not to smash your hopes, but have a look here: https://en.wikipedia.org/wiki/Return-oriented_programming
Without access to the 3DS software, you can't possibly know what you are doing. Granted, you can enumerate ROP chains that dump and print RAM, but the search space for brute force is just too large (try exponentially large: e.g., between 2^32^5 and 2^32^100, depending very much on the available library code), and enumerating ROP chains might have other, possibly bricking, effects that you want to avoid (although it's very unlikely that you hit those :) ).

No, the space where the code is located is 0x00100001 - 0x0018D5DD, so we don't need that many calls, only about 289518. You can most likely use the 2-10 functions before, and something like printf is most likely mirrored and called at many points, so I guess 50 times --> 579.
This is where the code is located; there are also multiple possibilities in this area.
 

lightenup

No, the space is 0x00100001 - 0x0018D5DD.
This is where the code is located.
What code do you expect there, and why? Also, how do you pass the parameters to that function you expect there? On ARM you cannot do this simply via the stack. How do you return to a point where the original program can safely continue without crashing?
 

Boy12

No, the space where the code is located is 0x00100001 - 0x0018D5DD, so we don't need that many calls, only about 289518. You can most likely use the 2-10 functions before, and something like printf is most likely mirrored and called at many points, so I guess 50 times --> 579.
This is where the code is located; there are also multiple possibilities in this area.

As for the sound file, should I test it for you, or is it not worth it?
I think it isn't worth it, from what you explained. What do you think?
 

ichichfly

What code do you expect there, and why? Also, how do you pass the parameters to that function you expect there? On ARM you cannot do this simply via the stack. How do you return to a point where the original program can safely continue without crashing?
All code sections are located before the data section. 0x0018D5DC is (most likely) a pointer into the data section; 0x00100000 comes from the 3DS wiki.

So that is where the code is.

First, I would search for the printf function.

Second, I would search for some code that pops r0, and for the code at the end of a function, which in most cases uses pop pc; it should be very easy to find such code.
 

Boy12

If you have a file that produces a crash, sure.

Okay, I will play around for a bit with some sound/video files for now (not picture files; I think that's not going to work out).
I will post something if I find a crash, and then PM you the file, ichichfly.
 

Boy12

Well, it didn't work; the 3DS just said that it doesn't support the audio file.
The extension is MP3, and I tried it with another MP3 (which was 5 minutes long), so I guess it's the timestamp.
Maybe I can try to manipulate the timestamp and see what it does.
 

ichichfly

Well, it didn't work; the 3DS just said that it doesn't support the audio file.
The extension is MP3, and I tried it with another MP3 (which was 5 minutes long), so I guess it's the timestamp.
Maybe I can try to manipulate the timestamp and see what it does.
I checked it, and the 3DS uses some library for displaying videos and playing sound, so there is most likely nothing there.

add: The signature of 3DS games is not crackable in the next 1000 years, even with all the current computers in the world (ok, there is a chance, but it is so small it is not worth mentioning).

add2: The first thing is not a theory; it is what the GW team does: they write 0x6E (110) into the message length field, and this causes a stack overflow. You can check the installer file.

add3: Without a RAM dump there is not much we can try.
 

Boy12

Aren't neimod and his team supposed to have had a way to read the 3DS RAM contents on the fly for a year or so?
Seems like it does not help them all that much.

They can read the 3DS's RAM.
If I read it right, they even have a RAM dump.
But they won't release it, 'cause they're afraid of getting sued (this is also why they don't release the haxx).
 

RedHero

Just an idea here, but would it be possible to use the StreetPass Relay feature to hack the system? Like this:

- Create a fake StreetPass (using an existing game)
- Put it on a Nintendo hotspot (or a created hotspot)
- Receive it on a 3DS using the StreetPass Relay feature
- When you check the StreetPass in the right game (depends on which game is/can be used for it), it'll open a piece of homebrew software.
- Install homebrew

I do suspect that probably can't be done until someone manages to make the correct encryption keys, though... and that would probably require people to figure out how to get through the encryption in the first place. Anyway, just an idea. I'm not too tech-savvy, just smelling a tiny 'maybe opportunity' here.
 
