[Homebrew] My Experimentation with the DS Profile Exploit

fierce waffle

Well-Known Member
OP
Member
Much of the information in this thread was provided by smealum. He's been extremely helpful in ensuring my comprehension of the topic. If you notice any errors or flaws in this thread, please inform me. The exploit used by GW as well as smealum utilizes a stack smash. For more info on this, watch this video: http://videos.securitytube.net/Buffer Overflow Primer Part 1 (Smashing the Stack).mp4

Too long or corrupted strings (01Ah, 2 bytes: nickname length in characters; 050h, 2 bytes: message length in characters) in the NVRAM DS user settings cause the Nintendo DS Profile screen (System Settings -> Other Settings -> Profile -> Nintendo DS Profile) to crash in 3DS mode due to a stack smash. The reason (presumably) that the DS crashes in this case is that the corrupted, overflowed string ends up on the stack, causing it to crash. The same string is then used to control the stack smash and create a ROP chain (what this string specifically needs to contain is beyond me as yet) loaded from the NVRAM. You can then use a function that is already present in memory to load another ROP chain located on the SD card. The code that corrupts the DS profile strings can be written with devkitARM. There is NDS code involved for loading the initial NVRAM payload, but that's it. The actual 3DS code is loaded from a file put on the SD card.

I have yet to reach this point, keep in mind.
END OF THREAD FOR NOW!
If any of you have achieved the above, feel free to elaborate on how you did so. If we wish to achieve our own CFW and not be reliant on a company (whose card, in theory, isn't even necessary), then we need this collaboration.
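The crash described in the opening post comes from a loader that trusts the two length fields at 01Ah and 050h. As an added example (not code from the thread, smealum or GW), this C snippet shows the bounds check such a loader should perform before using those fields, plus a clamped copy that cannot overrun its buffer. The two offsets are taken from the post; the other offsets and the 10/26-character limits are assumed from GBATEK's documented user-settings layout, and the sample block is constructed, not dumped from hardware.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* DS NVRAM user-settings layout. Offsets 0x1A and 0x50 are the two length
 * fields the thread names; the rest is assumed from GBATEK's documentation. */
enum {
    NICK_OFF = 0x06, NICK_LEN_OFF = 0x1A, NICK_MAX_CHARS = 10,  /* 20-byte UTF-16 area */
    MSG_OFF  = 0x1C, MSG_LEN_OFF  = 0x50, MSG_MAX_CHARS  = 26,  /* 52-byte UTF-16 area */
    SETTINGS_LEN = 0x70
};
enum { SETTINGS_OK = 0, SETTINGS_BAD_NICK_LEN, SETTINGS_BAD_MSG_LEN, SETTINGS_SHORT };

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* The crash in the thread comes from a loader that uses these length fields
 * as copy counts into fixed stack buffers. Reject any block whose fields
 * exceed the fixed-size string areas before anything else touches it. */
int settings_validate(const uint8_t *blk, size_t len)
{
    if (len < SETTINGS_LEN) return SETTINGS_SHORT;
    if (rd16le(blk + NICK_LEN_OFF) > NICK_MAX_CHARS) return SETTINGS_BAD_NICK_LEN;
    if (rd16le(blk + MSG_LEN_OFF)  > MSG_MAX_CHARS)  return SETTINGS_BAD_MSG_LEN;
    return SETTINGS_OK;
}

/* Hardened copy: the count is clamped to the on-flash area and to the
 * caller's buffer, so a corrupted length field can never overrun 'out'.
 * Returns the number of UTF-16 code units copied. */
size_t settings_copy_nick(const uint8_t *blk, uint16_t *out, size_t out_units)
{
    size_t n = rd16le(blk + NICK_LEN_OFF);
    if (n > NICK_MAX_CHARS) n = NICK_MAX_CHARS;
    if (n > out_units)      n = out_units;
    for (size_t i = 0; i < n; i++) out[i] = rd16le(blk + NICK_OFF + 2 * i);
    return n;
}

/* Constructed sample block (not a dump from real hardware): nickname "DS",
 * with caller-chosen values for the two length fields. */
void make_sample_block(uint8_t *blk, uint16_t nick_len, uint16_t msg_len)
{
    memset(blk, 0, SETTINGS_LEN);
    blk[0] = 5;                                   /* version field is always 5 */
    blk[NICK_OFF] = 'D'; blk[NICK_OFF + 2] = 'S'; /* UTF-16LE, high bytes zero */
    blk[NICK_LEN_OFF] = (uint8_t)nick_len; blk[NICK_LEN_OFF + 1] = (uint8_t)(nick_len >> 8);
    blk[MSG_LEN_OFF]  = (uint8_t)msg_len;  blk[MSG_LEN_OFF + 1]  = (uint8_t)(msg_len >> 8);
}
```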
 

DinohScene

Gay twink catboy
Global Moderator
cfw is not possible bro, sorry. the firmware is signed and encrypted...

All it takes is taking over boot control and you can run whatever you want.
This includes CFW's

Everything in RAM on a 360 is hashed and encrypted.
Yet we're able to execute custom dashboards and even Devkit NANDs/replacement NANDs (Fusion)
Since we can run pretty much whatever we want after the 2nd bootloader.


300+ views on the topic and only 1 response. Wow... no wonder this scene isn't really thriving.

Sorry lad, I'm far more in the Xbox scene than 3DS ;p
Tho I love to read about it!
 

fierce waffle

Well-Known Member
OP
Member
All it takes is taking over boot control and you can run whatever you want.
This includes CFW's

Everything in RAM on a 360 is hashed and encrypted.
Yet we're able to execute custom dashboards and even Devkit NANDs/replacement NANDs (Fusion)

Sorry lad, I'm far more in the Xbox scene than 3DS ;p
Tho I love to read about it!

As am I. Every time someone mentions something is impossible I relate it to the 360. Donor NANDs. All we need is to crack the software encryption, similar to the CPU keys, and we can do a ton more.
 

fatcat1413

Well-Known Member
Member
I don't think anyone really cares right now until something is actually released that allows people to do stuff without flash cards; until then, everyone is focused on using Gateway flashcards.
 

DinohScene

Gay twink catboy
Global Moderator
As am I. Every time someone mentions something is impossible I relate it to the 360. Donor NANDs. All we need is to crack the software encryption, similar to the CPU keys, and we can do a ton more.

That would only be limited to that particular 3DS (given a key used for decrypting everything)
But yes, seeing that everything is encrypted and hashed, it also was impossible to execute things via software, yet we achieved these things
Fusion being a prime example of a "CFW" for the 360.

The 3DS can already execute things entirely from software (counting out the fact that a flashcard is needed), so I don't think we'd see much trouble in CFW/MFW and/or more things.
Iirc, BootMii was also executed before the System Menu on the Wii and it allowed for the execution of elf files?
Could be that I'm too used to XeLL ;p

I don't think anyone really cares right now until something is actually released that allows people to do stuff without flash cards; until then, everyone is focused on using Gateway flashcards.

That's just the pirates.
Aye, DS homebrew can also only be executed from flashcards but still, it's just the pirates that don't care about it.
 

fatcat1413

Well-Known Member
Member
That would only be limited to that particular 3DS (given a key used for decrypting everything)
But yes, seeing that everything is encrypted and hashed, it also was impossible to execute things via software, yet we achieved these things
Fusion being a prime example of a "CFW" for the 360.

The 3DS can already execute things entirely from software (counting out the fact that a flashcard is needed), so I don't think we'd see much trouble in CFW/MFW and/or more things.
Iirc, BootMii was also executed before the System Menu on the Wii and it allowed for the execution of elf files?
Could be that I'm too used to XeLL ;p

That's just the pirates.
Aye, DS homebrew can also only be executed from flashcards but still, it's just the pirates that don't care about it.


I'm sure that if Smealum released his exploit, someone would figure out how to launch roms off the exploit; pretty sure anyone could go into the exploit themselves and undo whatever Smealum does with the whole 'anti piracy' thing if they're good at coding :/
 

DinohScene

Gay twink catboy
Global Moderator
I'm sure that if Smealum released his exploit, someone would figure out how to launch roms off the exploit; pretty sure anyone could go into the exploit themselves and undo whatever Smealum does with the whole 'anti piracy' thing if they're good at coding :/

That's the downside of it.
However, they'd have to reverse engineer Ninty's digital download bootstrapper first before they can load ROMs from the SD
 

fatcat1413

Well-Known Member
Member
That's the downside of it.
However, they'd have to reverse engineer Ninty's digital download bootstrapper first before they can load ROMs from the SD

I'm sure someone will find a way to get the signing keys from Ninty someday, or find a way to fool the system into thinking the roms are signed or something of the sort; that's if anything will actually be released that'll work on fw 6.3-7.0 and doesn't need a flashcard ;)
 

DinohScene

Gay twink catboy
Global Moderator
I'm sure someone will find a way to get the signing keys from Ninty someday, or find a way to fool the system into thinking the roms are signed or something of the sort; that's if anything will actually be released that'll work on fw 6.3-7.0 and doesn't need a flashcard ;)

Eventually they will indeed.
Unsigned code was only available on 4548 and 7371 or below with the Kingkong hack and JTAG hack.
2/3 years later, the RGH came, so it's a pretty long time of unexploitable 360s.
Work continued on 4548 machines and afterwards on 7371 machines.

Who says that the 3DS won't undergo the same process?
Exploitable FW and then patched for 3 years?
Time will tell.
 

profi200

Banned!
Banned
From pokéhacking to console hacking? Really?

Anyway, why do you think someone would post details here? It's not like we are asses who never share anything, but you should know how easy it is to pirate with this. That's the main problem. It's nothing more than placing files on the SD card (except the NVRAM installing part) and it would be free for everyone. You can think what the result is.

If you really want a fucking warez loader, do it yourself ;)
 

Snailface

My frothing demand for 3ds homebrew is increasing
Member
From pokéhacking to console hacking? Really?

Anyway, why do you think someone would post details here? It's not like we are asses who never share anything, but you should know how easy it is to pirate with this. That's the main problem. It's nothing more than placing files on the SD card (except the NVRAM installing part) and it would be free for everyone. You can think what the result is.

If you really want a fucking warez loader, do it yourself ;)
I don't think you realize how small a subsection of 3ds owners have v4.5 firmware and a 4.5 compatible DS flashcard. It might seem higher, but you see a distorted image of the 3ds install base being a GBAtemp member.
 

fierce waffle

Well-Known Member
OP
Member
Guys. We're going a little off topic. Rather than debating about what is possible and whining that smea should release his, let's actually get stuff done. Everyone is waiting for the next release from Gateway or smea, and we really don't need them. Sure, they're aware of certain things we aren't, but they started in the exact same place we did.
 

Flame

Me > You
Global Moderator
Okay, I'm going to be the first to say it: do you have some sort of idea what you are doing, or is this hacking and slashing?

But good luck with everything tho. :yay:
 

profi200

Banned!
Banned
Snailface
Yeah, but <=4.5 3DS's and XL's still exist. A lot of them in some countries. If a warez loader gets released, it would be all over the internet within 1 or 2 days and most people would buy a 4.5 3DS. That's enough to say it is mass piracy. If the 3DS is dead sometime, like the DS now, then I don't care what happens with it.

fierce waffle
If you fail already at this part, then I recommend you not try it. The ROP stuff was really hard. More than 100 times harder than just reading NVRAM. We were very often stuck with our work.
Tip for you: It has something to do with SPI. I recommend you read the docs about the user settings before you do anything, or you'll end up with a bricked DS mode! That was the reason why I tried to dump my NAND first --> to fix the DS mode brick (system formatting fixes it) without losing all my games and saves.

Good luck. You need to do it yourself.
 

fierce waffle

Well-Known Member
OP
Member
Snailface
Yeah, but <=4.5 3DS's and XL's still exist. A lot of them in some countries. If a warez loader gets released, it would be all over the internet within 1 or 2 days and most people would buy a 4.5 3DS. That's enough to say it is mass piracy. If the 3DS is dead sometime, like the DS now, then I don't care what happens with it.

fierce waffle
If you fail already at this part, then I recommend you not try it. The ROP stuff was really hard. More than 100 times harder than just reading NVRAM. We were very often stuck with our work.
Tip for you: It has something to do with SPI. I recommend you read the docs about the user settings before you do anything, or you'll end up with a bricked DS mode! That was the reason why I tried to dump my NAND first --> to fix the DS mode brick (system formatting fixes it) without losing all my games and saves.

Good luck. You need to do it yourself.

Thank you for the advice. Of course, I always appreciate it. I don't think I will figure out the exploit, honestly. But there's no harm in trying. And who knows, I might help someone smarter than me get interested in it and maybe he'll figure it out.
 

mathieulh

Well-Known Member
Member
Snailface
Yeah, but <=4.5 3DS's and XL's still exist. A lot of them in some countries. If a warez loader gets released, it would be all over the internet within 1 or 2 days and most people would buy a 4.5 3DS. That's enough to say it is mass piracy. If the 3DS is dead sometime, like the DS now, then I don't care what happens with it.

fierce waffle
If you fail already at this part, then I recommend you not try it. The ROP stuff was really hard. More than 100 times harder than just reading NVRAM. We were very often stuck with our work.
Tip for you: It has something to do with SPI. I recommend you read the docs about the user settings before you do anything, or you'll end up with a bricked DS mode! That was the reason why I tried to dump my NAND first --> to fix the DS mode brick (system formatting fixes it) without losing all my games and saves.

Good luck. You need to do it yourself.

What I fail to understand is how you managed to figure out what each ROP gadget does without a RAM dump to begin with? Especially as most are there merely for obfuscation purposes.
 
