Homebrew My Experimentation with the DS Profile Exploit

[profi200]

plutooo and lightenup were the first, who managed it. They did it completely without any doc about the NVRAM ROP. They said "we figured it out by staring at the NVRAM payload.". To be honest, we had a doc about all gadgets. The only problem left, was to find a way to dump memory to reverse the Launcher.dat ROP (the doc only described, what the NVRAM ROP-gadgets do).

 

[Deleted User]

i think OP is way over his head and most likely will either end up bricking his own console or bricking other people's consoles

 

[fierce waffle]

i think OP is way over his head and most likely will either end up bricking his own console or bricking other people's consoles

Worst case scenario I just make a hardware nand flasher and refresh my dump

 

[ichichfly]

i think OP is way over his head and most likely will either end up bricking his own console or bricking other people's consoles

As far as I know is if you don't mess with arm9 code there is nearly no way you can brick the 3DS.

 

[profi200]

Not the entire 3DS, but DS mode. Keyword: Hashes

 

[fierce waffle]

Not the entire 3DS, but DS mode. Keyword: Hashes

Are you referring to the CRC applied to DS User settings?

 

[fierce waffle]

Snailface
fierce waffle
If you fail already at this part, then i recommend you not to try it. The ROP stuff was really hard. More than 100 times harder than just reading NVRAM. We were very often stuck with our work.
Tip for you: It has something to do with SPI. I recommend you to read docs about the user settings, before you do anything, or you end up with a bricked DS mode! That was the reason, why i tried to dump my NAND first --> to fix the DS mode brick (system formatting fixes it) without losing all my games and saves.

Good luck. You need to do it yourself.

I have to access the firmware flash via the SPI. I have to figure out how to write instructions to the SPI. Here are the instructions that I am looking at to help http://nocash.emubase.de/gbatek.htm#dsfirmwareserialflashmemory

 

[profi200]

Maybe there is a example in DevKit ARM for SPI stuff. Dunno.

 

[Bond697]

why not just use the gateway installer to insert whatever you want? overwrite their patch with your own. it's writing to the firmware already, might as well take advantage.

 

[fierce waffle]

why not just use the gateway installer to insert whatever you want? overwrite their patch with your own. it's writing to the firmware already, might as well take advantage.

That would require the decompilation of their NDS rom which if done successfully and correctly could provide help with discovering ROP gadgets, but gateway uses the ROP gadgets almost as obfuscation as well.
Short answer : nah

 

[migles]

I have to access the firmware flash via the SPI. I have to figure out how to write instructions to the SPI. Here are the instructions that I am looking at to help http://nocash.emubase.de/gbatek.htm#dsfirmwareserialflashmemory

come on man, continue your good work in exploring the unknown cave

i am tired of seeing 3ds flashcarts and clnoes getting their hands on moners just becuase no one adventured yet in that deep cave besides smea...

 

[Bond697]

That would require the decompilation of their NDS rom which if done successfully and correctly could provide help with discovering ROP gadgets, but gateway uses the ROP gadgets almost as obfuscation as well.
Short answer : nah

you have no idea what you're talking about whatsoever, but ok. waste your time. all you have to do is overwrite their rop chain profile patch(es) with your stuff. there are no "rop gadgets" in the ds rom. it's a few arrays of patch bytes.

 

[migles]

you have no idea what you're talking about whatsoever, but ok. waste your time. all you have to do is overwrite their rop chain profile patch(es) with your stuff. there are no "rop gadgets" in the ds rom. it's a few arrays of patch bytes.

hey, maybe he needs to learn and know some stuff, but come on, don't tackle his self esteem ...

i have no idea about if he can or not, but let's motivate people for try!
some days ago i heard someone did extract private keys from gamecube or wii console with tweezers, even if no one believed it was possible

 

[N3XU5]

What about this vid?:

seems legit idunno if it still works

 

[fatcat1413]

All I will say is if you can actually figure all this stuff out and achieve running homebrew on your 3Ds then props to you dude, I know I wouldn't be able to figure out any of this stuff

 

[Thunder Hawk]

What about this vid?:

seems legit idunno if it still works

It's not really a hack. It's just running the ds firmware from an nds file and changing settings in ds mode. But, I guess it's useful for running outdated flashcards, maybe.

 

[zsakul2]

hey, maybe he needs to learn and know some stuff, but come on, don't tackle his self esteem ...

i have no idea about if he can or not, but let's motivate people for try!
some days ago i heard someone did extract private keys from gamecube or wii console with tweezers, even if no one believed it was possible

You're right, there's absolutely no reason to demotivate someone trying to learn.. Absolutely anyone with the knowledge they have now, started at a similar area of knowledge as waffle, you just have to learn and get better at it.. Why should you demotivate someone that might be able to contribute to the community.. Everyone has to start somewhere, Go at it waffle!

Edit: Also, Waffle check your PMs.

 

[Bond697]

hey, maybe he needs to learn and know some stuff, but come on, don't tackle his self esteem ...

i have no idea about if he can or not, but let's motivate people for try!
some days ago i heard someone did extract private keys from gamecube or wii console with tweezers, even if no one believed it was possible

No, my issue is that what he's saying is untrue. If he had said "well, you know, I don't know ARM and don't want to dig through the ROM to find the arrays(even though it takes literally 20 minutes)" then I would've said nothing back except maybe some encouragement. What he said is completely wrong, and mostly nonsense, either because he doesn't actually know ARM and doesn't want to do the (very minor) work or because he just doesn't know any better. Either way, it's not promising.

And for the OP: you kinda need to know ARM if you're going to exploit an ARM SoC. If you don't, how are you getting anything done on the extremely off chance you manage to get the rop chain working.

 

[Roxas75]

If you really wish to edit their ROP you can just edit their installer, no need to code one on your own.
Also, it's impossible to get forward to this without any ARM knownledge or a bit of experience on manipulating the stack.
But, i encourage you, learning is the best way, i'm quite new to this too.
Just google some documentations about the Return Oriented Programming in ARM structures, it will be useful, really.
Just trying to force something will just demage your console and get you mad, wasting your time.

 

[ernilos]

Doing the exploit installer ( SPI writting, reading and checking) is quite easy with devkitarm llibs, just write 0x6E and correct CRC16.The harder part is ROP payloads, this without any RAM dump it's hard as hell...

PS: If someone gonna try it correct Crc ever or gonna brick DS mode, and you dont have access to your ds flashcard to reflash firm cause is bricked.... Only fix is formatting