Toggle sidebar

Hacking 3DS Hacking Ideas: Post Your Ideas Here!

  • Thread starter Thread starter Rydian
  • Start date Start date
  • Views Views 106,002
  • Replies Replies 420
  • Likes Likes 18
I apologize if somebody has already tried something like this, but I didn't see anything posted previously.

I don't know much about finding exploits, but I did some testing with Pokemon X's patch being saved to a SD card to see if I could find anything potentially exploitable. While I didn't get any of the results I was looking for, I figured I'd post it here to either stop others from trying it, or let someone continue along the lines of what I was doing and see if they can find anything useful.

My first idea was, that it might be possible to modify the patch data to run unsigned code if you start up the game with the patch on an SD card, in-game put the 3DS into sleepmode, take the SD card out of the 3DS and swap the patch data on it. After that, put the SD card back into the 3DS and maybe it could read the modified patch, with the unsigned code. I don't know how to write code, or modify a patch, so I figured I'd test some other things first, to see if it was even possible.

First, ejecting the SD card mid-game will just cause an error to pop up ("The SD card has been removed, press the home button to return to the menu"). If you put the 3DS into sleepmode first, then take out the SD card, you are able to put the SD card back in, exit sleepmode, and continue playing. However, if you put the SD card into another device after removing it while in sleepmode, after reinserting it into the 3DS, the game will crash ("An error occurred, hold the power button to turn off the console"). Also if you leave the SD card out for too long, even after reinserting it, the game will instantly crash when exiting sleepmode.

So obviously my original idea wasn't going to work by switching the patches using a single SD card and a PC. So my next test was to see if I had two SD cards with the exact same data on them, would I be able to switch from one to the other mid-game, without crashing? I would've liked to test this using two of the exact same type of SD cards, but unfortunately, I don't own two that are the same. So I used a 4GB Toshiba SDHC and an 8GB Kingston micro SDHC with the adapter. The 3DS recognized that both SDs had the patch on them, however swapping them using the sleepmode method also produced a crash ("An error has occurred"). However, the game DID pop up on the screens for a few milliseconds before crashing, but I'm not sure if that would be enough time to load the modified patch off of the second SD (or if it even read the second SDs patch at all after I swapped them).

The reason I thought this might be possible is that, I know that the patch needs to be signed in order for the 3DS to run it, but it seems that since removing the SD with the patch on it at any time causes the game to crash, the game must be reading the patch at all times. I doubt that it's constantly checking the signature however, so I figured that if you swapped the patches and the game went to read it, it might be able to read unsigned code.

I also tried the following things, which all resulted in crashed:
-Put 3DS into sleepmode, then eject SD, then exit sleepmode (An error has occured).
-Go to the start menu (menu with Continue, Pokemon Link, Mystery Gift etc). Go into sleepmode, eject SD, put SD back in, exit
sleepmode, and press Continue (The SD card was removed).
-Swapping SD Cards at the Continue menu (The SD card was removed).

Tl;dr
I tried playing around with swapping patches on Pokemon X, and everything I did resulted in the game crashing.

I don't know if this would work better with another game (or if it's even possible at all), but if someone else wants to try, please do!
 
BobDoleOwndU said:
Tl;dr
I tried playing around with swapping patches on Pokemon X, and everything I did resulted in the game crashing.

I don't know if this would work better with another game (or if it's even possible at all), but if someone else wants to try, please do!
Click to expand...

AFAIK you'll still need your console's key to actually modify the patch anyway.
 
  • Like
Reactions: MAXLEMPIRA
What about game saves, can we hex edit them? Or does them all have different kinds of hash protections on it?

And I'm thinking What if you solder thin cables to the SD card and to a card reader and connect it to the PC. Could we possibly have Real-Time access to the SD card, change a file without it being removed from the 3DS.
Keep Cool
 
What about game saves, can we hex edit them? Or does them all have different kinds of hash protections on it?

Hex edit them to do what? And yes im sure they're encrypted anyways.

And I'm thinking What if you solder thin cables to the SD card and to a card reader and connect it to the PC. Could we possibly have Real-Time access to the SD card, change a file without it being removed from the 3DS.

I'm not sure if thats even possible outside of a 3ds. And if it is, sounds interesting. Maybe we could figure out the key of the specific 3ds by seeing if it drops a sign file and patches it to the 3ds as it installs or smth like that.
Very unlikely though.
 
Duo8 said:
Can we do something like a complete NAND chip replacement?
Click to expand...
Sure you can, as long as the chip is compatible, but you still need the original NAND contents, so what'd be the benefit? Hell, with some work, you could probably tinker around and make a hot-swappable NAND using an SD or MMC card since it follows MMC standards.
guily6669 said:
And I'm thinking What if you solder thin cables to the SD card and to a card reader and connect it to the PC. Could we possibly have Real-Time access to the SD card, change a file without it being removed from the 3DS.
Click to expand...
Pretty sure this cannot be done without some effort - you would require an arbiter device outside of the 3DS which would mount the SD in itself and then alternate between the two other devices connected to it in real-time - a lot of effort for very little gain. To my knowlege, an SD Card can only be mounted to one device at a time - anything else would be against protocol. Removing and re-inserting the card re-initiates the mounting procedure.
 
Duo8 said:
AFAIK you'll still need your console's key to actually modify the patch anyway.
Click to expand...

Ah, damn. Well, back to the drawing/idea board for me. :P

guily6669 said:
And I'm thinking What if you solder thin cables to the SD card and to a card reader and connect it to the PC. Could we possibly have Real-Time access to the SD card, change a file without it being removed from the 3DS.
Keep Cool
Click to expand...

I had actually thought about that too, but after reading what the others said, seems like it would be a lot of work to get it to read from two separate devices at the same time.
 
What about this "bug"?? Could it work to launch some codes??


and... well I noticed that since FW 5xx, when the system is booting, you can't enter any title before the upper bar appeared, but I remember that I could do that before the update, so maybe Nintendo patch that possible gap in the system, another vulnerability??
Someone with more knowledge about this could research this two ideas??
 
MAXLEMPIRA said:
What about this "bug"?? Could it work to launch some codes??


and... well I noticed that since FW 5xx, when the system is booting, you can't enter any title before the upper bar appeared, but I remember that I could do that before the update, so maybe Nintendo patch that possible gap in the system, another vulnerability??
Someone with more knowledge about this could research this two ideas??
Click to expand...

I didn't see anything weird in that vid.
 
MAXLEMPIRA said:
hahaha let me explain, in the races for Epona, if you let go Ingo to the goal and wait him before reaching to the goal, moreless about second 40, you'll win the race
Click to expand...

I don't think that would work, unless the glitch has effects elsewhere. You'd probably need a glitch which actually allows you to modify code to an extreme extent in order to find an exploit that way (ie. Pokemon Red/Blue Arbitrary Code Execution glitch), even then you would have to be highly knowledgeable about how the glitch modifies code, and I'm not sure if you would be able to modify any code outside of the game itself.
 
BobDoleOwndU said:
I don't think that would work, unless the glitch has effects elsewhere. You'd probably need a glitch which actually allows you to modify code to an extreme extent in order to find an exploit that way (ie. Pokemon Red/Blue Arbitrary Code Execution glitch), even then you would have to be highly knowledgeable about how the glitch modifies code, and I'm not sure if you would be able to modify any code outside of the game itself.
Click to expand...

hmmn... well I though it could work... because I just don't understand how Twilight Hack works... apparently in the part where the code is launched, there is happening... nothing!!! @, @ hahahaha just I thought... well what about the other idea??
 
MAXLEMPIRA said:
hmmn... well I though it could work... because I just don't understand how Twilight Hack works... apparently in the part where the code is launched, there is happening... nothing!!! @, @ hahahaha just I thought... well what about the other idea??
Click to expand...

To my understanding the Twilight hack works by the modified save causing a buffer overflow error due to Epona's name being being modified into a small program, which when the game tries to load Epona's name, tells the game to load a boot.elf or boot.dol file from the root of the SD card (I might be wrong about this, I don't know much about how these sort of bugs work).

I believe it is much harder, or even impossible to get a buffer overflow via modded save with the 3DS, due to the additional security added to prevent them.

After you pointed it out, I did notice that you couldn't start anything on the 3DS until the bar at the top of the top screen pops up, I'm not sure if that could be used for anything, but it seems more likely that it was made like that to stop an exploit that may have been there on the older firmware versions. Still, somebody who knows more about this stuff should check it out and see if anything's there.
 
BobDoleOwndU said:
After you pointed it out, I did notice that you couldn't start anything on the 3DS until the bar at the top of the top screen pops up, I'm not sure if that could be used for anything, but it seems more likely that it was made like that to stop an exploit that may have been there on the older firmware versions. Still, somebody who knows more about this stuff should check it out and see if anything's there.
Click to expand...

yeah, that's what I mean, maybe it could be a better exploit... or just nothing xD and only for FW 4xx maybe one day someone will try it or maybe they have already done... only they know...
 
MAXLEMPIRA said:
yeah, that's what I mean, maybe it could be a better exploit... or just nothing xD and only for FW 4xx maybe one day someone will try it or maybe they have already done... only they know...
Click to expand...

I'd consider that more of a glitch than an exploit. My guess is any sort of exploit here to run unsigned code would likely have to be something that more or less causes a game crash.
 
Found this post (from a recent Chaos Computer Congress 30C3) on hacking the microcontroller embedded in the actual SD cards. I'm not sure if it'll actually lead to anything or how to begin trying, but, having custom microcontroller code running inside the SD card in the 3DS sounds interesting.

http://www.bunniestudios.com/blog/?p=3554
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Help on 3DS prices...

Homebrew app Emulator  [Release] 3DS-CLI - Run a real RISC-V Linux environment on the Nintendo 3DS

Hardware  2 Broken 3DSes, need help

Website for finding alternative games for 3DS

Homebrew  My Secret World DS: is there a way to bypass the password lock?

Homebrew Homebrew app  [Release] GridLauncher Rosalina

please help, wont boot

Hardware  I Have 2 THQ Dev Kit 3DSes (Panda), Need Help On Preserving What’s Inside