Hacking Alternate methods of installing exploits

[loco365]

I'm not posing this as a question thread, but more of a discussion thread. All the known 3DS exploits so far have to be installed using a DS-Mode flashcart of some form, although the limitation is that it has to be able to run on the given firmware, knocking a lot of flashcards (Like the Acekard 2i) out of contention.

I thought of this purely as a conceptual idea, and I wouldn't know if it'd actually work or not. DS Download Play allows DS code to run, although it has to be signed in some form. It can even run arbitrary code (See: DSBricker) and effectively wipe the DS portion of a system. Do you think it'd be possible to modify a DS Download Play .SRL file for a game (Insert the installer for the profile exploit), and allow it to run on a 3DS in DS Download Play mode (Being sent by a DS that can run a flashcard), so it can install a profile exploit and allow people to explore the emerging world of 3DS homebrew without having to buy a new flashcard?

Or do you think there could be yet another way to install said exploits?

 

[lambstone]

I'm not posing this as a question thread, but more of a discussion thread. All the known 3DS exploits so far have to be installed using a DS-Mode flashcart of some form, although the limitation is that it has to be able to run on the given firmware, knocking a lot of flashcards (Like the Acekard 2i) out of contention.

I thought of this purely as a conceptual idea, and I wouldn't know if it'd actually work or not. DS Download Play allows DS code to run, although it has to be signed in some form. It can even run arbitrary code (See: DSBricker) and effectively wipe the DS portion of a system. Do you think it'd be possible to modify a DS Download Play .SRL file for a game (Insert the installer for the profile exploit), and allow it to run on a 3DS in DS Download Play mode (Being sent by a DS that can run a flashcard), so it can install a profile exploit and allow people to explore the emerging world of 3DS homebrew without having to buy a new flashcard?

Or do you think there could be yet another way to install said exploits?

This is a rather novel idea.

Have you tested download play from a DS to 3DS yet? Perhaps using a rom on a DS flash cart?

AFAIK, NDS roms are easier to be hacked so this might offer a solution to rerun the rop chain loader without the need of a DS flash cart.

 

[loco365]

This is a rather novel idea.

Have you tested download play from a DS to 3DS yet? Perhaps using a rom on a DS flash cart?

AFAIK, NDS roms are easier to be hacked so this might offer a solution to rerun the rop chain loader without the need of a DS flash cart.

It does work, although if I try editing binaries, it won't run at all. It just freezes when the Nintendo logo fades out. I also don't have an exploitable 3DS (Mine is on the latest firmware, to which I regret this), although I plan to keep it here as exploits are starting to move up the firmware list with 6.3 recently becoming exploitable.

 

[redkeyboard]

If you want an easy solution, just buy a $5 flash cart. Eachmall has a ton that work with 7.1

 

[loco365]

If you want an easy solution, just buy a $5 flash cart. Eachmall has a ton that work with 7.1

I already have one, and 4 other DS systems it'll work on. I'm not asking for an easy out on this, I'm posing this as an idea for everyone else that doesn't want to have to get yet another flashcard if they don't have to.

 

[lambstone]

It does work, although if I try editing binaries, it won't run at all. It just freezes when the Nintendo logo fades out. I also don't have an exploitable 3DS (Mine is on the latest firmware, to which I regret this), although I plan to keep it here as exploits are starting to move up the firmware list with 6.3 recently becoming exploitable.

So download play from an unadulterated rom works.

However, if you modify a rom what happens? The download play function does not work? Or do you mean the modified rom itself does not load.

 

[mznova]

The way I understand it, the issue is not running code in ds mode. The issue is to somehow get it to run in 3ds mode so you can play 3ds games. Right now, the only way to touch 3ds mode from ds mode has been to change the name of the ds profile from within ds mode which causes an error in 3ds mode. There are not many variables that are shared across ds and 3ds mode as far as I know.

 

[loco365]

So download play from an unadulterated rom works.

However, if you modify a rom what happens? The download play function does not work? Or do you mean the modified rom itself does not load.

It just doesn't load. I'm not exactly sure why, but I'd like to see how to get it functioning so that not only could a ROP chain installer work, but homebrew could also be sent over.

The way I understand it, the issue is not running code in ds mode. The issue is to somehow get it to run in 3ds mode so you can play 3ds games. Right now, the only way to touch 3ds mode from ds mode has been to change the name of the ds profile from within ds mode which causes an error in 3ds mode. There are not many variables that are shared across ds and 3ds mode as far as I know.

Which is why one could utilise DS Download Play, since you could send a modified binary, and not have to use a flashcard on it. It'd just write the changes in DS Mode, then exit back to 3DS Mode.

 

[loco365]

-disregard-

 

[Falo]

The problem here is, you need to understand what the exploit actually does.
To enable Homebrew you always need 2 exploits, a usermode and a kernel mode.

The DS MSET exploit is fixed in 7.x+, even if you could run DS mode code in some way, you can't re-enable this exploit.

You need to use a new usermode exploit on 7.x+ and so far there are only savegame exploits
(where you need to get a save dongle + retail version of the game) and this limits the userbase,
that's why the 6.3 exploit is not public (it would limit it's userbase again to only flashcard users & FW 1.0 - 6.3).

 

[Snailface]

There's bangai-o sploit. It's unreleased but theoretically out there for the taking.

 

[dubbz82]

I'd be interested in this as well, because this would be of use for anyone that falls in between 4.xx and 6.3, even if not completely up to date. bangai-o sploit could be useful too, but still is a specific hardware requirement...if this could be done without hardware (the idea proposed originally seems rather interesting...) it would open it up to a broader audience...i.e. people that don't want to sink money into a flash cart only to get into homebrew -- this would be an interesting thing to look into for not just the exploit, but potentially other ds homebrew as well (or maybe even ds roms, if that's your thing...although there might be other potential barriers with commercial games -- not sure if there's any built in filesize limitations or anything of that nature).

 

[loco365]

I'd be interested in this as well, because this would be of use for anyone that falls in between 4.xx and 6.3, even if not completely up to date. bangai-o sploit could be useful too, but still is a specific hardware requirement...if this could be done without hardware (the idea proposed originally seems rather interesting...) it would open it up to a broader audience...i.e. people that don't want to sink money into a flash cart only to get into homebrew -- this would be an interesting thing to look into for not just the exploit, but potentially other ds homebrew as well (or maybe even ds roms, if that's your thing...although there might be other potential barriers with commercial games -- not sure if there's any built in filesize limitations or anything of that nature).

It couldn't be utilised for piracy, as the entire romfs is stored in the NDS memory, and the NDS only has 4MB. Retail games start at 8MB, so they'd never fit.

 

[dubbz82]

so still viable for homebrew anyways (provided it doesn't exceed the 4mb)

 

[loco365]

so still viable for homebrew anyways (provided it doesn't exceed the 4mb)

If the encryption can be cracked (Although it apparently has). Simply renaming a NDS homebrew game to an SRL file, inserting it into a rom with the proper name, and sending it over won't do anything. It will fail authenticity checks and crash upon code execution.