Homebrew how do people find exploits on consoles like 3ds

Jimmay123

I really want to learn how it's all done, what happens under the hood, how it works, and be able to come up with an exploit.
Like how did smea find ninjhax, for example? I know shit all about coding, and while I have one or two ideas I wouldn't even begin to know how I'd try it, or even if it would work out or whether my 3DS would explode.
Anyone got a resource for someone like me who knows zilch about exploiting and coding, to teach myself how to do it all? :)
 

The Real Jdbye

I really want to learn how it's all done, what happens under the hood, how it works, and be able to come up with an exploit.
Like how did smea find ninjhax, for example? I know shit all about coding, and while I have one or two ideas I wouldn't even begin to know how I'd try it, or even if it would work out or whether my 3DS would explode.
Anyone got a resource for someone like me who knows zilch about exploiting and coding, to teach myself how to do it all? :)

All it takes is the right skill set, and hard work and dedication. Start by learning programming, and then move on to more advanced things like hacking/reverse engineering older games. But the people who are hacking the 3DS have been programming and such for years; it takes a lot of experience (not necessarily in hacking, but in general programming) to be able to do things like this.
 

nop90

I really want to learn how it's all done, what happens under the hood, how it works, and be able to come up with an exploit.
Like how did smea find ninjhax, for example? I know shit all about coding, and while I have one or two ideas I wouldn't even begin to know how I'd try it, or even if it would work out or whether my 3DS would explode.
Anyone got a resource for someone like me who knows zilch about exploiting and coding, to teach myself how to do it all? :)

An Informatics Engineering degree could be a good starting point.
 

Noctosphere

Here is how I see everything about coding:
There are many languages for coding, but the one mainly used for video games, on PC AND on console, is currently C++.
C++ is a complex language based on what we call objects.
Objects are composed of many functions and variables (I don't recall their correct names in English, I learned programming in French ^^)

Objects can be visualised as a cube that you can't see through.
Variables can be visualised as mechanisms inside the cube. You can't touch them, you can't modify them, you can't see them.
Functions can be visualised as buttons on the cube. Once you press a button, a function, the mechanisms begin to move and to modify each other, but only in the way the programmer wanted them to.

That way, variables cannot be touched. Users of the cube/object cannot modify whatever they want to whatever they want. It's like changing the maximum life of a character: the programmer doesn't want the user to change it from 100 to 10000.
So, with the cube, only some variables can be modified, and only in certain ways, depending on how the programmer wanted it.

The cube is the object, but it also acts as a protection; in the case of the Wii U, I think this protection is called the kernel (please tell me if I'm wrong).
Even if the cube has 6 square faces that you can't see through, there is always some tiny crack. For example, the cube is 1 cubic metre in size and there is a crack of 0.3 millimetres on one of the faces.
This crack is called an exploit, and it is the role of the hacker to find it and exploit it. Even if this crack is only 0.3 millimetres long, it's more than enough for a hacker to find a way inside the cube, to modify some variables and to be able, in the case of the Wii U,
to load some files that couldn't be loaded before: ISOs, homebrew and such things, for example.

There is a trick however; it's called an update.
But updates are double-edged.
Updates won't just fix the crack on the face of the cube (don't ask me why, it's just against the rules of programming, compilation, and whatever).
Here is what updates do: they completely remove the cube, they create another cube, and then they put everything back in the cube.

This way, the cube doesn't have the crack at this place anymore... BUT!!!! It's a whole new cube; there isn't a crack here, but since it's a whole new cube, there might be a new crack on another face of the cube.
This crack could be 0.04 millimetres, so it will be harder for the hacker to find it, but it could also be 0.8 millimetres, so it will be easier for the hacker to find it.

So, to sum up:
Exploits are cracks in a wall (the protection, alias the kernel), separating users (you) and mechanisms (variables users aren't supposed to see).
 

TheCruel

In the beginning, it's all hardware reverse engineering, so you would seek help from microprocessor engineers unless you know how to decap a CPU or extract the necessary information yourself. Even then, it's a matter of getting access to internal information (firmware, memory states, etc.), which requires tapping in at the hardware level (see: JTAG as a common example). Once you're able to read from ROM/RAM, then it mostly requires a shit ton of tinkering, observing, and documenting behaviors. This is where it helps to be an experienced (low-level) programmer. There are common exploits and entry points like buffer overflows that have certain flags and indicators to look for.

It basically takes a lot of time, knowledge, and luck.

If you want to do this, then learn how computers work: computer instructions down to the ASM level, different types of memory and how they all work together, etc. I suggest you start with software reverse engineering; learn to disassemble Photoshop and make a crack to get it to bypass product code/serial registration, for example. Though obviously you don't start with Photoshop.
 

Noctosphere

1) Locate a module in the whole system that is likely to break
2) Try and break it

PS. If it sounds simple: it isn't
No, it's very simple:
1) open the 3DS and rip off a chipcard
2) try and break it

done.... huh... WAIT! WHAT!!!!!
MY 3DS NOOOOO!!!!
 

fuyukaidesu

Here is how I see everything about coding:
There are many languages for coding, but the one mainly used for video games, on PC AND on console, is currently C++.
C++ is a complex language based on what we call objects.
Objects are composed of many functions and variables (I don't recall their correct names in English, I learned programming in French ^^)

Objects can be visualised as a cube that you can't see through.
Variables can be visualised as mechanisms inside the cube. You can't touch them, you can't modify them, you can't see them.
Functions can be visualised as buttons on the cube. Once you press a button, a function, the mechanisms begin to move and to modify each other, but only in the way the programmer wanted them to.

That way, variables cannot be touched. Users of the cube/object cannot modify whatever they want to whatever they want. It's like changing the maximum life of a character: the programmer doesn't want the user to change it from 100 to 10000.
So, with the cube, only some variables can be modified, and only in certain ways, depending on how the programmer wanted it.

The cube is the object, but it also acts as a protection; in the case of the Wii U, I think this protection is called the kernel (please tell me if I'm wrong).
Even if the cube has 6 square faces that you can't see through, there is always some tiny crack. For example, the cube is 1 cubic metre in size and there is a crack of 0.3 millimetres on one of the faces.
This crack is called an exploit, and it is the role of the hacker to find it and exploit it. Even if this crack is only 0.3 millimetres long, it's more than enough for a hacker to find a way inside the cube, to modify some variables and to be able, in the case of the Wii U,
to load some files that couldn't be loaded before: ISOs, homebrew and such things, for example.

There is a trick however; it's called an update.
But updates are double-edged.
Updates won't just fix the crack on the face of the cube (don't ask me why, it's just against the rules of programming, compilation, and whatever).
Here is what updates do: they completely remove the cube, they create another cube, and then they put everything back in the cube.

This way, the cube doesn't have the crack at this place anymore... BUT!!!! It's a whole new cube; there isn't a crack here, but since it's a whole new cube, there might be a new crack on another face of the cube.
This crack could be 0.04 millimetres, so it will be harder for the hacker to find it, but it could also be 0.8 millimetres, so it will be easier for the hacker to find it.

So, to sum up:
Exploits are cracks in a wall (the protection, alias the kernel), separating users (you) and mechanisms (variables users aren't supposed to see).


This is cringe-worthy.
 

TheCruel

Well, he just described object-oriented programming and not really exploiting consoles...

but the one mainly used for video games, on PC AND on console, is currently C++.
Lol, the way you say it...


Noctosphere

This is cringe-worthy.
English isn't my native language; I'm looking on the internet and "cringe-worthy" means "FAIL".
If that's right, can you tell me how I am failing?
If it isn't, then could you explain to me what this means?
Am I supposed to apologise?
Am I supposed to laugh?
Maybe I should roll over and wait for a cookie :)
 

Noctosphere

Well, he just described object-oriented programming and not really exploiting consoles...


Lol, the way you say it...


I said that? Did I?
Well, what I'm about to say is very close:
All good video game programmers use C++.

:)
 

Kafke

Since Noctosphere was.... um... entirely wrong, I'll give a rundown.

If you don't know the ins/outs of coding in a low level language (C/ASM), you aren't going to be able to find an exploit. That's pretty much a guarantee. The idea of hacking the console is to get access to system features without authorization. On a regular computer, this is fairly simple, since that's the whole point, and 'hacking into a computer' is a lot simpler because we can access hardware, easily write software that runs, etc.

On a console (3DS), we don't have that luxury. There's no way to write code/programs/games for the console without being authorized by Nintendo and being given a nice pretty packaged developer's kit. So instead, we need to find a way to execute our own code. How we do this is by finding a vulnerability in some file loading system, 'exploit it', and then write ASM/C to do what we please.

Finding an exploit is tricky, since there's no guaranteed way of going about it. And there might not BE any exploits in the first place. Cubic Ninja, a shittily coded game, pretty much handed us an exploit on a silver platter. The game uses QR codes to generate levels, those levels are stored on and run off the SD card, and there are no checks to ensure the levels are valid (there might be, and Smea just found a way around those checks). Cubic Ninja then tries to load our junk level that's intentionally bad, and instead of loading a level, we have it run custom code instead. I'm not familiar with the exact nature of the exploit, but it appears to me that it's most likely a buffer overflow, with some code injection. It wouldn't surprise me if that was the case.

Once you have an initial exploit, you still have the problem of getting access to the system itself. Modern computers (and game consoles) typically have several levels of permissions, which is why Ninjhax can't do everything (like launch games). The code we are able to run is limited to what sort of access we have. For Ninjhax, that's anything Cubic Ninja has access to.

From there, the guys working on PastaCFW have found another exploit that gives us access to ARM9 (and ARM11, IIRC), which means we can do things like install CIAs, patch sig checks, and so on.

Patches, naturally, change the code in some exploited system to remove that vulnerability.

So the TL;DR: You don't find exploits. At least, not without a lot of computer science knowledge and a good understanding of how the hardware works. Shit's hard. Be impressed by the exploits these guys have found.

"Programming" doesn't have much to do with it. It's more system level stuff and ASM. "Programming" is just for the noobier of us, who don't care to deal with mucking around in ASM, but still want to write cool stuff.

Finally, at Nocto... OOP is almost never related to finding exploits, nor to cheating in games. And a kernel isn't a "protection", it's literally the system you are trying to exploit.
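The missing-validation pattern Kafke describes above (a level file read off the SD card with nothing checking that its contents are sane) written out as an added example; the level layout, MAX_TILES and both loader functions are constructed here for illustration and are not Cubic Ninja's or ninjhax's code:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed level-file layout, assumed for illustration (not Cubic Ninja's
 * real format): byte 0 = number of tiles, bytes 1.. = one tile id each.      */
#define MAX_TILES 64

typedef struct {
    uint8_t count;
    uint8_t tiles[MAX_TILES];
} level_t;

/* The pattern the thread describes: trust the count stored in the file.
 * A count above MAX_TILES writes past tiles[] (memory corruption), and a
 * count larger than the file reads past the end of blob.                     */
int load_level_unchecked(level_t *lvl, const uint8_t *blob, size_t blob_len)
{
    if (blob_len < 1) return -1;
    lvl->count = blob[0];
    memcpy(lvl->tiles, blob + 1, lvl->count);  /* BUG: count is untrusted data */
    return 0;
}

/* Hardened loader: reject the file unless the count fits both the
 * destination buffer and the data actually present in the file.              */
int load_level_checked(level_t *lvl, const uint8_t *blob, size_t blob_len)
{
    if (blob_len < 1) return -1;
    uint8_t count = blob[0];
    if (count > MAX_TILES) return -2;             /* would overflow tiles[]   */
    if ((size_t)count + 1 > blob_len) return -3;  /* would read past the blob */
    lvl->count = count;
    memcpy(lvl->tiles, blob + 1, count);
    return 0;
}

int main(void)
{
    level_t lvl;
    /* Constructed inputs: a sane 5-tile level, and a header claiming 200
     * tiles with only 5 bytes of data behind it.                             */
    const uint8_t good[] = {5, 1, 2, 3, 4, 5};
    const uint8_t bad[]  = {200, 1, 2, 3, 4, 5};
    printf("good, checked: %d\n", load_level_checked(&lvl, good, sizeof good));
    printf("bad, checked:  %d\n", load_level_checked(&lvl, bad, sizeof bad));
    /* load_level_unchecked(&lvl, bad, sizeof bad) would corrupt memory. */
    return 0;
}
```

The two checks in load_level_checked are the whole difference: the file's own length field is never allowed to decide how much gets copied.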
 
