Homebrew About Fieldrunners...

TheOverseer

Well-Known Member
OP
Newcomer
Joined
Sep 23, 2016
Messages
59
Trophies
0
Age
30
XP
153
Country
United States
I had a little idea, for a possible hack. But, before I mention this to have it looked into, I want to ask a few things about the DSiWare hack.

First of all, excluding things like firmware updates and TWL patches, Fieldrunners is a usermode exploit, correct? And uses an oversight to D/G Firm?

In other words, the only things needed to perform this hack are a game running in DSi mode, and a usermode exploit installed that can launch the associated boot.nds file, is this correct?
 

Davidosky99

Eevee :3
Banned
Joined
Jun 7, 2015
Messages
2,581
Trophies
0
Age
24
Location
Porto
Website
www.davidosky99.xyz
XP
1,159
Country
Yes, but the DSi game MUST be exploitable, and as of now the only use of it is for the FIRM plaintext attack, the same technique used to execute FIRM downgrades with a hardmod.
And before you ask, no, the boot.nds has a size limitation; you can't launch ROMs through there.
And you can't run a CFW from there, this isn't that kind of ARM9 exploit.
 

TheOverseer

Yes, but the DSi game MUST be exploitable, and as of now the only use of it is for the FIRM plaintext attack, the same technique used to execute FIRM downgrades with a hardmod.
And before you ask, no, the boot.nds has a size limitation; you can't launch ROMs through there.
And you can't run a CFW from there, this isn't that kind of ARM9 exploit.

I wasn't going to say anything like that. I realize if that was possible, someone probably would have already done so. I do have an important follow-up question that will sound stupid, but please hear me out.

So, I have looked around at the remains of CycloDS. I have heard on all DS mode flashcards, games that are DSi Enhanced still run in DS mode. So, by following this line of logic, is it safe to also think that DSi-Enhanced games run in DSi-Mode, to be able to use the additional features and such?

Forgive me, I'm brand new to the DS scene, and need a little information and things.
 

Davidosky99

I wasn't going to say anything like that. I realize if that was possible, someone probably would have already done so. I do have an important follow-up question that will sound stupid, but please hear me out.

So, I have looked around at the remains of CycloDS. I have heard on all DS mode flashcards, games that are DSi Enhanced still run in DS mode. So, by following this line of logic, is it safe to also think that DSi-Enhanced games run in DSi-Mode, to be able to use the additional features and such?

Forgive me, I'm brand new to the DS scene, and need a little information and things.
If you launch a DS/DSi flashcard it will launch in NTR mode AFAIK, not TWL, thus not being able to perform the FIRM plaintext attack.
 

TheOverseer

And to be clear, I know what TWL mode is. What is NTR mode again? Is that a specific part of FIRM? That's not the one used for normal DS games is it? It's specifically for hybrid DS/DSi games?
 

Davidosky99

Yes, for DS/DSi enhanced games/cartridges. The DSi titles on the home menu run in TWL and are the only ones with the capability of running this FIRM plaintext attack for downgrading; you can't use a DSi enhanced flashcard (runs as a cartridge) for downgrading.
 

TheOverseer

I have done a little more research, and I think this may not be true. NTR is the codename for the original DS. TWL is the DSi codename. These modes likely correspond to each other properly. But... I have something to run by you guys.

https://www.3dbrew.org/wiki/4.0.0-7 - A list of changes in the firmware. Take special note at the bottom, how it mentions TWL_FIRM was patched to block these exploits. However...TWL_FIRM is DSi. But if you look at the games themselves...

https://www.amazon.com/Classic-Word-Games-Nintendo-DS/dp/B001WCN250

This is actually a DS/DSi hybrid game. So, if I'm correct, this shows, at the very least, that enhanced game cartridges must interact with TWL in some way, correct? Otherwise, what would be the point of updating TWL_FIRM in response to that exploit?
 

Davidosky99

On the DSi (original DSi) the cartridges you put there would run in NTR mode and the apps you installed, DSiWare, would run in TWL mode.
2 different things with different accesses.
DSi enhanced cartridges ≠ DSiWare
 

GerbilSoft

Well-Known Member
Member
Joined
Mar 8, 2012
Messages
2,395
Trophies
2
Age
34
XP
4,254
Country
United States
DSi-enhanced cartridges do run in TWL mode, not NTR mode. (TWL_FIRM handles both; they didn't make a separate NTR_FIRM because there's no point.)

The main issue AFAIK is that DSi-enhanced cartridges don't have permission to access the eMMC, whereas DSiWare does.
 

TheOverseer

DSi-enhanced cartridges do run in TWL mode, not NTR mode. (TWL_FIRM handles both; they didn't make a separate NTR_FIRM because there's no point.)

The main issue AFAIK is that DSi-enhanced cartridges don't have permission to access the eMMC, whereas DSiWare does.

I haven't heard about eMMC much. What does it handle? Is this basically what DSiWare uses to downgrade FIRM, or does eMMC cover write access to the entire NAND in general and prevent that?

Could a DSi mode exploit in this manner, if it can't access FIRM to do the downgrade directly, be used to modify something else in TWL_NAND, like save files?

For example, could it run, say...DSiWare_Injector?
 

Davidosky99

I haven't heard about eMMC much. What does it handle? Is this basically what DSiWare uses to downgrade FIRM, or does eMMC cover write access to the entire NAND in general and prevent that?

Could a DSi mode exploit in this manner, if it can't access FIRM to do the downgrade directly, be used to modify something else in TWL_NAND, like save files?

For example, could it run, say...DSiWare_Injector?
eMMC = NAND.
And no, cartridges, as they only run in NTR, only modify themselves (EEPROM/saves); they can't touch the NAND.
 

GerbilSoft

The DSi/3DS eMMC is what most people refer to as "NAND". I call it eMMC because "NAND" is too generic (SD cards are NAND), and it can be confusing in some devices that have both raw NAND flash and eMMC (e.g. Wii U).

The eMMC isn't protected by an operating system in DSi mode like it is in 3DS mode; it's either all or nothing. DSiWare has to have eMMC access in order for save games to work, so they have "all" access, whereas cartridges save to an SPI flash ROM on the cartridge, so they have "no" access.

This does mean that DSiWare exploits can be used to modify anything on TWL_NAND, but in practice no one's done it because it's far easier to do that in GodMode9 once you've downgraded and have A9LH installed.
 

Roboman

Well-Known Member
Member
Joined
Jan 7, 2016
Messages
313
Trophies
0
Age
28
XP
739
Country
United States
Even though DSiWare (once exploited) can arbitrarily read and write to NAND, we run into the same limitations as doing so with a hardmod: most of it is encrypted per console and you lack the keys. Oddly, the plaintext bug exists because a fairly critical file was left unencrypted. A poster child of Nintendo's superb security.
 

GerbilSoft

Oddly, the plaintext bug exists because a fairly critical file was left unencrypted. A poster child of Nintendo's superb security.
It actually is encrypted, but since it uses AES-CTR with a static keystream (and no authentication), it's susceptible to a known plaintext attack (as mentioned).

From the implementation here: https://github.com/ihaveamac/firmswap

Assume the following:
  • FIRM0_11_1 == the encrypted FIRM0 partition on your NAND (which has 11.1)
  • DEC_11_1 == decrypted copy of FIRM from 11.1
  • DEC_10_4 == decrypted copy of FIRM from 10.4

FIRM0_11_1 XOR DEC_11_1 XOR DEC_10_4 == FIRM0_10_4

where FIRM0_10_4 is your FIRM0 partition with the 10.4 NATIVE_FIRM, encrypted for your specific console.

This *can* be fixed if Nintendo releases an updated Home Menu that requires a newer version of NATIVE_FIRM, but the last version that did this IIRC was 10.4.

Also see: https://www.3dbrew.org/wiki/3DS_System_Flaws#Hardware
 
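The XOR identity in the post above, worked through as an added example (this is not code from the thread or from firmswap). It models a console whose FIRM0 partition is encrypted with a CTR keystream that never changes for that console, dumps the encrypted partition, and with the two known-plaintext FIRM images forges the partition for the other version without ever learning the key. The console key, IV, image contents and all names (`Console`, `forge_firm0`, `run_attack`) are constructed for illustration. Real AES-CTR is used when the `cryptography` package is installed; otherwise a SHA-256 counter keystream stands in, which changes nothing about the attack, since it relies only on the stream being static and independent of the plaintext. The last function shows the generic mitigation the "(and no authentication)" remark points at, not what the 3DS actually does: a tag over the ciphertext makes the forged partition fail verification.

```python
"""
CTR keystream reuse: forging an encrypted FIRM0 partition from a known
plaintext.  Added example for this thread, not firmswap's code.  Keys,
IVs, image contents and all names are constructed for illustration.
"""
import hashlib
import hmac
import os
from typing import Callable, Optional

KeystreamFn = Callable[[bytes, bytes, int], bytes]


def sha_ctr_keystream(key: bytes, iv: bytes, nbytes: int) -> bytes:
    """Stand-in for AES-CTR: SHA-256(key || 128-bit counter), counter
    starting at iv.  Like AES-CTR, the stream depends only on (key, iv,
    offset) and never on the plaintext, which is all the attack needs."""
    out = bytearray()
    ctr = int.from_bytes(iv, "big")
    while len(out) < nbytes:
        block = (ctr & ((1 << 128) - 1)).to_bytes(16, "big")
        out += hashlib.sha256(key + block).digest()
        ctr += 1
    return bytes(out[:nbytes])


def pick_keystream() -> KeystreamFn:
    """Real AES-CTR if `cryptography` is installed, else the SHA-256 stand-in."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        return sha_ctr_keystream

    def aes_ctr_keystream(key: bytes, iv: bytes, nbytes: int) -> bytes:
        enc = Cipher(algorithms.AES(key), modes.CTR(iv)).encryptor()
        return enc.update(bytes(nbytes)) + enc.finalize()  # E(zeros) == keystream

    return aes_ctr_keystream


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch: pad the shorter image to the partition size")
    return bytes(x ^ y for x, y in zip(a, b))


class Console:
    """Per-console static keystream: the key sits in hardware and the IV for
    the FIRM0 partition never changes, so every write uses the same stream."""

    def __init__(self, keystream: KeystreamFn):
        self._key = os.urandom(16)   # console-unique, never readable by the attacker
        self._iv = os.urandom(16)    # fixed for this partition on this console
        self._ks = keystream
        self.firm0 = b""             # encrypted FIRM0 as stored on NAND/eMMC

    def install(self, dec_firm: bytes) -> None:
        self.firm0 = xor(dec_firm, self._ks(self._key, self._iv, len(dec_firm)))

    def boot(self) -> bytes:
        """What gets decrypted and run; no integrity check on the ciphertext."""
        return xor(self.firm0, self._ks(self._key, self._iv, len(self.firm0)))


def forge_firm0(firm0_cur: bytes, dec_cur: bytes, dec_target: bytes) -> bytes:
    """FIRM0_11_1 XOR DEC_11_1 XOR DEC_10_4 == FIRM0_10_4.
    FIRM0_cur = DEC_cur XOR KS, so XORing DEC_cur back out leaves KS, and
    XORing in DEC_target gives DEC_target XOR KS: the target FIRM encrypted
    for this console, with the key never recovered or needed."""
    return xor(xor(firm0_cur, dec_cur), dec_target)


def tag_firm0(tag_key: bytes, firm0: bytes) -> bytes:
    """Generic mitigation (not what the 3DS does): a MAC over the ciphertext,
    checked before decryption, turns the forgery into a boot failure."""
    return hmac.new(tag_key, firm0, hashlib.sha256).digest()


def run_attack(keystream: Optional[KeystreamFn] = None) -> dict:
    console = Console(keystream or pick_keystream())
    # Constructed dummy FIRM images of equal length (the real partition is
    # fixed-size, so a shorter FIRM would be padded to match).
    dec_11_1 = b"NATIVE_FIRM 11.1 " * 64
    dec_10_4 = b"NATIVE_FIRM 10.4 " * 64
    console.install(dec_11_1)
    firm0_11_1 = console.firm0                # dumped via hardmod or a DSiWare exploit
    forged = forge_firm0(firm0_11_1, dec_11_1, dec_10_4)

    tag_key = os.urandom(32)                  # held by a verifier, not the attacker
    good_tag = tag_firm0(tag_key, firm0_11_1)

    console.firm0 = forged                    # written back to NAND
    return {
        "downgraded": console.boot() == dec_10_4,
        "ciphertext_changed": forged != firm0_11_1,
        "forgery_detected": not hmac.compare_digest(good_tag, tag_firm0(tag_key, forged)),
    }
```

`run_attack()` returns `downgraded=True` whichever keystream backend is picked: the console happily decrypts and runs the 10.4 image even though the attacker never saw `_key`. The only inputs were the dumped ciphertext and two decrypted FIRMs, which is exactly why a previously hacked 3DS (to obtain the plaintexts) is a prerequisite and why the trick breaks as soon as the stored partition is authenticated or the stream stops being static.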

Roboman

It actually is encrypted, but since it uses AES-CTR with a static keystream (and no authentication), it's susceptible to a known plaintext attack (as mentioned).

From the implementation here: https://github.com/ihaveamac/firmswap

Assume the following:
  • FIRM0_11_1 == the encrypted FIRM0 partition on your NAND (which has 11.1)
  • DEC_11_1 == decrypted copy of FIRM from 11.1
  • DEC_10_4 == decrypted copy of FIRM from 10.4

FIRM0_11_1 XOR DEC_11_1 XOR DEC_10_4 == FIRM0_10_4

where FIRM0_10_4 is your FIRM0 partition with the 10.4 NATIVE_FIRM, encrypted for your specific console.

This *can* be fixed if Nintendo releases an updated Home Menu that requires a newer version of NATIVE_FIRM, but the last version that did this IIRC was 10.4.

Also see: https://www.3dbrew.org/wiki/3DS_System_Flaws#Hardware

So it would be safe to say that this critical file is *poorly* encrypted.
 

The Real Jdbye

*is birb*
Member
Joined
Mar 17, 2010
Messages
23,335
Trophies
4
Location
Space
XP
13,911
Country
Norway
It actually is encrypted, but since it uses AES-CTR with a static keystream (and no authentication), it's susceptible to a known plaintext attack (as mentioned).

From the implementation here: https://github.com/ihaveamac/firmswap

Assume the following:
  • FIRM0_11_1 == the encrypted FIRM0 partition on your NAND (which has 11.1)
  • DEC_11_1 == decrypted copy of FIRM from 11.1
  • DEC_10_4 == decrypted copy of FIRM from 10.4

FIRM0_11_1 XOR DEC_11_1 XOR DEC_10_4 == FIRM0_10_4

where FIRM0_10_4 is your FIRM0 partition with the 10.4 NATIVE_FIRM, encrypted for your specific console.

This *can* be fixed if Nintendo releases an updated Home Menu that requires a newer version of NATIVE_FIRM, but the last version that did this IIRC was 10.4.

Also see: https://www.3dbrew.org/wiki/3DS_System_Flaws#Hardware
I believe it was 9.6, since people have been using 10.3 FIRM with NTR for a long time, until recently when support was added natively to NTR.
So it would be safe to say that this critical file is *poorly* encrypted.
It's actually very secure encryption, but it doesn't change between firmware versions because the encryption key is stored in hardware so there's no way to change it. That allows us to use an already decrypted FIRM binary (which you can get with a hacked 3DS) to encrypt another one.
They probably could have used another encryption method that wouldn't be vulnerable to this, but to say that it's poorly encrypted is not entirely correct. Without the 3DS already being hacked we would never be able to do this. And it doesn't really matter in the end, since they can easily patch it.
 

TheOverseer

Alright, I've come back with more questions.

1. How are DSiWare games signed? Are they only signed with the console specific key? Is their sum checked? Is there any way, without having TWL_FIRM access already and unsigned code, to be able to modify the files at all? For example:

2. I know you can do things like export the DSiWare files, and even install them to another 3DS, but the 3DS will reject the key and not let you play it. Could this be utilized? If another 3DS can recognize it, but not play it, is there a chance that while being signed with a key, that key isn't needed to be able read the files, only to play the game itself? (As the 3DS checks the key).

If that's the case, could the saves, when exported, be vulnerable to manual injection?

I remember reading that originally on the DSi, you could move saves themselves independently, but it was then patched. Now I've heard it's more of a bundle package.

3. Is there any possibility to (I don't have DSiWare at the moment) to use the bundle package to import a DSiWare game that you have with the save intentionally, as the executable would be invalid, and then re-download Fieldrunners (that you actually own) to get a valid executable? Or would that delete the save?

Just a couple things on my mind. Still waiting for the charger for my 3DS XL, so I figured I'd go ahead and ask about these things.
 

ADS3500

Well-Known Member
Member
Joined
Jul 27, 2016
Messages
330
Trophies
0
XP
286
Country
Canada
Alright, I've come back with more questions.

1. How are DSiWare games signed? Are they only signed with the console specific key? Is their sum checked? Is there any way, without having TWL_FIRM access already and unsigned code, to be able to modify the files at all? For example:

2. I know you can do things like export the DSiWare files, and even install them to another 3DS, but the 3DS will reject the key and not let you play it. Could this be utilized? If another 3DS can recognize it, but not play it, is there a chance that while being signed with a key, that key isn't needed to be able read the files, only to play the game itself? (As the 3DS checks the key).

If that's the case, could the saves, when exported, be vulnerable to manual injection?

I remember reading that originally on the DSi, you could move saves themselves independently, but it was then patched. Now I've heard it's more of a bundle package.

3. Is there any possibility to (I don't have DSiWare at the moment) to use the bundle package to import a DSiWare game that you have with the save intentionally, as the executable would be invalid, and then re-download Fieldrunners (that you actually own) to get a valid executable? Or would that delete the save?

Just a couple things on my mind. Still waiting for the charger for my 3DS XL, so I figured I'd go ahead and ask about these things.
If you're talking about moving DSiWare games to the SD card to inject the save, that wouldn't work because they're encrypted. Yellows8 was looking for a way to inject DSiWare saves without an arm9 exploit a while ago, but I'm not sure if there has been any progress, and MrNbaYoh was looking into either a primary DSiWare entry point or one that would work through multiplayer, but he couldn't find anything and he hasn't said if he has made any progress with it.
 

TheOverseer

Thank you for the information. I figured they were encrypted, that's pretty brutal, and I assume plaintext is impossible because, once again, the encrypted key itself varies per system.

So, I guess I'll bring up something specific. SmileBASIC got an exploit, right? If this is the case... has anyone tried looking into Petit Computer, its predecessor? It's technically DSiWare, so it would have proper access, I think it has QR code access, and I think it's downloadable for 3DS/2DS.
 

CeeDee

fuckin dork
Member
Joined
May 4, 2014
Messages
5,360
Trophies
3
XP
9,942
Country
United States
Thank you for the information. I figured they were encrypted, that's pretty brutal, and I assume plaintext is impossible because, once again, the encrypted key itself varies per system.

So, I guess I'll bring up something specific. SmileBASIC got an exploit, right? If this is the case... has anyone tried looking into Petit Computer, its predecessor? It's technically DSiWare, so it would have proper access, I think it has QR code access, and I think it's downloadable for 3DS/2DS.
I believe it was removed from eShop after SmileBasic's release.
 
