[33c3] Console Hacking 2016 (3DS/WiiU) talk Dec 27-30: smea, derrek, nedwill, naehrwert

Discussion in '3DS - Homebrew Development and Emulators' started by zoogie, Nov 21, 2016.

?

What will Santa Hax bring us this year?

Poll closed Dec 27, 2016.
  1. Slowhax (arm11 kernelhax)

    184 vote(s)
    32.1%
  2. Soundhax (free primary userland sploit)

    183 vote(s)
    31.9%
  3. Bootrom dump method !!

    166 vote(s)
    28.9%
  4. Something more awesome than the above.

    156 vote(s)
    27.2%
  5. Something nice for the WiiU

    178 vote(s)
    31.0%
  6. Nothing. Ninty will banhammer: 001-1337 "Your use of this speech has been restricted by Nintendo"

    80 vote(s)
    13.9%
  7. This checkbox pleases me

    152 vote(s)
    26.5%
  8. ( ͡° ͜ʖ ͡°)

    92 vote(s)
    16.0%
Multiple votes are allowed.
  1. zoogie
    OP

    zoogie simple pimp tool

    Member
    6,237
    7,909
    Nov 30, 2014
    United States
    TL;DR Summary of Talk:
    • Soundhax - Excellent, convenient, and free userland primary that hacks the built in sound application with just an MP3 on the sd card. Will be released soon according to nedwill.
    • Fasthax - New arm11 kernel expoit (like memchunkhax, waithax, etc.) also by nedwill. Works on latest firm and should be released soon just like Soundhax. Should allow nfirm downgrading on latest firm when more advanced dsiware injection techniques are released very soon.
    • Method to dump arm9 bootrom detailed by derrek. Hash given as proof. The same technique has been worked on for months already by #Cakey devs, so this will likely take quite a bit more time for a public dump to show up. One benefit of bootrom dumping is faster PC based crypto stuff instead of slow 3ds methods. The second benefit is the next exploit:
    • Sighax - The big one. Flaw discovered in the bootrom's RSA parsing process of the 3ds's firmware partition. This will allow us to sign our own custom firm and no more having to do risky downgrades and 100 step guides to get the OTP. Unfortunately, we need a bootrom dump to implement this and that is an issue, see above bullet point for why. You will also still need a way to actually write to system NAND, and even k11 hax usually isn't enough for that. Hardmod is also an option, but it's expensive and inconvenient. That should always be an option, at least, given sighax itself is unpatchable without hardware revision.
    • Method to dump arm11 bootrom and hash of it given by derrek. This isn't considered important.
    (skip yt video ahead to 20:00 for 3ds part of the speech - full talk at link below)

    https://media.ccc.de/v/33c3-8344-nintendo_hacking_2016

    Last year, this very event produced groundbreaking new 3ds hacks such as arm9loaderhax and memchunkhax2 that really shook up the scene. What will happen this year?
    Looks like our 32c3 friend derrek will return, but this time tagging along will be fresh new talent nedwill and Nintendo/Sony scene veteran naehrwert. Gonna be big, so stay tuned!
    Day: 2016-12-27
    Start time: 20:30 (German time)
    Duration: 01:00
    Room: Saal 2
    Track: Security
    Language: en

    lecture: Nintendo Hacking 2016
    Game Over
    game_over_1.png

    This talk will give a unique insight of what happens when consoles have been hacked already, but not all secrets are busted yet. This time we will not only focus on the Nintendo 3DS but also on the Wii U, talking about our experiences wrapping up the end of an era. We will show how we managed to exploit them in novel ways and discuss why we think that Nintendo has lost the game.


    As Nintendo's latest game consoles, the 3DS and Wii U were built with security in mind.
    While both have since been the targets of many successful attacks, certain aspects have so far remained uncompromised, including critical hardware secrets.

    During this talk, we will present our latest research, which includes exploits for achieving persistent code execution capabilities and the extraction of secrets from both Wii U and 3DS.

    Basic knowledge of embedded systems, CPU architectures and cryptography is recommended, though we will do our best to make this talk accessible and enjoyable to all. We also recommend watching the recording of last year's C3 talk called "Console Hacking - Breaking the 3DS".

    opRmcM0.png
    [​IMG]
    Courtesy of Julian20
    Update6: Jan. 09 - WiiU Summary point removed. Nobody cares.
    Update5: Dec. 27 - Youtube recording posted, thanks @Sasori
    Update5: Dec. 27 - Event complete
    Update4: Dec. 27 - Smealum sighting
    Update3: Dec. 26 - Countdown added courtesy of@gnmmarechal
    Update2: Dec. 22 - Video links added.
    Update1: Dec. 17 - 33c3 Bingo courtesy of @Suiginou
    Update0: Dec. 15 - Event date/time and other details.


    :arrow: Source
     
    Last edited by zoogie, Jan 10, 2017
    elBenyo, Joel16, NoNAND and 46 others like this.


  2. Exavold

    Exavold GBAtemp Advanced Fan

    Member
    996
    1,055
    Nov 9, 2015
    France
    Hype !
     
  3. Skylinedeadline

    Skylinedeadline Shitposter

    Member
    393
    194
    Jan 26, 2016
    United States
    I take it this is the best bet for slowhax to be released? If so neat.
     
    jt_1258 and Lotoonlink like this.
  4. Vappy

    Vappy GBAtemp Advanced Maniac

    Member
    1,507
    1,154
    May 23, 2012
    Last edited by Vappy, Nov 21, 2016
  5. metroid maniac

    metroid maniac An idiot with an opinion

    Member
    1,800
    718
    May 16, 2009
    These presentations are always the best Christmas presents.

    I can't wait.
     
    kprovost7314, SirBeethoven and fodder like this.
  6. TheVinAnator

    TheVinAnator GBATemp's Greatest Vin

    Member
    3,552
    2,554
    Jan 10, 2016
    Canada
    NO COFFEI!
    Wooo let's go!
     
  7. kingraa777

    kingraa777 boom!

    Member
    1,048
    266
    Apr 17, 2015
    awsome cant wait for this :)
     
  8. Aletron9000

    Aletron9000 3DS Master

    Member
    1,581
    428
    May 10, 2016
    United States
    3DS ARM9 CPU
    HYPE! when is 33c3?
     
  9. zoogie
    OP

    zoogie simple pimp tool

    Member
    6,237
    7,909
    Nov 30, 2014
    United States
    Its pretty bad when people don't read the topic's title much less the OP. :P

    Nevertheless, I added the date to the OP as well.
     
    WeedZ likes this.
  10. Aletron9000

    Aletron9000 3DS Master

    Member
    1,581
    428
    May 10, 2016
    United States
    3DS ARM9 CPU
    Oh, :blush: just saw that, sorry.
     
    zoogie likes this.
  11. Alex658

    Alex658 GBAtemp Maniac

    Member
    1,150
    340
    Jun 4, 2010
    Venezuela
    Venezuela
    This speech last year was what allowed me to finally downgrade my 9.4 second 3ds back into a hackable state :)
    Good times.

    They really think nintendo has lost the game? They must have something pretty powerful/unpatchable to think that. Because a9lh is already released and nintendo hasn't been able to patch it yet, they must be talking about something else then.
     
  12. VinLark

    VinLark This machine kills bourgeois sentimentality.

    Member
    4,092
    4,782
    Jun 11, 2016
    Trinidad and Tobago
    4chan and other wonders of the internet
    Neat, but what are the benifits of being able to dump and have bootroms?
     
  13. Vappy

    Vappy GBAtemp Advanced Maniac

    Member
    1,507
    1,154
    May 23, 2012
    https://www.reddit.com/r/3dshacks/c..._the_bootrom/d2alk5r/?st=ivsu8ing&sh=e5654253
     
    cheuble and VinLark like this.
  14. Conn0r

    Conn0r GBAtemp Fan

    Member
    327
    187
    Jan 10, 2016
    United States
    More decryption keys so we can do everything on a computer. Also with the dumped code we could search for a bootrom exploit though unlikely.

    Edit: Ninja'd ;(
     
    VinLark and Vappy like this.
  15. WiiUBricker

    WiiUBricker Insert Custom Title

    Member
    6,890
    3,910
    Sep 19, 2009
    Argentina
    Espresso
    I don't hink Santa Hax will bring us anything this year. Maybe a downgrade from latest firmware, maybe NES Classic Mini hax, but I don't expect anything.
     
    Stecker8, Alex1234 and Conn0r like this.
  16. Vappy

    Vappy GBAtemp Advanced Maniac

    Member
    1,507
    1,154
    May 23, 2012
    I believe nedwill's already said he planned to release musichax and slowhax after 33c3, but I could never find a direct quote from him, just other people saying he said it. I'm pretty confident they've got some cool surprises in store, not necessarily as a direct release but certainly for information, since the Wii U and 3DS were both pretty thoroughly covered in previous years. Maybe that elusive boot1 fail0verflow couldn't quite get.
    Shame that marcan's potential PS4 presentation apparently isn't happening, supposedly because it was applied for with the same presentation name as this one.
     
  17. einhuman197

    einhuman197 GBAtemp Advanced Fan

    Member
    942
    356
    Aug 17, 2015
    Germany
    Inside your bootloader (´◉◞౪◟◉)
    Time for arm7loaderhax :PP
    I expect bootrom cracking, sound hax, slowhax, an arm9 Exploit from nedwill and browserhax and menuhax for the latest fw's
     
  18. Osakasan

    Osakasan GBAtemp Advanced Fan

    Member
    788
    446
    Sep 19, 2015
    3ds is already wide open. Let's lube those Us, beibe <3
     
    Pandaxclone2 likes this.
  19. daxtsu

    daxtsu GBAtemp Guru

    Member
    5,536
    3,925
    Jun 9, 2007
    Antarctica
    Hopefully Derrek won't be as nervous this time, poor guy was white as a sheet at last year's talk. :P
     
  20. noctis90210

    noctis90210 GBAtemp Advanced Fan

    Member
    730
    106
    Dec 24, 2013
    i hope they will release a way run nds/dsi on home screen as a rom located on sd, installed as cia... :-)