3DS Hacking FAQs: Post Your Ideas Here!

Common Suggestions

"Let's send it a hack through wifi/custom-mii/bluetooth/NFC/SD/update!"

That's about as useful as saying "Start your online personals ad with a fancy word like 'indubitably' and get laid!" You're missing about 75 steps between the start and the finish. The 3DS will only naturally run code that's signed, so just feeding it custom code through some interface will do nothing.

"I found a crash, let's use that to make a hack for it."

Unlike older systems, the 3DS has things like the NX bit and potentially ASLR. These features mean that you cannot simply inject a blob of custom code through a crash and have it run anymore.

"Why don't we just hex-edit one of the games?"
"Hey guys, let's send it a faked update file with a hack in it!"
"Let's just hack a game on an SD card to hack the system."
"We can edit one of the ambassador games to swap ROMs with a hack, right?"

Games and programs on the 3DS are signed, so if you manually change the program code (without re-signing it) the signatures become invalid and the 3DS will refuse to run whatever you edited.

"Why not look into the 3DS and find the key?"

The key used to sign things is not in the 3DS. The 3DS has a "common/public" key, which is used to decrypt things and check signatures. Only Nintendo has the "secret/private" key/data needed to sign things. See here or here for the basic idea of how asymmetric encryption works.

"Well we have the keyhole, so to speak, so let's use it to guess the shape of the key!"

Asymmetric encryption uses a pair of two keys, not a key and a keyhole. In addition, it's specifically designed so that you cannot use one key to find the other.

"If the encryption was designed by Nintendo then it MUST have a flaw somewhere!"

It was not designed by Nintendo. RSA encryption was created ages ago and is used worldwide.

"Let's just wait for some small-time game company to leak the keys!"

They never get them. Only Nintendo has the data. Game companies, when they're done making a game, send it to Nintendo, and then Nintendo signs it for them.

"Let's just guess the key."

That's just not plausible. Let's say, for example, that the system uses 128-bit RSA encryption for signing. This means there's a certain number of possible keys, with one of them being correct. How many keys are there? 2 (binary, a bit) to the 128th power (the number of bits). That's so many that the calculator that comes with Windows can't even display the number without reverting to scientific notation. 128 bits gives 340,282,366,920,938,463,463,374,607,431,768,211,456 possible values in binary. If you want it visualized in hex (the way keys are often distributed), then we subtract one to get the maximum value (since 0 is a possibility, but it represents no number) and convert it to hexadecimal, and we end up with a 32-character key range of 0x00000000000000000000000000000000 to 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF. Either way you display it, that is 340 undecillion combinations. The actual number is a bit less, since a key will be a certain number of digits and is designed not to have repeating segments, but this puts it in perspective.

Let's say that you have a supercomputer that can try 50,000 unique keys a second. Let's say that you also have 499 friends with supercomputers that can each try 50,000 unique keys a second. That gives you:

25,000,000 keys a second.
1,500,000,000 keys a minute.
90,000,000,000 keys an hour.
2,160,000,000,000 keys a day.
788,400,000,000,000 keys in one year.

So in one year, you and your 499 friends would have managed to try 0.0000000000000000000002% of the keys (and thus have about a 0.0000000000000000000002% chance of success). That's just 128-bit; in reality the DSi uses 1024-bit, and the 3DS uses 2048-bit. (I'm just not doing math on numbers that goddamned large.)

"Well then how the hell do we currently run homebrew on systems that check encryption/signing without knowing the key!?!"

You need an exploit that slips code past the signature check once, and that exploit also needs to gain the highest privilege level in the system so it can modify the system and remove the signature checks. Once the checks have been removed, you can run whatever you want.
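The brute-force arithmetic from the FAQ, carried through in Python as an added example (not part of the original post), and extended to the 1024- and 2048-bit sizes the author skipped. It assumes the FAQ's own figures: 50,000 keys a second per machine, 500 machines, and a keyspace of 2^bits.

```python
from fractions import Fraction

# Figures from the FAQ's thought experiment (constructed for illustration,
# not measured): one "supercomputer" tries 50,000 keys a second, and you
# have 499 friends with the same hardware.
KEYS_PER_SECOND_PER_MACHINE = 50_000
MACHINES = 500
SECONDS_PER_YEAR = 60 * 60 * 24 * 365  # the FAQ ignores leap years


def keys_tried_per_year(rate=KEYS_PER_SECOND_PER_MACHINE, machines=MACHINES):
    """Distinct keys the whole group can test in one year."""
    return rate * machines * SECONDS_PER_YEAR


def keyspace(bits):
    """Upper bound on the number of possible keys of the given bit length.
    Real RSA keys are a subset of this, which only makes the point stronger."""
    return 1 << bits


def percent_searched_per_year(bits, keys_per_year=None):
    """Exact share of the keyspace covered in one year, as a percentage.
    Fraction keeps it exact; a float would underflow to 0.0 past ~1000 bits."""
    if keys_per_year is None:
        keys_per_year = keys_tried_per_year()
    return Fraction(keys_per_year * 100, keyspace(bits))


def one_in(bits, keys_per_year=None):
    """The yearly odds of success are 1 in this number; equivalently, the
    number of years needed to try every key. Python ints never overflow."""
    if keys_per_year is None:
        keys_per_year = keys_tried_per_year()
    return keyspace(bits) // keys_per_year


def digits(n):
    """Length of n written in decimal, a readable size for absurd numbers."""
    return len(str(n))


if __name__ == "__main__":
    for bits in (128, 1024, 2048):
        odds = one_in(bits)
        print(f"{bits}-bit: a {digits(odds)}-digit number of years to exhaust, "
              f"i.e. roughly a 1 in 10^{digits(odds) - 1} chance per year")
```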