3DS Hacking Ideas: Post Your Ideas Here!

Discussion in '3DS - Flashcards & Custom Firmwares' started by Rydian, Apr 8, 2013.

  1. Rydian (OP)

    3DS Hacking FAQs: Post Your Ideas Here!

    Common Suggestions

    • "Let's send it a hack through wifi/custom-mii/bluetooth/NFC/SD/update!"
      • That's about as useful as saying "Start your online personals ad with a fancy word like 'indubitably' and get laid!"; you're missing about 75 steps in between the start and finish. The 3DS will only naturally run code that's signed, so just feeding it custom code through some interface will do nothing.


    • "I found a crash, let's use that to make a hack for it."
      • Unlike older systems, the 3DS has things like the NX bit and potentially ASLR. These features mean that you cannot simply inject a blob of custom code through a crash and have it run anymore.


    • "Why don't we just hex-edit one of the games?"
      "Hey guys, let's send it a faked update file with a hack in it!"
      "Let's just hack a game on an SD card to hack the system."
      "We can edit one of the ambassador games to swap ROMs with a hack, right?"
      • Games and programs on the 3DS are signed, so if you manually change the program code (without re-signing it) the signatures become invalid and the 3DS will refuse to run whatever you edited.


    • "Why not look into the 3DS and find the key?"
      • The key to sign things is not in the 3DS. The 3DS has a "common/public" key which is used to decrypt things and check signatures. Only Nintendo has the "secret/private" key/data needed to sign things. See here or here for the basic idea of how asymmetric encryption works.


    • "Well we have the keyhole, so to speak, so let's use it to guess the shape of the key!"
      • Asymmetric encryption uses a set of two keys, not a key and a keyhole. In addition, it's specifically designed so that you cannot use one key to find another.


    • "If the encryption was designed by Nintendo then it MUST have a flaw somewhere!"
      • It was not designed by Nintendo. RSA Encryption was created ages ago, and is used worldwide.


    • "Let's just wait for some small-time game company to leak the keys!"
      • They never get them. Only Nintendo has the data. Game companies, when they're done making a game, send it to Nintendo, then Nintendo signs it for them.


    • "Let's just guess the key."
      • That's just not plausible. Let's say, for example, that the system uses 128-bit RSA encryption for signing. This means there's a certain number of possible keys, with one of them being correct. How many keys are there? 2 (binary, a bit) to the 128th power (number of bits). That's so many that the calculator that comes with Windows can't even display the number without reverting to scientific notation. 128 bits is 340,282,366,920,938,463,463,374,607,431,768,211,456 possible values in binary.

        If you want it visualized in hex (like keys are often distributed), then we subtract one to get the maximum value (since 0 is a possibility but a representation of no number) and convert it to hexadecimal, and we end up with a 32-character key range of 0x00000000000000000000000000000000 to 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF.

        Either way you display it, that is 340 undecillion combinations. The actual number is a bit less since a key will be a certain number of digits and be designed to not have repeating segments, but this puts it in perspective.

        Let's say that you have a super computer that can try 50,000 unique keys a second. Let's say that you also have 499 friends with super computers that can each try 50,000 unique keys a second.

        25,000,000 keys a second.
        1,500,000,000 keys a minute.
        90,000,000,000 keys an hour.
        2,160,000,000,000 keys a day.
        788,400,000,000,000 keys in one year.

        So in one year, you and your 499 friends would have managed to try 0.0000000000000000000002% of the keys (and thus have about a 0.0000000000000000000002% chance of success).

        That's just 128-bit, and in reality the DSi uses 1024-bit, and the 3DS uses 2048-bit.
        (I'm just not doing math on numbers that goddamned large.)


    • "Well then how the hell do we currently run homebrew on systems that check encryption/signing without knowing the key!?!"
      • You need an exploit that slips code past the signature check once, and the exploit also needs to gain the highest rights in a system in order to modify the system to remove the signature checks. Then once the checks have been removed, you can run whatever.
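    An added worked example (not part of Rydian's post and not 3DS code) of three points above: a console ships with only the public half of a signing key, so it can verify but never sign; hex-editing a single byte of a signed program makes the signature check fail; and brute-forcing the key space at the post's 500 machines × 50,000 keys/s barely scratches a 128-bit space. The RSA parameters are constructed toy values (two Mersenne primes, chosen so the code runs instantly), not Nintendo's, and far too weak for real use; the "program image" is a constructed byte string.

```python
import hashlib

# Toy textbook RSA with fixed Mersenne primes (constructed for illustration;
# NOT secure parameters, and no real 3DS key material appears here).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: only the signer has this

PUBLIC_KEY = (N, E)    # what the console ships with: verifies, cannot sign
PRIVATE_KEY = (N, D)   # what only the vendor holds


def _digest_as_int(data: bytes, n: int) -> int:
    """Hash the program image and reduce it into the modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, private_key=PRIVATE_KEY) -> int:
    """Vendor side: needs the private exponent d."""
    n, d = private_key
    return pow(_digest_as_int(data, n), d, n)


def verify(data: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Console side: only (n, e) is required, so nothing here can sign."""
    n, e = public_key
    return pow(signature, e, n) == _digest_as_int(data, n)


def hex_edit(program: bytes, offset: int, new_byte: int) -> bytes:
    """Flip one byte of the 'program', the way a hex editor would."""
    patched = bytearray(program)
    patched[offset] = new_byte
    return bytes(patched)


# Brute-force arithmetic from the post: 500 machines at 50,000 keys/s each.
def keys_per_year(machines: int = 500, keys_per_second: int = 50_000) -> int:
    return machines * keys_per_second * 60 * 60 * 24 * 365


def percent_of_keyspace_tried(bits: int, keys_tried: int) -> float:
    return keys_tried / 2**bits * 100


def years_to_exhaust(bits: int, per_year: int) -> float:
    return 2**bits / per_year


if __name__ == "__main__":
    program = b"constructed sample program image"   # constructed input
    sig = sign(program)
    print("original verifies:   ", verify(program, sig))
    print("hex-edited verifies: ", verify(hex_edit(program, 0, 0x41), sig))
    per_year = keys_per_year()
    print("keys tried per year: ", per_year)
    print("% of 128-bit space:  ", percent_of_keyspace_tried(128, per_year))
    print("years to exhaust 128-bit space:", years_to_exhaust(128, per_year))
```

    Run it directly to see the three results; the functions return their values so the arithmetic can be checked against the post's 788,400,000,000,000 keys-per-year figure and its 0.0000000000000000000002% estimate.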
     


  2. nermal

    The most interesting thing I've read today. Thanks for sharing.
     

  3. Zanark11

    Nice text, but the problem (I don't know about hacking) is applying that, right? Or not? =D
     
  4. Syphurith

    Well then, Rydian.. You've made a good announcement.
    If the AES one is in the chip, and yeah, we cannot have the RSA one to sign, or any other special things..
    I've got that this custom ARM core has obstacles for hackers to change some content..
    Might we even have to decrypt the SEM and make a replacement of that chip?
    I do wonder that now, orz.

    (RSA length 2048/4096, so that should be safe for several years. TitleKey uses AES-128-CBC)
    (Well, I prefer the chip analysis; that should tell us what is used to block the unsigned content)
    For those who want to try brute-force or cracking AES, get the attachment.
    (Also notice: the key used to decrypt the TitleKey is the 3DS Common Key -- also widely used in the 3DS)
    (It is impossible to say I always know more than you. Indeed. So if you have talent in cryptography, or even if you are a student of a professional and know better about the vulnerabilities of AES -- I recommend you post the cost reduction here, rather than try cracking at this time.)
     


  5. Metoroid0

    Oooooh, I get it now..
    So the trick is to bypass the signature checking in the 3DS,
    or to eliminate it so nothing will check for a signature,
    meaning you can run whatever :D

    ....did I get it right?


    And also, thank you Rydian for your posts.. and sorry for your trouble in writing these things :)
    Great sticky (is that what you guys call it?)
     
  6. Rydian (OP)

    Heh, thanks.

    Yeah generally "hacking" a console refers to removing the signature checks so that homebrew (which is unsigned) will run.
     
  7. Syphurith

    I have recently got some books very helpful for novices in hacking. Here are the first two I found.
    1. Hacking the Xbox
    There is a free version as a PDF document; just Google for it. It will tell you some common sense related to hacking a game console. Hacking a console easily gets linked to hardware methods (yep, an FPGA is your friend).
    2. A Guide to Kernel Exploitation - Attacking the Core
    You may need to buy or borrow the book. It is all about the war between exploit writers and defenders. It can also be used as a tutorial book to lead someone through the door into hacking. It reminds me of the newer methods that may be helpful. I highly recommend you read the first 3 chapters - well, if you're too busy, at least read the first.

    Rydian, I think it may be a good choice to lead someone into the hacking scene..
    If you get any other books that are worth reading, please post the name here.

    Appendix
    1. When you successfully open the door to decrypted content, you may need to learn ARM to understand it.
    There are ARM references on arm.com, but I suggest you get an ARM disassembler first.
    If you don't know which one you should pick, try asking yellows8 for advice on 3dbrew.
    When you want to develop a few, there are IAS, MDK, and ARM DS-5 -- all commercial, so wait for openkit.
     
  8. Metoroid0

    Signature checker, YOU'RE FIRED!
     
  9. Tattorack

    Thanks, your explanation of the encryption has helped... putting it to scale so to speak.
    Now I wonder how many people would actually read this and not come up with the same questions...
     
  10. masterz87

    Eh... I hate to tell you this, but your math is _insanely_ off. First off, RSA uses 2 prime numbers, thus you cannot have _every_ single value. If it was 128-bit AES, which is what the DS uses for _encryption_, not code signing/PKI, then your math would be _completely_ correct, but since it's RSA, which _requires_ you to have 2 prime numbers, the total amount of values you can have is _much_ _much_ lower than that. Also, 128-bit RSA was more than enough in the 90s when it took you 20 min to generate the key and ~15 min to sign the thing. Nowadays though, that's no longer true. I don't have the article handy, but someone recently was able to factor a 512-bit RSA key (to get the private key) using Amazon's EC2 and it _only_ took them ~4 hrs. If someone who was _way_ better at code than me looked at the public key, then you could generate the RSA key way faster than you originally said, since the all-bits-used thing only applies to AES, which is absolutely true. That shit ain't ever getting broken (NSA might have something that can break an old session in ~3 yrs, but that's still questionable).

    Anyway, to reiterate something for you again, the TI calculator hacking community managed to _factor_ a 512-bit key, which is many millions of times harder to factor than the 128-bit one that the 3DS uses. So anyway, to just say it once more/finally: if a few people got together and spent a few hundred dollars, they could _easily_ factor the thing using Amazon's EC2 or Google's computing platform that they have. And this is because of the flaw in RSA. It's why all SSL certs nowadays _require_ 1024-bit RSA as a minimum, and now they're moving to 2048-bit; it's all because RSA is _way_, as in billions of times, weaker than AES and other encryption algorithms where you only have _one_ key. If a bunch of people can factor a 512-bit key in 2009, I'm sure that in 2013 with Amazon's EC2/Google's computing platform some people can easily do the same with 128-bit RSA. The key is _ungodly_ weak (when compared with what it should be), _but_ because of that, people can now factor it. Is it simple? Not really, but it's in no way, shape, _or_ form the numbers that you're putting out there. The numbers have to be prime, and they have to relate to each other. We already know one of them (I'm assuming, because how else would you know that it's 128-bit), and even though Nintendo _can_ change it via a firmware update, it's all over once it's found. Like the PS3, they can redo it, but all previously released games _have_ to work still, so there's no way to get rid of it besides forcing people to upgrade their firmware.


    edit: removed stuff that wasn't necessary to my point, so that way it was smaller.
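    An added illustration, not code from any poster and not 3DS material, of the two technical points in the post above: because both RSA factors must be prime, the number of usable moduli is far below 2^bits, and a short modulus can be factored to recover the private exponent from the public key alone. The prime count uses the prime number theorem approximation; `pollard_rho` is textbook Pollard's rho with Floyd cycle finding; the 40-bit toy modulus is built from two constructed ~20-bit primes. The same computation on a 2048-bit modulus is what the key length is there to make infeasible.

```python
import math


def approx_rsa_keypairs(bits: int) -> float:
    """Rough count of `bits`-bit RSA moduli: choose two (bits/2)-bit primes.
    Prime number theorem: roughly x / ln(x) primes below x, so the count of
    primes in [2^(h-1), 2^h) is about 2^(h-1) / ln(2^h)."""
    half = bits // 2
    primes_in_range = (2**half - 2**(half - 1)) / math.log(2**half)
    return primes_in_range ** 2


def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of composite n (Floyd cycle finding on
    x -> x^2 + c mod n). Fast only when n has a small factor, which is the
    whole point: short moduli give up their primes quickly."""
    if n % 2 == 0:
        return 2
    for c in range(1, 50):          # retry with a new constant if a cycle fails
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("no factor found")


def recover_private_exponent(n: int, e: int) -> int:
    """Given only the public key (n, e), factor n and rebuild d."""
    p = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


# Constructed toy key: two ~20-bit primes, a 40-bit modulus (not real key material).
TOY_P, TOY_Q, TOY_E = 1000003, 999983, 65537
TOY_N = TOY_P * TOY_Q
TOY_D = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))


if __name__ == "__main__":
    print("2^128 =", 2**128)
    print("approx 128-bit RSA key pairs =", approx_rsa_keypairs(128))
    print("toy modulus n =", TOY_N)
    print("factor found =", pollard_rho(TOY_N))
    print("d recovered from public key matches:",
          recover_private_exponent(TOY_N, TOY_E) == TOY_D)
```

    The recovered exponent equals the one the toy key was generated with, which is why a leaked or short public modulus is treated as a full compromise of the signing key; the defensive answer is the one the OP already gave, 2048-bit moduli, not hoping the factoring stays hard.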
     
  11. aalokishere

    Why do you use underscores instead of quotes? Felt like I was reading some kind of code.

    EDIT: Anyway OP, very good stuff
     
  12. yuyuyup

    They were used for emphasis, more akin to italics or caps than quote marks
     
  13. aalokishere

    I got the emphasis part. Just had never seen it before. So it's a typewriter way of underlining. Well, here you could actually underline or italicize or whatever, but I guess the poster's way is faster.
     
  14. masterz87

    It's because I mainly write text, thus the _ instead of underline is faster, and it's also something that works everywhere, including in my code. It's a bad habit I guess...

    edit: also, I could click the U, or use the BBCode that this site (likely) uses, or do other such things, but it always feels weird to me.
     
  15. aalokishere

    Yeah got that. Might even copy it myself.
     
  16. Rydian (OP)

    Added the "I found a crash, let's use that to make a hack for it." bit.
     
  17. LinkBlaBla


    I understand your point in saying that "I found a crash, let's use that to make a hack for it" is not simple, that you can't put an exploit into just a crash. But maybe if we try different ways of crashing the message, or put in a new message, decrypted and encrypted again, for Swapnote, maybe the 3DS would run it. I said maybe; that's why I started a thread, and unfortunately they blocked me from my own thread. So what I want to say is that if we try to run certain code in the message with the computer, and find a way to send it to the 3DS or put it in the folder, maybe the message will open, then crash, and after this maybe we will be able to use this to hack the 3DS. I said maybe, but that's just my point; I'm not an expert.
     
  18. Rydian (OP)

    We can't encrypt/sign things, we don't have the key.
     
  19. PsyBlade

    Since we can compose messages on the 3DS a presumed key needs to be in there.
    Which means that it probably can be dug out.
     
  20. Rydian (OP)

    As far as sending something in swapnote?

    Yeah, but I'm talking the actual critical part. :P
     
