3DS Hacking Theory Thread

Status
Not open for further replies.
Sheimi said:
I can't reproduce it via flash cart since I am at school at the moment (school lets out in a few minutes). I will update this post if I can reproduce it with Mario Kart DS.
And how could you even use a code to buffer overflow it anyway? Seriously what means do you have of running executable code on the thing?
 
I figured that it'd be possible to do something with a "hacked" Wii. Like connecting it to the Wii, and allowing an installer or something to run. I'm not very in tune with the whole process so it may be impossible.
 
Devin said:
I figured that it'd be possible to do something with a "hacked" Wii. Like connecting it to the Wii, and allowing an installer or something to run. I'm not very in tune with the whole process so it may be impossible.

At the moment the only connectivity there is the old DS connectivity [which won't help much anyway] and the Mii connectivity,
so you would need to hack the Miis and also hope that the 3DS accepts the Mii.
 
twiztidsinz said:
No(t much) offense intended... but this is stupid.
And some of the reasons are even more stupid.
Knyaz Vladimir said:
C- Use the Photo or Sound channels and boot up an exploit in JPG, MPO, or MP3. I doubt having a rar file in a JPG would work. (Somewhat possible)

D- Use a HEX editor to find an unencrypted file on a 3DS and figure out more information on the system and the keys (if it even has that). (Very unlikely)

E- Run ROMs through a HEX Editor, which is impossible right now, due to no ROMs existing at time of writing. (Even LESS unlikely)

F- Wait for the May update and make an exploit. (Probable)

G- Try and use exploits already made to do this. Which is EXTREMELY unlikely.

H- Transfer a Mii with an exploit or scan an exploited QR code. (Mii with exploit somewhat possible, QR is very unlikely)
C, F, G, H: Exploits are FOUND not made, that's why they are EXPLOITS not HACKS.
C, G, H: There are no pre-made exploits for the 3DS. Exploits for other systems (PC/Wii) will not work.
D, F: FUCK! RANDOM HEX EDITING DOES NOT WORK, IT HAS NEVER WORKED, IT NEVER WILL WORK!
As I said, most of these ideas are not mine; they are harvested from other threads. I made this thread for people to post ideas on finding exploits, and using them. We've already got one, let's just try to get SOMETHING. Also, "exploits" was referring to DSi exploits, which are very unlikely to work. NOT PC NOR WII!

Fuck, I thought you people read topics entirely before posting.

Let's just try to make something run on 3DS.
 
Devin said:
I figured that it'd be possible to do something with a "hacked" Wii. Like connecting it to the Wii, and allowing an installer or something to run. I'm not very in tune with the whole process so it may be impossible.

This. Debugging a Wii while accessing a 3DS at the Nintendo Channel?
 
Knyaz Vladimir said:
Also, "exploits" was referring to DSi exploits, which are very unlikely to work. NOT PC NOR WII!
At best, they'd work in DSi mode... not really 3DS hacking, but most likely they've already been fixed like the Cooking Coach/iEvolution hack.
 
Coto said:
Devin said:
I figured that it'd be possible to do something with a "hacked" Wii. Like connecting it to the Wii, and allowing an installer or something to run. I'm not very in tune with the whole process so it may be impossible.

This. Debugging a Wii while accessing a 3DS at the Nintendo Channel?
Location confirmed. Sending supplies.

Anyway, EoF time over, this might be the closest theory we have. If the 3DS can access DS Download Play, then we can send a signal which fires up prog.3DSR (.3DS is a taken file type, lol), opening up a hole in the system and booting malicious code. Of course, that is very difficult to do, but quite likely.

Softmodded Wiis, AWAY!
 
Yes, you can use steganography to hide whatever content you want, including RAR archives, inside something that looks like a plain simple JPEG file. But this has totally no use in hacking whatsoever and is completely unrelated to the libTiff exploit on PSP which involved a carefully crafted TIFF file with PSP executable code inside.

For the brute force - again. How the fuck should it work?
Usually, bruteforcing works like this:
- you generate a key
- you try to decrypt the encrypted file using this generated key
- if the result of decryption turns out to be some random junk, repeat
- if the result seems to make sense, bingo, you've found the key
But to be able to do this you need to know what encryption algorithm was used in order to try the decryption.
So please tell me, what encryption algorithm is the 3DS using? What is its block size? What is its key size? Are the passwords salted?

Now for the devkits. Granted, owning one of them would be a great help. We'd at least know what the 3DS' CPU is, how well the Pica200 performs, how you communicate with the various input devices and so on... I know you have to sign a non-disclosure statement when buying the SDK, but can't someone leak the specs anonymously?
 
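The four-step loop in the post above, as an added illustration that is not code from this thread: it runs against a constructed toy cipher whose 16-bit key can actually be enumerated, uses a known header as the "does the result make sense" test, and then does the arithmetic that shows why the same loop is hopeless at real key sizes. The cipher, the `TXT1` header and the keys-per-second rate are all assumptions made for the example.

```python
from typing import Optional

MAGIC = b"TXT1"  # assumed: a known header that marks a correct decryption

def toy_keystream(key: int, length: int) -> bytes:
    """Constructed toy cipher: an LCG seeded by the key, one byte of state per position.
    It exists only to make the keyspace enumerable; it is NOT the 3DS's cipher."""
    state = key & 0xFFFFFFFF
    out = bytearray()
    for _ in range(length):
        state = (1103515245 * state + 12345) & 0xFFFFFFFF
        out.append((state >> 16) & 0xFF)
    return bytes(out)

def toy_crypt(key: int, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, toy_keystream(key, len(data))))

def looks_like_plaintext(candidate: bytes) -> bool:
    """The 'does the result make sense' step: known header plus mostly printable ASCII.
    Without some such test (a header, padding, a checksum) there is nothing to bingo on."""
    if not candidate.startswith(MAGIC):
        return False
    printable = sum(1 for b in candidate if 32 <= b < 127 or b in (9, 10, 13))
    return printable >= 0.95 * len(candidate)

def brute_force(ciphertext: bytes, key_bits: int) -> Optional[int]:
    """Steps 1-4 of the post: generate every key of key_bits bits, decrypt, test, repeat."""
    for key in range(1 << key_bits):
        if looks_like_plaintext(toy_crypt(key, ciphertext)):
            return key
    return None

def years_to_exhaust(key_bits: int, keys_per_second: float) -> float:
    """Wall-clock years to try every key at an assumed trial rate."""
    return (1 << key_bits) / keys_per_second / (365.25 * 24 * 3600)

# Constructed sample: a 16-bit key and a header-tagged message.
SAMPLE_KEY = 0x0BAD
SAMPLE_PLAINTEXT = MAGIC + b" hello from the host DS"
SAMPLE_CIPHERTEXT = toy_crypt(SAMPLE_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("recovered key:", hex(brute_force(SAMPLE_CIPHERTEXT, 16)))
    print("years for a 128-bit key at 1e12 keys/s:", f"{years_to_exhaust(128, 1e12):.3g}")
```

The 16-bit key falls in milliseconds, but the same loop at 128 bits needs on the order of 10^19 years even at a trillion trials per second, and it cannot even start without knowing the algorithm and having a recognisable plaintext.
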
Knyaz Vladimir said:
Coto said:
Devin said:
I figured that it'd be possible to do something with a "hacked" Wii. Like connecting it to the Wii, and allowing an installer or something to run. I'm not very in tune with the whole process so it may be impossible.

This. Debugging a Wii while accessing a 3DS at the Nintendo Channel?
Location confirmed. Sending supplies.

Anyway, EoF time over, this might be the closest theory we have. If the 3DS can access DS Download Play, then we can send a signal which fires up prog.3DSR (.3DS is a taken file type, lol), opening up a hole in the system and booting malicious code. Of course, that is very difficult to do, but quite likely.

Softmodded Wiis, AWAY!

Good idea, but I meant sniffing the ARM-generated code done through the Wii while doing the handshake with the 3DS.

And, if you would want to boot an executable through 3DS, it must be signed first.
 
I noticed that the DS Download and Play still has access to the home button (3DS mode?).

Is it possible to run some kind of ds download play diagnostic homebrew and then get access to 3DS mode that way?
 
I see people saying that DS code is run through emulation. How do we even know this? Wouldn't it be more likely that there is an actual DS chipset in the 3DS that runs it directly?

I checked marcan's and bushing's Twitter; all I see are posts about DSi and they're kinda old. I wonder if they are at least going to take a look at this thing. Does anyone know if they're working on it?
I also find that marcan works on much less interesting, strange stuff, like children's toys, the Miley Cyrus guitar, and LeapFrog devices, not sure why exactly, also the Vii. You'd think the 3DS would be so much more interesting to him.

If we do see an exploit found, it will most likely either come from him or a Chinese flashcard manufacturer.
I didn't know how the DS exploit started but was kinda surprised to read here that it was a game exploit, and not found by a Chinese flashcard company. But I think this time they will have much banked capital from the sale of DS cards and much incentive, now that they see how profitable it was with the DS, to work very hard on a 3DS card. I was also surprised they didn't come up with it first since the DS was made in China, and I'm sure the 3DS is too. I think Ninty subbing out the dev to China greatly opens up the possibility of IP theft.
And what is to stop the card manufacturers from setting up a front company posing as a 3DS game development house to obtain a dev kit? Or a secret deal between a shovelware developer and a card manufacturer, to put an "accidental" bug/exploit in one of their crap titles and leak it to said card manufacturer?

I don't know a lot about the other scene developers, but it seems like marcan is really the only one with both the software AND the hardware and soldering skills to pull it off. I think Waninkoko and Hermes and most other scene devs just deal with the software end; I've only really seen marcan and geohot with heavily modified console hardware setups. I know there are other less known people that can do it too, but I'm just saying, out of the most well known regularly heavily active ones.
 
I am using the Relocator on Pokemon Black in my original DS (launch day) to access my 3DS.

With Pokemon Platinum in the 3DS.
The Home button threatens to close it out (so suspension is impossible even when the connection ended) and the Relocator remains running in the background so not a single interruption from the Home button.

With a 3DS game in the 3DS.
Relocator says that the game is incompatible.

For control testing, I put in my Picross DS in the 3DS.
Relocator says that the game is incompatible.

No game in the 3DS.
Relocator says that the game is incompatible. (heart breaker...)

I picked the Relocator in Pokemon Black/White because I know it reads data from the save, transfers the data it finds to the host, and writes altered save data. Unfortunately, we have no idea if a DS Download is denied access to a 3DS cart, but the only way to know for certain is to have a homebrew ROM/save dumper that is loaded via DS Download and transfers the data back to the host, which writes the data to storage (most likely a microSD). I will be searching through my game library for a game that has DS Download that acknowledges that there is no game inserted. It was a nice try though for a possibility to dump 3DS ROMs and dump/write 3DS saves (maybe Nintendo didn't want a "no cartridge found" in the Relocator for a reason).
 
New theory:
We bruteforce the DS/DSi RSA key for DS Download Play, then we need a second DS with a flashcard and send modified packages to the 3DS which include an update, we sell this hack to TeamCyclops, and then PROFIT!!!!!!! $$$$$$$$$$$$$$$$$$$$
 
Schicksalsheld said:
New theory:
We bruteforce the DS/DSi RSA key for DS Download Play, then we need a second DS with a flashcard and send modified packages to the 3DS which include an update, we sell this hack to TeamCyclops, and then PROFIT!!!!!!! $$$$$$$$$$$$$$$$$$$$

Why do we bruteforce the DS RSA key?
 
Schicksalsheld said:
New theory:
We bruteforce the DS/DSi RSA key for DS Download Play, then we need a second DS with a flashcard and send modified packages to the 3DS which include an update, we sell this hack to TeamCyclops, and then PROFIT!!!!!!! $$$$$$$$$$$$$$$$$$$$

What a very assholic thing to do. Instead of running a costume firmware... and setting up the 3DS with its own version of Cydia, making suitable grounds for profit for garage developers, and adding legal competition for the 3DSWare shop, you come up with selling the stuff to Cyclo, which would only enable piracy and some ubmisial homebrew in most cases (since garage makers won't have motivation to actually make their games).

We make a non-official shop on the 3DS, and I guarantee that homebrew will take off on the 3DS like on no other before.
 
pachura said:
Masterpaul said:
costume firmware
:facepalm:
Sounds awesome.
On a more serious note, if we can encrypt, decrypt and put saves back on the cart, why aren't we looking for buffer overflows? Or maybe the pros are doing it, but without us knowing.
However, it shouldn't be too hard. If you have the backuptool, why not try? Won't hurt.
 
TheNikkoMan said:
On a more serious note, if we can encrypt, decrypt and put saves back on the cart, why aren't we looking for buffer overflows? Or maybe the pros are doing it, but without us knowing.
However, it shouldn't be too hard. If you have the backuptool, why not try? Won't hurt.
Generally if you post that you're working on something, people expect it to be done (and then piss all over the place when it's not released, even if you gave no promise that there would even BE an exploit in it, since you're just looking for one).

The pros know this, so they don't talk about shit before releasing it, as this article shows.
http://hackmii.com/2011/02/return-of-the-jodi/
 