3DS update process analyzed

Discussion in '3DS - Flashcards & Custom Firmwares' started by Cyan, Mar 27, 2011.


3DS update process analyzed by Cyan at 9:10 PM (38,655 Views / 1 Likes) 145 replies

  1. Cyan (OP)
    This is the 3DS hacking forum, so I'll talk about what's happening behind the scenes :P


    I updated my 3DS from 1.0.0-0E to firmware 1.1.0-1E and used Ethereal at the same time to see the transferred data.

    When exchanging data with the server, it first shows an application ID 00002400 (it should be the "settings" application, as this is the same when doing a connection test).
    Here is the header:
    Connection test communication


    Then, after connecting through SSL and communicating their certificates, it starts downloading the update files (without SSL this time?).
    The updates are located on NUS servers, like for the Wii.

    The used structure is also the same as the Wii, using folder and sub-folder named with Title ID.
    Here are the 9 files composing the 1.0.0-1E update:

    /ccs/download/0004001000025000/00000000 (15MB) <-- could be the 3D video footage.
    /ccs/download/000400DB00016102/00000001 (16.8kB)
    /ccs/download/000400DB00017102/00000003 (16.8kB)
    /ccs/download/0004013000001C02/00000003 (36.3kB)
    /ccs/download/0004013000002402/00000002 (98.8kB)
    /ccs/download/0004013000002D02/00000002 (276KB)
    /ccs/download/0004013000002E02/00000002 (132kB)
    /ccs/download/0004013000003402/00000002 (111kB)
    /ccs/download/0004013800000002/00000002 (827kB)

    The files can be downloaded manually from any computer: http://nus.cdn.c.shop.nintendowifi.net/ccs/download/0004001000025000/00000000
    There exist many other files in other folders not downloaded by the 3DS (just try different Title IDs and file numbers).

    The files are downloaded in the internal memory (not on SD card).

    Can these files be downloaded with NUSD?

    Ok, that's all :P
    I just wanted to list the Title ID names.
    Maybe it will become useful for hackers and developers, and they will figure out what the Title IDs are used for.


    edit:
    1.0.0-0E to 1.0.0-1E (15MB)
    1.0.0-1E to 2.1.0-3E (75MB)
    2.1.0-3E to 2.1.0-4E (80MB)
    2.1.0-4E to 3.0.0-5E (??MB)
     


  2. xdixonx
    I see this as being potentially useful, like maybe spoofing the update to load some form of custom firmware? That is, if the files didn't need some form of signing.

    Good to see some progress actually being made.
     
  3. OuHiroshi
    Very cool. Is there any way to dump the files for further analysis? I'm sure that the files are signed and encrypted.
     
  4. haddad
    That may be pretty useful info for hackers as you said.... and ya, thanks for the info
     
  5. Cyan (OP)
    Yes, I dumped the files, but I can't share them :/
    It's like for the Wii: you need to get them yourself using NUSDownloader (the Wii version is not working as is) or save the data with a packet sniffer while updating.
    I think the files are encrypted, as the console is communicating something through SSL before downloading; it could be the public key, because the file transfer is then in simple HTTP.
    I suppose Nintendo encrypted them, because they said the 3DS would be harder to hack, so it's only logical. But who knows, maybe they didn't.


    Just a thing:
    I still haven't accepted their user agreement, and yet, after setting my connection information, the console is talking with Nintendo servers (at least to tell me there was an update).
    The connection is established every time I'm going back to the system menu.
    I received a lot of UDP packets on my first connection; that may be the notifications in every language? I don't know. At least, nothing was transmitted in plain text.
    There are no more UDP packets now, only testing if the net is working.
     
  6. xdixonx
    This IS Nintendo we're talking about.
     
  7. Okami Wolfen
    What exactly makes everyone think it looks useful, aside from the fact that it looks complicated? Unless you are one of the hackers, you're not gonna have a good idea of what is useful and what is not.

    To op: nice find, tho.
     
  8. raulpica
    Everything was encrypted on the Wii and the DSi and I expect the same to happen here.
     
  9. xdixonx
    It's useful, because it means you can potentially decrypt the updates, inject some code and sign them. Then if you can spoof it to somehow download from your pc, then you have a kind of softmod.
     
  10. Cyan (OP)
    Currently it's not useful at all; it's only the filenames.
    Though it shows that it's still using multiple files and multiple Title IDs/versions; it's not a single firmware file.

    This system is what made the Wii fail, because instead of using a real firmware it depended on multiple IOS.
    Maybe they repeated that error?
    Or maybe it's a single firmware, and it downloaded only the updated files, seeing as they are very small, and is not relying on the IOS style anymore.

    What's noticeable too is the headers sent:
    User-Agent: CTR AC/01
     
  11. trev1
    Now didn't you have to accept the user agreement in order to update to newest firmware?
     
  12. Cyan (OP)
    No, I didn't have to.
    It still tells me to agree if I want to access internet/SpotPass/StreetPass.

    So, are Nintendo breaking their own user agreement by sending me notification of new firmware?
    They checked my firmware version, IP, MAC, maybe even my serial number and my logs (like I said, there were a lot of UDP exchanges on my first connection, which are not occurring anymore).


    I'm leaving the console in that state to see if more data is transferred without agreeing to SpotPass (not that it will change anything for me, I'm just curious to understand how things are working).
     
  13. xdixonx
    Well, I believe that when an exploit is found, it will be a rather simple one. Nintendo will have probably fixed even the most remote sign of a possibility, while leaving something painstakingly simple open.
     
  14. WiiUBricker
    Even a firmware/system that relies on multiple IOS can be secure if they are well programmed.
     
  15. pachura
    Thanks Cyan. This is definitely interesting.

    1. You're writing that "you've dumped the files, but can't share them". So you do have them on your computer? Are you afraid that publishing these files would somehow reveal your UserID or something?

    2. Could you at least briefly check in some hexadecimal editor if there is any unencrypted (readable) content in any of these files? Maybe the video clip (this 15 MB file) is not encrypted? (It would begin e.g. with "RIFF AVI" if it's AVI.)

    3. Too bad the update files are not stored on the SD card... it's strange, however, that they are wasting 15 MB of space to store the video clip internally.
     
  16. Cyan (OP)
    1 - I don't think there is UserID data in the file. I think it's only encrypted with my own public key, so it will work and be decrypted only on my console.

    2 - Even the video is encrypted. There's no significant pattern (video, multiple JPEGs or audio). The file header is ...G>.@..3.>.3, and is different for every file.

    3 - They have a lot of space now, I don't remember exactly but I think it's 1.5GB.
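Pachura's hex-editor check in post 15 and Cyan's ...G>.@..3.>.3 header reading in post 16 can be made systematic; the following Python is an added example, not code from the thread, that looks for known container magic, computes byte entropy and the printable-byte ratio, and renders the same kind of header preview. The sample buffers are constructed here (no real update files are included).

```python
import math
import os
from collections import Counter

# Container magic a plaintext payload might start with. "RIFF" (AVI/WAV) is the
# check pachura proposed; PNG and JPEG are common headers added for completeness.
KNOWN_MAGIC = {
    b"RIFF": "RIFF container (AVI/WAV)",
    b"\x89PNG": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
}

def identify_magic(data: bytes):
    """Return a description of a recognised header, or None."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, lower for structured media."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def ascii_preview(data: bytes, n: int = 16) -> str:
    """Render the first n bytes like a hex editor's text pane ('.' for non-printable)."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data[:n])

def assess(data: bytes) -> dict:
    """Combine magic, entropy and printable ratio into a rough verdict on whether a file is plaintext."""
    magic = identify_magic(data)
    ent = shannon_entropy(data)
    printable = sum(32 <= b < 127 for b in data) / len(data) if data else 0.0
    if magic:
        verdict = "plaintext container"
    elif ent > 7.9 and printable < 0.45:
        verdict = "likely encrypted or compressed"
    else:
        verdict = "unknown structure"
    return {"magic": magic, "entropy": round(ent, 3), "printable": round(printable, 3),
            "header": ascii_preview(data), "verdict": verdict}

# Constructed samples (no real update files): a minimal RIFF/AVI-like header, and random bytes
# standing in for an encrypted payload, which a proper cipher makes indistinguishable from noise.
SAMPLE_RIFF = b"RIFF" + (1024).to_bytes(4, "little") + b"AVI LIST" + bytes(1024)
SAMPLE_RANDOM = os.urandom(64 * 1024)
```

Run `assess()` over a dumped file: a recognised magic or an entropy well below 8 bits per byte is the "readable content" pachura asked about, while a header of dots with entropy near 8 matches what Cyan describes.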
     
  17. LAA
    Wow, this stuff is all very interesting! Hope to see a lot of progress for 3DS hacking soon. Imagine 3D homebrew!

    Also, you reckon saves could be the way to have 3DS? Like with the Wii with the Z:TP hack?
    I know saves were dumped, so... We kinda have the tools to get saves.
     
  18. Cyan (OP)
    Save files are untransferable.
    You can't even copy a save to another SD card and use it on your own 3DS.
    You also can't make backups of your save file to restore later; the console keeps track of the last used time of every file, so there's no possibility to overwrite it with another (older or newer) save file.
    You have to share the entire "Nintendo 3DS" folder to make sharing save games possible, but I think the saves are locked to the console.

    I didn't try it myself as I don't own any 3DS game; it's what I read in the user manual.
    I can't try with the AR cards; it's saved in the internal memory.
    I think the Photo and Audio channels are stored on the SD card, but it's only cache data.
     
  19. WiiUBricker
    We need the 3DS common key.
     
  20. xdixonx
    Well, if we know what we're looking for it's a start I guess... worst case scenario is that the key takes years to find, much like the PS3.
     