3DS update process analyzed

Discussion in '3DS - Flashcards & Custom Firmwares' started by Cyan, Mar 27, 2011.

Thread Status:
Not open for further replies.
  1. Cyan
    OP

    Cyan GBATemp's lurking knight

    Global Moderator
    18,078
    8,586
    Oct 27, 2002
    France
    Engine room, learning
    This is the 3DS hacking forum, so I'll talk about what's happening behind the scenes :P


    I updated my 3DS from 1.0.0-0E to firmware 1.1.0-1E and used Ethereal at the same time to see the transferred data.

    When exchanging data with the server, it first shows an application ID 00002400 (it should be the "settings" application, as this is the same when doing a connection test).
    Here is the header:
    Connection test communication


    Then, after connecting through SSL and communicating their certificates, it starts downloading the update files (without SSL this time?).
    The updates are located on NUS servers, like for the Wii.

    The structure used is also the same as the Wii's, using folders and sub-folders named with Title IDs.
    Here are the 9 files composing the 1.0.0-1E update:

    /ccs/download/0004001000025000/00000000 (15MB) <-- could be the 3D video footage.
    /ccs/download/000400DB00016102/00000001 (16.8kB)
    /ccs/download/000400DB00017102/00000003 (16.8kB)
    /ccs/download/0004013000001C02/00000003 (36.3kB)
    /ccs/download/0004013000002402/00000002 (98.8kB)
    /ccs/download/0004013000002D02/00000002 (276KB)
    /ccs/download/0004013000002E02/00000002 (132kB)
    /ccs/download/0004013000003402/00000002 (111kB)
    /ccs/download/0004013800000002/00000002 (827kB)

    The files can be downloaded manually from any computer: http:// nus.cdn.c.shop.nintendowifi.net/ccs/download/0004001000025000/00000000
    There are many other files in other folders not downloaded by the 3DS (just try different Title IDs and file numbers).

    The files are downloaded to the internal memory (not to the SD card).

    Can these files be downloaded with NUSD?

    Ok, that's all :P
    I just wanted to list the Title ID names.
    Maybe it will become useful for hackers and developers, and they will figure out what their Title IDs are used for.


    edit:
    1.0.0-0E to 1.0.0-1E (15MB)
    1.0.0-1E to 2.1.0-3E (75MB)
    2.1.0-3E to 2.1.0-4E (80MB)
    2.1.0-4E to 3.0.0-5E (??MB)
     
    1 person likes this.
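The NUS path layout listed in the post, parsed as an added example (my code, not Cyan's and not Nintendo's): each path is /ccs/download/<16-hex Title ID>/<8-hex content file>, and the Title ID splits into a platform word, a category word, a unique ID and a variation byte. The category names in the table follow the publicly documented 3DS Title ID layout and are an assumption on my part; the thread itself names none of them.

```python
import re
from dataclasses import dataclass

NUS_LISTING = """\
/ccs/download/0004001000025000/00000000 (15MB)
/ccs/download/000400DB00016102/00000001 (16.8kB)
/ccs/download/000400DB00017102/00000003 (16.8kB)
/ccs/download/0004013000001C02/00000003 (36.3kB)
/ccs/download/0004013000002402/00000002 (98.8kB)
/ccs/download/0004013000002D02/00000002 (276KB)
/ccs/download/0004013000002E02/00000002 (132kB)
/ccs/download/0004013000003402/00000002 (111kB)
/ccs/download/0004013800000002/00000002 (827kB)
"""  # constructed from the nine paths in Cyan's post, sizes exactly as written there
# Assumed category names from the public 3DS Title ID layout; the thread names none of them.
CATEGORY_NAMES = {0x0010: "system application", 0x00DB: "system data archive",
                  0x0130: "system module", 0x0138: "firmware"}
LINE_RE = re.compile(r"^/ccs/download/([0-9A-Fa-f]{16})/([0-9A-Fa-f]{8})\s+\(([\d.]+)\s*([kKM]B)\)$")

@dataclass
class NusEntry:
    title_id: int      # 64-bit Title ID, the folder name under /ccs/download/
    content_id: int    # 8-hex-digit file name (the "file number" in the thread)
    size_bytes: int    # decimal units: 1 kB = 1000 bytes, 1 MB = 1000000 bytes
    @property
    def category(self):   return (self.title_id >> 32) & 0xFFFF   # bits 32..47 of the ID
    @property
    def unique_id(self):  return (self.title_id >> 8) & 0xFFFFFF  # per-title unique ID
    @property
    def variation(self):  return self.title_id & 0xFF             # low byte (0x02 on most here)
    @property
    def category_name(self): return CATEGORY_NAMES.get(self.category, "unknown")

def parse_listing(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # anything off-format is an error, not silently skipped
            raise ValueError(f"unexpected NUS path line: {line!r}")
        tid, cid, num, unit = m.groups()
        scale = 1000 if unit.lower() == "kb" else 1000 ** 2
        entries.append(NusEntry(int(tid, 16), int(cid, 16), round(float(num) * scale)))
    return entries

def summarize(entries):
    """Map category name -> (file count, total bytes): shows where an update's bulk goes."""
    by_cat = {}
    for e in entries:
        by_cat.setdefault(e.category_name, []).append(e)
    return {k: (len(v), sum(e.size_bytes for e in v)) for k, v in by_cat.items()}
```

Run on the listing above, the summary shows the 15 MB system-application content dwarfing the five small system modules and the single 827 kB firmware entry, which is the point Cyan makes later about the update being many small titles rather than one firmware file.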


  2. xdixonx

    xdixonx Member

    Newcomer
    24
    0
    Jun 16, 2009
    United States
    I see this as being potentially useful, like maybe spoofing the update to load some form of custom firmware? That is, if the files didn't need some form of signing.

    Good to see some progress actually being made.
     
  3. OuHiroshi

    OuHiroshi Member

    Newcomer
    15
    1
    Mar 27, 2011
    United States
    Very cool. Is there any way to dump the files for further analysis? I'm sure that the files are signed and encrypted.
     
  4. haddad

    haddad GBAtemp Advanced Maniac

    Member
    1,519
    16
    Aug 12, 2010
    Canada
    That may be pretty useful info for hackers, as you said... and yeah, thanks for the info.
     
  5. Cyan
    OP

    Cyan GBATemp's lurking knight

    Global Moderator
    18,078
    8,586
    Oct 27, 2002
    France
    Engine room, learning
    yes, I dumped the files, but I can't share them :/
    It's like for the Wii, you need to get them yourself using NUSDownloader (Wii version not working as is) or save the data with a packet sniffer while updating.
    I think the files are encrypted, as the console is communicating something through SSL before downloading; it could be the public key, because the file transfer is then in simple HTTP.
    I suppose Nintendo encrypted them, because they said the 3DS would be harder to hack, so it's only logical. But who knows, maybe they didn't.


    Just one thing:
    I still haven't accepted their user agreement, and yet, after setting my connection information, the console is talking with Nintendo servers (at least to tell me there was an update).
    The connection is established every time I'm going back to the system menu.
    I received a lot of UDP packets on my first connection; that may be the notifications in every language? I don't know. At least, nothing was transmitted in plain text.
    There are no more UDP packets now, only tests of whether the network is working.
     
  6. xdixonx

    xdixonx Member

    Newcomer
    24
    0
    Jun 16, 2009
    United States
    This IS Nintendo we're talking about.
     
  7. Okami Wolfen

    Okami Wolfen GBAtemp Regular

    Member
    257
    0
    Jul 10, 2009
    United States
    Ohio
    What exactly makes everyone think it looks useful, aside from the fact that it looks complicated? Unless you are one of the hackers, you're not gonna have a good idea of what is useful and what is not.

    To op: nice find, tho.
     
  8. raulpica

    raulpica With your drill, thrust to the sky!

    Supervisor
    11,025
    7,344
    Oct 23, 2007
    Italy
    PowerLevel: 9001
    Everything was encrypted on the Wii and the DSi and I expect the same to happen here.
     
  9. xdixonx

    xdixonx Member

    Newcomer
    24
    0
    Jun 16, 2009
    United States
    It's useful, because it means you can potentially decrypt the updates, inject some code and sign them. Then if you can spoof it to somehow download from your pc, then you have a kind of softmod.
     
  10. Cyan
    OP

    Cyan GBATemp's lurking knight

    Global Moderator
    18,078
    8,586
    Oct 27, 2002
    France
    Engine room, learning
    Currently it's not useful at all, it's only the filenames.
    Though, it shows that it's still using multiple files, and multiple Title IDs/versions; it's not a single firmware file.

    This system is what made the Wii fail, because instead of using a real firmware it depended on multiple IOS.
    Maybe they repeated that error?
    Or maybe it's a single firmware, and it downloaded only updated files, seeing as they are very small, and is not relying on the IOS style anymore.

    What's noticeable too is the headers sent:
    User-Agent: CTR AC/01
     
  11. trev1

    trev1 GBAtemp Regular

    Member
    186
    1
    Mar 19, 2010
    United States
    Now didn't you have to accept the user agreement in order to update to newest firmware?
     
  12. Cyan
    OP

    Cyan GBATemp's lurking knight

    Global Moderator
    18,078
    8,586
    Oct 27, 2002
    France
    Engine room, learning
    No, I didn't have to.
    It still tells me to agree if I want to access internet/SpotPass/StreetPass.

    So, are Nintendo breaking their own user agreement by sending me notifications of a new firmware?
    They checked my firmware version, IP, MAC, maybe even my serial number and my logs (like I said, there was a lot of UDP exchange on my first connection, which is not occurring anymore).


    I'm leaving the console in that state to see if more data is transferred without agreeing to SpotPass (not that it will change anything for me, I'm just curious to understand how things are working).
     
  13. xdixonx

    xdixonx Member

    Newcomer
    24
    0
    Jun 16, 2009
    United States
    Well, I believe that when an exploit is found, it will be a rather simple one. Nintendo will have probably fixed even the most remote sign of a possibility, while leaving something painstakingly simple open.
     
  14. WiiUBricker

    WiiUBricker Insert Custom Title

    Member
    6,897
    3,925
    Sep 19, 2009
    Argentina
    Espresso
    Even a firmware/system that relies on multiple IOS can be secure if they are well programmed.
     
  15. pachura

    pachura GBAtemp Advanced Fan

    Member
    566
    2
    Dec 9, 2006
    Thanks Cyan. This is definitely interesting.

    1. You're writing that "you've dumped the files, but can't share them". So you do have them on your computer? Are you afraid that publishing these files would somehow reveal your UserID or something?

    2. Could you at least briefly check in some hexadecimal editor if there is any unencrypted (readable) content in any of these files? Maybe the video clip (this 15 MB file) is not encrypted? (It would begin e.g. with "RIFF AVI" if it's AVI.)

    3. Too bad update files are not stored on the SD card... it's strange, however, that they are wasting 15 MB of space to store the video clip internally.
     
  16. Cyan
    OP

    Cyan GBATemp's lurking knight

    Global Moderator
    18,078
    8,586
    Oct 27, 2002
    France
    Engine room, learning
    1 - I don't think there are UserID data in the file. I think it's only encrypted with my own public key, so it will work and be decrypted only on my console.

    2 - Even the video is encrypted. There's no significant pattern (video, multiple JPEGs or audio). The file header is ...G>.@..3.>.3, and is different for every file.

    3 - They have a lot of space now, I don't remember exactly but I think it's 1.5GB.
     
  17. LAA

    LAA GBAtemp Fan

    Member
    372
    21
    Aug 3, 2008
    Wow, this stuff is all very interesting! Hope to see a lot of progress for 3DS hacking soon. Imagine 3D homebrew!

    Also, you reckon saves could be the way to have 3DS? Like with the Wii with the Z:TP hack?
    I know saves were dumped, so... We kinda have the tools to get saves.
     
  18. Cyan
    OP

    Cyan GBATemp's lurking knight

    Global Moderator
    18,078
    8,586
    Oct 27, 2002
    France
    Engine room, learning
    Save files are untransferable.
    You can't even copy a save to another SD card and use it on your own 3DS.
    You also can't make backups of your savefile to restore later; the console keeps track of the last-used time of every file, so there's no possibility of overwriting it with another (older or newer) save file.
    You have to share the entire "Nintendo 3DS" folder to make sharing save games possible, but I think the saves are locked to the console.

    I didn't try it myself as I don't own any 3DS game; it's what I read in the user manual.
    I can't try with the AR cards, as that is saved on the internal memory.
    I think the Photo and Audio channels are stored on the SD card, but it's only cache data.
     
  19. WiiUBricker

    WiiUBricker Insert Custom Title

    Member
    6,897
    3,925
    Sep 19, 2009
    Argentina
    Espresso
    We need the 3DS common key.
     
  20. xdixonx

    xdixonx Member

    Newcomer
    24
    0
    Jun 16, 2009
    United States
    Well if we know what we're looking for it's a start I guess... worst case scenario is that the key takes years to find, much like the ps3.
     