About Fieldrunners...

Discussion in '3DS - Homebrew Development and Emulators' started by TheOverseer, Sep 23, 2016.

  1. TheOverseer
    OP
    I had a little idea, for a possible hack. But, before I mention this to have it looked into, I want to ask a few things about the DSiWare hack.

    First of all, excluding things like firmware updates and TWL patches, Fieldrunners is a usermode exploit, correct? And uses an oversight to D/G Firm?

    In other words, the only things needed to perform this hack are a game running in DSi mode, and a usermode exploit installed that can launch the associated boot.nds file, is this correct?
     
  2. Davidosky99
    Yes, but the DSi game MUST be exploitable, and as of now the only use of it is for the FIRM plaintext attack, the same technique used to execute FIRM downgrades with a hardmod.
    And before you ask, no: the boot.nds has a size limitation, so you can't launch ROMs through there.
    And you can't run a CFW from there; this isn't that kind of arm9 exploit.
     
  3. TheOverseer
    OP
    I wasn't going to say anything like that. I realize if that was possible, someone probably would have already done so. I do have an important follow-up question that will sound stupid, but please hear me out.

    So, I have looked around at the remains of CycloDS. I have heard on all DS mode flashcards, games that are DSi Enhanced still run in DS mode. So, by following this line of logic, is it safe to also think that DSi-Enhanced games run in DSi-Mode, to be able to use the additional features and such?

    Forgive me, I'm brand new to the DS scene, and need a little information and things.
     
    Last edited by TheOverseer, Sep 23, 2016
  4. Davidosky99
    If you launch a DS/DSi flashcard, it will launch in NTR mode AFAIK, not TWL, thus not being able to perform the FIRM plaintext attack.
     
  5. TheOverseer
    OP
    And to be clear, I know what TWL mode is. What is NTR mode again? Is that a specific part of FIRM? That's not the one used for normal DS games is it? It's specifically for hybrid DS/DSi games?
     
  6. Davidosky99
    Yes, for DS/DSi-enhanced games/cartridges. The DSi titles on the home menu run in TWL and are the only ones with the capability of running this FIRM plaintext attack for downgrading; you can't use a DSi-enhanced flashcard (it runs as a cartridge) for downgrading.
     
  7. TheOverseer
    OP
    I have done a little more research, and I think this may not be true. NTR is the DS codename, for the original DS. TWL is the DSi codename. These modes likely correspond to each other properly. But... I have something to run by you guys.

    https://www.3dbrew.org/wiki/4.0.0-7 - A list of changes in the firmware. Take special note at the bottom of how it mentions TWL_FIRM was patched to block these exploits. However... TWL_FIRM is DSi. But if you look at the games themselves...

    https://www.amazon.com/Classic-Word-Games-Nintendo-DS/dp/B001WCN250

    This is actually a DS/DSi hybrid game. So, if I'm correct, this shows, at the very least, that enhanced game cartridges must interact with TWL in some way, correct? Otherwise, what would be the point of updating TWL_FIRM in response to that exploit?
     
  8. Davidosky99
    On the DSi (original DSi) the cartridges you put there would run in NTR mode, and the apps you installed, DSiWare, would run in TWL mode.
    2 different things with different accesses.
    DSi-enhanced cartridges ≠ DSiWare
     
    Last edited by Davidosky99, Sep 23, 2016
  9. GerbilSoft
    DSi-enhanced cartridges do run in TWL mode, not NTR mode. (TWL_FIRM handles both; they didn't make a separate NTR_FIRM because there's no point.)

    The main issue AFAIK is that DSi-enhanced cartridges don't have permission to access the eMMC, whereas DSiWare does.
     
  10. TheOverseer
    OP
    I haven't heard about eMMC much. What does it handle? Is this basically what DSiWare uses to downgrade FIRM, or does eMMC cover write access to the entire NAND in general and prevent that?

    Could a DSi mode exploit in this manner, if it can't access FIRM to do the downgrade directly, be used to modify something else in TWL_NAND, like save files?

    For example, could it run, say...DSiWare_Injector?
     
  11. Davidosky99
    eMMC = NAND
    And no, cartridges, as they only run in NTR, only modify themselves (EEPROM/saves); they can't touch the NAND.
     
  12. GerbilSoft
    The DSi/3DS eMMC is what most people refer to as "NAND". I call it eMMC because "NAND" is too generic (SD cards are NAND), and it can be confusing in some devices that have both raw NAND flash and eMMC (e.g. Wii U).

    The eMMC isn't protected by an operating system in DSi mode like it is in 3DS mode; it's either all or nothing. DSiWare has to have eMMC access in order for save games to work, so they have "all" access, whereas cartridges save to an SPI flash ROM on the cartridge, so they have "no" access.

    This does mean that DSiWare exploits can be used to modify anything on TWL_NAND, but in practice no one's done it because it's far easier to do that in GodMode9 once you've downgraded and have A9LH installed.
     
  13. Roboman
    Even though DSiWare (once exploited) can arbitrarily read and write to NAND, we run into the same limitations as doing so with a hardmod: most of it is encrypted per console and you lack the keys. Oddly, the plaintext bug exists because a fairly critical file was left unencrypted. A poster child of Nintendo's superb security.
     
    Last edited by Roboman, Sep 23, 2016
  14. GerbilSoft
    It actually is encrypted, but since it uses AES-CTR with a static keystream (and no authentication), it's susceptible to a known plaintext attack (as mentioned).

    From the implementation here: https://github.com/ihaveamac/firmswap

    Assume the following:
    • FIRM0_11_1 == the encrypted FIRM0 partition on your NAND (which has 11.1)
    • DEC_11_1 == decrypted copy of FIRM from 11.1
    • DEC_10_4 == decrypted copy of FIRM from 10.4

    FIRM0_11_1 XOR DEC_11_1 XOR DEC_10_4 == FIRM0_10_4

    where FIRM0_10_4 is your FIRM0 partition with the 10.4 NATIVE_FIRM, encrypted for your specific console.

    This *can* be fixed if Nintendo releases an updated Home Menu that requires a newer version of NATIVE_FIRM, but the last version that did this IIRC was 10.4.

    Also see: https://www.3dbrew.org/wiki/3DS_System_Flaws#Hardware
     
    Last edited by GerbilSoft, Sep 23, 2016
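    To make the XOR relation in the post above concrete, here is an added example (not code from this thread or from firmswap). It uses a SHA-256 counter construction as a stand-in for AES-CTR (an assumption; only the keystream-reuse property matters), constructed stand-in key and FIRM plaintexts, and also shows why a keyed MAC over the stored ciphertext, the authentication the post says is missing, would reject the swapped partition.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream. Assumption: SHA-256 over (key, nonce, counter) stands
    in for AES-CTR; both depend only on those inputs, which is all the swap needs."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """In CTR mode, encryption and decryption are the same XOR with the keystream."""
    return xor(data, keystream(key, nonce, len(data)))

def swap_firm(firm0_enc: bytes, dec_current: bytes, dec_target: bytes) -> bytes:
    """FIRM0_11_1 XOR DEC_11_1 XOR DEC_10_4 == FIRM0_10_4: ciphertext XOR known plaintext
    is the keystream, and keystream XOR another same-size plaintext encrypts it."""
    return xor(xor(firm0_enc, dec_current), dec_target)

# Constructed stand-ins (not real FIRM images, partition sizes or console keys).
PARTITION_SIZE = 64
CONSOLE_KEY = hashlib.sha256(b"constructed per-console key").digest()
STATIC_NONCE = bytes(8)  # static: every write of FIRM0 reuses the same keystream
DEC_11_1 = b"NATIVE_FIRM 11.1 (constructed plaintext)".ljust(PARTITION_SIZE, b"\0")
DEC_10_4 = b"NATIVE_FIRM 10.4 (constructed plaintext)".ljust(PARTITION_SIZE, b"\0")

def demo_swap() -> bool:
    """True if the swapped partition decrypts to the 10.4 plaintext under the console key."""
    firm0_11_1 = ctr_crypt(CONSOLE_KEY, STATIC_NONCE, DEC_11_1)
    firm0_10_4 = swap_firm(firm0_11_1, DEC_11_1, DEC_10_4)
    return ctr_crypt(CONSOLE_KEY, STATIC_NONCE, firm0_10_4) == DEC_10_4

def demo_authenticated() -> bool:
    """True if a keyed MAC over the stored ciphertext (assumed mitigation) rejects the swap."""
    mac_key = hashlib.sha256(b"constructed per-console MAC key").digest()
    firm0_11_1 = ctr_crypt(CONSOLE_KEY, STATIC_NONCE, DEC_11_1)
    stored_tag = hmac.new(mac_key, firm0_11_1, hashlib.sha256).digest()
    firm0_10_4 = swap_firm(firm0_11_1, DEC_11_1, DEC_10_4)
    # Known plaintext alone cannot produce a tag without mac_key, so the check fails.
    forged_tag = hmac.new(mac_key, firm0_10_4, hashlib.sha256).digest()
    return not hmac.compare_digest(stored_tag, forged_tag)
```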
  15. Roboman
    So it would be safe to say that this critical file is *poorly* encrypted.
     
  16. The Real Jdbye
    I believe it was 9.6, since people have been using 10.3 FIRM with NTR for a long time, until recently when support was added natively to NTR.
    It's actually very secure encryption, but it doesn't change between firmware versions because the encryption key is stored in hardware so there's no way to change it. That allows us to use an already decrypted FIRM binary (which you can get with a hacked 3DS) to encrypt another one.
    They probably could have used another encryption method that wouldn't be vulnerable to this, but to say that it's poorly encrypted is not entirely correct. Without the 3DS already being hacked we would never be able to do this. And it doesn't really matter in the end, since they can easily patch it.
     
    Last edited by The Real Jdbye, Sep 24, 2016
  17. TheOverseer
    OP
    Alright, I've come back with more questions.

    1. How are DSiWare games signed? Are they only signed with the console specific key? Is their sum checked? Is there any way, without having TWL_FIRM access already and unsigned code, to be able to modify the files at all? For example:

    2. I know you can do things like export the DSiWare files, and even install them to another 3DS, but the 3DS will reject the key and not let you play it. Could this be utilized? If another 3DS can recognize it, but not play it, is there a chance that while being signed with a key, that key isn't needed to be able read the files, only to play the game itself? (As the 3DS checks the key).

    If that's the case, could the saves, when exported, be vulnerable to manual injection?

    I remember reading that originally on the DSi, you could move saves themselves independently, but it was then patched. Now I've heard it's more of a bundle package.

    3. Is there any possibility (I don't have DSiWare at the moment) of using the bundle package to import a DSiWare game that you have with the save intentionally, as the executable would be invalid, and then re-downloading Fieldrunners (that you actually own) to get a valid executable? Or would that delete the save?

    Just a couple things on my mind. Still waiting for the charger for my 3DS XL, so I figured I'd go ahead and ask about these things.
     
  18. ADS3500
    If you're talking about moving DSiWare games to the SD card to inject the save, that wouldn't work because they're encrypted. Yellows8 was looking for a way to inject DSiWare saves without an arm9 exploit a while ago, but I'm not sure if there has been any progress, and MrNbaYoh was looking into either a primary DSiWare entry point or one that would work through multiplayer, but he couldn't find anything and he hasn't said if he has made any progress with it.
     
  19. TheOverseer
    OP
    Thank you for the information. I figured they were encrypted, that's pretty brutal, and I assume plaintext is impossible because, once again, the encrypted key itself varies per system.

    So, I guess I'll bring up something specific. SmileBASIC got an exploit, right? If this is the case... has anyone tried looking into Petit Computer, its predecessor? It's technically DSiWare, so it would have proper access, I think it has QR code access, and I think it's downloadable for 3DS/2DS.
     
    Last edited by TheOverseer, Sep 28, 2016
  20. CeeDee
    I believe it was removed from eShop after SmileBasic's release.