Finding the 3DS Common Key

Didn't Nintendo just patch the header that was used on the DSi exploit for the iEvolution?
but the headers had to be region specific?
The iEvo exploit was not based on the header. As far as I know, it was an exploit in the Wi-Fi subsystem.
No, I believe it was a buffer overflow exploit in Cooking Coach or Classic Word Games (can't remember which of WinterMute's exploits iEvo ripped off)
I remember reading that iEvo was suffering from WiFi issues precisely due to the nature of the exploit, aka, the module was busy, but you may be right, I'm no expert on Cyclo. What I do know is that it had nothing to do with the DSi headers. :)
 
It would probably be easier to just ask Nintendo what the keys are. You probably would have a better chance at getting them and a good laugh too.
 
I remember reading that iEvo was suffering from WiFi issues precisely due to the nature of the exploit, aka, the module was busy, but you may be right, I'm no expert on Cyclo. What I do know is that it had nothing to do with the DSi headers. :)
It wasn't an exploit in the header, but it did (in a way) have to do with the header.

All DSi compatible flash cards (now) use an official ROM (or part thereof) to pass the checks in the DSi software. They report the header as it would be reported from an official game. Then they boot said game. While it boots, they trigger an exploit (formed by replacing files in the ROM's file system), which takes over from the ROM and loads the flash card software. Typically this is just a DS game, and hence the DSi will load the card in DS mode, therefore the flash card software will run in DS mode.

With the iEvo, the game used is a DSi mode game, so the software can run in DSi mode.

So when I say it "had to do with the header", what I mean is that the header of the ROM was there (with other parts of it) to make the DSi think it was a legit copy of the game so that it would load it. But the header itself was not involved in the exploit, as you say.

I have not heard about this stuff about WiFi before, dunno how that is related to all this, but I'm sure it is in some way.
 
How many encryption keys are there? 2 (binary, a bit) to the 128th power (number of bits), divided by 8 (8 bits in a byte).
That's so many that the calculator that comes with windows (at least XP) can't even display the number without reverting to scientific notation.

128-bits is...
340,282,366,920,938,463,463,374,607,431,768,211,456 possible values in binary.
However, since there's 8 bits in a byte, you divide 128 by 8 and get 16. That's 16 bytes, 16 characters.
That's 18,446,744,073,709,552,000 possible values, ranging from 0x0000000000000000 to 0xFFFFFFFFFFFFFFFF. Eighteen quintillion possible keys.
The actual number is a bit less since a key will be a certain number of digits and be designed to not have repeating segments, but this puts it in perspective.
Hold on, why do you divide by 8? Each bit can be on or off, so there should be 2^128 possibilities, right? Which is approximately 340,282,366,920,938,463,463,374,607,431,770,000,000. Also, 0xFFFFFFFFFFFFFFFF is 8 bytes.
 
IIRC the only thing using an exploit in the ROM itself is the iEvo, all the others just fake whatever correct info they can to pass the boot check, and are then booted like normal.
http://hackmii.com/2010/02/lawsuit-coming-in-3-2-1/

The iEvo is the only one that actually appears to partially launch and exploit a game.
 
Hold on, why do you divide by 8? Each bit can be on or off, so there should be 2^128 possibilities, right? Which is approximately 340,282,366,920,938,463,463,374,607,431,770,000,000.
Good point, now that I read over that again yeah, there's no need to do the division since it's all binary anyways.

Also, 0xFFFFFFFFFFFFFFFF is 8 bits.
Wait what? The max value for eight bits is 11111111, which is 2^8-1, 255, which translates to FF in hex.
 
IIRC the only thing using an exploit in the ROM itself is the iEvo, all the others just fake whatever correct info they can to pass the boot check, and are then booted like normal.
http://hackmii.com/2...oming-in-3-2-1/

The iEvo is the only one that actually appears to partially launch and exploit a game.
Apologies, my memory was a little rusty. Yeah they just hide a payload in the ROM overlay and it gets loaded and switches the card to "be a flashcard" as such.
 
I remember reading that iEvo was suffering from WiFi issues precisely due to the nature of the exploit, aka, the module was busy, but you may be right, I'm no expert on Cyclo. What I do know is that it had nothing to do with the DSi headers. :)
It wasn't an exploit in the header, but it did (in a way) have to do with the header.

All DSi compatible flash cards (now) use an official ROM (or part thereof) to pass the checks in the DSi software. They report the header as it would be reported from an official game. Then they boot said game. While it boots, they trigger an exploit (formed by replacing files in the ROM's file system), which takes over from the ROM and loads the flash card software. Typically this is just a DS game, and hence the DSi will load the card in DS mode, therefore the flash card software will run in DS mode.

With the iEvo, the game used is a DSi mode game, so the software can run in DSi mode.

So when I say it "had to do with the header", what I mean is that the header of the ROM was there (with other parts of it) to make the DSi think it was a legit copy of the game so that it would load it. But the header itself was not involved in the exploit, as you say.

I have not heard about this stuff about WiFi before, dunno how that is related to all this, but I'm sure it is in some way.
Oh yeah, I'm aware of the fact that the card needs a legit header, what I wanted to say was that the header is not, like you said, the focus of the exploit. Unlike early PassMe which worked thanks to an effective header with an empty pointer, the DSi exploit had little to do with the header, it was just the hardware that required one. ;)
 
It's too bad statisticians aren't cryptology experts; they could potentially drastically reduce the amount of time to cracking things with statistical models.

If we had 100,000,000 computers, we could probably organize them to crack it pretty fast! Dump 3DS firmware image ---> develop a cluster of websites that allows people to coordinate a brute-force attack using the client's CPU. Get it popular enough and you may be able to get enough people to eliminate possibilities.
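An added example (not from the thread or any of its posters) that works through the bits-versus-bytes confusion in the key-space posts above and costs out the "100,000,000 computers" idea; the per-host rate of one billion keys per second is an assumed, illustrative figure.

```python
# Added example: key-space size and exhaustive-search cost for a 128-bit key.
# Host count and per-host throughput are assumed illustrative values, not
# measurements of any real hardware.

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(bits: int) -> int:
    """Number of distinct keys of the given length: 2**bits (no division by 8)."""
    return 1 << bits


def max_key_hex(nbytes: int) -> str:
    """Largest key of nbytes bytes, written as the '0x...' string a post would quote."""
    return "0x" + "FF" * nbytes


def bits_in_hex(hexstr: str) -> int:
    """Key length in bits encoded by a '0x...' string: each hex digit carries 4 bits."""
    return 4 * len(hexstr.removeprefix("0x"))


def years_to_exhaust(bits: int, hosts: float, keys_per_sec_per_host: float) -> float:
    """Wall-clock years to try every key of the given length across `hosts` machines."""
    total_rate = hosts * keys_per_sec_per_host
    return keyspace(bits) / total_rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    # 0xFFFFFFFFFFFFFFFF is 8 bytes = 64 bits; a 16-byte key has 32 hex digits.
    for nbytes in (8, 16):
        k = max_key_hex(nbytes)
        print(f"{nbytes} bytes -> {k} -> {bits_in_hex(k)} bits -> {keyspace(bits_in_hex(k)):,} keys")
    # The thread's 100,000,000 machines, each assumed to test 1e9 keys per second.
    for bits in (64, 128):
        print(f"{bits}-bit key: {years_to_exhaust(bits, 1e8, 1e9):.3g} years to exhaust")
```

The gap between the two figures is the whole point: a 64-bit space falls in minutes to that fleet, while the 128-bit space takes on the order of 10^14 years, so the common key cannot be found by counting.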
 
I would start by figuring out a way to observe traffic between the 3DS and the cartridge. Needs something like a Wireshark, ollydbg, or curl_setops, etc. (but for the 3DS of course). Maybe some hardware doohickey configuration would allow it, but much easier if there's already a way to execute third party sources.

Trial and error is the name of the game for now.
 