Hack 3DS by Memory Dump?

Discussion in '3DS - Flashcards & Custom Firmwares' started by Kirito-kun, Jul 24, 2013.

  1. Kirito-kun
    OP

    Kirito-kun Disciple of GabeN

    Banned
    290
    98
    Jul 23, 2013
    Canada
    22nd Floor
    Has anyone thought about uncovering the system encryption's private key by performing a memory dump? The private key has to exist in the system's memory at some point, if it's being used. A memdump will allow the privkey to be accessed while encrypted.


    The original RAM chip can be removed and a reverse engineered version of the chip that allows interfacing with a PC can be attached in its place. After connecting the modified RAM chip to a PC, we can scan system memory until we find the key.

    Once you have the key, you'll be able to run any code you want on the system. The storage NAND is a separate chip on the PCB, so replacing the RAM shouldn't affect it. This seems like a possible method to hack the system.

    Anyone thought about trying?
     
    Margen67 likes this.


  2. ZhangYang

    ZhangYang Newbie

    Newcomer
    9
    0
    Jun 7, 2012
  3. Kirito-kun
    OP

    Kirito-kun Disciple of GabeN

    Banned
    290
    98
    Jul 23, 2013
    Canada
    22nd Floor
    So... Why is 3DS homebrew still at such a primitive stage? Are they having trouble finding the keys from the memory dumps?
     
    Margen67 likes this.
  4. ZhangYang

    ZhangYang Newbie

    Newcomer
    9
    0
    Jun 7, 2012
    *I am not sure about this but I'll answer this using stuff I read*
    Basically, it's somewhere in the ram but we don't know where it is. The ram is encrypted, and we need something to decrypt that.
    EDIT:
    You shouldn't use logic with hacking, because it doesn't usually work out.
     
  5. evandixon

    evandixon PMD Researcher

    Member
    1,667
    792
    May 29, 2009
    United States
    Only the common key would be in memory, and if I remember correctly, it's only there for an instant, making it super hard to find (there's probably some other obstacle too).

    [edit] Ninja'd by ZhangYang. I don't get this kind of thing at my usual forum... Oh well, this is bigger.
     
  6. mercluke

    mercluke ‮҉

    Member
    3,163
    172
    Dec 2, 2007
    Perth
    there is a different key used to sign content than there is to confirm that it is correctly signed.
    the 3ds would not have the signing key stored anywhere because it doesn't need it
     
    pelago likes this.
  7. RachelB

    RachelB GBAtemp Regular

    Member
    151
    53
    Jul 16, 2013
    United States
    Not necessarily. Keys can be stored solely in the cpu, and nowhere else. See TRESOR.
     
    Margen67 and McHaggis like this.
  8. Kirito-kun
    OP

    Kirito-kun Disciple of GabeN

    Banned
    290
    98
    Jul 23, 2013
    Canada
    22nd Floor

    We don't need the signing key right now. As long as you crack the FS encryption private key, you'll have access to the FS. This will make it much easier to run code on the system, including code which removes the need to sign games.
     
    Margen67 likes this.
  9. Coto

    Coto GBAtemp Addict

    Member
    2,353
    403
    Jun 4, 2010
    Chile
    but the ARM11 features an XN (execute never) bit, which will throw an exception if the code jumps to an area with XN set to 1 (and it cannot be set to 0 without kernel access.. see user mode or privileged, but some guys already reached that point..)
     
  10. xblackdemonx

    xblackdemonx Member

    Newcomer
    34
    5
    Nov 4, 2011
    Canada
    Please do it for us then
     
    Margen67 likes this.
  11. Kirito-kun
    OP

    Kirito-kun Disciple of GabeN

    Banned
    290
    98
    Jul 23, 2013
    Canada
    22nd Floor
    Would you like to provide me with a 3DS to tear down? The method I am describing requires the destruction of the system.
     
  12. RedCoreZero

    RedCoreZero Creativity is Power

    Banned
    526
    167
    Nov 12, 2012
    United States
    Lived in Florida
    Smells like lock bait!
     
  13. Snailface

    Snailface My frothing demand for 3ds homebrew is increasing

    Member
    4,324
    1,983
    Sep 20, 2010
    Engine Room with Cyan, watching him learn.
    3ds homebrew is not at a primitive stage for yellows8 and neimod. They have full kernel control on firmware 4.5.

    It really seems like you have missed the last 2.5 years of 3ds hacking and are now just waking up to make useless and simplistic generalizations about 3ds security.
     
  14. WhiteMaze

    WhiteMaze GBAtemp Advanced Fan

    Member
    694
    402
    Jun 16, 2013
    Wow. Easy there.

    I think we all understood what he meant by that.
     
    Celice likes this.
  15. Ericthegreat

    Ericthegreat Not New Member

    Member
    1,812
    316
    Nov 8, 2008
    United States
    Vana'diel
    The real question is what happened to the pics that people donated 2k for. I would think they would make them public if they had them.... Not nice to get people to donate for them and not share....

    Edit: So this hasn't been done due to $300....
     
    Margen67 likes this.
  16. 3DSGuy

    3DSGuy No longer in scene

    Member
    345
    303
    May 22, 2012
    United States
    The keys are never actually in the RAM. All AES keys, except decrypted Title keys, are never stored in their "final" form; instead the key is descrambled by a hardware AES engine embedded in the SoC when it is required for decrypting something.
    Signature checks are done by the bootldr to verify the FW stored in the NAND. So yes, you do need the signing key.
     
    Dartz150 and pelago like this.
  17. 13ds
    This message by 13ds has been removed from public view by raulpica, Sep 20, 2013.
    Jul 24, 2013
  18. muskieratboi

    muskieratboi Rydian's got some competition!

    Member
    401
    235
    Sep 19, 2012

    Getting Data? Very Easy!

    DECRYPTING that Data? Nigh-Impossible, without some kind of exploit, which is exactly what we've been looking for all these years.

    RE-ENCRYPTING It to actually execute the data (barring unsigned code execution which could require another exploit entirely) without access to the private key? Nope.
     
  19. WhiteMaze

    WhiteMaze GBAtemp Advanced Fan

    Member
    694
    402
    Jun 16, 2013
    Not that I want to cause any flaming, and neither am I trying to offend anyone here. I know these things can be quite complicated and very hard to achieve.

    But that is exactly the kind of "thinking" that if the Gateway team had done, we would not have a cart that can play 3DS roms today..
     
  20. muskieratboi

    muskieratboi Rydian's got some competition!

    Member
    401
    235
    Sep 19, 2012

    The difference is that the Gateway team (apparently, since we STILL have yet to see the physical cartridge itself in the wild) know what the heck they are doing, and thus found said unsigned code execution exploit.

    In other words, read Rydian's thread, namely this:

    "Why not look into the 3DS and find the key?"
    • The key to sign things is not in the 3DS. The 3DS has a "common/public" key which is used to decrypt things and check signatures. Only Nintendo has the "secret/private" key/data needed to sign things. See here or here for the basic idea of how asymmetric encryption works.
     
    WhiteMaze likes this.
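    The point Rydian's bullet makes (the console only ever holds the public half, so dumping it gains nothing) can be shown concretely. This is an added example, not code from the thread or from any 3DS firmware: a constructed RSA keypair stands in for the vendor's signing key, a "Device" is provisioned with nothing but the public key, and it can verify an image but has no material with which to sign a modified one.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Publisher holds the private key (stands in for the vendor's signing key).
// Device holds only the public half, which is all a verifier ever needs.
type Publisher struct{ priv *rsa.PrivateKey }
type Device struct{ pub *rsa.PublicKey }

// NewPublisher generates a fresh 2048-bit RSA keypair (constructed sample key).
func NewPublisher() (*Publisher, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Publisher{priv: k}, nil
}

// Sign hashes the image and signs the digest with the private key.
func (p *Publisher) Sign(image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return rsa.SignPKCS1v15(rand.Reader, p.priv, crypto.SHA256, digest[:])
}

// Provision returns the verifier side; only the public key is copied over.
// Dumping this struct from RAM yields the public key and nothing else.
func (p *Publisher) Provision() *Device { return &Device{pub: &p.priv.PublicKey} }

// Accepts reports whether the image carries a valid signature under the
// provisioned public key. Nothing here can produce a signature: the private
// exponent is simply absent on the device side.
func (d *Device) Accepts(image, sig []byte) bool {
	digest := sha256.Sum256(image)
	return rsa.VerifyPKCS1v15(d.pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	pub, err := NewPublisher()
	if err != nil {
		panic(err)
	}
	fw := []byte("constructed firmware image v1") // constructed sample input
	sig, _ := pub.Sign(fw)
	dev := pub.Provision()
	fmt.Println("genuine image accepted:", dev.Accepts(fw, sig))
	tampered := append([]byte{}, fw...)
	tampered[len(tampered)-1] = '2' // flip one byte of the image
	fmt.Println("tampered image accepted:", dev.Accepts(tampered, sig))
}
```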
  21. muskieratboi

    muskieratboi Rydian's got some competition!

    Member
    401
    235
    Sep 19, 2012
    Posts merged.