Hacking: Hack 3DS by Memory Dump?

  • Thread starter: Kirito-kun
  • Views: 10,806
  • Replies: 28
  • Likes: 1

Kirito-kun

Disciple of GabeN
Banned
Joined
Jul 23, 2013
Messages
290
Reaction score
98
Trophies
0
Location
22nd Floor
XP
165
Country
Canada
Has anyone thought about uncovering the system encryption's private key by performing a memory dump? The private key has to exist in the system's memory at some point, if it's being used. A memdump will allow the privkey to be accessed while encrypted.



The original RAM chip can be removed and a reverse-engineered version of the chip that allows interfacing with a PC can be attached in its place. After connecting the modified RAM chip to a PC, we can scan system memory until we find the key.

Once you have the key, you'll be able to run any code you want on the system. The storage NAND is a separate chip on the PCB, so replacing the RAM shouldn't affect it. This seems like a possible method to hack the system.

Anyone thought about trying?
 
So... Why is 3DS homebrew still at such a primitive stage? Are they having trouble finding the keys from the memory dumps?

*I am not sure about this but I'll answer this using stuff I read*
Basically, it's somewhere in the RAM but we don't know where it is. The RAM is encrypted, and we need something to decrypt that.
EDIT:
You shouldn't use logic with hacking, because it doesn't usually work out.
 
Only the common key would be in memory, and if I remember correctly, it's only there for an instant, making it super hard to find (there's probably some other obstacle too).

[edit] Ninja'd by ZhangYang. I don't get this kind of thing at my usual forum... Oh well, this is bigger.
 
There is a different key used to sign content than there is to confirm that it is correctly signed.
The 3DS would not have the signing key stored anywhere because it doesn't need it.
 
There is a different key used to sign content than there is to confirm that it is correctly signed.
The 3DS would not have the signing key stored anywhere because it doesn't need it.


We don't need the signing key right now. As long as you crack the FS encryption private key, you'll have access to the FS. This will make it much easier to run code on the system, including code which removes the need to sign games.
 
But the ARM11 features an XN (execute never) bit that will throw an exception if the code jumps to an area with XN set to 1 (and it cannot be set to 0 without kernel access.. see user mode or privileged, but some guys already reached that point..)
 
So... Why is 3DS homebrew still at such a primitive stage? Are they having trouble finding the keys from the memory dumps?
3ds homebrew is not at a primitive stage for yellows8 and neimod. They have full kernel control on firmware 4.5.

It really seems like you have missed the last 2.5 years of 3ds hacking and are now just waking up to make useless and simplistic generalizations about 3ds security.
 
3ds homebrew is not at a primitive stage for yellows8 and neimod. They have full kernel control on firmware 4.5.

It really seems like you have missed the last 2.5 years of 3ds hacking and are now just waking up to make useless and simplistic generalizations about 3ds security.

Wow. Easy there.

I think we all understood what he meant by that.
 
The real question is what happened to the pics that people donated 2k for. I would think they would make them public if they had them.... Not nice to get people to donate for them and not share....

Edit: So this hasn't been done due to $300....
 
So... Why is 3DS homebrew still at such a primitive stage? Are they having trouble finding the keys from the memory dumps?
The keys are never actually in the RAM. All AES keys except decrypted Title keys are never stored in their "final" form; instead the key is descrambled by a hardware AES engine embedded in the SoC when it is required for decrypting something.
We don't need the signing key right now. As long as you crack the FS encryption private key, you'll have access to the FS. This will make it much easier to run code on the system, including code which removes the need to sign games.
Signature checks are done by the bootldr to verify the FW stored in the NAND. So yes, you do need the signing key.
 
If the data is in the memory, it can be dumped very easily!


Getting Data? Very Easy!

DECRYPTING that Data? Nigh-Impossible, without some kind of exploit, which is exactly what we've been looking for all these years.

RE-ENCRYPTING It to actually execute the data (barring unsigned code execution which could require another exploit entirely) without access to the private key? Nope.
 
Getting Data? Very Easy!

DECRYPTING that Data? Nigh-Impossible, without some kind of exploit, which is exactly what we've been looking for all these years.

RE-ENCRYPTING It to actually execute the data (barring unsigned code execution which could require another exploit entirely) without access to the private key? Nope.

Not that I want to cause any flaming, and neither am I trying to offend anyone here. I know these things can be quite complicated and very hard to achieve.

But that is exactly the kind of "thinking" that if the Gateway team had done, we would not have a cart that can play 3DS roms today..
 
Not that I want to cause any flaming, and neither am I trying to offend anyone here. I know these things can be quite complicated and very hard to achieve.

But that is exactly the kind of "thinking" that if the Gateway team had done, we would not have a cart that can play 3DS roms today..


The difference is that the Gateway team (apparently, since we STILL have yet to see the physical cartridge itself in the wild) know what the heck they are doing, and thus found said unsigned code execution exploit.

In other words, read Rydian's thread, namely this:

"Why not look into the 3DS and find the key?"
  • The key to sign things is not in the 3DS. The 3DS has a "common/public" key which is used to decrypt things and check signatures. Only Nintendo has the "secret/private" key/data needed to sign things. See here or here for the basic idea of how asymmetric encryption works.
 
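As an added illustration of the public/private split in that last point (this is not code from the thread or from Rydian's FAQ, and the tiny primes, the sample firmware image and the function names are all constructed for the example): a textbook hash-then-sign RSA in Python, showing that the verify-only key a device holds, which is all a RAM dump could reveal, does not let anyone produce a valid signature for a patched image.

```python
import hashlib

# Constructed, deliberately small RSA parameters so the arithmetic is visible.
# Textbook hash-then-sign with no padding: an illustration of the public/private
# split only, not the console's actual signature scheme.
P, Q = 104729, 1299709              # two known primes (constructed choice)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, known only to the signer

SIGNER_PRIVATE_KEY = (N, D)         # never ships on the device
DEVICE_PUBLIC_KEY = (N, E)          # the only key material the device holds


def digest_int(data: bytes) -> int:
    """SHA-256 the image and reduce it into the RSA group."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def signer_sign(image: bytes) -> int:
    """Signing needs the private exponent d."""
    n, d = SIGNER_PRIVATE_KEY
    return pow(digest_int(image), d, n)


def device_accepts(image: bytes, signature: int) -> bool:
    """Boot-time check: uses only (n, e), which is all a RAM dump could reveal."""
    n, e = DEVICE_PUBLIC_KEY
    return pow(signature, e, n) == digest_int(image)


def attempt_sign_with_public_key(image: bytes) -> int:
    """Best effort with the dumped public key alone: substitute e for the unknown d.
    The result does not pass device_accepts (see the checks below)."""
    n, e = DEVICE_PUBLIC_KEY
    return pow(digest_int(image), e, n)


# Constructed sample firmware image and a one-byte-patched variant.
FIRMWARE = b"FIRM v4.5 constructed sample image"
PATCHED = FIRMWARE.replace(b"v4.5", b"v4.6")

if __name__ == "__main__":
    sig = signer_sign(FIRMWARE)
    print("genuine image, genuine sig:", device_accepts(FIRMWARE, sig))  # True
    print("patched image, same sig:", device_accepts(PATCHED, sig))      # False
    print("patched image, public-key-only sig:",
          device_accepts(PATCHED, attempt_sign_with_public_key(PATCHED)))  # False
```

The same check is what a boot-time signature verification does: it can confirm an image came from the holder of d, but the device never needs d and so never stores it.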
