Hacking progress - Encryption?

elisherer said:
Find the game that will read an altered save (with bad information or not legal)
and make the game crash to a boot file.

Not without properly dumping the firmware modules and reversing the ARM to pseudo-C. We don't know anything about the 3DS software besides multiple "modes or emulation."

Software exploits have already been found.
 
Critica1 said:
elisherer said:
Find the game that will read an altered save (with bad information or not legal)
and make the game crash to a boot file.

Not without properly dumping the firmware modules and reversing the ARM to pseudo-C. We don't know anything about the 3DS software besides multiple "modes or emulation."

Software exploits have already been found.

Oh really? Like what?
 
The 3DS browser, Metroid, and LoZ: Link's Awakening DX crashes are all examples of software crashes.
These might not be good crashes, but are crashes nonetheless. (I assume we aren't 100% sure that GB emulation, or any emulation for that matter, is sandboxed.)

If these exploits exist, along with whatever other DS exploits (Sudoku), then why hasn't anyone been able to execute code once the crash happens?

The reasons being:

a) We don't completely understand the functionality of the 3DS mode or if DS mode is native or emulated
b) We don't know anything about the firmware modules or what functions to call on to run executable code
 
FireGrey said:
Like the Crown3DS where you reflash the card to act exactly like a retail game?

After speculating and watching the Crown3DS thread, I was pretty shocked to see no one ever dared to identify the motherboard used to communicate with the 3DS. Took me a few days of deep searching (2005-2007).

The way the Crown3DS is set up is very similar to the old ages of hacking the DS: using external hardware components to communicate between your DS and computer. Pretend you're attaching your DS to your computer with the most ugly looking USB cable ever. That's the best analogy I've got.

The Crown3DS video does show some legitimacy of using a custom FPGA board to communicate from the 3DS back to his computer. The reason why I say custom is because I have not been able to identify whether the team used a commercial FPGA board. The attachment that goes into the 3DS cart slot is a custom or commercial CPLD "PassMe" imitator.
 
Critica1 said:
After speculating and watching the Crown3DS thread, I was pretty shocked to see no one ever dared to identify the motherboard used to communicate with the 3DS. Took me a few days of deep searching (2005-2007).

The way the Crown3DS is set up is very similar to the old ages of hacking the DS: using external hardware components to communicate between your DS and computer. Pretend you're attaching your DS to your computer with the most ugly looking USB cable ever. That's the best analogy I've got.

The Crown3DS video does show some legitimacy of using a custom FPGA board to communicate from the 3DS back to his computer. The reason why I say custom is because I have not been able to identify whether the team used a commercial FPGA board. The attachment that goes into the 3DS cart slot is a custom or commercial CPLD "PassMe" imitator.

I swear this guy's on to something!!
 
The need to identify what FPGA board is being used isn't necessary unless you want to get their source code and make the setup the same as theirs, and they won't give out the source code no matter how nicely you ask.

Any FPGA with enough pins and powerful enough to pass the data through quickly enough will do.

The important things are:
1. The Processing power of the Board
2. Number of usable pins on the board
3. THE SOURCE CODE

The processing power, as I've said, would have to be faster than the output clock of a 3DS game to be able to return the data quickly enough back to the cartridge once it's gone through the FPGA. Cheap ATMEL boards won't do, or at least I'd be very, very surprised.
The number of pins is important as most of the cheap boards won't have enough usable pins.
The source is the next important thing, as the source has to know which order to send data through the pins and the order that the data should be received in.

Since the data on the cartridges is encrypted, I wouldn't be surprised if the pins on the flash chip in the cartridge (not the pins you see on the back of the cartridge) get scrambled once it's detected as a 3DS game. It's an easy process to do in software.
 
I have another theory.
What about Blank 3DS Cards?
Like the Crown3DS but not re-flashable.
Like a dvd-r
It could be called a 3DS-r
But there would be 2 things that may cause some trouble:
Can someone write onto the card simply at home?
Will the 3DS-r be read as a proper game by the 3DS and be able to be blocked by a firmware update?
 
You bring up many good points here. Some very serious questions that need answering:

Would the typical FPGA board be able to keep up with the technology inside the 3DS? The DSi experiment, ramhax, was reported to communicate properly at 1.8 V. What are the changes today?

A very good FPGA board is the BASYS. It's out of stock at the moment, since BASYS2 is on the way.

Scanlime's experiment still led to a VERY good amount of information despite the DSi not being hacked from his experiment.

Here was his set up:

[image: 3869187499_da1665050d.jpg]

Apparently a Xilinx Spartan-3 FPGA board attached to a USB dongle was used.

"Scanlime really does some excellent work; through a bit of EE cleverness, he was able to slow down the clock of the DSi enough such that he could sniff all of the RAM traffic and dump it over USB to his computer for analysis."

It's unclear how he was able to slow down the CPU.
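The RAM sniffing described in the quote above, and the earlier post's guess that the cartridge's data lines might get scrambled, both end up as the same host-side job: turning a captured bus trace into a memory image you can analyse. The script below is an added example for this thread, not code from the thread, from Crown3DS, or from Scanlime's DSi work. Everything in it is constructed for illustration: the one-transaction-per-line capture format ("cycle R|W addr data"), the 16-bit data width, the `DATA_PERMUTATION` table that models swapped data lines, and the `SAMPLE_TRACE` itself.

```python
"""Replay a sniffed RAM-bus trace into a memory image (added example).

Not the thread's code and not Scanlime's DSi ramtracer. Everything here is
constructed for illustration: the one-transaction-per-line capture format
"<cycle> <R|W> <addr> <data>", the 16-bit data width, the DATA_PERMUTATION
table that models the thread's guess that data lines may be swapped on the
way to the chip, and the SAMPLE_TRACE itself.
"""
from dataclasses import dataclass, field

# Constructed sample capture. Data words are recorded in raw bus-pin order,
# byte-swapped relative to the logical value (see DATA_PERMUTATION).
SAMPLE_TRACE = """\
# cycle op addr        data (raw pin order)
100 W 0x02000000 0x0B0A
101 W 0x02000002 0x0D0C
102 R 0x02000000 0x0B0A
103 R 0x02000004 0xA0E3
104 W 0x02000004 0xFFFF
105 R 0x02000004 0xFFFF
106 R 0x02000010 0xADDE
107 R 0x02000002 0x0000
"""

# Hypothetical line permutation: entry i is the bus pin that carries logical
# data bit i. Here the two bytes ride on each other's pins; tuple(range(16))
# would mean no scrambling at all.
DATA_PERMUTATION = (8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4, 5, 6, 7)


def unscramble(raw, perm):
    """Rebuild the logical word from a raw pin-ordered word using perm."""
    logical = 0
    for bit, pin in enumerate(perm):
        if (raw >> pin) & 1:
            logical |= 1 << bit
    return logical


@dataclass
class Transaction:
    cycle: int
    op: str     # 'R' or 'W'
    addr: int
    data: int   # logical value after unscrambling


def parse_trace(text, perm=None):
    """Parse the capture text; reject malformed lines instead of guessing."""
    txns = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("R", "W"):
            raise ValueError(f"line {lineno}: malformed transaction {line!r}")
        cycle, op = int(parts[0]), parts[1]
        addr, data = int(parts[2], 16), int(parts[3], 16)
        if addr & 1 or data > 0xFFFF:
            raise ValueError(f"line {lineno}: not a 16-bit aligned access")
        if perm is not None:
            data = unscramble(data, perm)
        txns.append(Transaction(cycle, op, addr, data))
    return txns


@dataclass
class MemoryImage:
    words: dict = field(default_factory=dict)        # addr -> last known value
    preexisting: dict = field(default_factory=dict)  # read before any write
    mismatches: list = field(default_factory=list)   # (cycle, addr, expected, seen)


def replay(txns):
    """Apply transactions in order to build the best-known memory state."""
    img = MemoryImage()
    for t in txns:
        if t.op == "W":
            img.words[t.addr] = t.data
            continue
        # A read of an address never written during the capture leaks the
        # contents RAM already held before sniffing began.
        if t.addr not in img.words:
            img.preexisting[t.addr] = t.data
        # A read that disagrees with the last write means the sniffer missed
        # traffic (another bus master, or dropped words at that clock rate).
        elif img.words[t.addr] != t.data:
            img.mismatches.append((t.cycle, t.addr, img.words[t.addr], t.data))
        img.words[t.addr] = t.data   # the bus value is the ground truth
    return img


def dump(img, start, length, fill=0x00):
    """Little-endian byte image of [start, start+length); unknown bytes -> fill."""
    out = bytearray()
    for addr in range(start, start + length, 2):
        word = img.words.get(addr)
        out += bytes((fill, fill)) if word is None else word.to_bytes(2, "little")
    return bytes(out[:length])


if __name__ == "__main__":
    image = replay(parse_trace(SAMPLE_TRACE, DATA_PERMUTATION))
    print("pre-existing:", {hex(a): hex(v) for a, v in image.preexisting.items()})
    print("mismatches:  ", image.mismatches)
    print("dump:        ", dump(image, 0x02000000, 8).hex())
```

Two things in the replay are worth more than the dump itself. Reads of addresses that were never written during the capture reveal what RAM held before the sniffer was attached, which is often the interesting part. And a read that disagrees with the last write the sniffer saw is a sign that the capture is incomplete, exactly the "can the FPGA keep up" worry raised in the post: if a bus master or a burst of traffic went by unrecorded, the mismatch list is where it shows up first.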
 
Critica1 said:
You bring up many good points here. Some very serious questions that need answering:

Would the typical FPGA board be able to keep up with the technology inside the 3DS? The DSi experiment, ramhax, was reported to communicate properly at 1.8 V. What are the changes today?

A very good FPGA board is the BASYS. It's out of stock at the moment, since BASYS2 is on the way.

Scanlime's experiment still led to a VERY good amount of information despite the DS not being hacked.

Here was his set up:

[image: 3869187499_da1665050d.jpg]

Apparently a Xilinx Spartan-3 FPGA board attached to a USB dongle was used.

"Scanlime really does some excellent work; through a bit of EE cleverness, he was able to slow down the clock of the DSi enough such that he could sniff all of the RAM traffic and dump it over USB to his computer for analysis."

It's unclear how he was able to slow down the CPU.

This guy!
 
blazergamer93 said:
This guy!
Haha, he's been posting hacking theories better than any 3DS hacking theory on GBAtemp.
 
blazergamer93 said:
This guy!
I know.

He's a noob temper who has knowledge about these things that I don't even know.
 
nintendoom said:
blazergamer93 said:
This guy!
I know.

He's a noob temper who has knowledge about these things that I don't even know.
You seem to be getting noob and new member mixed up.
[image: tongue.gif]

Noob: Newbie is a slang term for [...], or somebody inexperienced in any profession or activity.
 
FireGrey said:
You seem to be getting noob and new member mixed up.
[image: tongue.gif]

Noob: Newbie is a slang term for [...], or somebody inexperienced in any profession or activity.

[image: i_like_this_facebook_thumbs-up1.jpg]
 
FireGrey said:
You seem to be getting noob and new member mixed up.
[image: tongue.gif]

Noob: Newbie is a slang term for [...], or somebody inexperienced in any profession or activity.
Newbie, then. But... still....
[image: nope.jpg]

Same for me.
 
nintendoom said:
Newbie, then. But... still....
[image: nope.jpg]

Same for me.

[image: 18357.jpg]
 
@FireGrey, nintendoom, and blazergamer93,

I appreciate you following this thread, but my replies for this thread were to address serious questions and ideas by members who actually seek to understand the 3DS better than what's documented. Please do not litter your spam on this thread. Feel free to watch this thread, but only post constructive words or questions. Do not display big obnoxious pictures to display your emotions -__-
 
Slowing down CPUs is generally about limiting the I/O. Since you control the I/O when using an FPGA board, you can slow down the intake of the CPU enough to read data, but only a certain amount of slowdown can be achieved before the device comms create an I/O error when the expected data isn't received within the time-frame allocated.
 
Immortal_no1 said:
Slowing down CPUs is generally about limiting the I/O. Since you control the I/O when using an FPGA board, you can slow down the intake of the CPU enough to read data, but only a certain amount of slowdown can be achieved before the device comms create an I/O error when the expected data isn't received within the time-frame allocated.

You sir, are fucking awesome!

There isn't much clarity on the different uses of the FPGA board. It sounds like the FPGA is a type of hardware voltage attack. I've also been trying to uncover the other uses the FPGA boards might have in hacking. Hopefully, Nintendo didn't implement a check on their I/O operations. Got any other information about FPGA boards that might be worthwhile?

I've read somewhere that it might be possible an FPGA board could simulate encryption/decryption processes? Know anything about this? I'm trying to refer back to my sources...
 