Hacking Hacking progress - Encryption?

Critica1 said:
Immortal_no1 said:
Slowing down CPUs is generally about limiting the I/O. Since you control the I/O when using an FPGA board, you can slow down the intake of the CPU enough to read data; only a certain amount of slowdown can be achieved before the device comms creates an I/O error when the expected data isn't received within the time-frame allocated.

You sir, are fucking awesome!

There isn't much clarity on the different uses of the FPGA board. It sounds like the FPGA is a type of hardware voltage attack. I've also been trying to uncover the other uses the FPGA boards might have in hacking. Hopefully, Nintendo didn't implement a check to their I/O operations. Got any other information about FPGA boards that might be worthwhile?

I've read somewhere that it might be possible FPGA board could possibly stimulate encryption/decryption processes? Know anything about this? I'm trying to refer back to my sources...
I have been googling and have come across this
 
FireGrey said:
Critica1 said:
Immortal_no1 said:
Slowing down CPUs is generally about limiting the I/O. Since you control the I/O when using an FPGA board, you can slow down the intake of the CPU enough to read data; only a certain amount of slowdown can be achieved before the device comms creates an I/O error when the expected data isn't received within the time-frame allocated.

You sir, are fucking awesome!

There isn't much clarity on the different uses of the FPGA board. It sounds like the FPGA is a type of hardware voltage attack. I've also been trying to uncover the other uses the FPGA boards might have in hacking. Hopefully, Nintendo didn't implement a check to their I/O operations. Got any other information about FPGA boards that might be worthwhile?

I've read somewhere that it might be possible FPGA board could possibly stimulate encryption/decryption processes? Know anything about this? I'm trying to refer back to my sources...
I have been googling and have come across this


YES FIREGREY CRACKED IT!!!
 
FireGrey said:
I have been googling and have come across this

Could it be plausible to simulate the same encryption/decryption processes as the 3DS to bypass it? Anyone know the encryption/decryption security used? I think it might be both AES128/SHA256.
 
Critica1 said:
FireGrey said:
I have been googling and have come across this

Could it be plausible to simulate the same encryption/decryption processes as the 3DS to bypass it? Anyone know the encryption/decryption security used? I think it might be both AES128/SHA256.
I believe it uses 128bit AES CTR
If you could connect it to the 3DS, then it is likely you could.
 
FireGrey said:
Critica1 said:
FireGrey said:
I have been googling and have come across this

Could it be plausible to simulate the same encryption/decryption processes as the 3DS to bypass it? Anyone know the encryption/decryption security used? I think it might be both AES128/SHA256.
I believe it uses 128bit AES CTR
If you could connect it to the 3DS, then it is likely you could.

I actually took the time to read the article you posted from that link, and I was able to decrypt AES files, but from another game (Combat Arms). In order to test it I would have to team up with someone who has a 3DS; I have one but it's being shared by smaller brothers (lol) and if something happens to it I will get a whole mob against me (and parents).
 
Critica1 said:
Immortal_no1 said:
Slowing down CPUs is generally about limiting the I/O. Since you control the I/O when using an FPGA board, you can slow down the intake of the CPU enough to read data; only a certain amount of slowdown can be achieved before the device comms creates an I/O error when the expected data isn't received within the time-frame allocated.

You sir, are fucking awesome!

There isn't much clarity on the different uses of the FPGA board. It sounds like the FPGA is a type of hardware voltage attack. I've also been trying to uncover the other uses the FPGA boards might have in hacking. Hopefully, Nintendo didn't implement a check to their I/O operations. Got any other information about FPGA boards that might be worthwhile?

I've read somewhere that it might be possible FPGA board could possibly stimulate encryption/decryption processes? Know anything about this? I'm trying to refer back to my sources...

At this point I'm going to assume you don't know much about FPGA boards; if this isn't true then this can be some information to others who want to know.
FPGA stands for Field Programmable Gate Array, and what this is, is in effect a cut-down computer with integrated circuits designed to be usually compact, for the use of testing hardware solutions (there is no operating system). If you wanted, you can take a normal motherboard and rework the BIOS and you will have yourself a nice FPGA board, but it won't have that many connectors; however, since you control every aspect of the board you can do what you want.

So you make the software and put it on the FPGA board.
You control all the Input and output pins (lines)

So for the 3DS process it will be cut into 3 parts - Snooping - Replicating - Exploiting

Snooping - once you have made your software for the FPGA
You read in what the 3DS is sending to the Cartridge then pass the data on to the cartridge
Read in what the cartridge is sending to the 3DS then pass it onto the 3DS
What you have at the end is a protocol Dump, include time stamps on the debug logs and you can recreate the order of the data that gets sent and received. Thus you can then map out the protocol.

Replicating - Once you know the protocol you can remove the cartridge and connect up your Flash Memory reader (A Fast memory reader required or pre reading into FPGA onboard RAM required)
You use the protocol to send commands to the 3DS from the FPGA and interpret the responses based on your protocol map.
At the point when it asks for the data you send it from your memory/flash bank instead of from the cartridge.
All going well the 3DS will think that everything is all good and will show the icon on the screen and assuming the protocol map is complete you will be able to make the 3DS think that your FPGA is a cartridge!

Exploiting - Once you know the protocol and can replicate it and make the 3DS think it's an official cartridge, you then go to a manufacturer and ask them for a device which fits the requirements you have on your FPGA, so onboard Flash, a microprocessor or similar chip to interpret the protocol, microSD card and whatever else. SuperCard DS2 is the perfect example for what I would expect the 3DS flashcard to end up looking like, although I would also expect that it would have a GB of flash to put the ROM in so that it has it on boot; it may not be necessary if the Supercard DS2 400 MHz MIPS core is good enough to defeat the protection. I think it is, but time will tell.
Once the manufacturer creates the card and flashes the binary blob (compiled source code) into the onboard chip and shoves a plastic case on it, the company that manufactured the cards gets their money, the designer gets their product, the shops get their products to sell on for a profit and...
If you're unlucky the client's design/binary blob will be leaked to other manufacturers and cloned cards will be released.

Thus this is the usual life cycle process for all hardware manufactured. (minus the Cloning)

Hope this helps someone, it was enjoyable writing this


Ah, took so long to write this that other posts have been made. I like the AES FPGA, nice
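
The "Replicating" stage in the post above relies on recorded cartridge traffic still being accepted in a later session. As an added example (not code from the thread, and not the 3DS's actual scheme), this sketch contrasts a host that sends a static challenge with one that sends a fresh random challenge each time. The HMAC-SHA256 challenge-response, the shared secret and every class name are assumptions made for illustration.

```python
import hashlib
import hmac
import os

class Cartridge:
    """Genuine device (hypothetical): answers challenges with a keyed MAC."""
    def __init__(self, secret: bytes):
        self._secret = secret
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

class Tap:
    """Passive interposer: forwards traffic and keeps a protocol dump."""
    def __init__(self, device):
        self.device, self.dump = device, {}
    def respond(self, challenge: bytes) -> bytes:
        reply = self.device.respond(challenge)
        self.dump[challenge] = reply          # recorded request/response pair
        return reply

class Replayer:
    """Emulator that knows only the dump, never the secret."""
    def __init__(self, dump: dict):
        self._dump = dump
    def respond(self, challenge: bytes) -> bytes:
        return self._dump.get(challenge, bytes(32))

class Host:
    """Verifier; fresh=False models a static, replayable handshake."""
    def __init__(self, secret: bytes, fresh: bool):
        self._secret, self._fresh = secret, fresh
    def authenticate(self, device) -> bool:
        challenge = os.urandom(16) if self._fresh else b"\x01" * 16
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, device.respond(challenge))

def demo() -> dict:
    secret = os.urandom(32)                   # constructed sample key
    results = {}
    for name, fresh in (("static", False), ("fresh", True)):
        host, tap = Host(secret, fresh), Tap(Cartridge(secret))
        recorded_ok = host.authenticate(tap)  # genuine session, observed
        replay_ok = host.authenticate(Replayer(tap.dump))
        results[name] = (recorded_ok, replay_ok)
    return results
```

With the static challenge the recorded reply is accepted a second time; with a fresh challenge the dump no longer matches, so a design that binds each session to a new nonce is not defeated by capture alone.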
 
cyb3ritachi said:
FireGrey said:
Critica1 said:
FireGrey said:
I have been googling and have come across this

Could it be plausible to simulate the same encryption/decryption processes as the 3DS to bypass it? Anyone know the encryption/decryption security used? I think it might be both AES128/SHA256.
I believe it uses 128bit AES CTR
If you could connect it to the 3DS, then it is likely you could.

I actually took the time to read the article you posted from that link, and I was able to decrypt AES files, but from another game (Combat Arms). In order to test it I would have to team up with someone who has a 3DS; I have one but it's being shared by smaller brothers (lol) and if something happens to it I will get a whole mob against me (and parents).

Are you serious?!

this could be..........the start of something....kudos brudaaaaaa
 
cyb3ritachi said:
FireGrey said:
Critica1 said:
FireGrey said:
I have been googling and have come across this

Could it be plausible to simulate the same encryption/decryption processes as the 3DS to bypass it? Anyone know the encryption/decryption security used? I think it might be both AES128/SHA256.
I believe it uses 128bit AES CTR
If you could connect it to the 3DS, then it is likely you could.

I actually took the time to read the article you posted from that link, and I was able to decrypt AES files, but from another game (Combat Arms). In order to test it I would have to team up with someone who has a 3DS; I have one but it's being shared by smaller brothers (lol) and if something happens to it I will get a whole mob against me (and parents).
You managed to decrypt a game?
Great job!
Well sadly i don't have a 3DS so I won't be able to try any of these things, only theorize.
 
Immortal_no1 said:
At this point I'm going to assume you don't know much about FPGA boards; if this isn't true then this can be some information to others who want to know.

No, I don't know anything about DS related hacking. Never even owned a DS. In 3 days I was able to understand the recent posts and news and came up with perfectly logical and credible information myself. How? By using Google ladies and gentlemen

Thank you so much for this tidbit of information. I am planning on buying an FPGA soon and ready to start ordering tools to disassemble my 3DS in the near future.
 
Combat Arms not being a 3DS game, right?.... I have a 3DS so I can look into it, post a link to the files and I'll see what I can find
 
Critica1 said:
Immortal_no1 said:
At this point I'm going to assume you don't know much about FPGA boards; if this isn't true then this can be some information to others who want to know.

No, I don't know anything about DS related hacking. Never even owned a DS. In 3 days I was able to understand the recent posts and news and came up with perfectly logical and credible information myself. How? By using Google ladies and gentlemen

Thank you so much for this tidbit of information. I am planning on buying an FPGA soon and ready to start ordering tools to disassemble my 3DS in the near future.
I would like to help you in some way.
If you want me to help you in any way with it, send me a PM.
 
Seeing that I have 2 3DSes.. I could help with some of the stuff too. PM me if needed. Just realize that I don't have any kind of hardware development tools.
 
It's just the fact of buying hardware without knowing the future consequences. So I compared prices to some FPGA boards and it seems they aren't tooooo expensive. Xilinx Spartan 6 goes for $200. Then you gotta get the right CPLD, one made to fit the 3DS cart slot (DS form most likely) which could be around $25. Don't forget the parts; USB dongle, wiring, tools, and other parts not at the top of my head. I'd say this could be roughly a $300 project. Then to analyze and trial and error so that the RAM traffic actually dumps. Also need to guesstimate how many voltages the FPGA needs in order to communicate with the 3DS properly.

And even with the parts, what parts have we identified on the motherboard? We don't even know the connection points to the FPGA. On top of that, the theories that could backfire leading to hardware malfunctions....

Do I dare go on? All this for little internal bits of information. Logistically speaking, it's a gamble.
 
Critica1 said:
It's just the fact of buying hardware without knowing the future consequences. So I compared prices to some FPGA boards and it seems they aren't tooooo expensive. Xilinx Spartan 6 goes for $200. Then you gotta get the right CPLD, one made to fit the 3DS cart slot (DS form most likely) which could be around $25. Don't forget the parts; USB dongle, wiring, tools, and other parts not at the top of my head. I'd say this could be roughly a $300 project. Then to analyze and trial and error so that the RAM traffic actually dumps. Also need to guesstimate how many voltages the FPGA needs in order to communicate with the 3DS properly.

And even with the parts, what parts have we identified on the motherboard? We don't even know the correction points to the FPGA. On top of that, the theories that could backfire leading to hardware malfunctions....

Do I dare go on? All this for little internal bits of information. Logistically speaking, it's a gamble.
If you manage to do it successfully, it will be a major accomplishment!
 
Critica1 said:
It's just the fact of buying hardware without knowing the future consequences. So I compared prices to some FPGA boards and it seems they aren't tooooo expensive. Xilinx Spartan 6 goes for $200. Then you gotta get the right CPLD, one made to fit the 3DS cart slot (DS form most likely) which could be around $25. Don't forget the parts; USB dongle, wiring, tools, and other parts not at the top of my head. I'd say this could be roughly a $300 project. Then to analyze and trial and error so that the RAM traffic actually dumps. Also need to guesstimate how many voltages the FPGA needs in order to communicate with the 3DS properly.

And even with the parts, what parts have we identified on the motherboard? We don't even know the correction points to the FPGA. On top of that, the theories that could backfire leading to hardware malfunctions....

Do I dare go on? All this for little internal bits of information. Logistically speaking, it's a gamble.

The way which I mentioned in my earlier post is to spoof the cartridge via protocol and data sniffing, so no disassembly of the 3DS is required.

The way in which you are describing the process suggests you're going for a memory dump process which is a lot more technical and a trial/error process needed.

Total Kit requirements:
Broken DS for DS port / Buy a DS cartridge port. Price about £4 ($7)
Pliers to cut out top edge of DS cartridge port so 3DS game will fit. £2 ($3)
Wires
FPGA board - Prices vary, reasonable ones could be bought for about £70 which should be compatible ($100)
A PC - for reading the data onto
Soldering Iron (needlenose tip is preferred) £7 ($10)
Solder whatever should be fine
Flux is useful for making the solder go where you want it to so you don't end up bridging solder points.
Software writing Skills
A DS game that you can have access to the pinouts and solder directly to, a cheap game. Removing parts of the DS game will be required so that it doesn't boot the game and make the 3DS jump into DS mode. £3 ($5)
 
Ok, this seems like a much better budget. Mine was a quick reference only looking at one company. I think it's best to understand to know what specifics the FPGA board needs.

Questions:
How many I/O pins? 500? 600? 800? 1200?
How many volts are needed? DSi required 1.8v in order to communicate properly.

I think the first step is to at least disassemble the 3DS. Might as well get your hands dirty.

Edit: You suggested no disassembly required. Somehow I just don't see that happening xD

Edit 2: We can't assume your theory because it directly conflicts with Crown3DS. We aren't 100% positive that the video is real. Despite looking real/authentic, I would like a lot more reassuring confidence than trying this methodology.
 
Immortal_no1 said:
Combat Arms not being a 3DS game, right?.... I have a 3DS so I can look into it, post a link to the files and I'll see what I can find
No, don't post game files or link to it on the forum.

Only save data are allowed to share, not the game's files of any form.
 
Cyan said:
Immortal_no1 said:
Combat Arms not being a 3DS game, right?.... I have a 3DS so I can look into it, post a link to the files and I'll see what I can find
No, don't post game files or link to it on the forum.

Only save data are allowed to share, not the game's files of any form.

My bad, sorry.
 
