how do people find exploits on consoles like 3ds

Discussion in '3DS - Homebrew Development and Emulators' started by Jimmay123, May 27, 2015.

  1. Jimmay123
    OP
    I really want to learn how it's all done, what happens under the hood, how it works, and be able to come up with an exploit,
    like how smea found ninjhax, for example. I know shit all about coding, and while I have one or two ideas I wouldn't even begin to know how I'd try it, or even if it would work out or whether my 3DS would explode.
    Anyone got a resource for someone like me who knows zilch about exploiting and coding, to teach myself how to do it all? :)
     


  2. Chrisser_75
    #nohobbys ^^
     
    MajinCubyan likes this.
  3. The Real Jdbye
    All it takes is the right skill set, and hard work and dedication. Start by learning programming, and then move on to more advanced things like hacking/reverse engineering older games. But the people who are hacking the 3DS have been programming and such for years; it takes a lot of experience (not necessarily in hacking, but in general programming) to be able to do things like this.
     
    Kafke and WiiCube_2013 like this.
  4. nop90
    An Informatics Engineering degree could be a good starting point.
     
    caprathebest likes this.
  5. Duo8
    RE-ing
    That's it I think.
     
  6. Noctosphere
    Here is how I see everything about coding:
    There are many languages for coding, but the one mainly used for video games, on PC AND on console, is currently C++.
    C++ is a complex language based on what we call objects.
    Objects are composed of many functions and variables (I don't recall their correct names in English, I learned programming in French ^^)

    Objects can be visualised as a cube that you can't see through.
    Variables can be visualised as mechanisms inside the cube. You can't touch them, you can't modify them, you can't see them.
    Functions can be visualised as buttons on the cube. Once you press a button, a function, the mechanisms begin to move, to modify each other, in the way the programmer wanted.

    That way, variables cannot be touched. Users of the cube/object cannot modify whatever they want to whatever they want. It's like changing the maximum life of a character: the programmer doesn't want the user to change it from 100 to 10000.
    So, with the cube, only some variables can be modified, and only in certain ways, depending on how the programmer wanted it.

    The cube is the object, but it also acts as a protection; in the case of the Wii U, I think this protection is called the Kernel (please tell me if I'm wrong).
    Even if the cube has 6 square faces that you can't see through, there is always some tiny crack. For example, the cube is 1 cubic metre in size and there is a crack of 0.3 millimetres on one of the faces.
    This crack is called an exploit, and it is the role of the hacker to find it and exploit it. Even if this crack is only 0.3 millimetres long, it's more than enough for a hacker to find a way inside the cube, to modify some variables and to be able, in the case of the Wii U,
    to load some files that couldn't be loaded before: ISOs, homebrew and such things, for example.

    There is a trick however; it's called an update.
    But updates are double-edged.
    Updates won't just fix the crack on the face of the cube. (Don't ask me why, it's just against the rules of programming, compilation, and whatever.)
    Here is what updates do: they completely remove the cube, they create another cube, and then they put everything back in the cube.

    This way, the cube doesn't have the crack in that place anymore... BUT!!!! It's a whole new cube; there isn't a crack here, but since it's a whole new cube, there might be a new crack on another face of the cube.
    This crack could be 0.04 millimetres, so it will be harder for hackers to find, but it could also be 0.8 millimetres, so it will be easier for hackers to find.

    So, to sum up:
    Exploits are cracks in a wall (the protection, alias the Kernel), separating users (you) from mechanisms (variables users aren't supposed to see).
     
  7. TheCruel
    In the beginning, it's all hardware reverse engineering, so you would seek help from microprocessor engineers unless you know how to decap a CPU or extract the necessary information yourself. Even then, it's a matter of getting access to internal information (firmware, memory states, etc.), which requires tapping in at the hardware level (see JTAG as a common example). Once you're able to read from ROM/RAM, it mostly requires a shit ton of tinkering, observing, and documenting behaviours. This is where it helps to be an experienced (low-level) programmer. There are common exploits and entry points like buffer overflows that have certain flags and indicators to look for.

    It basically takes a lot of time, knowledge, and luck.

    If you want to do this, then learn how computers work: computer instructions down to the ASM level, the different types of memory and how they all work together, etc. I suggest you start with software reverse engineering; learn to disassemble Photoshop and make a crack to get it to bypass product code/serial registration, for example. Though obviously you don't start with Photoshop.
     
    Nickname863 likes this.
  8. Nickname863
    That is actually a really nice explanation :D I like it.
     
    Noctosphere likes this.
  9. Noctosphere
    thanks ^^
    That's the way I learned, actually. I learned online and that's how they described C++.
     
  10. NicEXE
    1) Locate a module in the whole system that is likely to break
    2) Try and break it

    PS. If it sounds simple: it isn't
     
    Laroon and Kafke like this.
  11. Noctosphere
    no, it's very simple,
    1) open the 3ds and rip off a chipcard
    2) try and break it

    done.... huh... WAIT! WHAT!!!!!
    MY 3DS NOOOOO!!!!
     
  12. fuyukaidesu
    This is cringe-worthy.
     
    Kafke likes this.
  13. Nickname863
    why?
     
  14. TheCruel
    Well, he just described object-oriented programming and not really exploiting consoles...

    Lol, the way you say it...
     
    Laroon and Kafke like this.
  15. fuyukaidesu
    It wasn't even close to being accurate.
    Also talking about abstraction is generally going in the wrong direction when talking about RE.
     
    Kafke likes this.
  16. Nickname863
    Yeah, he didn't, but "cringe-worthy" is pretty harsh, I think.
    (And I know that you can't extract ways to work with it out of his explanation.)
     
  17. Noctosphere
    English isn't my native language. I'm looking on the internet and "cringe-worthy" means "FAIL".
    If that's the right meaning, can you tell me how I am failing?
    If it isn't, then could you explain to me what this means?
    Am I supposed to apologize?
    Am I supposed to laugh?
    Maybe I should roll over and wait for a cookie :)
     
    Nickname863 likes this.
  18. Noctosphere
    I said that? Did I?
    Well, what I'm about to say is very close:
    All good video game programmers use C++.

    :)
     
  19. Nickname863
    I don't agree. A lot of programming languages have their own advantages and disadvantages. That includes C++.
     
  20. Kafke
    Since Noctosphere was.... um... entirely wrong, I'll give a rundown.

    If you don't know the ins and outs of coding in a low-level language (C/ASM), you aren't going to be able to find an exploit. That's pretty much a guarantee. The idea of hacking the console is to get access to system features without authorization. On a regular computer, this is fairly simple, since that's the whole point, and 'hacking into a computer' is a lot simpler because we can access the hardware, easily write software that runs, etc.

    On a console (3DS), we don't have that luxury. There's no way to write code/programs/games for the console without being authorized by Nintendo and being given a nice pretty packaged developer's kit. So instead, we need to find a way to execute our own code. How we do this is by finding a vulnerability in some file loading system, 'exploiting it', and then writing ASM/C to do what we please.

    Finding an exploit is tricky, since there's no guaranteed way of going about it. And there might not BE any exploits in the first place. Cubic Ninja, a shittily coded game, pretty much handed us an exploit on a silver platter. The game uses QR codes to generate levels, those levels are stored on and run off the SD card, and there are no checks to ensure the levels are valid (there might be, and Smea just found a way around those checks). Cubic Ninja then tries to load our junk level that's intentionally bad, and instead of loading a level, we have it run custom code instead. I'm not familiar with the exact nature of the exploit, but it appears to me that it's most likely a buffer overflow, with some code injection. It wouldn't surprise me if that was the case.

    Once you have an initial exploit, you still have the problem of getting access to the system itself. Modern computers (and game consoles) typically have several levels of permissions. Which is why Ninjhax can't do everything (like launch games). The code we are able to run is limited to what sort of access we have. For NinjHax, that's anything Cubic Ninja has access to.

    From there, the guys working on PastaCFW have found another exploit that gives us access to Arm9 (and Arm11, IIRC). Which means we can do things like install CIAs, patch sig checks, and so on.

    The deal with patches, naturally, is that they change the code in some exploited system to remove that vulnerability.

    So the TL;DR: You don't find exploits. At least, not without a lot of computer science knowledge and a good understanding of how the hardware works. Shit's hard. Be impressed by the exploits these guys have found.

    "Programming" doesn't have much to do with it. It's more system-level stuff and ASM. "Programming" is just for the noobier of us, who don't care to deal with mucking around in ASM, but still want to write cool stuff.

    Finally, at Nocto: OOP is almost never related to finding exploits. Nor to cheating in games. And a kernel isn't a "protection"; it's literally the system you are trying to exploit.
     
    fuyukaidesu and Nickname863 like this.
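
As an added illustration of the pattern Kafke describes above (a game loader that trusts a length field read from the SD card and copies past a fixed buffer), here is a hypothetical level parser in C with the unchecked copy next to its bounds-checked form. This is example code written for this page, not Cubic Ninja's real code or level format, and not smea's exploit: the on-disk layout (one length byte, then data), `LEVEL_MAX`, the "handler" slot that sits right after the level buffer, and the `0xdeadbeef` marker are all assumed for illustration. The simulated memory is a plain byte array so the overflow is observable without relying on undefined behaviour; on real hardware the clobbered slot would be a saved return address or a function pointer, which is where an exploit takes control.

```c
/* Hypothetical level loader: vulnerable copy vs. bounds-checked copy.
 * Not Cubic Ninja's code or format; everything here is assumed for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define LEVEL_MAX 64   /* assumed fixed-size level buffer */

/* Simulated memory: LEVEL_MAX bytes of level data immediately followed by a
 * 4-byte little-endian "handler" value the game would use later (assumed). */
typedef struct {
    uint8_t mem[LEVEL_MAX + 4];
} level_slot_t;

static void slot_init(level_slot_t *slot, uint32_t handler) {
    memset(slot->mem, 0, sizeof slot->mem);
    slot->mem[LEVEL_MAX + 0] = (uint8_t)(handler);
    slot->mem[LEVEL_MAX + 1] = (uint8_t)(handler >> 8);
    slot->mem[LEVEL_MAX + 2] = (uint8_t)(handler >> 16);
    slot->mem[LEVEL_MAX + 3] = (uint8_t)(handler >> 24);
}

/* Read back the handler slot that follows the level buffer. */
uint32_t slot_handler(const level_slot_t *slot) {
    const uint8_t *p = slot->mem + LEVEL_MAX;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Assumed on-disk format: one length byte, then `len` bytes of level data. */

/* VULNERABLE: verifies the file is long enough, but never that the
 * destination is. A length byte larger than LEVEL_MAX writes past the level
 * data into whatever follows it (here: the handler slot). */
int load_level_unchecked(level_slot_t *slot, const uint8_t *file, size_t file_len) {
    if (file_len < 1) return -1;
    size_t len = file[0];
    if (file_len < 1 + len) return -1;
    /* Demo rail only: keeps the write inside the simulated memory array.
     * The real vulnerable pattern has no bound on the destination at all. */
    if (len > sizeof slot->mem) return -1;
    memcpy(slot->mem, file + 1, len);
    return 0;
}

/* HARDENED: rejects any length the destination cannot hold. */
int load_level_checked(level_slot_t *slot, const uint8_t *file, size_t file_len) {
    if (file_len < 1) return -1;
    size_t len = file[0];
    if (len > LEVEL_MAX) return -1;          /* the missing check */
    if (file_len < 1 + len) return -1;
    memcpy(slot->mem, file + 1, len);
    return 0;
}

/* Constructed sample input: a "level" whose length byte says 68, followed by
 * 64 filler bytes and 4 bytes that land exactly on the handler slot.
 * Returns the number of bytes written, or 0 if the buffer is too small. */
size_t build_evil_level(uint8_t *out, size_t cap) {
    const size_t len = LEVEL_MAX + 4;
    if (cap < 1 + len) return 0;
    out[0] = (uint8_t)len;
    memset(out + 1, 'A', LEVEL_MAX);
    /* little-endian 0xdeadbeef: stands in for the address an attacker
     * would place where a code pointer lives */
    out[1 + LEVEL_MAX + 0] = 0xef;
    out[1 + LEVEL_MAX + 1] = 0xbe;
    out[1 + LEVEL_MAX + 2] = 0xad;
    out[1 + LEVEL_MAX + 3] = 0xde;
    return 1 + len;
}

int main(void) {
    uint8_t file[1 + LEVEL_MAX + 4];
    size_t n = build_evil_level(file, sizeof file);
    level_slot_t slot;

    slot_init(&slot, 0x00100000u);
    int rc = load_level_unchecked(&slot, file, n);
    printf("unchecked: rc=%d handler=0x%08x\n", rc, slot_handler(&slot));

    slot_init(&slot, 0x00100000u);
    rc = load_level_checked(&slot, file, n);
    printf("checked:   rc=%d handler=0x%08x\n", rc, slot_handler(&slot));
    return 0;
}
```

The only difference between the two loaders is the `len > LEVEL_MAX` test; with it, the crafted file is refused and the handler keeps its original value, and without it, the four trailing bytes overwrite the handler. Finding this class of bug on a real target is what the thread is about: locating a parser that reads attacker-controlled data (SD card, QR code, save file) and checking whether every size it reads is validated against the buffer it writes into.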