Homebrew: Is it possible to make a Download Play exploit?

WeedZ (Global Moderator, joined Jan 13, 2015, United States):
I may be talking out of my ass, here, and I probably am, but - what if we were to exploit the stream of data sent *after* the executable rather than the executable itself? I would imagine that's handled differently, no? Sure, there are signature checks on the chunk of game code needed to run the downloaded game. But, take Mario Kart for example - after the executable for the game is sent, there's a continuous stream of data sent after that. Racer positions, speeds, synchronization, etc. Could that be potentially tampered with?
You mean like hijacking the communication between the devices as the software is already running? I'm not entirely sure, but I think that data is secured as well. It still travels through an encrypted protocol. Interesting thought anyway.

TuxSH (Member, joined Oct 19, 2015, France):
Search on Google for nwm_beaconkey and yellows8's beacon data tool. Use monitor mode and capture packets sent. Have fun (that's how smashbroshax was made)
Once you decrypt beacon data you are able to decrypt the packets following those, even if it seems to be a total pain...
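Before any of the beacon decryption TuxSH mentions can happen, the captured 802.11 beacon frames have to be parsed and the vendor-specific information elements pulled out. The following is an added example (not code from this thread, from yellows8's tool, or from any 3DS project) that does that first step in Python on a raw 802.11 frame with the radiotap header already stripped. It assumes the DLP host's beacon carries its data in vendor-specific IEs (tag 0xDD) under the Nintendo-registered OUI 00:1F:32 and that a payload longer than one IE (255 bytes max) is split across consecutive IEs with the same OUI type; both of those are assumptions, as is the sample frame, which is constructed here rather than captured. Key derivation from nwm_beaconkey and the actual decryption are not implemented.

```python
import struct
from collections import OrderedDict

# Assumption: the Nintendo-registered OUI used in the local-WLAN beacon vendor IEs.
NINTENDO_OUI = bytes.fromhex("001f32")
FRAME_TYPE_MGMT, SUBTYPE_BEACON = 0, 8
VENDOR_SPECIFIC_TAG = 0xDD


def parse_beacon(frame: bytes) -> dict:
    """Parse a raw 802.11 beacon (no radiotap) into header fields and a list of (tag, body) IEs."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if (ftype, subtype) != (FRAME_TYPE_MGMT, SUBTYPE_BEACON):
        raise ValueError(f"not a beacon frame: type={ftype} subtype={subtype}")
    bssid = frame[16:22]                              # addr3 in a beacon is the BSSID
    timestamp, interval, caps = struct.unpack_from("<QHH", frame, 24)
    ies, off = [], 36                                 # IEs start after the fixed parameters
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        body = frame[off + 2:off + 2 + length]
        if len(body) != length:                       # refuse frames with a truncated IE
            raise ValueError(f"truncated IE tag=0x{tag:02x} at offset {off}")
        ies.append((tag, body))
        off += 2 + length
    return {"bssid": bssid, "timestamp": timestamp, "interval": interval, "caps": caps, "ies": ies}


def nintendo_vendor_data(ies) -> dict:
    """Group Nintendo-OUI vendor IEs by OUI type, concatenating split payloads in frame order
    (the concatenation rule is an assumption about how long beacon data is carried)."""
    groups = OrderedDict()
    for tag, body in ies:
        if tag != VENDOR_SPECIFIC_TAG or len(body) < 4 or body[:3] != NINTENDO_OUI:
            continue
        groups.setdefault(body[3], bytearray()).extend(body[4:])
    return {t: bytes(d) for t, d in groups.items()}


def ie(tag: int, body: bytes) -> bytes:
    if len(body) > 255:
        raise ValueError("IE body exceeds 255 bytes")
    return bytes([tag, len(body)]) + body


def sample_payload() -> bytes:
    # Constructed 300-byte payload; long enough that it must be split over two IEs.
    return bytes(i & 0xFF for i in range(300))


def build_sample_beacon() -> bytes:
    """Constructed beacon frame (not a real capture): management/beacon, broadcast DA, one
    Nintendo vendor payload split across two IEs, plus an unrelated vendor IE to be ignored."""
    hdr = (struct.pack("<HH", 0x0080, 0)              # frame control: type 0, subtype 8
           + b"\xff" * 6                               # addr1: broadcast
           + bytes.fromhex("001f32aabbcc") * 2         # addr2 (SA) and addr3 (BSSID)
           + struct.pack("<H", 0x10))                  # sequence control
    fixed = struct.pack("<QHH", 0x1234, 100, 0x0021)   # timestamp, interval, capabilities
    payload = sample_payload()
    vendor = (ie(VENDOR_SPECIFIC_TAG, NINTENDO_OUI + b"\x0a" + payload[:251])
              + ie(VENDOR_SPECIFIC_TAG, NINTENDO_OUI + b"\x0a" + payload[251:]))
    other = ie(VENDOR_SPECIFIC_TAG, bytes.fromhex("0050f2") + b"\x01" + b"\x00" * 4)
    return (hdr + fixed
            + ie(0x00, b"")                            # hidden SSID
            + ie(0x01, bytes([0x82, 0x84, 0x8B, 0x96]))  # supported rates
            + ie(0x03, b"\x06")                        # DS parameter set: channel 6
            + vendor + other)


if __name__ == "__main__":
    info = parse_beacon(build_sample_beacon())
    for oui_type, data in nintendo_vendor_data(info["ies"]).items():
        print(f"BSSID {info['bssid'].hex(':')} OUI type 0x{oui_type:02x}: {len(data)} bytes")
```

To use it on a real capture, read frames from a monitor-mode pcap, strip the radiotap header (its length is at bytes 2-3 of the radiotap header), and pass each frame to parse_beacon; the bytes returned per OUI type are what the beacon-data tool would then decrypt.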

Duo8 (Member, joined Jul 16, 2013, Vietnam):
Oh wait it sends a CXI, not a CIA.

Wait no it's a CIA. That wiki is just hard to read some times.

JustPingo (Member, joined Jan 11, 2015, France):
DLP sends a client that does different things depending on the game. Which means it's just a little piece of code that will download stuff from the server later in MK7. A signed piece of code. The CIA sent is that thing, and the maps are downloaded later in an unsigned format. Unless there's a buffer overflow in the game itself, you won't get anything.

WeedZ (Global Moderator, joined Jan 13, 2015, United States):
I believe that the DLP-broadcasted cia is just requesting the romfs contents of the server.

Send FBI over DLP and I'll believe you.
You can't send software. That's not what I'm saying at all. What I'm saying is you would create a security flaw that could be exploited from the client itself.
DLP sends a client that does different things depending on the game. Which means it's just a little piece of code that will download stuff from the server later in MK7. A signed piece of code. The CIA sent is that thing, and the maps are downloaded later in an unsigned format. Unless there's a buffer overflow in the game itself, you won't get anything.
This is what I mean. The data sent is unsigned (aside from protocol). If the 'server' or host ds opened a connection there should be enough wiggle room through rom modding to make things unstable.

I can't argue this anymore. It'll either happen or it won't. In the meantime I'm going to explore it myself when I have free time. This debate has been really useful though.

Duo8 (Member, joined Jul 16, 2013, Vietnam):
You can't send software. That's not what I'm saying at all. What I'm saying is you would create a security flaw that could be exploited from the client itself.

This is what I mean. The data sent is unsigned (aside from protocol). If the 'server' or host ds opened a connection there should be enough wiggle room through rom modding to make things unstable.

I can't argue this anymore. It'll either happen or it won't. In the meantime I'm going to explore it myself when I have free time. This debate has been really useful though.
You did say "send modified CIA".

TuxSH (Member, joined Oct 19, 2015, France):
You can't send software. That's not what I'm saying at all. What I'm saying is you would create a security flaw that could be exploited from the client itself.

This is what I mean. The data sent is unsigned (aside from protocol). If the 'server' or host ds opened a connection there should be enough wiggle room through rom modding to make things unstable.

I can't argue this anymore. It'll either happen or it won't. In the meantime I'm going to explore it myself when I have free time. This debate has been really useful though.

If you have an exploit, it would be limited to userland.

And if it requires 2 3DSes, one of which has access to homebrew (which would almost be a certainty due to technical reasons), then OOThax is just plain better.

If you did find an exploit in the DLP service itself, then it would be a whole different story.

Duo8 (Member, joined Jul 16, 2013, Vietnam):
If you have an exploit, it would be limited to userland.

And if it requires 2 3DSes, one of which has access to homebrew (which would almost be a certainty due to technical reasons), then OOThax is just plain better.

If you did find an exploit in the DLP service itself, then it would be a whole different story.
DLP app. Which is userland.

TuxSH (Member, joined Oct 19, 2015, France):
DLP app. Which is userland.
DLP app (eur: 0004001000022100) != DLP service (0004013000002802).

The DLP service (system module) has access to AM:U, which is what sysUpdater uses to downgrade (for instance).

MasterLel (Member, joined Mar 14, 2015, France):
Just had an idea about downgrading... We can't downgrade (unless we delete the old firmware) because of the system check, right? So what about customizing a vulnerable firmware (like 9.2), changing its sysver to 10.4 or whatever? It should bypass the check and thus install the firmware, because it is technically newer than the current console firmware.

So we would have 9.2 firmware exploits with a 10.4 sysver...

MasterLel (Member, joined Mar 14, 2015, France):
Well, if I recall correctly some people here said that they could update through DLP, so we could also downgrade.

edit:
If you read my post I detail why it isn't possible, technically all of the pieces are there if we could bypass that one part of the security... Basically it is possible to update through download play (and has been done) but not downgrade

TuxSH (Member, joined Oct 19, 2015, France):
Well, if I recall correctly some people here said that they could update through DLP, so we could also downgrade.

edit:
You need to have code exec inside the DLP service.
And, well, it's possible to update with DLP because it is implemented so (I mean, if the server is on a higher fw than the client, then it sends the update data to the client).

shinyquagsire23 (Member, joined Nov 18, 2012, Las Vegas, United States):
Just had an idea about downgrading... We can't downgrade (unless we delete the old firmware) because of the system check, right? So what about customizing a vulnerable firmware (like 9.2), changing its sysver to 10.4 or whatever? It should bypass the check and thus install the firmware, because it is technically newer than the current console firmware.

So we would have 9.2 firmware exploits with a 10.4 sysver...
If it's modified it won't be signed properly any more.