My Experimentation with the DS Profile Exploit

Discussion in '3DS - Homebrew Development and Emulators' started by fierce waffle, Dec 16, 2013.

  1. fierce waffle
    OP

    fierce waffle GBAtemp Regular

    Much of the information in this thread is provided by smealum. He's been extremely helpful in ensuring my comprehension of the topic. If you notice any errors or flaws in this thread, please inform me. The exploit used by GW as well as smealum utilizes a stack smash exploit. For more info on this, watch this video: http://videos.securitytube.net/Buffer Overflow Primer Part 1 (Smashing the Stack).mp4

    Too long or corrupted strings (offset 01Ah, 2 bytes: nickname length in characters; offset 050h, 2 bytes: message length in characters) in the NVRAM DS user settings cause (System Settings->Other Settings->Profile->Nintendo DS Profile) to crash in 3DS-mode due to a stack-smash. The reason (presumably) that the DS crashes in this case is that the string that has been corrupted and overflowed is apparent in the stack, causing it to crash. The same string then is used to manipulate the stack smash and create a ROP chain (what this string specifically needs to be is beyond me as of yet) loaded from the NVRAM. You can then use a function that is already apparent in memory to load another ROP chain located on the SD card. This code that corrupts the DS profile strings can be written in devkitARM. There is NDS code involved for loading the initial NVRAM payload but that's it. The actual 3DS code is loaded from a file put on the SD card.

    I have yet to reach this point, keep in mind.
    END OF THREAD FOR NOW!
    If any of you have achieved the above, feel free to elaborate on how you did so. If we wish to achieve our own CFW and not be reliant on a company (which in theory, their card isn't even necessary) then we need this collaboration.
     
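Added example, not code from the thread or from smealum/GW: a small Python checker for the NDS user-settings block whose length fields the first post cites (nickname length at 01Ah, message length at 050h). The field capacities of 10 and 26 UTF-16 characters are GBATEK's documented sizes; the settings block here is constructed test data, not an NVRAM dump. It shows the validation the profile viewer evidently lacks (length fields larger than the field they describe) and contrasts an unchecked read that trusts the stored length with a clamped read that cannot run past the field.

```python
import struct

# Layout of the NDS firmware user-settings block, as documented in GBATEK.
# Offsets 01Ah and 050h are the ones the first post cites; the capacities
# of 10 and 26 UTF-16 characters are GBATEK's documented field sizes.
NICKNAME_OFF = 0x06       # nickname, UTF-16LE, 20 bytes
NICKNAME_LEN_OFF = 0x1A   # u16: nickname length in characters
MESSAGE_OFF = 0x1C        # message, UTF-16LE, 52 bytes
MESSAGE_LEN_OFF = 0x50    # u16: message length in characters
NICKNAME_MAX = 10         # characters
MESSAGE_MAX = 26          # characters
BLOCK_SIZE = 0x100        # size of the constructed sample block (assumption for this example)


def build_settings(nickname, message, nick_len=None, msg_len=None):
    """Construct a sample settings block (test data, not a real NVRAM dump).

    nick_len / msg_len override the stored length fields so a corrupted
    block can be modelled without touching any hardware.
    """
    block = bytearray(BLOCK_SIZE)
    nick = nickname.encode("utf-16-le")[:NICKNAME_MAX * 2]
    msg = message.encode("utf-16-le")[:MESSAGE_MAX * 2]
    block[NICKNAME_OFF:NICKNAME_OFF + len(nick)] = nick
    block[MESSAGE_OFF:MESSAGE_OFF + len(msg)] = msg
    struct.pack_into("<H", block, NICKNAME_LEN_OFF,
                     len(nickname) if nick_len is None else nick_len)
    struct.pack_into("<H", block, MESSAGE_LEN_OFF,
                     len(message) if msg_len is None else msg_len)
    return bytes(block)


def validate_settings(block):
    """Return a list of findings; an empty list means both length fields are sane."""
    if len(block) < BLOCK_SIZE:
        return ["block too short: %d bytes" % len(block)]
    findings = []
    (nick_len,) = struct.unpack_from("<H", block, NICKNAME_LEN_OFF)
    (msg_len,) = struct.unpack_from("<H", block, MESSAGE_LEN_OFF)
    if nick_len > NICKNAME_MAX:
        findings.append("nickname length %d exceeds capacity %d" % (nick_len, NICKNAME_MAX))
    if msg_len > MESSAGE_MAX:
        findings.append("message length %d exceeds capacity %d" % (msg_len, MESSAGE_MAX))
    return findings


def read_field_unchecked(block, field_off, length_chars):
    """Trusts the stored length: reads past the field whenever it is oversized.

    This models the bug class the thread describes; whatever follows the
    52-byte message field is swept up along with it.
    """
    return block[field_off:field_off + length_chars * 2]


def read_field_checked(block, field_off, length_chars, max_chars):
    """Clamps the stored length to the field capacity before copying."""
    n = min(length_chars, max_chars)
    return block[field_off:field_off + n * 2].decode("utf-16-le").rstrip("\x00")


if __name__ == "__main__":
    good = build_settings("Alice", "Hello")
    bad = build_settings("Alice", "Hello", msg_len=500)   # corrupted length field
    print(validate_settings(good))   # []
    print(validate_settings(bad))    # ['message length 500 exceeds capacity 26']
    print(len(read_field_unchecked(bad, MESSAGE_OFF, 500)))  # 228: runs to the end of the block
    print(read_field_checked(bad, MESSAGE_OFF, 500, MESSAGE_MAX))  # Hello
```

The design point is that the stored length is attacker-influenced data (it lives in writable NVRAM) and must be validated against the fixed capacity of the destination before any copy; the clamped read makes a corrupted field harmless instead of a stack overflow.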


  2. json

    json MUSCLEMAN

    cfw is not possible bro, sorry. the firmware is signed and encrypted...
     
  3. fierce waffle
    OP

    fierce waffle GBAtemp Regular

    I meant crfw (custom redirected firmware)
     
  4. fierce waffle
    OP

    fierce waffle GBAtemp Regular

    300+ views on the topic and only 1 response. Wow... no wonder this scene isn't really thriving.
     
  5. DinohScene

    DinohScene Capture the Dino

    All it takes is taking over boot control and you can run whatever you want.
    This includes CFW's

    Everything in RAM on a 360 is hashed and encrypted.
    Yet we're able to execute custom dashboards and even Devkit NANDs/replacement NANDs (Fusion)
    Since we can run pretty much whatever we want after the 2nd bootloader.


    Sorry lad, I'm far more in the Xbox scene than 3DS ;p
    Tho I love to read about it!
     
  6. fierce waffle
    OP

    fierce waffle GBAtemp Regular

    As am I. Every time someone mentions something is impossible I relate it to the 360. Donor NANDs. All we need is to crack the software encryption similar to the CPU Keys and we can do a ton more.
     
  7. fatcat1413

    fatcat1413 GBAtemp Regular

    I don't think anyone really cares right now until something is actually released that allows people to do stuff without flash cards; until then, everyone is focused on using Gateway flashcards.
     
  8. DinohScene

    DinohScene Capture the Dino

    That would only be limited to that particular 3DS (given a key used for decrypting everything)
    But yes, seeing that everything is encrypted and hashed, it also was impossible to execute things via software, yet we achieved these things
    Fusion being a prime example of a "CFW" for the 360.

    3DS already can execute things entirely from software (counting out the fact needed for a flashcard), I don't think we'd see much trouble in CFW/MFW and/or more things.
    Iirc, BootMii was also executed before the System Menu on the Wii and it allowed for the execution of elf files?
    Could be that I'm too used to XeLL ;p

    That's just the pirates.
    Aye, DS homebrew can also only be executed from flashcards but still, it's just the pirates that don't care about it.
     
  9. fatcat1413

    fatcat1413 GBAtemp Regular


    I'm sure that if Smealum released his exploit that someone will figure out how to launch roms off the exploit, pretty sure anyone could go into the exploit themselves and undo whatever Smealum will do with the whole 'anti piracy' thing if they're good at coding :/
     
  10. DinohScene

    DinohScene Capture the Dino

    That's the downside of it.
    However, they'd have to reverse engineer Ninty's digital download bootstrapper first before they can load ROMs from the SD
     
  11. fatcat1413

    fatcat1413 GBAtemp Regular

    I'm sure someone will find a way to get the signing keys from Ninty someday or find a way to emulate the system into thinking the roms are signed or something of the such, that's if anything will actually be released that'll work on fw 6.3-7.0 and doesn't need a flashcard ;)
     
  12. DinohScene

    DinohScene Capture the Dino

    Eventually they will indeed.
    Unsigned code was only available on 4548 and 7371 or below with the Kingkong hack and JTAG hack.
    2/3 years later, the RGH came so it's a pretty long time of unexploitable 360's.
    Work continued on 4548 machines and afterwards on 7371 machines.

    Who says that the 3DS won't undergo the same process?
    Exploitable FW and then patched for 3 years?
    Time will tell.
     
  13. profi200

    profi200 Banned

    From pokéhacking to console hacking? Really?

    Anyway, why do you think someone would post details here? It's not like we are asses who never share anything, but you should know how easy it is to pirate with this. That's the main problem. It's nothing more than just placing files on the SD card (except the NVRAM installing part) and it would be free for everyone. You can think what the result is.

    If you really want a fucking warez loader, do it yourself ;)
     
  14. Snailface

    Snailface My frothing demand for 3ds homebrew is increasing

    I don't think you realize how small a subsection of 3ds owners have v4.5 firmware and a 4.5 compatible DS flashcard. It might seem higher, but you see a distorted image of the 3ds install base being a GBAtemp member.
     
  15. fierce waffle
    OP

    fierce waffle GBAtemp Regular

    Guys. We're going a little off topic. Rather than debating about what is possible and whining that smea should release his, let's actually get stuff done. Everyone is waiting for the next release from gateway or smea and we really don't need them. Sure, they're aware of certain things we aren't, but they started in the exact same place we did.
     
  16. fierce waffle
    OP

    fierce waffle GBAtemp Regular

    So... I'm currently stuck on trying to figure out how to modify the profile strings(or buffer lengths) using devkitARM. Anyone have an idea?
     
  17. Flame

    Flame Me > You

    Okay, I'm going to be the 1st to say it: do you have some sort of idea what you are doing or is this hacking and slashing?



    but good luck with everything tho. :yay:
     
  18. profi200

    profi200 Banned

    Snailface
    Yeah, but <=4.5 3DS's and XL's still exist. A lot of them in some countries. If a warez loader gets released, it would be all over the internet within 1 or 2 days and most people would buy a 4.5 3DS. That's enough to say it is mass piracy. If the 3DS is dead sometime, like the DS now, then I don't care what happens with it.

    fierce waffle
    If you fail already at this part, then I recommend you not to try it. The ROP stuff was really hard. More than 100 times harder than just reading NVRAM. We were very often stuck with our work.
    Tip for you: It has something to do with SPI. I recommend you to read docs about the user settings before you do anything, or you end up with a bricked DS mode! That was the reason why I tried to dump my NAND first --> to fix the DS mode brick (system formatting fixes it) without losing all my games and saves.

    Good luck. You need to do it yourself.
     
  19. fierce waffle
    OP

    fierce waffle GBAtemp Regular

    Thank you for the advice. Of course, I always appreciate it. I don't think I will figure out the exploit honestly. But there's no harm in trying. And who knows, I might help someone smarter than me get interested in it and maybe he'll figure it out.
     
  20. mathieulh

    mathieulh GBAtemp Fan


    What I fail to understand is how you got to figure out what each ROP gadget does without a RAM dump to begin with? Especially as most are there merely for obfuscation purposes.
     