Hacking Post your ideas regarding how to hack the 3DS, here

el_venga

Handhelds Lover
Member
Joined
Nov 3, 2002
Messages
615
Trophies
2
Age
38
Location
ARM CPU
XP
426
Country
another theory. a glitch hack? the device has an SD card monitor, so every time you insert or remove the card the 3DS checks for the apps it has registered. according to stuff i know some devices load some data from the SD card as soon as it is inserted. with some tools, like an SD diag connected to lpt port or whatever, both public keys and private keys "could" be retrieved. the SD card flash image can also be modified to make this work as the 3ds HAS to load it or else it won't be read. the sd flash image mod has been done with HTC devices but that's mainly because of a VERY old hardware related mod called Gold Card. just my 2 cents.
 

frogboy

lacking both style and grace
Member
Joined
Dec 6, 2011
Messages
2,434
Trophies
1
Age
28
XP
1,736
Country
United States
another theory. a glitch hack? the device has an SD card monitor, so every time you insert or remove the card the 3DS checks for the apps it has registered. according to stuff i know some devices load some data from the SD card as soon as it is inserted. with some tools, like an SD diag connected to lpt port or whatever, both public keys and private keys "could" be retrieved. the SD card flash image can also be modified to make this work as the 3ds HAS to load it or else it won't be read. the sd flash image mod has been done with HTC devices but that's mainly because of a VERY old hardware related mod called Gold Card. just my 2 cents.
People have already theorized that this might be the only way to hack it.
 

wchill

Resident chillxpert
Member
Joined
Jun 12, 2008
Messages
1,407
Trophies
1
Age
13
XP
466
Country
United States
another theory. a glitch hack? the device has an SD card monitor, so every time you insert or remove the card the 3DS checks for the apps it has registered. according to stuff i know some devices load some data from the SD card as soon as it is inserted. with some tools, like an SD diag connected to lpt port or whatever, both public keys and private keys "could" be retrieved. the SD card flash image can also be modified to make this work as the 3ds HAS to load it or else it won't be read. the sd flash image mod has been done with HTC devices but that's mainly because of a VERY old hardware related mod called Gold Card. just my 2 cents.
People have already theorized that this might be the only way to hack it.

I was actually not aware that this goldcard thing existed. Nice to know.
You could make such a sniffer with some fairly inexpensive parts. http://www.sparkfun.com/products/9237 is an SD sniffer; connect this to a microcontroller that will record the data being transferred.

However, from what I've read, the goldcard technique took advantage of what appears to be a debug mode in the device firmware (meaning that goldcards had an actual legitimate purpose, a la Pandora batteries). Nintendo won't have something like that. I don't think this will work, unless you're suggesting that we read the keys directly from memory (which IS possible but very difficult without knowing where they would reside in RAM). In that case, SD card sniffing won't help - you need to sniff the memory bus directly.

This is what I'm thinking of:
http://hackmii.com/2009/09/dsi-ram-hax/
http://hackmii.com/2009/09/dsi-ram-tracing-camera/
 

AdamBrunt

Well-Known Member
Member
Joined
Jun 24, 2003
Messages
699
Trophies
0
XP
685
Country
This is going to be a stupid question but why is hacking a 3DS any more difficult than hacking a DS Lite ?

Surely, the flashcard just holds the game 'backup' (which after all is just raw game data) and makes the console think it is a 'legitimate' cartridge but then the 3DS does the rest. Is a 3DS game cartridge physically different to a DS Lite one? Or is there some additional new 'thing' on a 3DS cart that means it's not just the console's new hardware that is doing everything?
 

wchill

Resident chillxpert
Member
Joined
Jun 12, 2008
Messages
1,407
Trophies
1
Age
13
XP
466
Country
United States
This is going to be a stupid question but why is hacking a 3DS any more difficult than hacking a DS Lite ?

Surely, the flashcard just holds the game 'backup' (which after all is just raw game data) and makes the console think it is a 'legitimate' cartridge but then the 3DS does the rest. Is a 3DS game cartridge physically different to a DS Lite one? Or is there some additional new 'thing' on a 3DS cart that means it's not just the console's new hardware that is doing everything?

We can modify DS ROMS easily (and we have been able to for years). This allows the flashcard to patch the ROM to make it work on whatever specific hardware as well as save to the memory card. In the case of the DSi/3DS, the bootloader of the flashcard will contain a specially modified DS ROM which has an instruction to jump to the flashcard loader menu.
Of course, loading a DS game means DS mode.

We can't modify 3DS ROMS because of the keys (we can't even take a look inside).
 

RupeeClock

Colors 3D Snivy!
Member
Joined
May 15, 2008
Messages
6,497
Trophies
1
Age
34
XP
2,983
Country
This is going to be a stupid question but why is hacking a 3DS any more difficult than hacking a DS Lite ?

Surely, the flashcard just holds the game 'backup' (which after all is just raw game data) and makes the console think it is a 'legitimate' cartridge but then the 3DS does the rest. Is a 3DS game cartridge physically different to a DS Lite one? Or is there some additional new 'thing' on a 3DS cart that means it's not just the console's new hardware that is doing everything?
Without getting technical, any major exploits that worked for one system are going to be patched up in a totally new successor.
So whatever worked for the DS, won't work for the 3DS. Anything DSi flashcarts only continue to work because of legacy backwards compatibility support in the 3DS.
 

wchill

Resident chillxpert
Member
Joined
Jun 12, 2008
Messages
1,407
Trophies
1
Age
13
XP
466
Country
United States
[noob] OH OH OH I HAZ IDEA [/noob]
So what about overloading the number of coins through DS mode, iirc in ds mode the 3ds still counts your steps, so there's maybe a small, tiny hole to hack :unsure: . it might lead to a system freeze. It's just an idea.

Nope. the pedometer is a 3DS function. DS mode software runs in a hypervisor, meaning that it will not have access to 3DS functions. The pedometer is isolated from DS mode software.
 

Luigi2012SM64DS

G-old member
Banned
Joined
Aug 27, 2011
Messages
2,060
Trophies
0
Location
Minecrapt
XP
422
Country
Canada
thought of another theory. what if we run a game that reads save data from a sd card (like pes) and make the game load a hacked save file that overrides the game and installs blabity
 

wchill

Resident chillxpert
Member
Joined
Jun 12, 2008
Messages
1,407
Trophies
1
Age
13
XP
466
Country
United States
thought of another theory. what if we run a game that reads save data from a sd card (like pes) and make the game load a hacked save file that overrides the game and installs blabity

Discussed many times in this thread. We can't do this until we know of an exploit in these games. Otherwise, we'd be guessing blindly.
Also, you still have to break the hypervisor to "install" anything.
 

Transdude1996

Well-Known Member
Member
Joined
Dec 28, 2011
Messages
246
Trophies
1
Age
28
XP
444
Country
United States
I've just read through all 13 pages of posts tonight and I think there is a good idea that gains a little bliss but then drops off the radar. Now just to point out, I'm understanding little by little of how this whole thing works, but just give me praise for compiling a couple of ideas.

Just to point out, apparently the most brought up ideas are hardware mods, cartridge mods, save hacks, overflows/freezes, and sd hacks.

The idea I came out with is purely just recoding a whole program or modifying it to do what you want it to do. In a way this idea goes with sd hacks, but, if need be, it might have to trigger a freeze. What we do is that we take a program like Netflix or any other program that directly connects to a site to receive information (has to be exclusive to the 3DS). We thoroughly break how the program is executed (which is what "arthurvandijk" has been doing). Then get rid of all of the code except what is used to make the 3DS accept the program and replace the rest with what could be the "Homebrew Station" (just to make it unique for the handheld). The reason it would have to be one of those programs is so that it would be easier to update it than having to reinstall like "hackmii". If it's not possible to modify all of the app, then try to at least mod it enough to cause it to freeze on the 3DS loading screen. Since this is the way of checking if it is a legit item, just cause it to freeze for a set time limit such as 30 seconds to a minute. Within that time period, switch out the sd card with another that contains the Homebrew Station. The reason the freeze time would have to have a set time period is so that when you want to load the actual program, you would have to just wait a little bit.

In short my idea is to completely modify a program or use one program to open another.
How I came up with the idea was from reading the posts made by rufus85, Mega-Mario, obesefishstick, wchill, & arthurvandijk. So, give them some credit as well.

Please just give it some thought and see if I helped in any way. And, those of you who are going to say that I'm a dumba** and that I don't know anything. Shut the f*** up, at least I tried.

I'll contribute as much as I can to help.
 

wchill

Resident chillxpert
Member
Joined
Jun 12, 2008
Messages
1,407
Trophies
1
Age
13
XP
466
Country
United States
I've just read through all 13 pages of posts tonight and I think there is a good idea that gains a little bliss but then drops off the radar. Now just to point out, I'm understanding little by little of how this whole thing works, but just give me praise for compiling a couple of ideas.

Just to point out, apparently the most brought up ideas are hardware mods, cartridge mods, save hacks, overflows/freezes, and sd hacks.

The idea I came out with is purely just recoding a whole program or modifying it to do what you want it to do. In a way this idea goes with sd hacks, but, if need be, it might have to trigger a freeze. What we do is that we take a program like Netflix or any other program that directly connects to a site to receive information (has to be exclusive to the 3DS). We thoroughly break how the program is executed (which is what "arthurvandijk" has been doing). Then get rid of all of the code except what is used to make the 3DS accept the program and replace the rest with what could be the "Homebrew Station" (just to make it unique for the handheld). The reason it would have to be one of those programs is so that it would be easier to update it than having to reinstall like "hackmii". If it's not possible to modify all of the app, then try to at least mod it enough to cause it to freeze on the 3DS loading screen. Since this is the way of checking if it is a legit item, just cause it to freeze for a set time limit such as 30 seconds to a minute. Within that time period, switch out the sd card with another that contains the Homebrew Station. The reason the freeze time would have to have a set time period is so that when you want to load the actual program, you would have to just wait a little bit.

In short my idea is to completely modify a program or use one program to open another.
How I came up with the idea was from reading the posts made by rufus85, Mega-Mario, obesefishstick, wchill, & arthurvandijk. So, give them some credit as well.

Please just give it some thought and see if I helped in any way. And, those of you who are going to say that I'm a dumba** and that I don't know anything. Shut the f*** up, at least I tried.

I'll contribute as much as I can to help.

Chicken and egg problem again. Can't modify app code without hacking the 3DS first. I will applaud the whole official app modification idea, as it leads me to think of the following possibility...
You could try DNS poisoning and make the apps receive invalid data, but whether this would actually do anything is debatable. Like I said, I think all 3DS applications run on a hypervisor, meaning that you must break two layers of protection if you are to use an exploit.
 

Mangofett

GBAtemp Testing Area
Member
Joined
May 14, 2006
Messages
4,885
Trophies
1
Age
19
XP
1,060
Country
United States
So I totally didn't read up on 3DS security, but what if we have a cart, that takes a retail 3DS card for authentication, then using a timer, routes data from some sort of external memory as the game data? The authentication step is similar to what the original PassMe did.

Isn't this what current DSi carts in DS Mode do? They basically have a retail game in the bootloader that's been modified to jump to the flashcard's menu.
Of course, we can't modify 3DS software or even DSi software to do this yet (damn the lack of keys). The iEvo uses a save game exploit, which is different from how the original PassMes worked. Correct me if I'm wrong, but Martin Korth's successful crack of the encryption on DS games allowed us to modify said games for whatever purpose (leading us to the NoPass, since the DS didn't perform enough checking to make sure that a "game" really was a game instead of relying on just the encryption itself - now we have signature checking and such).
Totally forgot I made this post. No, not exactly what the current DSi carts do... as you said those have modified bootloaders. This idea involves using an unmodified bootloader but is timer-chip attacked... kind of like in the (sort of) recent 360 hack? Except those were timer-attacks directly to the CPU. Though on second thought it would probably cause it to fail signature checks... I don't know. This is a difficult issue (as indicated by the whole fact that it hasn't been done yet)
 

arthurvandijk

Member
Newcomer
Joined
Sep 13, 2009
Messages
8
Trophies
0
Age
42
Location
Not here...
XP
98
Country
Netherlands
Alright, so I went and studied the 3DS' behaviour when launching different titles. IDK at the moment what this might present or not, but anything might help, so here's my breakdown:

I noticed some titles don't show the 3DS logo when booting/decrypting/signature checking/(insert other method here), so I tried to sort out which do and don't.
Results:
  • DS Cartridge: NO
  • DSi Cartridge: NO
  • 3DS Cartridge: YES
  • DSi Ware: NO
  • VC NES: YES
  • VC GB or GBC: YES
  • 3DS Ware: YES
  • VC GBA: NO
At this point, I believe the 3DS logo is only presented when no 3DS specific functions are disabled (I mean that you can suspend the game, go to the browser, then go back playing your game or another, without rebooting).


When the 3DS logo is NOT displayed, I suspect the system to go into some form of hypervisor mode, in which all unneeded hardware and NAND (IDK if it really is NAND, but the most commonly known term for the Wii's internal memory is NAND, so for clarity purpose, I'll go with that.) access is disabled. The only way to exit a hypervisor mode is to reboot, flushing the RAM. Hypervisor means we don't want to hack it, because then we would only have access to that specific Hypervisor mode. Basically, if we hack a GBA game, we get a 3DS sized GBA. The GBA SP is much smaller, so no thanks. I'd rather save the pocket size, plus it has already been done. Don't get me wrong: It would be nice to play ANY GBA game on the 3DS, but this is not the goal we have set, and, if we get to the point where we can "take over" the console, we would have full access to said hypervisor mode anyways.

Ahem, when the 3DS logo IS presented at boot (or whatever it is the console is doing), 3DS hardware and functions remain fully operable. This does not mean the game can actually access all those functions, only the ones it has a "license" for. (Basically, you aren't allowed to drive a truck with just a license for an automobile, even if you were able to). The suspension function worries me though: Basically this means "any 3DS native code that is running can be fully suspended by the System menu, should the console desire". This leads me to think EVERY NON SYSTEM MENU TITLE (including, but not limited to: AR Card program, the Face shooting game, 3DS Camera and Music titles) is sandboxed, or granted read-only access to specific hardware. To use 3DS specific functions (like the 3D camera), a license must be presented which obviously has to be signed. I highly doubt any cartridge game has write access to the NAND. No wait, we MIGHT have games with write access to NAND! How else would streetpass work for DOA?

Can someone confirm Dead Or Alive streetpass still works when the cartridge is NOT inserted? Does it install some kind of channel?

edit: (now we have another chicken and egg thing, but hey... The egg came first anyway: created by two different but compatible birds. From that egg, the worlds first chicken hatched.)
 

SifJar

Not a pirate
Member
Joined
Apr 4, 2009
Messages
6,022
Trophies
0
XP
1,175
Country
So I totally didn't read up on 3DS security, but what if we have a cart, that takes a retail 3DS card for authentication, then using a timer, routes data from some sort of external memory as the game data? The authentication step is similar to what the original PassMe did.

Isn't this what current DSi carts in DS Mode do? They basically have a retail game in the bootloader that's been modified to jump to the flashcard's menu.
Of course, we can't modify 3DS software or even DSi software to do this yet (damn the lack of keys). The iEvo uses a save game exploit, which is different from how the original PassMes worked. Correct me if I'm wrong, but Martin Korth's successful crack of the encryption on DS games allowed us to modify said games for whatever purpose (leading us to the NoPass, since the DS didn't perform enough checking to make sure that a "game" really was a game instead of relying on just the encryption itself - now we have signature checking and such).
Totally forgot I made this post. No, not exactly what the current DSi carts do... as you said those have modified bootloaders. This idea involves using an unmodified bootloader but is timer-chip attacked... kind of like in the (sort of) recent 360 hack? Except those were timer-attacks directly to the CPU. Though on second thought it would probably cause it to fail signature checks... I don't know. This is a difficult issue (as indicated by the whole fact that it hasn't been done yet)

Considering, as you said, PassMe worked in a similar way, you can be sure Nintendo will have added safeguards against this sort of thing. Heck, they had done that before the original DS was dead. (Only early models of the DS worked with the original PassMe, and PassMe v2 was also blocked by the time of the DS Lite)
 

Transdude1996

Well-Known Member
Member
Joined
Dec 28, 2011
Messages
246
Trophies
1
Age
28
XP
444
Country
United States
I've just read through all 13 pages of posts tonight and I think there is a good idea that gains a little bliss but then drops off the radar. Now just to point out, I'm understanding little by little of how this whole thing works, but just give me praise for compiling a couple of ideas.

Just to point out, apparently the most brought up ideas are hardware mods, cartridge mods, save hacks, overflows/freezes, and sd hacks.

The idea I came out with is purely just recoding a whole program or modifying it to do what you want it to do. In a way this idea goes with sd hacks, but, if need be, it might have to trigger a freeze. What we do is that we take a program like Netflix or any other program that directly connects to a site to receive information (has to be exclusive to the 3DS). We thoroughly break how the program is executed (which is what "arthurvandijk" has been doing). Then get rid of all of the code except what is used to make the 3DS accept the program and replace the rest with what could be the "Homebrew Station" (just to make it unique for the handheld). The reason it would have to be one of those programs is so that it would be easier to update it than having to reinstall like "hackmii". If it's not possible to modify all of the app, then try to at least mod it enough to cause it to freeze on the 3DS loading screen. Since this is the way of checking if it is a legit item, just cause it to freeze for a set time limit such as 30 seconds to a minute. Within that time period, switch out the sd card with another that contains the Homebrew Station. The reason the freeze time would have to have a set time period is so that when you want to load the actual program, you would have to just wait a little bit.

In short my idea is to completely modify a program or use one program to open another.
How I came up with the idea was from reading the posts made by rufus85, Mega-Mario, obesefishstick, wchill, & arthurvandijk. So, give them some credit as well.

Please just give it some thought and see if I helped in any way. And, those of you who are going to say that I'm a dumba** and that I don't know anything. Shut the f*** up, at least I tried.

I'll contribute as much as I can to help.

Chicken and egg problem again. Can't modify app code without hacking the 3DS first. I will applaud the whole official app modification idea, as it leads me to think of the following possibility...
You could try DNS poisoning and make the apps receive invalid data, but whether this would actually do anything is debatable. Like I said, I think all 3DS applications run on a hypervisor, meaning that you must break two layers of protection if you are to use an exploit.

Well it was worth a shot at least. I just got the idea of the 3DS opening one program while making it think it was opening another. At least it was something different. Also, out of pure curiosity, is there a possible exploit when using the bare minimum camera just by using the L/R button? Reason being is that when you use this version of the camera, it acts like a smart phone whenever it scans a QR code (works with 5 pack gum packs, test it). As far as I know this accesses both the web and the home menu with ease.
 

Mangofett

GBAtemp Testing Area
Member
Joined
May 14, 2006
Messages
4,885
Trophies
1
Age
19
XP
1,060
Country
United States
So I totally didn't read up on 3DS security, but what if we have a cart, that takes a retail 3DS card for authentication, then using a timer, routes data from some sort of external memory as the game data? The authentication step is similar to what the original PassMe did.

Isn't this what current DSi carts in DS Mode do? They basically have a retail game in the bootloader that's been modified to jump to the flashcard's menu.
Of course, we can't modify 3DS software or even DSi software to do this yet (damn the lack of keys). The iEvo uses a save game exploit, which is different from how the original PassMes worked. Correct me if I'm wrong, but Martin Korth's successful crack of the encryption on DS games allowed us to modify said games for whatever purpose (leading us to the NoPass, since the DS didn't perform enough checking to make sure that a "game" really was a game instead of relying on just the encryption itself - now we have signature checking and such).
Totally forgot I made this post. No, not exactly what the current DSi carts do... as you said those have modified bootloaders. This idea involves using an unmodified bootloader but is timer-chip attacked... kind of like in the (sort of) recent 360 hack? Except those were timer-attacks directly to the CPU. Though on second thought it would probably cause it to fail signature checks... I don't know. This is a difficult issue (as indicated by the whole fact that it hasn't been done yet)

Considering, as you said, PassMe worked in a similar way, you can be sure Nintendo will have added safeguards against this sort of thing. Heck, they had done that before the original DS was dead. (Only early models of the DS worked with the original PassMe, and PassMe v2 was also blocked by the time of the DS Lite)
Similar doesn't mean same. PassMe was using the authentication of other games, NoPass had a custom bootloader after we knew the DS key, and DSi-based carts used a customized commercial bootloader for authentication. All similar but with PassMe roots...
 
