Post your ideas regarding how to hack the 3DS, here

wchill

Could you make a QR code that takes the 3DS to the website that crashes the system?

No, we don't have a browser-based exploit. Anyway, a QR code would be useless, you could just go to that website directly (if it actually existed).

One thing I have noticed with the browser crash is, if running SD software and the SD is taken out, the system unfreezes.

The system unfreezes? You mean it freezes. Doesn't help us in the slightest, that doesn't give us a workable exploit or a way to find one.

@Linkiboy: I see what you mean. I wasn't 100% sure exactly how the PassMes worked since I wasn't familiar with the scene then. I'm not familiar with how timing attacks work, though.
 

rondoh70

No, what I meant was when the browser crashes the system and you take the SD out while using SD software, the system will unfreeze.
 

rondoh70

It was meant to show that the SD card is actively checked even when the system crashes. Sorry, it wasn't exactly a helpful find for hacking. I could do a video if it helps.
 

wchill

No, I see what you're saying now.
This just proves that everything runs in a hypervisor, whether it is a 3DS game or DSiWare/DS games/etc. running in backwards compatibility mode.
 

Transdude1996

If this is the case, doesn't that mean that we have to attack it at a point where it isn't in the hypervisor, like in the channels menu or the settings menu (like that one homebrew installer for the Wii)?
 

rondoh70

Would it be possible to use the password cracker "ighashgpu", which can crack an 8-digit password in less than a day, to brute-force keys for the 3DS?
 

chyyran

ighashgpu is a Windows program.
1. These keys are incredibly complicated and brute-forcing them would take years.
2. You expect a Windows exec to run on the 3DS? How the hell would we even get a Windows program on the 3DS anyway?
3. These keys aren't passwords in that sense. You can't input them into some magic system setting and it'll unlock the system, allowing hacks.
4. Read up on this please.
5. And this too.
6. For example, if you replace letters with numbers, replacing A with 1, and so on, the "key" to decrypting the message would be to replace the numbers with letters. How the encryption works is similar in the slightest, with the software being the message and an unknown hex string as the "key".

Once you know the "key", you can decrypt the "message".
 

rondoh70

I already knew how cryptography works, but my thought was to hash an encrypted file and use the hash in ighashgpu to calculate the key, and you can use multiple GPUs to cut down the time.
 

wchill

If this is the case, doesn't that mean that we have to attack it at a point where it isn't in the hypervisor, like in the channels menu or the settings menu (like that one homebrew installer for the Wii)?

The Wii's system is different. The way IOS worked is that only one can be running at a time. Thus, the HOME menu was running on the IOS that the game was using. For example, Zelda:TP ran on IOS9, I believe. System Menu 4.3 runs on IOS80. If you press HOME in Z:TP on a 4.3 Wii, it'll load the HOME menu on IOS9.

Of course, Nintendo will have fixed this with the 3DS. The way that the 3DS System Menu can suspend 3DS games and apps shows this. The Wii could not really do this; the game's IOS would simply just pause the game and open the HOME menu. The System Menu was not involved in the HOME menu on the Wii.

But yes, it would be far easier to attack it when the hypervisor is not running. Hypervisors can be exploited, but having to do that on top of finding an exploit to run unsigned code while in a game is difficult.

ighashgpu is a Windows program.
1. These keys are incredibly complicated and brute-forcing them would take years.
2. You expect a Windows exec to run on the 3DS? How the hell would we even get a Windows program on the 3DS anyway?
3. These keys aren't passwords in that sense. You can't input them into some magic system setting and it'll unlock the system, allowing hacks.
4. Read up on this please.
5. And this too.
6. For example, if you replace letters with numbers, replacing A with 1, and so on, the "key" to decrypting the message would be to replace the numbers with letters. How the encryption works is similar in the slightest, with the software being the message and an unknown hex string as the "key".

Once you know the "key", you can decrypt the "message".
I already knew how cryptography works, but my thought was to hash an encrypted file and use the hash in ighashgpu to calculate the key, and you can use multiple GPUs to cut down the time.

We can't hash an encrypted file. It's not that simple. Hashing and encryption are two different things.
In addition, cracking an AES key is extremely time-consuming. With a 256-bit AES key (the 3DS likely has a 256-bit or higher key), 2^256 trials are required to try every possibility through bruteforce. That is, we need to try at worst 1.15792089 * 10^77 keys. In comparison, the reference ATI Radeon HD 7970 graphics card (using a yet-unreleased top-end GPU) does about 947 GFLOPS (billion floating-point operations per second). 9.47*10^11 is nothing compared to the 10^77 we're talking about here.
There are ways to get the key faster, but even then, for a 256-bit key, the best known technique has a complexity of 2^99.5, or 8.96*10^29. At one key per operation, we're still talking a time far greater than the age of the universe (4.5 billion years).
Cracking the key is unfeasible. There must be another way.
 

Transdude1996

Out of pure curiosity, does anyone know what we're going to do with the homebrew channel as soon as we get it up and running? (Please don't answer "to use homebrew, of course"; I want more specific answers.)
 

arthurvandijk

Can someone confirm Dead Or Alive StreetPass still works when the cartridge is NOT inserted? Does it install some kind of channel?
Did it myself, as I got Mario Kart 7 from my wife for Christmas. (Isn't she sweet?)

StreetPass and/or SpotPass channels for games are installed on the SD card as an invisible channel (invisible as in not showing in the system menu). This means two things:
  • 3DS mode Slot 1 games have full access to the SD card
  • No software other than the system menu is allowed to access the NAND
From this I can only deduce EVERYTHING on the 3DS is run in some kind of hypervisor, or virtual mode (edit: to protect the console's internal memory, as part of big N's "no hacking" plan).

As of now, I think hardware attacks would be the best method to get useful things and information. Unfortunately, I have no such hardware to "clip on" to the RAM, memory bus or ARM processors. Right now, I think we (or the more experienced ones among us) should either try to break the encryption, or get the console to run decrypted code regardless of whether it's signed or not. By the time we get the encryption, we'd probably have a way of fake-signing any code anyway, and I still believe each 3DS console has its own PERSONAL certificate, probably based on ConsoleID.
 

SafetyRey

I don't even own a 3DS yet, but here's my idea. What happens when you run a 3DS game, then hit the Home button, then eject the game? Then go to sleep mode? I have no 3DS, so my knowledge is not there.
 

Fudge

Can someone confirm Dead Or Alive StreetPass still works when the cartridge is NOT inserted? Does it install some kind of channel?
Did it myself, as I got Mario Kart 7 from my wife for Christmas. (Isn't she sweet?)

StreetPass and/or SpotPass channels for games are installed on the SD card as an invisible channel (invisible as in not showing in the system menu). This means two things:
  • 3DS mode Slot 1 games have full access to the SD card
  • No software other than the system menu is allowed to access the NAND
From this I can only deduce EVERYTHING on the 3DS is run in some kind of hypervisor, or virtual mode (edit: to protect the console's internal memory, as part of big N's "no hacking" plan).

As of now, I think hardware attacks would be the best method to get useful things and information. Unfortunately, I have no such hardware to "clip on" to the RAM, memory bus or ARM processors. Right now, I think we (or the more experienced ones among us) should either try to break the encryption, or get the console to run decrypted code regardless of whether it's signed or not. By the time we get the encryption, we'd probably have a way of fake-signing any code anyway, and I still believe each 3DS console has its own PERSONAL certificate, probably based on ConsoleID.
I wouldn't be surprised if a hardware exploit is necessary to run unsigned code. Your Console ID idea made me think of the Xbox 360, since every one has its own unique CPU key (required for running unsigned code). The only way this has been obtained is through hardware exploits (the KK shader hack only needed a flashed DVD drive, but it was patched years ago). Anyway, I'm rambling here. Basically, I think there should be more investigation of the 3DS's hardware. I bet you that will be the first way unsigned code is run.
 

wchill

Can someone confirm Dead Or Alive StreetPass still works when the cartridge is NOT inserted? Does it install some kind of channel?
Did it myself, as I got Mario Kart 7 from my wife for Christmas. (Isn't she sweet?)

StreetPass and/or SpotPass channels for games are installed on the SD card as an invisible channel (invisible as in not showing in the system menu). This means two things:
  • 3DS mode Slot 1 games have full access to the SD card
  • No software other than the system menu is allowed to access the NAND
From this I can only deduce EVERYTHING on the 3DS is run in some kind of hypervisor, or virtual mode (edit: to protect the console's internal memory, as part of big N's "no hacking" plan).

As of now, I think hardware attacks would be the best method to get useful things and information. Unfortunately, I have no such hardware to "clip on" to the RAM, memory bus or ARM processors. Right now, I think we (or the more experienced ones among us) should either try to break the encryption, or get the console to run decrypted code regardless of whether it's signed or not. By the time we get the encryption, we'd probably have a way of fake-signing any code anyway, and I still believe each 3DS console has its own PERSONAL certificate, probably based on ConsoleID.
I wouldn't be surprised if a hardware exploit is necessary to run unsigned code. Your Console ID idea made me think of the Xbox 360, since every one has its own unique CPU key (required for running unsigned code). The only way this has been obtained is through hardware exploits (the KK shader hack only needed a flashed DVD drive, but it was patched years ago). Anyway, I'm rambling here. Basically, I think there should be more investigation of the 3DS's hardware. I bet you that will be the first way unsigned code is run.

Yep. Hardware exploits seem the most likely. Every single "first" hack on the Wii, 360 and PS3 involved hardware exploits in some way (Wii with the Tweezer attack, 360 with the thing you just mentioned, and PS3 with Geohot's memory glitching + the PSJailbreak dongles).
I think a good first approach would be to analyze how a 3DS cart interacts with the 3DS upon execution. ie. handshake exchanges, authentication checks, communication protocols. This should lead to us at least being able to make clone 1:1 carts (but of course, the Chinese flashcart makers will be the first to do this). Another thing to do is to analyze how the 3DS performs checks upon installation/execution. It may be that there is a flaw in the 3DS's checking code (unlikely, but possible).
 

Rat.2

Why not try and make a cart that works in 3DS mode?
Don't worry about playing games; just getting one to start whilst in that mode would be great.

See if it's possible to run a 3DS ROM on a fake 3DS flash cart to simply play that ROM and nothing else?
So basically just transfer the contents of the real cart to a fake one.

I think I read earlier on that someone needed to know more about the hardware:
http://3dbrew.org/wiki/Hardware

I also read that someone suggested to try brute-force hacking of the needed code,
followed by people telling him it would take too long.
I have a suggestion:
why not split the work so that
someone can hack the first 50 billion combinations while other people are hacking the other possible combinations,
thus first halving the time it will take if 2 people do it,
and it's not going to take the whole computer; it could just be a program running in the background while you do your stuff on the internet,
and I think it's at least worth giving it a shot; imagine what we could do with the right code.
2. You expect a Windows exec to run on the 3DS? How the hell would we even get a Windows program on the 3DS anyway?
Why not try hacking the ROMs? Or the encrypted files on the SD card? That could be done on a PC.
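An added worked calculation (not code from the thread or any poster) that puts wchill's brute-force figures above and Rat.2's work-splitting suggestion on the same footing: it takes the 947 GFLOPS figure and the 2^256 and 2^99.5 search sizes quoted in the thread and computes how long the search takes alone or shared across machines, and how many such GPUs would have to share the range to finish within a year. The one-key-per-operation rate and the 13.8-billion-year universe age are assumptions (the post uses 4.5 billion; the conclusion is the same either way).

```python
"""Brute-force time budget for AES-sized keys, using the figures quoted in the thread."""

SECONDS_PER_YEAR = 365.25 * 24 * 3600    # Julian year
UNIVERSE_AGE_YEARS = 13.8e9              # assumption: commonly cited estimate
HD7970_OPS_PER_SECOND = 9.47e11          # the 947 GFLOPS figure from the thread


def keyspace(bits: float) -> float:
    """Number of candidates for an effective key length in bits (fractional allowed, e.g. 99.5)."""
    return 2.0 ** bits


def years_to_search(bits: float, ops_per_second: float, workers: int = 1,
                    ops_per_key: float = 1.0) -> float:
    """Worst-case wall-clock years to try every candidate.

    Sharing the range over `workers` machines divides the time linearly; that is the
    entire speed-up the "split the work" idea can give. ops_per_key defaults to 1,
    which is wildly optimistic: one real AES key trial costs many more operations.
    """
    aggregate_rate = ops_per_second * workers / ops_per_key
    return keyspace(bits) / aggregate_rate / SECONDS_PER_YEAR


def workers_needed(bits: float, ops_per_second: float, target_years: float) -> float:
    """How many machines at ops_per_second must share the range to finish in target_years."""
    return years_to_search(bits, ops_per_second) / target_years


def exceeds_universe_age(bits: float, ops_per_second: float, workers: int = 1) -> bool:
    """True when the shared search still outlasts the (assumed) age of the universe."""
    return years_to_search(bits, ops_per_second, workers) > UNIVERSE_AGE_YEARS


if __name__ == "__main__":
    for bits in (256, 99.5):
        solo = years_to_search(bits, HD7970_OPS_PER_SECOND)
        shared = years_to_search(bits, HD7970_OPS_PER_SECOND, workers=1000)
        needed = workers_needed(bits, HD7970_OPS_PER_SECOND, 1.0)
        print(f"2^{bits}: {solo:.3g} years on one GPU, {shared:.3g} years on 1000 GPUs, "
              f"{needed:.3g} GPUs to finish within a year")
```

Even the 2^99.5 figure works out to roughly thirty billion GPU-years, so splitting it between a few forum members changes the answer by a rounding error.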
 
