Question regarding DS profile exploit

  • Thread starter: Chaldron
  • Views: 16,630
  • Replies: 75
Just out of curiosity, is there any chance for a hardware attack? Like the RGH on the 360 (glitch processor to say everything is ok) or is the 3ds secure against that sort of thing as well?

Other than that *hugs 4.5 XL*
A known direct hardware method is doping. Not everyone here would be able to do it; it requires more hardware than some can afford.

http://en.wikipedia.org/wiki/Doping_(semiconductor)


or you can pay for decapping.
 
4.6? Isn't 4.5 the last 4.X firmware? I believe it jumps to 5.1 from 4.5...
Yes, I'm not familiar with the 3ds versioning.

A known direct hardware method is doping. Not everyone here would be able to do it; it requires more hardware than some can afford.

http://en.wikipedia.org/wiki/Doping_(semiconductor)


or you can pay for decapping.

I'm not an expert on hardware, but I believe that what you speak of is something a designer can introduce into a hardware design, not something a hacker can insert into a device. A hardware hack could involve something like a device that sits between the RAM and CPU and changes data, or something that exploits a debugging feature, or something that slows down components to try to find keys. I doubt any of these examples would work because they are pretty basic and most hardware designers nowadays would know to secure against such attacks (since they were exploited in the past).
 
Doping is direct silicon modification. One thing about doping is that you can do things like make the RNG basically spit out 4 as the random number all the time. I don't need to tell you where this goes; think PS3.

What you are talking about is already being done by hackers.
 
Doping is direct silicon modification. One thing about doping is that you can do things like make the RNG basically spit out 4 as the random number all the time. I don't need to tell you where this goes; think PS3.

What you are talking about is already being done by hackers.

Like I said, I don't know much about hardware, so I don't know when this "doping" would be used. But for RNG, I don't see much practical application. From what I'm reading here: http://www.extremetech.com/extreme/...f-hacking-cpus-and-theres-no-way-to-detect-it an RNG attack using doping would only increase the chance of success to 1/2^n (which is still a low chance of success), but RNG is only useful for encryption that is happening ON the device. This excludes keys generated off the device (including all signing keys, per-console keys, etc). In fact, the only thing I can think of is HTTPS/TLS attacking of traffic coming from the device, and that's with the 1/2^n success rate (and doesn't affect code execution at all).
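The exchange above is about an RNG that has been pinned to a single output. The defender's answer to that failure mode is a continuous health test on the raw samples; the following is an added example written for this thread (not code from any console firmware) implementing the Repetition Count Test and Adaptive Proportion Test in the spirit of NIST SP 800-90B section 4.4, with the window size, sample streams and claimed min-entropy all chosen here for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Continuous health tests in the spirit of NIST SP 800-90B section 4.4, for
   8-bit samples with a claimed min-entropy of h_bits (1..8) per sample and a
   false alarm rate of 2^-20. A source pinned to one value ("always 4") trips both. */

/* Repetition Count Test cutoff: 1 + ceil(20 / h_bits), integer arithmetic only. */
unsigned rct_cutoff(unsigned h_bits) { return 1 + (20 + h_bits - 1) / h_bits; }

/* Index at which a run of rct_cutoff() identical samples completes, or -1 if none. */
int rct_first_failure(const uint8_t *s, size_t n, unsigned h_bits) {
    unsigned cutoff = rct_cutoff(h_bits), run = 1;
    for (size_t i = 1; i < n; i++) {
        run = (s[i] == s[i - 1]) ? run + 1 : 1;
        if (run >= cutoff) return (int)i;
    }
    return -1;
}

/* Adaptive Proportion Test cutoff for a window of w samples: smallest c with
   P(X >= c) <= 2^-20 for X ~ Binomial(w - 1, 2^-h_bits). The binomial pmf is
   accumulated with a ratio recurrence so no libm call is needed. */
unsigned apt_cutoff(unsigned h_bits, unsigned w) {
    double p = 1.0 / (double)(1u << h_bits), alpha = 1.0 / (double)(1u << 20);
    unsigned n = w - 1;
    double pmf = 1.0, tail = 1.0;                 /* pmf -> P(X == 0); tail = P(X >= 0) */
    for (unsigned i = 0; i < n; i++) pmf *= 1.0 - p;
    for (unsigned c = 0; c < n; c++) {
        if (tail <= alpha) return c;
        tail -= pmf;                              /* tail is now P(X >= c + 1) */
        pmf *= (double)(n - c) / (double)(c + 1) * p / (1.0 - p);
    }
    return n;
}

/* APT over s[0..w-1]: count recurrences of s[0] in the rest of the window. 1 = fail. */
int apt_fails(const uint8_t *s, size_t w, unsigned h_bits) {
    unsigned count = 0;
    for (size_t i = 1; i < w; i++) count += (s[i] == s[0]);
    return count >= apt_cutoff(h_bits, (unsigned)w);
}

/* Constructed sample streams for the demo, not captured from any device:
   a source stuck at one value, and a plain counter that never repeats back to back. */
void fill_stuck(uint8_t *buf, size_t n, uint8_t v) { for (size_t i = 0; i < n; i++) buf[i] = v; }
void fill_counter(uint8_t *buf, size_t n) { for (size_t i = 0; i < n; i++) buf[i] = (uint8_t)i; }
```

With a claimed 8 bits per sample the RCT cutoff is 4, so a stuck-at-4 source is flagged on its fourth sample, while the counter stream passes both tests over a 512-sample window.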
 
Has anyone checked the new 7.0 apps? Miiverse? Might these be opportunities for user-supplied data that can be exploited?
 
For those who say exploits beyond 6.3 won't happen: just think about the Wii, for example. Everyone said that playing GC games off an SD card or USB would be impossible. But Crediar showed with DML that it was indeed possible. I mean, I wouldn't hold my breath, but never say never.
 
As for finding a new exploit, what I'd be interested in trying, if I had the parts, money, patience, and skills, is to look for an entry point when a game is launched. If something could be found in a third-party title during the launch of a game, perhaps hardware could be made to inject custom code where a loophole is (in the RAM, not the ROM, unlike traditional flashcards), and instead of launching the game, custom code could be launched. That's just me going off on a tangent. Since games can be patched, all that would have to be done is to add a patch for a game, but patches are optional.

Isn't that exactly what Team Cyclops did for their CycloDSi card? That save exploit in My Healthy Cooking Coach was brilliant, at least until Nintendo patched it and the team vanished off the face of the planet.

For those who say exploits beyond 6.3 won't happen: just think about the Wii, for example. Everyone said that playing GC games off an SD card or USB would be impossible. But Crediar showed with DML that it was indeed possible. I mean, I wouldn't hold my breath, but never say never.

Wii is a bit different, because of how fake-signing works. As far as we know, the Wii's common key is *still* not known; all exploits just abuse fake-signing bugs in the IOS files that make the console think they're official.
Playing GC games off an SD card or USB just requires you to have SD or USB access, and with fake signing all of that is possible.
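The best-known of the Wii fake-signing bugs the post refers to came down to a binary SHA-1 digest being compared with a C string function, which stops at the first zero byte. The following is an added illustration written for this thread (not IOS code): the flawed comparison next to a fixed one, run over two constructed digests that share only their leading 0x00 byte.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HASH_LEN 20 /* SHA-1 digest length */

/* Flawed comparison: the digests are treated as C strings. strncmp stops at the
   first 0x00 byte, so when both digests start with 0x00 the remaining 19 bytes are
   never examined and any content whose hash begins with 0x00 "verifies". */
int hash_matches_flawed(const uint8_t expected[HASH_LEN], const uint8_t actual[HASH_LEN]) {
    return strncmp((const char *)expected, (const char *)actual, HASH_LEN) == 0;
}

/* Fixed comparison: every byte is compared regardless of its value, and the loop
   has no data-dependent early exit, so it also leaks nothing through timing. */
int hash_matches_fixed(const uint8_t expected[HASH_LEN], const uint8_t actual[HASH_LEN]) {
    uint8_t diff = 0;
    for (size_t i = 0; i < HASH_LEN; i++) diff |= expected[i] ^ actual[i];
    return diff == 0;
}

/* Constructed digests for the demo (not real signature data). Both begin with
   0x00 and then differ completely. */
const uint8_t SIGNED_HASH[HASH_LEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99,
    0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x01, 0x23, 0x45, 0x67 };
const uint8_t CONTENT_HASH[HASH_LEN] = {
    0x00, 0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0xf0, 0x0d, 0x12,
    0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x0f, 0x1e, 0x2d };

int main(void) {
    printf("flawed check accepts mismatched digests: %d\n", hash_matches_flawed(SIGNED_HASH, CONTENT_HASH));
    printf("fixed  check accepts mismatched digests: %d\n", hash_matches_fixed(SIGNED_HASH, CONTENT_HASH));
    printf("fixed  check accepts identical digests:  %d\n", hash_matches_fixed(SIGNED_HASH, SIGNED_HASH));
    return 0;
}
```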
 
For those who say exploits beyond 6.3 won't happen: just think about the Wii, for example. Everyone said that playing GC games off an SD card or USB would be impossible. But Crediar showed with DML that it was indeed possible. I mean, I wouldn't hold my breath, but never say never.
It's going to happen but chances are it's going to happen on 6.3 before 7.0
 
Wii is a bit different, because of how fake-signing works. As far as we know, the Wii's common key is *still* not known; all exploits just abuse fake-signing bugs in the IOS files that make the console think they're official.
Playing GC games off an SD card or USB just requires you to have SD or USB access, and with fake signing all of that is possible.


That's not what I meant. I was just saying that people were saying "it's impossible" about other things before and then someone came and pulled it off.
It may take some time but eventually the 3DS will be hacked in firmwares > 4.5. :D
 
Yes, and everybody said the same thing about the PS3, but it still can't be hacked beyond 3.55.

I'm sure there are exploits that give you kernel access, even in 7.0. But will anyone find them? Who knows. I like to remain hopeful but the chances are slim to none, really.
 
There are hardware flashers for the PS3 which allow you to downgrade your FW to 3.55. Or you could use Cobra ODE. So technically the PS3 is hacked in firmwares > 3.55.
BTW, I just read
Playing GC games off an SD card or USB just requires you to have SD or USB access, and with fake signing all of that is possible.
Like this it sounds just too easy. The real problem wasn't the signing but the fact that if you play a GameCube game on the Wii, the Wii boots in GameCube mode. GameCube mode replicates a real GameCube, which does not have SD card slots or USB. But with DIOS MIOS it was possible to load data off USB or SD devices. That's why DIOS MIOS is such a great piece of homebrew :D
 
Hardware attacks are unlikely for handhelds, because there's not enough room for installing extra hardware. It's already hard to place a 4-pin connector for NAND dumping somewhere.
 
Hardware attacks are unlikely for handhelds, because there's not enough room for installing extra hardware. It's already hard to place a 4-pin connector for NAND dumping somewhere.

True :) but look up 'Undiluted Platinum', a modchip for the PSP, very interesting.
 
I don't like to buy hardware from unknown teams for a lot of money and then get no support anymore after a month or so. That's why I and another person are working on the software side. It's free and does the same. Downside: it is easy to block.
 
There are hardware flashers for the PS3 which allow you to downgrade your FW to 3.55. Or you could use Cobra ODE. So technically the PS3 is hacked in firmwares > 3.55.

Those are hardware hacks, and they still downgrade you to 3.55. It's like if you have a NAND dump of a 3DS, you can update it then re-downgrade it.

It would be a big breakthrough if someone decrypted the 3DS NAND keys so you could dump your current NAND, take a "universal" 4.5 image and inject it into yours.

But with DIOS MIOS it was possible to load data off USB or SD devices. That's why DIOS MIOS is such a great piece of homebrew

Isn't MIOS just another IOS, though? That's a software thing, and DIOS MIOS just hacks that. I'm not saying it was easy to develop, but using fake-signing you get almost complete unrestricted access to the system, which opens up a whole world of possibilities.

The kernel of the 3DS is completely hacked now, but it requires firmware 4.5 to work. It's just a matter of people coding for it, things including a launcher, which we know Gateway is working on. The redirected NAND we have in Gateway's launcher is already a sort of "homebrew" for 3DS, if you will.
 
It would be a big breakthrough if someone decrypted the 3DS NAND keys so you could dump your current NAND, take a "universal" 4.5 image and inject it into yours.

Not possible. You always need code execution on your 3DS and the needed files from your NAND (I guess here the other 4.5 image, from which you want to create a valid 4.5 image for your 3DS, is already decrypted) to create a valid NAND image. The NAND is encrypted/decrypted the same way as all other data: through the 3DS hardware AES engine.

I have no other 4.5 3DS to test which files are needed to create a valid NAND image. I guess only movable.sed and SecureInfo_A are needed.

(Not to forget: you can modify all partitions except firm0 and firm1. If you modify them, the RSA signature is broken and the 3DS doesn't boot at all with this image.)
 
