Hacking [Release] 3DSafe: In-NAND PIN lock for 3DS

mashers

Notice: 3dsafe is no longer being maintained

3DSafe is an arm9loaderhax payload which will lock your sysnand with a PIN. The PIN request is displayed as soon as the 3DS is powered on. Because the 3DSafe payload is the A9LH stage1/stage2 payload, it is stored in NAND itself, not on the SD card. The PIN is also stored in NAND, so there is no way to edit or remove the PIN by removing the SD card or modifying files on it. After successfully entering the PIN, arm9loaderhax.bin is loaded from the SD card.

[Screenshots: pinentry.png, options.png]

If you forget your PIN
Because everything to do with 3DSafe is in NAND, you cannot remove the PIN lock or change the PIN until you have already got past the request for the PIN. For this reason, a bypass is included. This involves dumping your (nearly console-specific) sha.bin, placing it at /sha.bin on your 3DS SD card, and then booting. 3DSafe will detect the presence of the SHA file and bypass the PIN request, allowing you to change the PIN and boot the console. 3DSafe includes a simple option to dump the SHA to the SD card during installation, and the full installation instructions include details of what to do with it.


You must safeguard your PIN and your sha.bin
I cannot stress this enough. If you install 3DSafe, forget your PIN and lose your sha.bin, your 3DS will be a brick. There is absolutely no way to circumvent the PIN request without the sha.bin. The only thing you would be able to do in this situation would be to hardmod your 3DS and use the hardmod to write a NAND backup which does not have 3DSafe installed (or one in which you know the PIN). If you forget your PIN, lose your sha.bin and don't have a NAND backup you can restore using a hardmod, your 3DS will be permanently bricked.

I reiterate: BEFORE installing 3DSafe, make two NAND backups and verify that the md5sums match. After installation, dump your sha.bin, and then store your NAND backup and sha.bin in several safe locations. If you don't do this and forget your PIN, your 3DS is BRICKED.


Testing and disclaimer
I have tested this on my EUR n3DS. I make absolutely no guarantee that it will work for anybody else. Since you are writing these payloads to sysNAND, there is a possibility that you will brick your 3DS. I take absolutely no responsibility for this. Do not install this unless you know exactly what you are doing. I highly recommend that you take a NAND backup before installing this, and preferably have a hardmod before installing.


How to Install
Installation instructions can be found here:
https://github.com/mashers/3DSafe/blob/master/README.md
(Main project page deleted; you can use one of the forked projects instead, see the download link below)

Download link
Download the release from GitHub:
https://github.com/maorninja/3dsafe/


Credits
This project is based on ShadowNAND by RShadowhand, from which it is forked. All credit for the original payload is inherited from this project and the projects on which it is based in turn. The modifications in 3DSafe are by @mashers.

3DSafe incorporates parts of GodMode9 by @d0k3 for reading and writing the PIN from/to NAND. Credit for the code in 3DSafe which is taken from GodMode9 and modified by mashers is given to d0k3 and the other contributors to the GodMode9 project. This includes the following components of 3DSafe:
  • godmode.c
  • godmode.h
  • fatfs (modified to mount/read/write 3DS NAND partitions)
  • nand
3DSafe also includes an integrated version of SafeA9LHInstaller by @Aurora Wright.
 
Last edited by Cyan,
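
The pre-installation check the post above asks for (two NAND backups whose md5sums match, and a sha.bin kept in several safe locations), as an added example that is not part of the original post or of the 3DSafe project. The file names and paths are assumptions.

```python
import hashlib
from pathlib import Path


def file_digest(path, algo="md5", chunk_size=1 << 20):
    """Hash a file in chunks so a large NAND dump never sits in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_recovery_set(nand_dumps, sha_copies):
    """Return a list of problems; an empty list means the set is consistent.

    nand_dumps: paths of the NAND backups taken before installing (the post asks for two).
    sha_copies: paths of every stored copy of sha.bin (the post asks for several).
    """
    problems = []
    if len(nand_dumps) < 2:
        problems.append("fewer than two NAND backups")
    if len(sha_copies) < 2:
        problems.append("sha.bin stored in fewer than two locations")
    for label, paths in (("NAND backup", nand_dumps), ("sha.bin", sha_copies)):
        digests = {}
        for p in map(Path, paths):
            # A missing or zero-length file is a failed dump, not a valid copy.
            if not p.is_file() or p.stat().st_size == 0:
                problems.append(f"{label} missing or empty: {p}")
                continue
            digests.setdefault(file_digest(p), []).append(str(p))
        # More than one distinct digest means at least one copy is corrupt.
        if len(digests) > 1:
            problems.append(f"{label} copies differ: {sorted(digests.values())}")
    return problems


if __name__ == "__main__":
    # Hypothetical file names; substitute the paths of your own dumps.
    issues = verify_recovery_set(
        ["NAND_a.bin", "NAND_b.bin"],
        ["/mnt/usb1/sha.bin", "/mnt/usb2/sha.bin"],
    )
    print("recovery set OK" if not issues else "\n".join(issues))
```
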

mashers

> I saw you posting about this yesterday and didn't see this coming, great job and thanks for sharing :)
You're welcome :) I was going to wait until I had the PIN stored in NAND before releasing, but I decided it's still useful as-is since the PIN lock does actually work, and someone would have to think to delete pin.txt from the SD card to get around it :D
 

migles

> This will mean that there will be absolutely no way to circumvent the PIN lock.
Once this is possible, you need to put an arse door on it (backdoor).
People can shove the console in an attic for years, and when selling the console at garage sales or trying to play again after some time, they will forget the PIN... then it is just another piece of electronic waste...
 

mashers

> Once this is possible, you need to put an arse door on it (backdoor).
> People can shove the console in an attic for years, and when selling the console at garage sales or trying to play again after some time, they will forget the PIN... then it is just another piece of electronic waste...
The idea is that there is no backdoor. If there's a backdoor, it's useless.

The code is on GitHub, so if anybody wants to fork it and add a backdoor then that's up to them, but in this release there won't be one.
 

dimmidice

Can you still import a nand backup without the pin or not? That seems like a pretty safe backdoor. Forget the pin and your data is secure, but you can still import a nand backup (without pin setup) that you have to unpin it.
 

mashers

@yacepi15
It's a Luma3DS splash screen. Nothing to do with 3DSafe at all :)

@dimmidice
Yes, if you overwrite the NAND from a backup then it will remove the PIN. But, since the PIN is asked for before any A9LH payload from SD is launched, you won't be able to restore the NAND backup without entering the PIN first (unless you use a hardmod).

@Thunder Kai
I don't know what you mean by using payload GM9. As I said above, if you restore a NAND without it, then it will remove the PIN requirement.

--------------------- MERGED ---------------------------

@osm70
That is correct.
 

dimmidice

> @dimmidice
> Yes, if you overwrite the NAND from a backup then it will remove the PIN. But, since the PIN is asked for before any A9LH payload from SD is launched, you won't be able to restore the NAND backup without entering the PIN first (unless you use a hardmod).
Ah, that's a shame. Still it's a nice release that I'm sure some people will definitely use.
 

Hayleia

You remind me of Apple. Both of you are willing to brick a device if you don't know the password.
On one hand, it sounds like a stupid way to brick. But on the other hand, what's the use of the password if it can be bypassed?
(Note, you could repeat this exact sentence about arm9loaderhax's passwords, but the point was not to be 100% safe, just to prevent people from booting random payloads by chance).
 

Temarile

What about a built-in reset password function if you press Left 4 times in a row? Or even a silly combination of buttons? Would that be feasible? So you can reset your password if you forgot it, but it is still kinda hidden so you won't be able to do it by accident.
 

mashers

> Ah, that's a shame. Still it's a nice release that I'm sure some people will definitely use.
I don't know why this is a problem. Remember that you would have to restore a NAND from the device itself. So if the 3DS were to be stolen, somebody would have to restore YOUR NAND backup using a hardmod. For that to happen, the 3DS thief would have to know where I live, know where I keep my NAND backup, break into my house and steal it. I think at that point I have bigger problems than my 3DS :P

> You remind me of Apple. Both of you are willing to brick a device if you don't know the password.
I don't know what that has to do with Apple. But the only person who would not know my 3DS PIN would be a thief. And if they've got my property, then I'm absolutely happy for the 3DS to be a brick.

> What about a built-in reset password function if you press Left 4 times in a row? Or even a silly combination of buttons? Would that be feasible? So you can reset your password if you forgot it, but it is still kinda hidden so you won't be able to do it by accident.
Too easy to circumvent. Thief googles 3DS PIN code, finds the GitHub page for 3DSafe, and obtains the backdoor combination, rendering the PIN completely useless.

Let me reiterate: I will not be adding a back door function to this payload. If you don't like the idea of a locked NAND with no way of bypassing the lock, then don't use it.
 

dimmidice

On the subject of bypassing the PIN in a sort of safe manner, what about the OTP file? If you put that in a specific place then you can bypass the PIN. If you don't have it then it can't be bypassed. You should store that somewhere safely anyway so it's convenient.

> I don't know why this is a problem. Remember that you would have to restore a NAND from the device itself. So if the 3DS were to be stolen, somebody would have to restore YOUR NAND backup using a hardmod. For that to happen, the 3DS thief would have to know where I live, know where I keep my NAND backup, break into my house and steal it. I think at that point I have bigger problems than my 3DS :P
Well, it wouldn't be for thieves. Thieves wouldn't be able to use it. It'd be for if you forget the PIN. I thought that would've been obvious.
 

mashers

> On the subject of bypassing the PIN in a sort of safe manner, what about the OTP file? If you put that in a specific place then you can bypass the PIN. If you don't have it then it can't be bypassed. You should store that somewhere safely anyway so it's convenient.
>
> Well, it wouldn't be for thieves. Thieves wouldn't be able to use it. It'd be for if you forget the PIN. I thought that would've been obvious.
I don't know if it's possible to verify that the OTP matches the specific console it's from. And let's face it, anybody who's using this should already have a safe copy of their 3DS NAND and OTP. So why not just store the PIN in a text file in the same place? :rolleyes:
 

yacepi15

> On the subject of bypassing the PIN in a sort of safe manner, what about the OTP file? If you put that in a specific place then you can bypass the PIN. If you don't have it then it can't be bypassed. You should store that somewhere safely anyway so it's convenient.
>
> Well, it wouldn't be for thieves. Thieves wouldn't be able to use it. It'd be for if you forget the PIN. I thought that would've been obvious.
And if your console is stolen with the SD inside... The console will be always unlocked.
 