Hacking [Release] 3DSafe: In-NAND PIN lock for 3DS

mashers (OP)

Nice ^^

So if I can't remember the PIN, my 3DS is useless if I have no hardmod and a NAND backup?
Correct.

EDIT: What splash screen are you using in the video? :O
N3DS Space, from here: https://splash.3dsthem.es/?q=user:HeyItsJono

--------------------- MERGED ---------------------------

He was talking about when it is written to the NAND, and a suggestion for a back door is having the OTP on the card.
Correct. It's only written to SD temporarily while I figure out how to write it to NAND and read back from NAND.

I would totally use this, but the risk of a brick is kind of a turn off for me...
The risk of brick is not really any higher than installing any other A9LH payload. Just make sure you make a note of the PIN once NAND PIN storage is implemented. For now if you forget it you can just delete the pin.txt from the SD card to get around it.
 

Hayleia

I don't have any clue about how stages work, but couldn't you maybe reserve some space at a place you know (like for example "the beginning of stage 2") and put a default password there at compilation, then use a password-setter payload (that wouldn't be bootable without knowing the password, so it's not a backdoor) to modify it (it would have a max length but I don't think anyone wants to press 17 keys just to boot a 3DS :P)?
 
mashers (OP)

Would be nice if it could display some contact information for if someone finds your 3DS.
Actually somebody else mentioned that but I forgot to add it to the to-do list.

this is a stupid idea, forget the PIN and your 3DS is like a brick
Forgetting the PIN is a stupid idea.

You should be able to boot into Hourglass9 at least without the pin. The owner of the console is going to be the only person with a backup.
Hmm, what can you do in hourglass9? Just restore a NAND backup?
 
nastys

Currently, the PIN is loaded from a file on SD (/pin.txt). This means that editing the file will change the PIN, and deleting it will remove the requirement to enter the PIN. This will change once NAND reading and writing has been added, at which point the PIN will be stored in NAND and it will not be possible to change it until the PIN has been entered. This will mean that there will be absolutely no way to circumvent the PIN lock.
In the meantime, maybe you can encrypt that file using a key extracted from the console. Provided that you have a NAND backup, it should be possible to decrypt the key in case you forget the PIN (without restoring the backup), without a pointless backdoor.
I'm not sure which console-specific keys can be accessed, though...
Is it possible?

Anyway... if you forget the PIN and don't even have a NAND backup, you could always try every possible combination (but since it's a 6-digit code, good luck with that... 10^6=1000000)
 

mashers (OP)

In the meantime, maybe you can encrypt that file using a key extracted from the console. Provided that you have a NAND backup, it should be possible to decrypt the key in case you forget the PIN (without restoring the backup), without a pointless backdoor.
I'm not sure which console-specific keys can be accessed, though...
Is it possible?
I have no idea. But it's not really worth adding encryption/decryption since SD storage of the PIN is temporary.

Anyway... if you forget the PIN and don't even have a NAND backup, you could always try every possible combination (but since it's a 6-digit code, good luck with that... 10^6=1000000)
Also, it's only because of the PIN I chose that it's 6-digit. You could use any length of PIN you like.
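The PIN-handling points raised in the last few posts (a plaintext /pin.txt, nastys' idea of binding the stored secret to a console-specific key, and the 10^6 keyspace of a 6-digit PIN), as an added example in Python. This is not 3DSafe's code and nothing here runs on a 3DS: the console-unique secret is a placeholder, because the thread does not establish which console keys an A9LH payload can read, and the salt, iteration count and sample PINs are constructed. It stores a PBKDF2 verifier instead of the PIN, keys it with the console secret so that a copy lifted from a NAND backup cannot be checked off-device, and includes the offline exhaustive search nastys mentions so the size of the keyspace can be seen directly.

```python
import hashlib
import hmac
import itertools
import os

# Placeholder for a console-unique secret. The thread does not establish which
# console keys an A9LH payload can read, so this constructed value stands in
# for one; the only property relied on is that it never leaves the console.
CONSOLE_SECRET = bytes(range(32))

ITERATIONS = 50_000  # PBKDF2 work factor: every guess, online or offline, pays it


def _pepper(pin: str, console_secret: bytes) -> bytes:
    """Bind the PIN to this console before key stretching."""
    return hmac.new(console_secret, pin.encode(), hashlib.sha256).digest()


def make_verifier(pin: str, console_secret: bytes, salt=None, iterations: int = ITERATIONS) -> dict:
    """What would be written to NAND instead of the PIN: salt, work factor and tag."""
    if not pin.isdigit():
        raise ValueError("PIN must be decimal digits")
    salt = os.urandom(16) if salt is None else salt
    tag = hashlib.pbkdf2_hmac("sha256", _pepper(pin, console_secret), salt, iterations, dklen=32)
    return {"salt": salt, "iterations": iterations, "tag": tag}


def check_pin(candidate: str, verifier: dict, console_secret: bytes) -> bool:
    """Recompute the tag for a candidate PIN and compare it in constant time."""
    if not candidate.isdigit():
        return False
    tag = hashlib.pbkdf2_hmac("sha256", _pepper(candidate, console_secret),
                              verifier["salt"], verifier["iterations"], dklen=32)
    return hmac.compare_digest(tag, verifier["tag"])


def keyspace(digits: int) -> int:
    """Number of PINs of the given length (10^6 for six digits)."""
    return 10 ** digits


def brute_force(verifier: dict, console_secret: bytes, digits: int):
    """Offline exhaustive search over every `digits`-long PIN, in numeric order.
    Returns (pin, guesses) on success, (None, guesses) if nothing matched."""
    guesses = 0
    for combo in itertools.product("0123456789", repeat=digits):
        guesses += 1
        candidate = "".join(combo)
        if check_pin(candidate, verifier, console_secret):
            return candidate, guesses
    return None, guesses
```

With the real work factor each guess costs tens of milliseconds of PBKDF2 on a PC, so walking all 10^6 six-digit PINs takes hours rather than seconds, and an attacker who does not have the console secret cannot check a single guess against a verifier copied out of a NAND backup. Each extra digit (mashers notes any length works) multiplies the search by ten.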
 

mashers (OP)

@Quantumcat
The problem with booting hourglass9 if the PIN is incorrect is that the user could replace the hourglass9 payload with something else (i.e. CFW) to get the 3DS to boot even with an incorrect PIN. A couple of ideas which occur to me are:
  • Once NAND reading and writing is working, the hourglass9.bin payload could be stored as a file in NAND, and then saved to SD any time it is needed. That way, only hourglass9 will be bootable if an incorrect PIN is entered
  • Extract the parts of hourglass9 which write the NAND backup and incorporate it directly into 3DSafe
Of the two solutions, I am leaning more towards the first. What do you think?
 

hacksn5s4

@Quantumcat
The problem with booting hourglass9 if the PIN is incorrect is that the user could replace the hourglass9 payload with something else (i.e. CFW) to get the 3DS to boot even with an incorrect PIN. A couple of ideas which occur to me are:
  • Once NAND reading and writing is working, the hourglass9.bin payload could be stored as a file in NAND, and then saved to SD any time it is needed. That way, only hourglass9 will be bootable if an incorrect PIN is entered
  • Extract the parts of hourglass9 which write the NAND backup and incorporate it directly into 3DSafe
Of the two solutions, I am leaning more towards the first. What do you think?
Make it generate a key file or something, and if it's on the SD it will let you boot without a PIN, and every key file is different for every 3DS. Those other solutions will let a thief brick your 3DS; they could just download the hourglass9 bin file to get in. It needs to be different for every 3DS.
 
osm70

I don't know why this is a problem. Remember that you would have to restore a NAND from the device itself. So if the 3DS were to be stolen, somebody would have to restore YOUR NAND backup using a hardmod. For that to happen, the 3DS thief would have to know where I live, know where I keep my NAND backup, break in to my house and steal it. I think at that point I have bigger problems than my 3DS :P


I don't know what that has to do with Apple. But the only person who would not know my 3DS PIN would be a thief. And if they've got my property, then I'm absolutely happy for the 3DS to be a brick.


Too easy to circumvent. Thief googles 3DS PIN code, finds the GitHub page for 3DSafe, and obtains the backdoor combination, rendering the PIN completely useless.

Let me reiterate: I will not be adding a back door function to this payload. If you don't like the idea of a locked NAND with no way of bypassing the lock, then don't use it.


The iOS activation lock feature. If you factory reset a password-protected device, you will need to enter the password to make it work again. The password is verified by Apple's server and is used to decrypt iOS. The operating system is encrypted upon installation. The decryption key is literally the password you use. And no, you can't just install an unencrypted version, because Apple's server has to allow you to install anything.
 
capito27

@Quantumcat
The problem with booting hourglass9 if the PIN is incorrect is that the user could replace the hourglass9 payload with something else (i.e. CFW) to get the 3DS to boot even with an incorrect PIN. A couple of ideas which occur to me are:
  • Once NAND reading and writing is working, the hourglass9.bin payload could be stored as a file in NAND, and then saved to SD any time it is needed. That way, only hourglass9 will be bootable if an incorrect PIN is entered
  • Extract the parts of hourglass9 which write the NAND backup and incorporate it directly into 3DSafe
Of the two solutions, I am leaning more towards the first. What do you think?
What good would that do? Since hourglass9 will never overwrite A9LH, it won't replace the stage1/2 of A9LH and thus won't help to recover from a forgotten PIN code. Also, sorry to burst your bubble, but if you allow people to overwrite their NAND, people on O3DS can easily bypass your stage 1 and 2 thanks to the fact that A9LH is totally standardized: simply replace firm0 with an O3DS firm that is smaller than the A9LH firm1 (and they exist) and it totally bypasses the PIN code, and if the firm used is from before 11.0, a downgrade will bring them back to an exploitable firmware.
 
MistWisp

@Quantumcat
The problem with booting hourglass9 if the PIN is incorrect is that the user could replace the hourglass9 payload with something else (i.e. CFW) to get the 3DS to boot even with an incorrect PIN. A couple of ideas which occur to me are:
  • Once NAND reading and writing is working, the hourglass9.bin payload could be stored as a file in NAND, and then saved to SD any time it is needed. That way, only hourglass9 will be bootable if an incorrect PIN is entered
  • Extract the parts of hourglass9 which write the NAND backup and incorporate it directly into 3DSafe
Of the two solutions, I am leaning more towards the first. What do you think?
You can do an MD5 or SHA1 verification to see if the payload is actually hourglass9.
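A minimal form of that check, as an added example in Python rather than anything from 3DSafe or hourglass9. The two payload images and the allowlisted digest are constructed stand-ins, not real 3DS binaries, and SHA-256 is used in place of MD5/SHA-1, which are no longer collision resistant. The verified buffer is what gets handed back to the caller, so the bytes that are executed are the bytes that were hashed, not a file re-read from SD after the check.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for payload images (not real 3DS binaries). A deployed
# allowlist would carry the SHA-256 of the exact hourglass9.bin release that is
# shipped alongside the PIN-lock payload.
KNOWN_GOOD_PAYLOAD = b"HOURGLASS9-STAND-IN\x00" + bytes(range(64))
TAMPERED_PAYLOAD = KNOWN_GOOD_PAYLOAD[:-1] + b"\xff"   # one byte changed


def sha256_hex(image: bytes) -> str:
    """Digest of a payload image as lowercase hex."""
    return hashlib.sha256(image).hexdigest()


# Payload names that may run without the PIN, each pinned to exactly one digest.
ALLOWED_NO_PIN_PAYLOADS = {
    "hourglass9.bin": sha256_hex(KNOWN_GOOD_PAYLOAD),
}


def verify_payload(name: str, image: bytes, allowlist=ALLOWED_NO_PIN_PAYLOADS) -> bool:
    """True only if `name` is allowlisted and `image` hashes to its pinned digest."""
    expected = allowlist.get(name)
    if expected is None:
        return False
    # compare_digest does not leak how many leading hex characters matched.
    return hmac.compare_digest(sha256_hex(image), expected)


def load_no_pin_payload(name: str, image: bytes, allowlist=ALLOWED_NO_PIN_PAYLOADS) -> bytes:
    """Return the verified image itself, so the caller jumps into the buffer that
    was hashed instead of re-reading the file from SD after the check."""
    if not verify_payload(name, image, allowlist):
        raise PermissionError(f"{name}: digest not allowlisted, refusing to boot without PIN")
    return image


def load_from_sd(path: str, allowlist=ALLOWED_NO_PIN_PAYLOADS) -> bytes:
    """Read the file once and verify that single buffer."""
    with open(path, "rb") as f:
        image = f.read()
    return load_no_pin_payload(os.path.basename(path), image, allowlist)
```

Pinning the name to a digest means a CFW renamed to hourglass9.bin fails the check and so does a modified hourglass9; it only controls what the PIN-lock stage chains into, and does nothing about the firm0 replacement capito27 describes, which happens below that stage.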
 

-Xin-

The idea is that there is no backdoor. If there's a backdoor, it's useless.

The code is on GitHub, so if anybody wants to fork it and add a backdoor then that's up to them, but in this release there won't be one.
So that means if we hate someone we can use your "3DSafe" on him and choose a random password, and then boom, he can never play with it!!!!!!
Dude, even great companies have backdoors; your software can be used for evil more than good... think a little before releasing it.
 
