Replicatable Crash in FW 7.1.0 - 14J

Discussion in '3DS - Flashcards & Custom Firmwares' started by someonewhodied, Jan 15, 2014.

  1. someonewhodied (OP) - Lazy Person - Member, Sep 21, 2008, United States
    Basically, I've managed to find a way to crash my FW 7.1.0-14J.

    It requires modifying a save in a 3DS game that has the fw2.1+ encryption though.

    新・光神話 パルテナの鏡 (JPN Kid Icarus Uprising)

    1. Play on a file until it saves.
    2. Extract the save.
    3. Decrypt the save.
    4. There are 4 files in the save, 0.sav through 3.sav. You only need 1, 2, or 3 depending on your file.
    5. In whichever active save (1.sav, 2.sav, 3.sav):
       at 0x00000675, change the value to A0
       at 0x00000676, change the value to 06
    6. Reinsert the sav file.
    7. Reencrypt the save.
    8. Insert the save onto your cartridge.

    That save file is now unusable for playing, but will instead crash the 3DS.

    Doubt anything useful will actually come from this due to impracticality, but it's out there. It's a 3DS-mode crash on the latest FW.
     


  2. Xzi - Console Hacker and PC Gamer - Member, Dec 26, 2013, United States, Spiraling Out
    Hey, who knows. If it's possible to insert code as a result of this crash, you might have just discovered what we need to run flash cart firmware on 7.1 in 3DS mode.

    Good on ya for doing the work.
     
  3. juins - GBAtemp Fan - Member, Sep 13, 2003
    Just bumping this so that this thread is atop others. Great find, btw. You never know what can be done with stuff like this, and the whole scene may appreciate your share one day.
     
    minexew likes this.
  4. kirillov - Advanced Member - Newcomer, Dec 10, 2013
    Bump, waiting for experts.
     
  5. Arras - GBAtemp Guru - Member, Sep 14, 2010, Netherlands
    While the find is nice, do keep in mind that most crashes are just that - crashes, absolutely useless for hacking. It's not impossible that something may come of this, but don't get your hopes up. Even if this is usable as an exploit, an additional kernel exploit would be required to actually do cool stuff with it.
     
    Huntereb and cearp like this.
  6. Crass - Rock me Dr. Zaius - Member, Nov 3, 2006, United States, Oregon
    Could mean nothing, could potentially be exciting news. One of the first steps to getting an exploit is finding a usable crash! Thanks for sharing.
     
  7. Syphurith - Beginner - Member, Mar 8, 2013, Switzerland, Xi'an, Shaanxi Province
    Help you bump. Besides, I got some questions for you.
    1. You did say that it is "Replicatable", which means you could repeat it, right? You were performing this on an official FW, so you might be playing a legal copy. Is that digital or a gamecard? Also, what tool did you use (to decrypt your fw2.1+ save)?
    2. This is surely a crash caused by a gamesave. Many gamesave exploits rely on the "buffer overflow", as said by Wololo [Source] about the PSP scene. What is used in GW and Normatt's Launcher is a similar one, because it did overflow (please correct me if I said something wrong) the "name" field. I don't know what significant thing would happen after this crash. I don't think that may be an overflow, either, according to where you modified (maybe you could try again, fill some section with similar data, like A00655AA55AA55AA55AA or other hex strings. That would be easier to detect its location and where it may overwrite). The location may tell its prior; the result may lead to a technical report. IIRC 3DS is ARM based, so some location may be just a location (could not be used).
    3. There are several types of crash. One could run and stop, then reboot; one could run and trigger the error and just stop; one could run and trigger it and by some means get back to its route (and continue to run). Oh, the last one would need some experiments.. by hackers (well, if you are already one, why not have a try). Yeah, search for help..
    4. You could take some photos, also with your modified save zipped. And turn to the efnet.org #3dsdev channel for help. Most users of GBAtemp are players, not hackers, and GBAtemp is not a technical forum. They certainly do better than us. Don't be shy, be polite. If someone asks for details, just collect and tell him. If someone could confirm this is an exploit, well, good news and good on you! Wish you a lucky day.
     
  8. greyneon - Advanced Member - Newcomer, Sep 5, 2013, Hidden Nuclear Base
    Which European games have 2.1+ encryption?
     
  9. master801 - GBAtemp Fan - Member, Feb 24, 2011, United States
    Alright, even though I'm not an expert with this stuff, how does the 3DS crash? Does it give an error? Or does it just *crash*? Because, if it does give an error, it's a handled crash, and cannot be exploited. You should also make some pics or at least a video. :)
     
    mvmiranda and pelago like this.
  10. minexew - ayy lmao - Member, Mar 16, 2013
    Nice find, though even if it allowed you to overflow something it probably won't be of much use with limited privileges and No Execute. Time for another ROP chain, anybody?
     
  11. profi200 - Banned - Banned, Sep 3, 2011, The Gambia
    This is useless, because you invalidate the AES MAC with your changes.
     
  12. someonewhodied (OP) - Lazy Person - Member, Sep 21, 2008, United States
    I used a retail copy of the game.

    The game actually locks up with this crash; there isn't a "please turn off the 3DS" error code.
    Replicatable means that it wasn't a luck-based crash. I can make it happen every time; however, you only need to modify the save file once.

    For editing the save, I used Cyber Gadget's 3DS save editor for my JPN copy of KIU.




    Not quite. I can get modified saves to run no problem easily.
     
    dot7z likes this.
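profi200's objection is that a raw byte patch invalidates the save's MAC, while the OP replies that edited saves run fine once they go back through the editor ("Reencrypt the save" in the first post). The two views are reconciled by asking whether the tampering is detected before or after the tag is recomputed. The following added example (not code from the thread, from Cyber Gadget's editor, or from any 3DS tool) models that with a constructed four-slot container (0.sav through 3.sav, as the first post describes) whose slots carry an HMAC-SHA256 tag; the slot size, the key, and the use of HMAC instead of the console's real AES-based MAC are assumptions made only for illustration, and the real save format is not reproduced.

```python
"""Constructed model of a slotted save container with a per-slot integrity tag.

Assumptions (illustration only, not the real 3DS format): four slots named
0.sav..3.sav, each 0x1000 bytes of body followed by a 32-byte HMAC-SHA256 tag,
computed under a constructed demo key.
"""
import hmac
import hashlib
from typing import Dict, List, Tuple

SLOT_NAMES = ["0.sav", "1.sav", "2.sav", "3.sav"]  # four files, as in the thread
SLOT_SIZE = 0x1000        # assumed slot size, large enough to hold offset 0x676
TAG_SIZE = 32             # HMAC-SHA256 digest length

# Constructed key for the demo; a real console's key is not something a
# desktop tool would know, which is the whole basis of profi200's point.
DEMO_KEY = b"constructed-demo-key-not-a-real-3ds-key"


def tag_for(body: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Integrity tag over a slot body (HMAC-SHA256, assumed algorithm)."""
    return hmac.new(key, body, hashlib.sha256).digest()


def split(blob: bytes) -> Tuple[bytes, bytes]:
    """Separate a stored slot into (body, tag)."""
    return blob[:-TAG_SIZE], blob[-TAG_SIZE:]


def build_container(key: bytes = DEMO_KEY) -> Dict[str, bytes]:
    """Create four constructed slots, each filled with its index byte and tagged."""
    container = {}
    for i, name in enumerate(SLOT_NAMES):
        body = bytes([i]) * SLOT_SIZE      # constructed filler content
        container[name] = body + tag_for(body, key)
    return container


def patch_slot(container: Dict[str, bytes], name: str,
               offset: int, values: bytes) -> Dict[str, bytes]:
    """Return a copy with `values` written at `offset` of slot `name`.

    The tag is deliberately left untouched: this is a raw hex-editor write.
    """
    body, tag = split(container[name])
    if offset < 0 or offset + len(values) > len(body):
        raise ValueError("patch falls outside the slot body")
    new_body = body[:offset] + values + body[offset + len(values):]
    patched = dict(container)
    patched[name] = new_body + tag
    return patched


def verify(container: Dict[str, bytes], key: bytes = DEMO_KEY) -> List[str]:
    """Return the names of slots whose stored tag no longer matches their body."""
    bad = []
    for name, blob in container.items():
        body, tag = split(blob)
        if not hmac.compare_digest(tag, tag_for(body, key)):
            bad.append(name)
    return bad


def resign_slot(container: Dict[str, bytes], name: str,
                key: bytes = DEMO_KEY) -> Dict[str, bytes]:
    """Recompute one slot's tag: the step a save editor must perform (under the
    right key) for an edited save to pass the check again."""
    body, _ = split(container[name])
    resigned = dict(container)
    resigned[name] = body + tag_for(body, key)
    return resigned


if __name__ == "__main__":
    c = build_container()
    print("untouched:", verify(c))                      # []
    # The same two-byte write the first post describes, applied to slot 1.sav.
    p = patch_slot(c, "1.sav", 0x675, bytes([0xA0, 0x06]))
    print("after raw patch:", verify(p))                # ['1.sav']
    print("after re-signing:", verify(resign_slot(p, "1.sav")))  # []
```

The raw patch is flagged because only the body changed; re-signing makes it pass again, but only for a tool that holds the tagging key. Which of the two situations applies to a real edited save is exactly the question the thread leaves open.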
  13. juins - GBAtemp Fan - Member, Sep 13, 2003
    Bumping this. Did anyone check out this thing thoroughly?
     
  14. gamefan5 - Kid Icarus Uprising connoisseur - Member, Aug 29, 2010, Canada, Somewhere in this Earth
    This could get interesting... Or, it could not.
    So, we'll see what happens.
     
  15. juins - GBAtemp Fan - Member, Sep 13, 2003
    How the hell do you tag people on GBAtemp? Might be worth tagging respectful users.
     
  16. someonewhodied (OP) - Lazy Person - Member, Sep 21, 2008, United States
    I'm just gonna wait and see if anything can actually come from this since I don't know how to code shit for 3ds. But yeah, someone that knows more should check it out.
     
    gamefan5 likes this.
  17. Sheimi - A cute Vixen! - Member, Oct 22, 2009, United States
    Interesting. I will try this with other games.
     
  18. Nismax - GBAtemp Regular - Member, Sep 13, 2009, United States
    IB Gateway releases exploit using this crash to brick 3DS consoles.
     
    UltraMew and Huntereb like this.
  19. juins - GBAtemp Fan - Member, Sep 13, 2003
    That would be lol.
     
  20. mr. fancypants - that's 'Sir' for you! - Member, Jul 16, 2013, Netherlands, right here, right now

    @ "the name of the person you want to tag" (without the space between the @ and the name)