seedminer (single system DSiWare injection)

Discussion in '3DS - Flashcards & Custom Firmwares' started by zoogie, Feb 1, 2018.

?
  1. Yes! (193 votes, 45.3%)
  2. No (96 votes, 22.5%)
  3. What's dedicated graphics? (32 votes, 7.5%)
  4. I'm a cat, we can just guess our movable.sed through feline intuition (105 votes, 24.6%)
  1. zoogie
    OP

    zoogie playing around in the dsiware

    Member
    20
    Nov 30, 2014
    Micronesia, Federated States of
    What is this:
    A stable implementation of the 3ds vuln described here. The old thread about it is here.
    This is a new way to inject dsiwarehax -- which can install B9S -- that doesn't require a second 3ds on hand.

    What you need:
    Seedminer only needs a system's *LFCS and ID0 (the long hex # in your Nintendo 3DS folder) to work its magic.
    Currently, you need either a userland entrypoint or someone online you can exchange friend codes with who can send you a file with the LFCS.
    Other ways to get the LFCS are being worked on, more details in the release archive's readme.
    A PC is required for brute-forcing the actual movable.sed. A CPU will suffice, but a dedicated GPU is much, much better. Integrated graphics suck, don't count on that to be much better than a CPU. It can even be worse.
    You will also need to buy a $2 dsiware game if you don't have a compatible one yet.

    * Local Friend Code Seed - this is not the same as LocalFriendCodeSeed_B, see readme.txt for more details.

    How to do this:
    The easiest method is here.
    Please see the readme in the release archive for additional methods that aren't recommended for most people.

    How can I help:
    There is actually one thing either users of seedminer, or people who already have cfw, can do - dump msed_data nodes!
    Seedminer uses "error correction" to make better guesses on where to start brute forcing - this can greatly improve speed, especially needed with cpu brute-forcing. This data is gathered from actual movable.seds. You can dump and share this data with seedstarter.cia (option X) in the release archive or find "seedminer" in FBI's TitleDB homebrew shop. It is also dumped at the conclusion of a successful brute-force (alongside your movable.sed). It looks like "msed_data_00001234.bin" for example.
    The data consists of [LFCS - truncated 12 bits for data privacy] [msed3 error distance] [seedtype new/old 3ds] (12 bytes total)
    REMEMBER - it is entirely optional to share this, but greatly appreciated! You can post it in the thread or PM, your choice. I will then add them to the seedminer database files at regular intervals.

    If you would like to help people brute-force their seeds, or help them get their LFCS with a friend code exchange, there is a special thread for that here.

    Q&A:
    Q. I've got my movable.sed and now I'm at the TADpole part, what's this about the ctcert.bin, will you be providing one?
    A. No. That file is extremely console-unique and not something I'm comfortable sharing. Someone else will have to share. It only takes one - they work globally. Don't upload it here, it will probably be considered warez (not really sure about that designation - not my call).
    Q. Why not ntrboot?
    A. Ntrboot is fantastic! It's certainly a better long term solution. However, seedminer only requires a $2 dsiware purchase and you don't have to wait weeks for China Post to deliver a flashcard. Seedminer is pretty involved though, so if you're not comfortable with a lot of steps, just go with ntrboot.
    Q. Could Nintendo patch this?
    A. Yes, certainly at least the dsiware injection. Now that it's a primary, they might consider it more of a priority to fix than when it was just used for dsiware transfer hax (3ds.guide). That doesn't account for the possibility of additional dsiware savehax games, however. The movable.sed vuln itself will be a bit more difficult to patch since it's pretty deeply built into the security infrastructure of the 3ds. They could at least make it harder to fish out the LFCS from userland and below.
    Q. If dsiware injection was fixed, could this be used for anything else?
    A. Yes, I think so at least. Knowing the movable.sed should allow one to modify 3ds game saves (it does, see update below), and this should essentially turn eshop userland secondary exploits into primaries. Again, I haven't actually tested this, but it should work. @wwylele made a tool recently that could help with this.
    UPDATE Jun-7-18
    Steelhax savegame injection implemented.
    http://steelminer.jisagi.net/


    Thanks:
    Code
    @JimmyZ - for providing the sorely-needed ocl brute forcer
    @Joel16 - tons of friend functions and other useful code
    @ihaveamac - python3 porting for TADpole and seedminer_launcher
    @Blackfall - the DIS cloud version of TADpole
    Testers
    @Quantumcat - tons of advice and testing
    @FallenApex - first successful public trial!
    @PowerBall253 - the second successful public trial!
    Helpers
    @Hunter
    @Marenthyu
    @punderino
    @MrJason005
    @eip618
    @Ihiing
    @zacchi4k
    @everyone-else-who-has-mined-or-FC-shared-for-someone-else

    Release:
    Download
    Source
     

    Last edited by zoogie, Jun 7, 2018
  2. Aletron9000

    Aletron9000 3DS Master

    Member
    5
    May 10, 2016
    United States
    3DS ARM9 CPU
    Just when I think 3ds hacking is dead, this comes out. Great to see more progress!
     
  3. PowerBall253

    PowerBall253 GBAtemp Regular

    Member
    1
    Dec 17, 2017
    United States
    I can confirm this actually works!!!
    @zoogie helped me to B9S my console with it :)
     
  4. LukeHasAWii

    LukeHasAWii GBAtemp Advanced Fan

    Member
    6
    Apr 24, 2016
    United States
    Iowa
    Wow, almost 50,000 views. I was lucky to be early on this thread!
     
    Last edited by LukeHasAWii, Feb 19, 2018
  5. JimmyZ

    JimmyZ Sarcastic Troll

    Member
    5
    Apr 2, 2009
    Zimbabwe
    My heart skipped a beat when I thought that was "badly coded".
     
  6. zoogie
    OP

    Changed the wording a bit.
    Never in a million years would "badly-coded" cross my mind when thinking of your code :D
     
  7. JimmyZ

    update: realized I could just append a fake extension.

    31... 2DS U
    49... new 3DS LL J
    54... new 3DS J
     

    Last edited by JimmyZ, Feb 2, 2018
  8. anonymoose

    anonymoose Lannister

    Member
    2
    Nov 15, 2015
    Germany
    Kashyyyk
    Thanks for the amazing work! :yay:
    The primaries are stacking ...
     
  9. zoogie
    OP

  10. SomeGamer

    SomeGamer GBAtemp Guru

    Member
    12
    Dec 19, 2014
    Antarctica
    I'm a cat and all my 3DSes already have B9S, but thanks still. I'm sure humans will find it useful.
     
  11. astrangeone

    astrangeone GBAtemp Addict

    Member
    6
    Dec 1, 2009
    Canada
    Canada
    Bookmarking this. Will add some 3DS info from my systems soon.
     
  12. THEELEMENTKH

    THEELEMENTKH GBAtemp Advanced Maniac

    Member
    8
    May 31, 2016
    Spain
    This is amazing
    This made me realize how funny it is that the 3DS scene basically cracked open any FW Nintendo has released, and the Vita scene decided not to search (at least publicly?) for a 3.60+ CFW solution (Yes, I know Nintendo is crap at security)
     
  13. astrangeone

  14. CrispyYoshi

    CrispyYoshi GBAtemp Advanced Maniac

    Member
    5
    Mar 20, 2010
    United States
    This is very cool! Any high or low end estimate of how long one should expect to take when doing this?
     
  15. zoogie
    OP

    Absolute worst case for CPU is about 5 days. Average 1-2 days.
    Worst case GPU about 6 hours, average 1-2 hours.

    CPU is faster than China Post at least :P

    Having a newer (old/new) 3ds certainly helps as we have more msed_data points for newer systems.
    You can see that from this chart of msed_data nodes (up-to-date)
    Figure_1.png
    (forgot to say: LFCS's are given out sequentially like a serial number, so higher values == newer)
     
    Last edited by zoogie, Feb 2, 2018
  16. GinBunBun

    GinBunBun GBAtemp Regular

    Member
    3
    Dec 24, 2012
    United States
    I don't know. Ohio I think?
  17. Shumulu

    Shumulu Newbie

    Newcomer
    1
    Aug 20, 2017
    Germany
    O3DS E
     

  18. Xenon Hacks

    Xenon Hacks GBAtemp Guru

    Member
    13
    Nov 13, 2014
    United States
    Got a 1080 Ti in my rig. What do you need a GPU for?
     
  19. zoogie
    OP

    Brute forcing the movable.sed keyy to hax 3ds's. GPUs are much faster at sha256 hashing than CPUs. That's why they were so popular in the early days of bitcoin mining.
    If your 3ds is already hacked, I guess you don't need to brute force anything.

    Other people could use that power though. And you could provide that as a service (all you need from them is the ID0 and a friend code exchange). Might even be a good little way to earn money -- or as an act of free charity, whatever floats your boat.
    You just upload them and the maintainer of this project (me) adds them to the database to improve brute force times.
     
    Last edited by zoogie, Feb 2, 2018
  20. Xenon Hacks

    Right now I'm mining Ethereum, but if someone is reading this, hit me up and I guess I can try for them.

    @zoogie Do you have a sample I can test on? My 3DS is in its box and my memory of everything 3DS-related is fuzzy. Also, what version of Python do I need for this?
     