Hacking seedminer (single system DSiWare injection)

If you are planning on using seedminer, do you have a dedicated graphics card in your PC?

  • Yes! (Votes: 205, 44.9%)
  • No (Votes: 105, 23.0%)
  • What's dedicated graphics? (Votes: 35, 7.7%)
  • I'm a cat, we can just guess our movable.sed through feline intuition (Votes: 112, 24.5%)
  • Total voters: 457

zoogie

playing around in the dsiware
OP
Developer
Joined
Nov 30, 2014
Messages
8,416
Trophies
2
XP
13,796
Country
Micronesia, Federated States of
UPDATE JANUARY 10, 2019!
The following link is an updated version of Seedminer that works on the latest firm 11.9.0-42!
And it's FREE!

https://jisagi.github.io/FrogminerGuide/

What is this:

A stable implementation of the 3ds vuln described here. The old thread about it is here.
This is a new way to inject dsiwarehax -- which can install B9S -- that doesn't require a second 3ds on hand.

What you need:
Seedminer only needs a system's *LFCS and ID0 (the long hex # in your Nintendo 3DS folder) to work its magic.
Currently, you need either a userland entrypoint or someone online you can friend code exchange with and send you a file with the LFCS.
Other ways to get the LFCS are being worked on, more details in the release archive's readme.
A PC is required for a brute-forcing of the actual movable.sed. A CPU will suffice, but a dedicated GPU is much, much better. Integrated graphics suck, don't count on that to be much better than a CPU. It can even be worse.
You will also need to buy a $2 dsiware game if you don't have a compatible one yet.

* Local Friend Code Seed - this is not the same as LocalFriendCodeSeed_B, see readme.txt for more details.

How to do this:
The easiest method is here.
Please see the readme in the release archive for additional methods that aren't recommended for most people.

How can I help:
There is actually one thing either users of seedminer, or people who already have cfw, can do - dump msed_data nodes!
Seedminer uses "error correction" to make better guesses on where to start brute forcing - this can greatly improve speed, especially needed with cpu brute-forcing. This data is gathered from actual movable.seds. You can dump and share this data with seedstarter.cia (option X) in the release archive or find "seedminer" in FBI's TitleDB homebrew shop. It is also dumped at the conclusion of a successful brute-force (alongside your movable.sed). It looks like "msed_data_00001234.bin" for example.
The data consists of [LFCS - truncated 12 bits for data privacy] [msed3 error distance] [seedtype new/old 3ds] (12 bytes total)
REMEMBER - it is entirely optional to share this, but greatly appreciated! You can post it in the thread or PM, your choice. I will then add them to the seedminer database files at regular intervals.

If you would like to help people brute-force their seeds, or help them get their LFCS with a friend code exchange, there is a special thread for that here.

Q&A:
Q. I've got my movable.sed and now I'm at the TADpole part, what's this about the ctcert.bin, will you be providing one?
A. No. That file is extremely console-unique and not something I'm comfortable sharing. Someone else will have to share. It only takes one - they work globally. Don't upload it here, it will probably be considered warez (not really sure about that designation - not my call).
Q. Why not ntrboot?
A. Ntrboot is fantastic! It's certainly a better long term solution. However, seedminer only requires a $2 dsiware purchase and you don't have to wait weeks for China Post to deliver a flashcard. Seedminer is pretty involved though, so if you're not comfortable with a lot of steps, just go with ntrboot.
Q. Could Nintendo patch this?
A. Yes, certainly at least the dsiware injection. Now that it's a primary, they might consider it more of a priority to fix than when it was just used for dsiware transfer hax (3ds.guide). That doesn't account for the possibility of additional dsiware savehax games, however. The movable.sed vuln itself will be a bit more difficult to patch since it's pretty deeply built into the security infrastructure of the 3ds. They could at least make it harder to fish out the LFCS from userland and below.
Q. If dsiware injection was fixed, could this be used for anything else?
A. Yes, I think so at least. Knowing the movable.sed should allow one to modify 3ds game saves (it does, see update below), and this should essentially turn eshop userland secondary exploits into primaries. Again, I haven't actually tested this, but it should work. @wwylele made a tool recently that could help with this.
UPDATE Jun-7-18
Steelhax savegame injection implemented.
http://steelminer.jisagi.net/


Thanks:
Code
@JimmyZ - for providing the sorely-needed ocl brute forcer
@Joel16 - tons of friend functions and other useful code
@ihaveamac - python3 porting for TADpole and seedminer_launcher
@Blackfall - the DIS cloud version of TADpole
Testers
@Quantumcat - tons of advice and testing
@FallenApex - first successful public trial!
@PowerBall253 - the second successful public trial!
Helpers
@Hunter
@Marenthyu
@punderino
@MrJason005
@eip618
@Ihiing
@zacchi4k
@everyone-else-who-has-mined-or-FC-shared-for-someone-else

Release:
Download
Source
 

Attachments

  • seedstarter.zip
    123.7 KB · Views: 1,528
  • FROGminer_BETA.zip
    94 KB · Views: 452

JimmyZ

update: realized I could just append a fake extension.

31... 2DS U
49... new 3DS LL J
54... new 3DS J
 

Attachments

  • msed_data_31C5BE2B.bin.zip
    12 bytes · Views: 720
  • msed_data_49BAB3BB.bin.zip
    12 bytes · Views: 637
  • msed_data_5420AE67.bin.zip
    12 bytes · Views: 673

THEELEMENTKH

This is amazing
This made me realize how funny it is that the 3ds scene basically cracked open any FW Nintendo has released, and the Vita scene decided not to search (at least publicly?) for a 3.60+ CFW solution (Yes, I know Nintendo is crap at security)
 

zoogie

> This is very cool! Any high or low end estimate of how long one should expect to take when doing this?

Absolute worst case for CPU is about 5 days. Average 1-2 days.
Worst case GPU about 6 hours, average 1-2 hours.

CPU is faster than China Post at least :P

Having a newer (old/new) 3ds certainly helps as we have more msed_data points for newer systems.
You can see that from this chart of msed_data nodes (up-to-date)
[Image: Figure_1.png, chart of msed_data nodes]
(forgot to say: LFCS's are given out sequentially like a serial number, so higher values == newer)
 

GinBunBun


zoogie

> Got a 1080 Ti in my rig what you need a GPU for?

Brute forcing the movable.sed keyy to hax 3ds's. GPU is much faster at sha256 hashing than CPUs. That's why they were so popular in the early days of bitcoin mining.
If your 3ds is already hacked, I guess you don't need to brute force anything.

Other people could use that power though. And you could provide that as a service (all you need from them is the ID0 and a friend code exchange). Might even be a good little way to earn money -- or as an act of free charity, whatever floats your boat.

> I am probably being totally stupid right now but how do you use these with seed miner? I read the readme but I got pretty lost.

You just upload them and the maintainer of this project (me) adds them to the database to improve brute force times.
 

Xenon Hacks

> Brute forcing the movable.sed keyy to hax 3ds's. GPU is much faster at sha256 hashing than CPUs. That's why they were so popular in the early days of bitcoin mining.
> If your 3ds is already hacked, I guess you don't need to brute force anything.
>
> Other people could use that power though. And you could provide that as a service (all you need from them is the ID0 and a friend code exchange). Might even be a good little way to earn money -- or as an act of free charity, whatever floats your boat.
>
> You just upload them and the maintainer of this project (me) adds them to the database to improve brute force times.

Right now I'm mining ethereum, but if someone is reading this, hit me up and I guess I can try for them.

--------------------- MERGED ---------------------------

@zoogie Do you have a sample I can test on, my 3DS is in its box and my memory of everything 3DS related is fuzzy. Also what version of python do I need for this?
 