Use modified NFC to execute arbitrary code?

rvnx

Hey guys!

I've recently bought the N3DS. It was a tough choice, but I needed a handheld to keep me entertained on my way to work. (My phone just drains way too much.)

Anyway, I've been using some flashcards on my old DSi, so I went looking around how the current state of the 3DS is in this compartment. It seems to have progressed quite a lot since I last saw something about using a flashcard on the 3DS about a year ago. Anyway, a friend of mine, we were playing SSMB, showed me one of those Amiibos. I found the concept pretty interesting and read up on them. They use NFC to read/write data from the Amiibo itself to trigger specific events in games, or even save data on them to be used on other hardware without loss of data.

So I've been thinking. It's possible to modify/program custom NFC tags that can be used to, let's say, trigger the WiFi on your phone for example. And I was wondering if it was possible to -theoretically- execute your own code using a modified Amiibo (or an NFC-Tag with modified data on it) to bypass some stuff related to loading flashcards or CFW?
It would obviously require some reverse engineering on what data the Amiibo tells the system, and what exactly it triggers, but it should be possible, right?

What are your opinions on this matter?
 

vingt-2

Like any I/O options a device can use, it will depend on the level of security and checks implemented by the application programmer when handling communications via NFC.
 

Maximilious

That would be interesting. You can manage your Amiibo from the Home Settings menu so it would be fairly easy to execute. GW or any other flashcart designer could sell an NFC chip with USB input for file transfer for any updates they may need. Cool concept... so rvnx, GET CRACKIN! :)
 

aenoch

lol. A gateway Amiibo...I wonder what such a monstrosity would look like. :P

I wouldn't put it past them to make one if they find an exploit that uses NFC as the entry point. A perfect excuse for them to make more money. :P
It would be sweet if they used the Dragon logo, but then it would be cheaply made. "How did you hack your 3DS? With this badass Dragon, right here." You could probably use your phone's NFC, so it would be pointless for them to sell one.
 

jrebey

There are buttons on the 3ds! If I push one I should be able to run arbitrary code, right? The secret has been in the buttons all along! Someone should make this happen. But not me because reasons.


Well... technically it's possible to glitch a game using the buttons and load arbitrary code.

As far as NFC goes, I'm pretty sure the NFC stack in the 3DS is meant solely for Amiibo. Amiibo data is encrypted. It's unlikely that the 3DS would accept arbitrary NFC data that isn't encrypted so the chances of exploiting a buffer overflow or something are pretty small. Unless of course someone gets their hands on the keys :)
 

jrebey

It would be sweet if they used the Dragon logo, but then it would be cheaply made. "How did you hack your 3DS? With this badass Dragon, right here." You could probably use your phone's NFC, so it would be pointless for them to sell one.


Not all phone NFC chipsets can be placed into tag mode, which is required for the 3DS to read it.
 

Apache Thunder

Amiibo encryption means nothing if you write to it using an exploited system. ;)

Altering Amiibos using a smartphone would be where the encryption would get in the way. But assuming you have enough control over the n3DS, you can write a payload to the Amiibo and just have the n3DS do the encryption for you instead of trying to crack the encryption. This isn't much different than using the 3DS to decrypt its own data, like generating xorpads and decrypting ROMs. Amiibos would not be immune to this.


Gateway can use pre-exploited systems to write to Amiibos and then sell those Amiibos as well as provide a way for n3DS users on 9.2 or older fw to write a payload to the Amiibo themselves so they can use it once they update. That's how this would work in theory anyway.
 
