Use modified NFC to execute arbitrary code?

Discussion in '3DS - Flashcards & Custom Firmwares' started by rvnx, Mar 26, 2015.

  1. rvnx
    OP

    rvnx Newbie

    Mar 26, 2015
    Gambia, The
    Hey guys!

    I've recently bought the N3DS. It was a tough choice, but I needed a handheld to keep me entertained on my way to work. (My phone just drains way too much.)

    Anyway, I've been using some flashcards on my old DSi, so I went looking around how the current state of the 3DS is in this compartment. It seems to have progressed quite a lot since I last saw something about using a flashcard on the 3DS about a year ago. Anyway, a friend of mine, we were playing SSMB, showed me one of those Amiibos. I found the concept pretty interesting and read up on them. They use NFC to read/write data from the Amiibo itself to trigger specific events in games, or even save data on them to be used on other hardware without loss of data.

    So I've been thinking. It's possible to modify/program custom NFC tags that can be used to, let's say, trigger the WiFi on your phone for example. And I was wondering if it was possible to -theoretically- execute your own code using a modified Amiibo (or an NFC-Tag with modified data on it) to bypass some stuff related to loading flashcards or CFW?
    It would obviously require some reverse engineering on what data the Amiibo tells the system, and what exactly it triggers, but it should be possible, right?

    What are your opinions on this matter?
     
  2. vingt-2

    vingt-2 GBAtemp Regular

    Jan 30, 2015
    Canada
    Like any I/O options a device can use, it will depend on the level of security and checks implemented by the application programmer when handling communications via NFC.
     
  3. Apache Thunder

    Apache Thunder I have cameras in your head!

    Oct 7, 2007
    United States
    Levelland, Texas
    lol. A gateway Amiibo...I wonder what such a monstrosity would look like. :P

    I wouldn't put it past them to make one if they find an exploit that uses NFC as the entry point. A perfect excuse for them to make more money. :P
     
  4. Maximilious

    Maximilious GBAtemp Addict

    Nov 21, 2014
    United States
    That would be interesting. You can manage your Amiibo from the Home Settings menu so it would be fairly easy to execute. GW or any other flashcart designer could sell an NFC chip with USB input for file transfer for any updates they may need. Cool concept... so rvnx, GET CRACKIN! :)
     
  5. NoSmokingBandit

    NoSmokingBandit GBAtemp Fan

    Jan 17, 2009
    United States
    There are buttons on the 3ds! If I push one I should be able to run arbitrary code, right? The secret has been in the buttons all along! Someone should make this happen. But not me because reasons.
     
  6. aenoch

    aenoch GBAtemp Advanced Fan

    Feb 23, 2015
    United States
    Ludington, Michigan
    It would be sweet if they used the Dragon logo, but then it would be cheaply made. "How did you hack your 3DS? With this bad ass Dragon. Right here." You could probably use your phone's NFC, so it would be pointless for them to sell.
     
  7. jrebey

    jrebey GBAtemp Regular

    Mar 12, 2015
    United States

    Well... technically it's possible to glitch a game using the buttons and load arbitrary code.

    As far as NFC goes, I'm pretty sure the NFC stack in the 3DS is meant solely for Amiibo. Amiibo data is encrypted. It's unlikely that the 3DS would accept arbitrary NFC data that isn't encrypted so the chances of exploiting a buffer overflow or something are pretty small. Unless of course someone gets their hands on the keys :)
     
  8. jrebey

    jrebey GBAtemp Regular

    Mar 12, 2015
    United States

    Not all phone NFC chipsets can be placed into tag mode which is required for the 3DS to read it.
     
  9. Apache Thunder

    Apache Thunder I have cameras in your head!

    Oct 7, 2007
    United States
    Levelland, Texas
    Amiibo encryption means nothing if you write to it using an exploited system. ;)

    Altering Amiibos using a smartphone would be where the encryption would get in the way. But assuming you have enough control over the n3DS, you can write a payload to the Amiibo and just have the n3DS do the encryption for you instead of trying to crack the encryption. This isn't much different than using the 3DS to decrypt its own data, like generating xorpads and decrypting ROMs. Amiibos would not be immune to this.


    Gateway can use pre-exploited systems to write to Amiibos and then sell those Amiibos as well as provide a way for n3DS users on 9.2 or older fw to write a payload to the Amiibo themselves so they can use it once they update. That's how this would work in theory anyway.
     
  10. aenoch

    aenoch GBAtemp Advanced Fan

    Feb 23, 2015
    United States
    Ludington, Michigan
    Oh. Shows you how much I know about it. I never use it. You can bet it's protected. I can see somebody trying to pirate Amiibos.
     
  11. thorasgar

    thorasgar Checkout my evil Soon-in-ator™

    Jul 3, 2010
    United States
    All Aboard the Gateway Amiibo Hype Train! Ready, Set, Wait™