Using Flipnote to hack?

Discussion in 'NDS - Flashcarts and Accessories' started by RupeeClock, Sep 4, 2009.

  1. RupeeClock
    OP

    RupeeClock Colors 3D Snivy!

    Member
    6,377
    853
    May 15, 2008
    I don't really know all that much about hacking, maybe some concept theory but not technical knowledge, but here goes.

    I got thinking, Flipnote is a free DSiWare program that loads in DSiMode from the NAND and can load PPM files through the SD slot. (PPM files are Flipnote Files)

    Do you think that by hacking the PPM files, which happen to use name tags, a buffer overflow would be possible? (And since it's running DSi mode from NAND/SD, maybe be able to load a file?)

    Just a thought, I mean I've seen the Twilight Hack work this way, and I've seen Brawl perform the same concept using a hacked stage creator file. (It's called SmashStack.)
     
  2. DeltaBurnt

    DeltaBurnt I'm bored

    Member
    3,353
    2
    Feb 21, 2009
    United States
    Where intellect matters
    It's possible but I think Nintendo would have been a little more careful about that.

Go on EFnet and go to #dsidev and pitch your idea there, though they've probably already thought about it.

(And yeah, I know what SmashStack is; I got to test it because I know comex on the IRC.)
     
  3. anaxs

    anaxs got milk, got candy

    Member
    2,208
    1
    Mar 23, 2009
    Canada
    your moms jeans pocket
That is something to consider, nice thinking.
Would be cool if that's how the DSi's hacking first starts.
     
  4. DeltaBurnt

    DeltaBurnt I'm bored

    Member
    3,353
    2
    Feb 21, 2009
    United States
    Where intellect matters
    It's actually already technically started with the DSi enhanced game exploit that has been released.
     
  5. Liv2MsTrb8T

    Liv2MsTrb8T Member

    Newcomer
    39
    0
    Aug 18, 2009
    United States
    Columbus Ohio
I was thinking that exact same thing, but every time the PPM file is edited it says "File is Corrupted" and the DSi deletes it.
     
  6. RupeeClock
    OP

    RupeeClock Colors 3D Snivy!

    Member
    6,377
    853
    May 15, 2008
    Edited how? Seems like you can do just about anything to any file if you know your way around a hex editor.
     
  7. raulpica

    raulpica With your drill, thrust to the sky!

    Supervisor
    11,008
    7,246
    Oct 23, 2007
    Italy
    PowerLevel: 9001
    Every PPM file is probably signed and encrypted with the DSi's unique key.

    I do not have a DSi myself, but if you can't exchange PPM files between DSis, then it's like that.

    If you can transfer PPM files between different DSis, then they're encrypted with the DSi's common key.

    In every case we do not possess either of those keys, so "hacking" using a hex editor is totally useless.
     
  8. RupeeClock
    OP

    RupeeClock Colors 3D Snivy!

    Member
    6,377
    853
    May 15, 2008
Flipnotes are completely sharable; you take the program online and download other people's PPM files.
You can save them to the SD card as well, although I do not know if those files can be shared from SD card to SD card.
    You can send flipnotes by local wireless too.

    Did the Twilight Hack require use of the Wii's common key?
     
  9. Jamstruth

    Jamstruth Secondary Feline Anthropomorph

    Member
    3,456
    183
    Apr 23, 2009
    North East Scotland
    Probably since it used a save file and needed some way to make the Wii recognise it or maybe it bypassed it by coding a particular way. Most likely the former though.
     
  10. raulpica

    raulpica With your drill, thrust to the sky!

    Supervisor
    11,008
    7,246
    Oct 23, 2007
    Italy
    PowerLevel: 9001
    Yep, Team Twiizers got it using the Twiizer attack, iirc.
     
  11. Overlord Nadrian

    Overlord Nadrian Banned

    Banned
    6,671
    10
    Jul 28, 2008
    Belgium
    Riviera
    I think someone's working on this, but I'm not sure...
     
  12. SifJar

    SifJar Not a pirate

    Member
    6,022
    891
    Apr 4, 2009
Hmm, when they're downloaded from the internet/transferred by local wireless, the receiving DS may sign it, then save it to the SD card. Someone with Flipnote uploads a PPM, and someone else with Flipnote downloads it and copies it to their SD card. If it works, that means it's signed with the common key, meaning it could be used for an exploit, once the common key is found. If it doesn't work, it's signed with the individual DSi's keys, meaning that to be able to put a hacked PPM on your DSi and load it, you'd have to sign it with your DSi's keys, and if you have the keys, you can probably already run homebrew, so it'd be useless. Basically, it'll only possibly be able to be made into a useful exploit if it's signed with the common key, i.e. you can download a PPM from someone else, stick it on your SD card and open it, without having downloaded it through the app. Even if it is possible to load a hacked one, that doesn't necessarily mean it'll be exploitable.
     
  13. Tokiopop

    Tokiopop Caffeine fiend

    Member
    1,833
    169
    Apr 14, 2009
    UK
  14. Liv2MsTrb8T

    Liv2MsTrb8T Member

    Newcomer
    39
    0
    Aug 18, 2009
    United States
    Columbus Ohio
Well, when I edit any piece of it, it says "Corrupted", and it's not like the photos: if you save it on a PC it's still readable. And why does the DSi read ahead by 6 seconds?
     
  15. DeltaBurnt

    DeltaBurnt I'm bored

    Member
    3,353
    2
    Feb 21, 2009
    United States
    Where intellect matters
  16. swiley

    swiley Newbie

    Newcomer
    1
    0
    Sep 26, 2009
    United States
I'm not so sure it's encrypted that way, and here is why:

1. In the header at the top of the file you can see null-terminated strings containing the creator's name.

2. The audio seems to be stored in a sort of raw/wav format. If you're running Linux you can cat or dd the file to /dev/dsp; after a bunch of beeping for the picture you can hear the audio from the flipnote (it's very staticky though).

My theory is that the garbage that always seems to be a fixed length at the end of the file is a checksum (or something like that).
     
  17. pbsds

    pbsds Member

    Newcomer
    46
    22
    Sep 16, 2009
    Norway
    Røros
Only stuff on the NAND and DSiWare saved to SD is encrypted with the DSi Common.key.
The last 144 bytes at the end of a flipnote change with each edit, so that must be a hash,
and no other parts are encrypted. I'm actually working on reverse engineering the PPM file format.
I have managed to extract both the preview image and most of the frames. Proof (my blog): Proof 1 and Proof 2
I'm now working on the sounds.
Documentation on the format: http://www.dsibrew.org/wiki/Flipnote_Files/PPM

@swiley: Could you please give me some more info on the sound? KTHXBAI!
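The two observations in this thread (a fixed-width, null-terminated creator name in the header, and a fixed-length block at the end of the file that changes with every edit) are enough to model why a hex-edited flipnote is rejected as "corrupted" and why a name field alone does not give you a buffer overflow if the reader bounds its reads. The example below is added here and is not code from this thread or from the PPM documentation; its container layout is hypothetical (magic, size field, 22-byte name, payload, 144-byte trailer), and a keyed HMAC-SHA1 stands in for whatever signature or hash the real file carries, so the constant offsets and the key are constructed for the demo only.

```python
import hashlib
import hmac
import struct

# Hypothetical container layout (constructed for this example; NOT the real
# PPM layout documented on dsibrew). It models only the two properties the
# thread observed: a fixed-width NUL-terminated name in the header and a
# fixed-length 144-byte authentication block at the end of the file.
MAGIC = b"NOTE"           # hypothetical magic
NAME_LEN = 22             # hypothetical fixed width of the name field
HEADER_LEN = len(MAGIC) + 4 + NAME_LEN
TRAILER_LEN = 144         # length of the trailing block observed in the thread
TAG_LEN = hashlib.sha1().digest_size
# Constructed demo key; stands in for whatever key the device actually uses.
SECRET_KEY = b"constructed-demo-key-not-a-real-console-key"


def build_file(name: bytes, payload: bytes) -> bytes:
    """Assemble header + payload, then append the keyed tag padded to TRAILER_LEN."""
    if len(name) >= NAME_LEN:
        raise ValueError("name must leave room for the NUL terminator")
    header = MAGIC + struct.pack("<I", len(payload)) + name.ljust(NAME_LEN, b"\x00")
    body = header + payload
    tag = hmac.new(SECRET_KEY, body, hashlib.sha1).digest()
    return body + tag.ljust(TRAILER_LEN, b"\x00")


def read_name(data: bytes) -> bytes:
    """Bounded read of the name field: never scans past NAME_LEN bytes,
    even when a crafted file omits the NUL terminator."""
    start = len(MAGIC) + 4
    field = data[start:start + NAME_LEN]
    if len(field) != NAME_LEN:
        raise ValueError("truncated header")
    nul = field.find(b"\x00")
    return field if nul < 0 else field[:nul]


def verify(data: bytes) -> bool:
    """Recompute the tag over everything before the trailer and compare it.
    Any single-byte edit to header or payload changes the tag, which is the
    behaviour the thread reports as 'File is Corrupted'."""
    if len(data) < HEADER_LEN + TRAILER_LEN or data[:len(MAGIC)] != MAGIC:
        return False
    body, trailer = data[:-TRAILER_LEN], data[-TRAILER_LEN:]
    (declared_len,) = struct.unpack("<I", body[len(MAGIC):len(MAGIC) + 4])
    if declared_len != len(body) - HEADER_LEN:
        return False
    expected = hmac.new(SECRET_KEY, body, hashlib.sha1).digest()
    padding_ok = trailer[TAG_LEN:] == b"\x00" * (TRAILER_LEN - TAG_LEN)
    return hmac.compare_digest(trailer[:TAG_LEN], expected) and padding_ok


def edit_byte(data: bytes, offset: int, value: int) -> bytes:
    """Simulate a hex-editor change of one byte."""
    buf = bytearray(data)
    buf[offset] = value
    return bytes(buf)


def demo() -> dict:
    payload = b"\x00\x01\x02" * 50          # constructed stand-in for frame data
    original = build_file(b"demo_author", payload)
    # Flip the first byte of the name field, as a hex edit would.
    edited = edit_byte(original, len(MAGIC) + 4, ord("X"))
    # Rebuilding with the key produces a fresh, valid trailer (what the device
    # itself does on every save, which is why the last bytes change each edit).
    resigned = build_file(b"Xemo_author", payload)
    return {
        "name": read_name(original),
        "original_ok": verify(original),
        "edited_ok": verify(edited),
        "resigned_ok": verify(resigned),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Without the key, the only way to make `verify` accept an edited file is to leave the authenticated bytes untouched, which is the point raulpica and SifJar make: whether a crafted file is even loadable depends on who holds the signing key, and a reader that slices the name field to its fixed width (as `read_name` does) gives a malformed name tag nothing to overflow.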
     
  18. exangel

    exangel executioner angel

    Member
    1,574
    267
    Apr 20, 2010
    United States
    Tucson, AZ
I'm guessing swiley is long gone, considering they have posted to these forums only once, and this post was September 25 of 2009.

Though it's interesting information, it's generally poor etiquette to rouse dead threads.
Sometimes it's better to start a fresh one with just a link to the dead one.
     
  19. pbsds

    pbsds Member

    Newcomer
    46
    22
    Sep 16, 2009
    Norway
    Røros
    Okay