Using Flipnote to hack?

Discussion in 'NDS - Flashcarts and Accessories' started by RupeeClock, Sep 4, 2009.


Using Flipnote to hack? by RupeeClock at 12:50 AM (5,765 Views / 0 Likes) 18 replies

  1. RupeeClock
    OP

    Member RupeeClock Colors 3D Snivy!

    Joined:
    May 15, 2008
    Messages:
    6,307
    Country:
    United Kingdom
    I don't really know all that much about hacking, maybe some concept theory but not technical knowledge, but here goes.

    I got thinking, Flipnote is a free DSiWare program that loads in DSiMode from the NAND and can load PPM files through the SD slot. (PPM files are Flipnote Files)

    Do you think that by hacking the PPM files, which happen to use name tags, a buffer overflow would be possible? (And since it's running DSi mode from NAND/SD, maybe be able to load a file?)

    Just a thought, I mean I've seen the Twilight Hack work this way, and I've seen Brawl perform the same concept using a hacked stage creator file. (It's called SmashStack.)
     
  2. DeltaBurnt

    Member DeltaBurnt I'm bored

    Joined:
    Feb 21, 2009
    Messages:
    3,353
    Location:
    Where intellect matters
    Country:
    United States
    It's possible but I think Nintendo would have been a little more careful about that.

    Go on EFnet and go to #dsidev, pitch your idea there, though they've probably already thought about it.

    (And yeah, I know what SmashStack is; I got to test it because I know comex on the IRC.)
     
  3. anaxs

    Member anaxs got milk, got candy

    Joined:
    Mar 23, 2009
    Messages:
    2,208
    Location:
    your moms jeans pocket
    Country:
    Canada
    That is something to consider, nice thinking.
    Would be cool if that's how the DSi's hacking first starts.
     
  4. DeltaBurnt

    Member DeltaBurnt I'm bored

    Joined:
    Feb 21, 2009
    Messages:
    3,353
    Location:
    Where intellect matters
    Country:
    United States
    It's actually already technically started with the DSi enhanced game exploit that has been released.
     
  5. Liv2MsTrb8T

    Newcomer Liv2MsTrb8T Member

    Joined:
    Aug 18, 2009
    Messages:
    39
    Location:
    Columbus Ohio
    Country:
    United States
    I was thinking the exact same, but every time the PPM file is edited it says the file is corrupted and the DSi deletes it.
     
  6. RupeeClock
    OP

    Member RupeeClock Colors 3D Snivy!

    Joined:
    May 15, 2008
    Messages:
    6,307
    Country:
    United Kingdom
    Edited how? Seems like you can do just about anything to any file if you know your way around a hex editor.
     
  7. raulpica

    Supervisor raulpica With your drill, thrust to the sky!

    Joined:
    Oct 23, 2007
    Messages:
    10,657
    Location:
    _____________ PowerLevel: 9001
    Country:
    Italy
    Every PPM file is probably signed and encrypted with the DSi's unique key.

    I do not have a DSi myself, but if you can't exchange PPM files between DSis, then it's like that.

    If you can transfer PPM files between different DSis, then they're encrypted with the DSi's common key.

    In every case we do not possess either of those keys, so "hacking" using a hex editor is totally useless.
     
  8. RupeeClock
    OP

    Member RupeeClock Colors 3D Snivy!

    Joined:
    May 15, 2008
    Messages:
    6,307
    Country:
    United Kingdom
    Flipnotes are completely sharable; you take the program online and download other people's PPM files.
    You can save them to SD card as well, although I do not know if those files can be shared from SD card to SD card.
    You can send flipnotes by local wireless too.

    Did the Twilight Hack require use of the Wii's common key?
     
  9. Jamstruth

    Member Jamstruth Secondary Feline Anthropomorph

    Joined:
    Apr 23, 2009
    Messages:
    3,456
    Location:
    North East Scotland
    Country:
    United Kingdom
    Probably, since it used a save file and needed some way to make the Wii recognise it, or maybe it bypassed it by coding a particular way. Most likely the former, though.
     
  10. raulpica

    Supervisor raulpica With your drill, thrust to the sky!

    Joined:
    Oct 23, 2007
    Messages:
    10,657
    Location:
    _____________ PowerLevel: 9001
    Country:
    Italy
    Yep, Team Twiizers got it using the Twiizer attack, IIRC.
     
  11. Overlord Nadrian

    Banned Overlord Nadrian Banned

    Joined:
    Jul 28, 2008
    Messages:
    6,671
    Location:
    Riviera
    Country:
    Belgium
    I think someone's working on this, but I'm not sure...
     
  12. SifJar

    Member SifJar Not a pirate

    Joined:
    Apr 4, 2009
    Messages:
    6,022
    Country:
    United Kingdom
    Hmm, when they're downloaded from the internet/transferred by local wireless, the receiving DS may sign it, then save it to SD card. Someone with Flipnote uploads a PPM, and someone else with Flipnote downloads it and copies it to their SD card. If it works, that means it's signed with the common key, meaning it could be used for an exploit, once the common key is found. If it doesn't work, it's signed with the individual DSi's keys, meaning that to be able to put a hacked PPM on your DSi and load it, you'd have to sign it with your DSi's keys, and if you have the keys, you can probably already run homebrew, so it'd be useless. Basically, it'll only possibly be able to be made into a useful exploit if it's signed with the common key, i.e. you can download a PPM from someone else, stick it on your SD card and open it, without having downloaded it through the app. Even if it is possible to load a hacked one, that doesn't necessarily mean it'll be exploitable.
     
  13. Tokiopop

    Member Tokiopop Caffeine fiend

    Joined:
    Apr 14, 2009
    Messages:
    1,833
    Location:
    UK
    Country:
    United Kingdom
  14. Liv2MsTrb8T

    Newcomer Liv2MsTrb8T Member

    Joined:
    Aug 18, 2009
    Messages:
    39
    Location:
    Columbus Ohio
    Country:
    United States
    Well, when I edit any piece of it, it says corrupted, and it's not like the photos, which are still readable if you save them on a PC. And why does the DSi read ahead by 6 seconds?
     
  15. DeltaBurnt

    Member DeltaBurnt I'm bored

    Joined:
    Feb 21, 2009
    Messages:
    3,353
    Location:
    Where intellect matters
    Country:
    United States
  16. swiley

    Newcomer swiley Newbie

    Joined:
    Sep 26, 2009
    Messages:
    1
    Country:
    United States
    I'm not so sure it's encrypted that way, and here is why:

    1. In the header at the top of the file you can see null-terminated strings containing the creator's name.

    2. The audio seems to be stored in a sort of raw/WAV format. If you're running Linux you can cat or dd the file to /dev/dsp; after a bunch of beeping for the picture you can hear the audio from the flipnote (it's very staticky, though).

    My theory is that the garbage that always seems to be a fixed length at the end of the file is a checksum (or something like that).
     
  17. pbsds

    Newcomer pbsds Member

    Joined:
    Sep 16, 2009
    Messages:
    45
    Location:
    Røros
    Country:
    Norway
    Only stuff on the NAND and DSiWare saved to SD is encrypted with the DSi Common.key.
    The last 144 bytes at the end of a flipnote change with each edit, so that must be a hash,
    and no other part is encrypted. I'm actually working on reverse engineering the PPM file format.
    I have managed to extract both the preview image and most of the frames. Proof (my blog): Proof 1 and Proof 2
    I'm now working on the sounds.
    Documentation on the format: http://www.dsibrew.org/wiki/Flipnote_Files/PPM

    @swiley: Could you please give me some more info on the sound? KTHXBAI!
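A toy model of what swiley and pbsds describe above (null-terminated name strings in the header, an unencrypted body, and a fixed-length 144-byte trailer that changes whenever the file is edited), added here as an example that is not from this thread, from Flipnote, or from any PPM tool. The layout, the magic value, the key and the choice of HMAC-SHA256 for the trailer are constructed assumptions, not the real PPM format; the point is to show why a trailer that is a keyed integrity tag makes any hex-edited file fail verification ("file is corrupted"), while a trailer that is a plain unkeyed checksum only catches accidental damage.

```python
import hashlib
import hmac

# Constructed toy layout (an assumption for illustration, NOT the real PPM format):
#   magic (4 bytes) | creator name + NUL | editor name + NUL | body (frame/audio bytes)
#   | 144-byte trailer: HMAC-SHA256 tag over everything before it, zero-padded to 144 bytes
MAGIC = b"TOYF"
TRAILER_LEN = 144


def build_file(creator: str, editor: str, body: bytes, key: bytes) -> bytes:
    """Write a toy file: header, body, then the keyed trailer computed over header+body."""
    header = MAGIC + creator.encode("utf-8") + b"\x00" + editor.encode("utf-8") + b"\x00"
    payload = header + body
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + tag.ljust(TRAILER_LEN, b"\x00")


def parse_header(data: bytes):
    """Return (creator, editor, body_offset) by reading the two NUL-terminated strings."""
    if not data.startswith(MAGIC):
        raise ValueError("bad magic")
    pos = len(MAGIC)
    names = []
    for _ in range(2):
        end = data.index(b"\x00", pos)
        names.append(data[pos:end].decode("utf-8"))
        pos = end + 1
    return names[0], names[1], pos


def verify_keyed(data: bytes, key: bytes) -> bool:
    """Keyed check: only a holder of `key` can produce a trailer that matches an edited payload."""
    if len(data) <= TRAILER_LEN:
        return False
    payload, trailer = data[:-TRAILER_LEN], data[-TRAILER_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest().ljust(TRAILER_LEN, b"\x00")
    return hmac.compare_digest(trailer, expected)


def build_file_unkeyed(creator: str, editor: str, body: bytes) -> bytes:
    """Same layout, but the trailer is a plain SHA-256 checksum (no key) for comparison."""
    header = MAGIC + creator.encode("utf-8") + b"\x00" + editor.encode("utf-8") + b"\x00"
    payload = header + body
    return payload + hashlib.sha256(payload).digest().ljust(TRAILER_LEN, b"\x00")


def verify_unkeyed(data: bytes) -> bool:
    """Unkeyed check: detects corruption, but anyone who edits the payload can recompute it."""
    if len(data) <= TRAILER_LEN:
        return False
    payload, trailer = data[:-TRAILER_LEN], data[-TRAILER_LEN:]
    return hmac.compare_digest(trailer, hashlib.sha256(payload).digest().ljust(TRAILER_LEN, b"\x00"))


def flip_byte(data: bytes, offset: int, value: int) -> bytes:
    """Simulate a hex-editor change of one byte (what Liv2MsTrb8T describes doing)."""
    buf = bytearray(data)
    buf[offset] = value
    return bytes(buf)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; stands in for whatever key the device would hold
    original = build_file("alice", "bob", b"frames", key)
    creator, editor, body_off = parse_header(original)
    print("header names:", creator, editor, "body at offset", body_off)
    print("original verifies:", verify_keyed(original, key))
    edited = flip_byte(original, body_off, ord("A"))
    print("hex-edited copy verifies:", verify_keyed(edited, key))
    # pbsds's observation: the trailer differs after every (legitimate) edit and re-save
    resaved = build_file("alice", "bob", b"framez", key)
    print("trailer changed after edit+save:", resaved[-TRAILER_LEN:] != original[-TRAILER_LEN:])
```

Running it shows the three behaviours the thread reports or hypothesises: the names are readable in the clear, a one-byte edit makes the keyed check fail, and a legitimate re-save produces a different trailer. The unkeyed variant is there to make SifJar's point concrete: whether a trailer is a security boundary depends on what key produced it, not on the fact that it is a hash.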
     
  18. exangel

    Member exangel executioner angel

    Joined:
    Apr 20, 2010
    Messages:
    1,574
    Location:
    Tucson, AZ
    Country:
    United States
    I'm guessing swiley is long gone, considering they have posted to these forums only once, and this post was September 25 of 2009.

    Though it's interesting information, it's generally poor etiquette to rouse dead threads.
    Sometimes it's better to start a fresh one with just a link to the dead one.
     
  19. pbsds

    Newcomer pbsds Member

    Joined:
    Sep 16, 2009
    Messages:
    45
    Location:
    Røros
    Country:
    Norway
