Hacking Using Flipnote to hack?

Thread starter: RupeeClock

I don't really know all that much about hacking, maybe some concept theory but not technical knowledge, but here goes.

I got thinking, Flipnote is a free DSiWare program that loads in DSiMode from the NAND and can load PPM files through the SD slot. (PPM files are Flipnote Files)

Do you think that by hacking the PPM files, which happen to use name tags, a buffer overflow would be possible? (And since it's running DSi mode from NAND/SD, maybe be able to load a file?)

Just a thought, I mean I've seen the Twilight Hack work this way, and I've seen Brawl perform the same concept using a hacked stage creator file. (It's called SmashStack.)
 
It's possible but I think Nintendo would have been a little more careful about that.

Go on EFnet and go to #dsidev and pitch your idea there, though they've probably already thought about it.

(And yeah, I know what SmashStack is; I got to test it 'cause I know comex on the IRC.)
 
Liv2MsTrb8T said:
I was thinking that exact same, but every time the PPM file is edited it says File is Corrupted and the DSi deletes it.

Edited how? Seems like you can do just about anything to any file if you know your way around a hex editor.
 
Every PPM file is probably signed and encrypted with the DSi's unique key.

I do not have a DSi myself, but if you can't exchange PPM files between DSis, then it's like that.

If you can transfer PPM files between different DSis, then they're encrypted with the DSi's common key.

In every case we do not possess either of those keys, so "hacking" using a hex editor is totally useless.
 
raulpica said:
Every PPM file is probably signed and encrypted with the DSi's unique key.

I do not have a DSi myself, but if you can't exchange PPM files between DSis, then it's like that.

If you can transfer PPM files between different DSis, then they're encrypted with the DSi's common key.

In every case we do not possess either of those keys, so "hacking" using a hex editor is totally useless.

Flipnotes are completely sharable, you take the program online and download other people's PPM files.
You can save them to SD card as well, although I do not know if those files can be shared from SD card to SD card.
You can send flipnotes by local wireless too.

Did the Twilight Hack require use of the Wii's common key?
 
RupeeClock said:
raulpica said:
Every PPM file is probably signed and encrypted with the DSi's unique key.

I do not have a DSi myself, but if you can't exchange PPM files between DSis, then it's like that.

If you can transfer PPM files between different DSis, then they're encrypted with the DSi's common key.

In every case we do not possess either of those keys, so "hacking" using a hex editor is totally useless.

Flipnotes are completely sharable, you take the program online and download other people's PPM files.
You can save them to SD card as well, although I do not know if those files can be shared from SD card to SD card.
You can send flipnotes by local wireless too.

Did the Twilight Hack require use of the Wii's common key?

Probably since it used a save file and needed some way to make the Wii recognise it or maybe it bypassed it by coding a particular way. Most likely the former though.
 
RupeeClock said:
raulpica said:
Every PPM file is probably signed and encrypted with the DSi's unique key.

I do not have a DSi myself, but if you can't exchange PPM files between DSis, then it's like that.

If you can transfer PPM files between different DSis, then they're encrypted with the DSi's common key.

In every case we do not possess either of those keys, so "hacking" using a hex editor is totally useless.

Flipnotes are completely sharable, you take the program online and download other people's PPM files.
You can save them to SD card as well, although I do not know if those files can be shared from SD card to SD card.
You can send flipnotes by local wireless too.

Did the Twilight Hack require use of the Wii's common key?

Yep, Team Twiizers got it using the Twiizer attack, iirc.
 
RupeeClock said:
raulpica said:
Every PPM file is probably signed and encrypted with the DSi's unique key.

I do not have a DSi myself, but if you can't exchange PPM files between DSis, then it's like that.

If you can transfer PPM files between different DSis, then they're encrypted with the DSi's common key.

In every case we do not possess either of those keys, so "hacking" using a hex editor is totally useless.

Flipnotes are completely sharable, you take the program online and download other people's PPM files.
You can save them to SD card as well, although I do not know if those files can be shared from SD card to SD card.
You can send flipnotes by local wireless too.

Did the Twilight Hack require use of the Wii's common key?

Hmm, when they're downloaded from the internet/transferred by local wireless, the receiving DS may sign it, then save it to SD card. Someone with Flipnote upload a PPM, and someone else with Flipnote download it and copy it to their SD card. If it works, that means it's signed with the common key, meaning it could be used for an exploit, once the common key is found. If it doesn't work, it's signed with the individual DSi's keys, meaning that to be able to put a hacked PPM on your DSi and load it, you'd have to sign it with your DSi's keys, and if you have the keys, you can probably already run homebrew, so it'd be useless.

Basically, it'll only possibly be able to be made into a useful exploit if it's signed with the common key, i.e. you can download a PPM from someone else, stick it on your SD card and open it, without having downloaded it through the app. Even if it is possible to load a hacked one, that doesn't necessarily mean it'll be exploitable.
 
RupeeClock said:
Liv2MsTrb8T said:
I was thinking that exact same, but every time the PPM file is edited it says File is Corrupted and the DSi deletes it.

Edited how? Seems like you can do just about anything to any file if you know your way around a hex editor.

Well, when I edit any piece of it, it says Corrupted, and it's not like the photos, if you save it on a PC it's still readable.
& Why does the DSi read ahead by 6 seconds?
 
I'm not so sure it's encrypted that way and here is why:

1. In the header at the top of the file you can see null-terminated strings containing the creator's name.

2. The audio seems to be stored in a sort of raw/WAV format; if you're running Linux you can cat or dd the file to /dev/dsp, and after a bunch of beeping for the picture you can hear the audio from the flipnote (it's very staticky though).


My theory is that the garbage that always seems to be a fixed length at the end of the file is a checksum (or something like that).
 
Only stuff on the NAND and DSiWare saved to SD is encrypted with the DSi Common.key.
The last 144 bytes at the end of a flipnote change with each edit, so that must be a hash,
and no other parts are encrypted. I'm actually working on reverse engineering the PPM file format.
I have managed to extract both the preview image and most of the frames. Proof (my blog): Proof 1 and Proof 2
I'm now working on the sounds.
Documentation on the format: http://www.dsibrew.org/wiki/Flipnote_Files/PPM

@swiley: Could you please give me some more info on the sound? KTHXBAI!
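
The posts above disagree on whether the fixed-length data at the end of a PPM is a checksum, a hash, or a signature made with a console key. The sketch below is an added example, not code from the thread or from Flipnote: it keeps the 144-byte trailer length from the post but uses SHA-256 and HMAC-SHA256 as stand-ins (the real algorithm is not stated here), with a constructed body and key, and shows that a hex edit is rejected either way while only a keyless trailer can be recomputed by someone without the key.

```python
import hashlib
import hmac

TRAILER_LEN = 144  # trailer size reported in the thread; the real algorithm is not stated


def _trailer(body, key=None):
    """Constructed layout: 32-byte tag zero-padded to TRAILER_LEN.
    key=None -> plain SHA-256; with a key -> HMAC-SHA256 (stand-in for a signature)."""
    if key is None:
        tag = hashlib.sha256(body).digest()
    else:
        tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + b"\x00" * (TRAILER_LEN - len(tag))


def seal(body, key=None):
    """Writer side: append the integrity trailer to the body."""
    return body + _trailer(body, key)


def verify(blob, key=None):
    """Loader side: recompute the trailer over the body and compare."""
    if len(blob) <= TRAILER_LEN:
        return False  # too short to hold a body plus trailer
    body, trailer = blob[:-TRAILER_LEN], blob[-TRAILER_LEN:]
    return hmac.compare_digest(trailer, _trailer(body, key))


def edit_byte(blob, offset):
    """Simulate a hex-editor change to one body byte, trailer left as saved."""
    out = bytearray(blob)
    out[offset] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    body = b"DEMO" + b"author\x00" + bytes(64)  # constructed stand-in, not a real PPM
    key = b"constructed-demo-key"               # hypothetical device/common key
    plain, keyed = seal(body), seal(body, key)
    print("untouched:", verify(plain), verify(keyed, key))
    print("hex edit :", verify(edit_byte(plain, 5)), verify(edit_byte(keyed, 5), key))
    # Recomputing the trailer after the edit only passes when no key is needed.
    edited = edit_byte(body, 5)
    print("re-sealed:", verify(seal(edited)), verify(seal(edited), key))
```

For a file format that must resist tampering, the design point is the last line: a bare hash detects accidental corruption only, while a keyed tag or signature also binds the file to whoever holds the key.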
 
I'm guessing swiley is long gone, considering they have posted to these forums only once, and this post was September 25 of 2009.

Though it's interesting information, it's generally poor etiquette to rouse dead threads.
Sometimes it's better to start a fresh one with just a link to the dead one.
 
