What is the NDS vulnerability finding and exploit development setup?

kNNplus

Hi guys,

I have experience in vulnerability finding and exploit development, but I do not know how I can do it on my NDSi. I have read this amazing writeup: cturt.github.io/DS-exploit-finding.html , and also this: shonumi.github.io/articles/art3.html (to understand better how the NDS works).

The problem is I do not know what I need to debug some NDS apps. For example, Ugopwn exploits Flipnote, but how could I debug this app? Is it available to download as a ROM and run in an emulator? I need to debug it in order to see what the offsets for the exploit are.

So, what I want is to know whether there is any tutorial or something that explains what I need to debug "specific" apps whose ROM is not available to run in an emulator.
Also, is there any writeup about ugopwn? I would like to understand the bug better :)

Thank you!
And sorry if this post is not in the correct section... :S
 

myanpezi

Not sure if they're serious, but they told me this: IDA Pro. DSiWare can be run on emulators, so there are dumps/ROMs of it. And there's also the no$gba debugger. You may have luck with a USA DSi NAND with Flipnote and the ugopwn files in it and see how it works.
 

kNNplus

Thank you for your reply!

Well, IDA is just a disassembler, but I think I need more tools to find vulnerabilities and develop exploits (like a debugger). I cannot pay for IDA, but I use radare2, so no problem :D.
I have read that apps/games from DSiWare can be run in no$gba. I also read that I need to decrypt them using a tool called "SRL Extractor". Is that correct? Does it still work, or does it not work any more? Is there any way to get/download the ROMs already decrypted? (just to save some time).

About the ugopwn and the USA NDSi... What is the problem with this exploit? I mean, why do I need a USA DSi?
Is the vulnerability not present in other versions of Flipnote?
Is the exploit not compatible with other versions (maybe the offsets are different)? I could try to adapt it.
Or maybe the problem is that the downgrade tool only works on a USA DSi? If that is the problem, it is not a problem for me; I do not want to downgrade my DSi, I just want to do vulnerability research and exploit development.

As I said, I only want to understand some basic stuff about the DSi and know what tools I need. Then I will look for vulnerabilities, and probably I will be able to help and share knowledge with the community.
 

smf

About the ugopwn and the USA NDSi... What is the problem with this exploit? I mean, why do I need a USA DSi?
Is the vulnerability not present in other versions of Flipnote?
Is the exploit not compatible with other versions (maybe the offsets are different)? I could try to adapt it.

I believe the offsets are different.
 

myanpezi

The downgrade tools (fwtool/fwtool with safety checks, twlnf, etc.) work on any DSi. You'd only need DSi SRL Extractor if you have SD exports of the DSiWare (you could literally find a huge dump of DSiWare backups; I cannot mention where, BUT it's quite easy to find). And yes, the exploit offsets/addresses are different in other regions, from what I heard. Lastly, about the debugger thing, there's a no$gba debugger version.

NO$GBA Debug version:
http://problemkaputt.de/gba.htm
 

kNNplus

Thank you for your reply! :)

I just realized I need the BIOS files to run the emulator/debugger with DSiWare games. I have found this: reddit[.]com/r/emulation/comments/6h4oa9/how_to_use_nogbas_dsi_emulation_features/ , but I have no knowledge about hardware to do that. So, if there is no other way to obtain them, I cannot do anything. I know there are some BIOS files on the internet, but the files I have found are USA, not Europe, so I cannot try the European version of Flipnote and other games/apps.

Please, tell me if there is any way to dump the BIOS7 and BIOS9 from my DSi, or if there is any EUR BIOS to download. If not, I will have to give up, at least for now. :(
 

myanpezi

You do not need the BIOS files as far as I'm aware (if you get the ones from the internet). You only need to have an EU NAND dump and such. I think you could ask some people who have NAND dumps of their EU DSi (they can edit some private things out of the NAND if they're really concerned about their privacy).
 

myanpezi

Seems like radare2 also supports NDS format files, so it seems you're in luck in case you want to dig a bit deeper.
 

kNNplus

Thank you very much for your replies.

Do you know if I can dump the NAND via software only? Do you have any link or something to see what I need and how I should do it? I have a flashcard (TTDSi), so I should be able to run the tools needed to dump it.

Yes, radare2 has NDS support. But in order to find bugs and develop the exploit I need to debug them. It is possible to do it without a debugger, but it requires more time trying offsets, etc. And of course, I am not going to try ugopwn without a debugger; I am not going to develop an exploit completely blind, trying offsets and repeating the "122 copy/paste" step.

Most probably I will try to find bugs in other apps/games and then I will try to develop the exploit blindly.

As I said, thank you very much for all your replies; it seems it is difficult to get replies.. :(
So, any help is highly appreciated :)
 

myanpezi

To dump a NAND you either need a dsiwarehax entry point or a hardmod. Those are the only options, really. The software route is much safer, but hard modding is alright as well (although you'd need a few things and some SD card reader that can read it).

Also, if you go the software route, dump the NAND using fwtool (AFAIK twlnf is a NAND manager).
 

kNNplus

I just used this guide to downgrade my DSi to 1.4, and part of that was dumping the NAND. Was able to do it with software only, but it required Flipnote. [LINK]

mmmm... I think I will try fwtool with my flashcard, I think it should work..

I am also trying to understand the PPM file structure. I have seen that it uses a signature, and if it is not correct Flipnote does not open the file. Do you know if the key used to sign it is public? Or maybe someone can send it to me..?
 

thom_tl

FWTool does not work on your flashcard (DSTT) because that flashcard boots into DS mode, which means you can't access the NAND or SD or any DSi-specific things. It is not possible to get out of DS mode because the read-only SCFG register on the ARM7 processor (the security processor) is locked to DS mode and can only be reset via a shutdown or hard reset. Like @myanpezi said, you will need an exploitable DSiWare like Flipnote Studio.
 

myanpezi

Seems like the signature of a PPM is a Flipnote Studio ID in reverse bytes?
 

kNNplus

FWTool does not work on your flashcard (DSTT) because that flashcard boots into DS mode, which means you can't access the NAND or SD or any DSi-specific things. It is not possible to get out of DS mode because the read-only SCFG register on the ARM7 processor (the security processor) is locked to DS mode and can only be reset via a shutdown or hard reset. Like @myanpezi said, you will need an exploitable DSiWare like Flipnote Studio.

:( I thought I could use the flashcard. Definitely I will not be able to debug the EUR Flipnote.

Seems like the signature of a PPM is a Flipnote Studio ID in reverse bytes?

Here: dsibrew.org/wiki/Flipnote_Files/PPM it says "The last 0x10 bytes in a PPM are all-zero. The 0x80 bytes before that is an RSA-1024 SHA-1 signature over the whole PPM, excluding the last 0x90 bytes with the signature."...
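The PPM trailer layout quoted from dsibrew in the post above, carried into working code as an added example (this is not code from the thread, from Flipnote or from dsibrew): it splits a file into the signed body, the 0x80-byte signature and the 0x10 zero bytes, recomputes SHA-1 over the body and checks the RSA signature against a public key. Two things are assumptions, because the page does not state them: that the signature uses PKCS#1 v1.5 padding with a SHA-1 DigestInfo, and the key itself, which here is a throwaway RSA-1024 pair generated inside the script because the real Flipnote key is not on this page. With only a public key the script can verify a PPM; producing a file that Flipnote accepts would need the matching private key, which is exactly the key being asked about in the thread.

```python
"""PPM trailer check, per the dsibrew layout: [body][0x80 RSA-1024 sig][0x10 zero bytes].
Added example. ASSUMED (not stated on the page): PKCS#1 v1.5 padding over SHA-1, and a
toy RSA key generated below in place of the real Flipnote key."""
import hashlib
import random

SIG_LEN = 0x80                    # RSA-1024 signature
PAD_LEN = 0x10                    # trailing all-zero bytes
TRAILER_LEN = SIG_LEN + PAD_LEN   # 0x90 bytes excluded from the signed region
# DER DigestInfo prefix for SHA-1 (RFC 8017, section 9.2, note 1)
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def split_ppm(data: bytes):
    """Return (signed_body, signature, zero_pad); ValueError if the tail is malformed."""
    if len(data) <= TRAILER_LEN:
        raise ValueError("too short to carry a PPM trailer")
    body, sig, pad = data[:-TRAILER_LEN], data[-TRAILER_LEN:-PAD_LEN], data[-PAD_LEN:]
    if pad != bytes(PAD_LEN):
        raise ValueError("last 0x10 bytes are not all zero")
    return body, sig, pad


def _emsa_pkcs1_v15(body: bytes, k: int = SIG_LEN) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-1(body) into k bytes (assumed scheme)."""
    t = SHA1_DIGESTINFO + hashlib.sha1(body).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def verify_ppm(data: bytes, n: int, e: int) -> bool:
    """True iff the trailer is well formed and the signature verifies under (n, e)."""
    try:
        body, sig, _ = split_ppm(data)
    except ValueError:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(SIG_LEN, "big")
    return em == _emsa_pkcs1_v15(body)


def sign_ppm(body: bytes, n: int, d: int) -> bytes:
    """Append signature and zero pad to body, yielding a PPM-shaped file."""
    em = int.from_bytes(_emsa_pkcs1_v15(body), "big")
    return body + pow(em, d, n).to_bytes(SIG_LEN, "big") + bytes(PAD_LEN)


# Toy RSA-1024 keypair so the example runs offline. This is NOT the Flipnote key.
def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with random bases."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # full width, odd
        if _is_probable_prime(cand):
            return cand


def toy_keypair(e: int = 65537):
    """Return (n, e, d) with a 1024-bit modulus."""
    while True:
        p, q = _random_prime(512), _random_prime(512)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)


def demo():
    """Sign a constructed body; then flip one body byte, then dirty the pad; return the 3 verdicts."""
    n, e, d = toy_keypair()
    body = b"constructed stand-in for a PPM body, not a real Flipnote header " * 8
    good = sign_ppm(body, n, d)
    tampered = bytearray(good)
    tampered[10] ^= 0x01                 # one bit in the signed region
    bad_pad = good[:-1] + b"\x01"        # non-zero byte in the final 0x10
    return verify_ppm(good, n, e), verify_ppm(bytes(tampered), n, e), verify_ppm(bad_pad, n, e)


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Running it signs a constructed body with the toy key, then shows that a single flipped bit in the signed region, or a non-zero byte in the final 0x10 pad, makes verification fail. Swapping in the real public modulus would let you check a genuine PPM's trailer and confirm which bytes the signature covers; it would not let you sign one.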
 

myanpezi

:( I thought I could use the flashcard. Definitely I will not be able to debug the EUR Flipnote.

Here: dsibrew.org/wiki/Flipnote_Files/PPM it says "The last 0x10 bytes in a PPM are all-zero. The 0x80 bytes before that is an RSA-1024 SHA-1 signature over the whole PPM, excluding the last 0x90 bytes with the signature."...

oh
 

Deleted-369620

No$gba also has documentation on flipnote files and I think they also mention the private key.
 

kNNplus

No$gba also has documentation on flipnote files and I think they also mention the private key.

Do you have a link to this?

Anyway, I have given up. I wanted to do security research (find vulnerabilities and develop exploits), but preparing the setup is time consuming, and it is not my goal. Also, the debugger (no$gba) only works on Windows, and I am not a Windows user. The community I see in the DSi scene is not good. None of the exploit developers has replied to this thread, no one shares info about the vulnerabilities/exploits. With this kind of community no one wants to start; there is no info to start the research, and if you want to start you have to start from the beginning. It is frustrating and it is not my goal. Also, it makes people work alone and not share their work.

Maybe if someone provides the BIOS/NAND files to use the debugger with Flipnote installed (EUR or USA version, it does not matter, I prefer EUR, but for the research any of them is ok) I will use it to start with the research.
 

thom_tl

Google is your friend. BIOS and NANDs are on there somewhere.
 

myanpezi

The BIOS is already included if you downloaded the "no$gba with DSi emulation" that's floating around. Just replace the no$gba.exe with the debug version one. (I'll see what I can do on the NAND part.)
 
