Homebrew Possible Nintendo 3DS exploit/vulnerability (Found by me!)

  • Thread starter: NipponRyan97
  • Views: 40,278
  • Replies: 93
  • Likes: 1
Status
Not open for further replies.
You guys aren't being creative enough with this. (Ignore the fact that it probably wouldn't work due to being unsigned code.) What if someone were to place code to run in the same position in memory that is accessed when displaying the manual? You click manual, it executes the code... etc. No, I'm not saying this will be an exploit that the 3DS gets hacked with, but you gotta get creative when dealing with these things =P
You clearly have no idea what you're talking about, but good luck with that.

How exactly do you intend to load code INTO memory in that specific location? If you had some way of influencing memory to that extent, you'd probably already be running unsigned code, making it pointless.

Late response, but you misunderstood. If you insert a modified cartridge, or simply create a connection between the I/O device and some custom hardware, when the 3DS sends out a request for the manual, a modified request can be returned. If it is simply text that is executed, there may be a sort of buffer overflow exploit that can be used in order to execute external code.
 

Everything on cartridges is encrypted and signed. You'll need to get the 3DS public and private keys first. Good luck with that.
 

Which I mentioned in my original post =P But w/e. No point in arguing over it.
 
Actually guys, this is real.
I did this with Mario Kart 7. Just put it in there (don't push it in all the way) and wait for it to load. Keep pushing and pulling it back up really fast. Then put it back in then take it out as soon as the picture comes up. Then you can't open any app without it crashing. Also for some reason the music and animations are still going on the system menu.

It also takes a few more seconds to turn off.
 
We never doubted whether it's real or not. He called it a "possible exploit/vulnerability", something we all know now that it isn't.
 
I had to register on this page to explain a crash in The Legend of Zelda: Ocarina of Time. When Link is an adult, go to Gerudo Fortress; when a Gerudo guard tries to catch you but can't (because you are one floor lower, or she can't touch you), the game crashes and you can't do anything except turn the power off by holding the button for 5 or 10 seconds.

P.S.: Yep, I don't have a video, and I don't know what causes this bug, but I'm trying to help the 3DS scene.
P.S. 2: If you have the Gerudo Fortress pass, you can't do this.
 
Okay, so I just tried this again and I found something odd. If you remove the SD card, the apps that are on your SD card are still on the 3DS.
 
Can you still launch them though? I'm gonna take a guess that if the system has crashed and they're not launchable it's useless. Don't listen to me though, I'm no expert. :P
 
This could lead to something.

Not really. Some apps install a shortcut on the 3DS but create the data on the SD card. Like Android's "App 2 SD" function.
 
I'll test them right now. They probably won't load.
EDIT: I just tried Netflix and it won't open.
EDIT 2: I just got a SpotPass notification from Pokédex 3D, and the SD card is out.
 
No, but the fact that it knows there's a valid header there means you could remove the SD, edit the data (if you can find a key; I doubt that'd happen) and place it back in. Then you'd go to the app you modified and launch the proper banner.

That's if we had the key. Alas, we don't so...
 
Yeah, bump aside...
Late response, but you misunderstood. If you insert a modified cartridge, or simply create a connection between the I/O device and some custom hardware, when the 3DS sends out a request for the manual, a modified request can be returned. If it is simply text that is executed, there may be a sort of buffer overflow exploit that can be used in order to execute external code.
Even if you manage to encrypt the content, this in no way guarantees code execution - what matters is how the buffer is declared within the system - you can't overflow any buffer you want; most have a fixed size, or assign the size for themselves on the fly using malloc(sizeof(filepath))-style calls, in areas of memory that you cannot execute binary code from.

If life was that easy, the system would've been hacked with an image or a song file day one. :P
 
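The post above makes the defender's point that a fixed-size buffer only becomes a problem when the code trusts a length it did not choose. The C below is an added illustration, not code from this thread and not any real 3DS format or firmware: it parses a constructed length-prefixed "manual record" from an untrusted source into a fixed-size buffer, and rejects any record whose declared length is larger than the bytes actually received or larger than the destination. The record layout, `MANUAL_PATH_MAX`, and the function names are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical fixed-size destination: its size is fixed at compile time,
 * exactly the situation the post describes. */
#define MANUAL_PATH_MAX 32

/* Constructed record layout (not a real 3DS format):
 *   bytes 0-1 : declared payload length, little-endian
 *   bytes 2.. : payload bytes
 */
enum { RECORD_HDR_LEN = 2 };

/* Copy the payload of an untrusted record into a fixed-size buffer.
 * Returns the payload length on success, or -1 if the record is malformed
 * or the declared length does not fit. The sender's length field is treated
 * as data, not truth: it is checked against the bytes actually received and
 * against the room left for a NUL terminator. */
int read_manual_path(const uint8_t *rec, size_t rec_len,
                     char *out, size_t out_cap)
{
    if (rec == NULL || out == NULL || out_cap == 0 || rec_len < RECORD_HDR_LEN)
        return -1;

    size_t declared = (size_t)rec[0] | ((size_t)rec[1] << 8);

    if (declared > rec_len - RECORD_HDR_LEN || declared >= out_cap)
        return -1;

    memcpy(out, rec + RECORD_HDR_LEN, declared);
    out[declared] = '\0';
    return (int)declared;
}

/* Wrapper with a stack buffer so callers can observe the outcome. */
int parse_record_into_fixed_buffer(const uint8_t *rec, size_t rec_len)
{
    char path[MANUAL_PATH_MAX];
    return read_manual_path(rec, rec_len, path, sizeof path);
}

/* Constructed sample input: a well-formed record carrying "/manual.bin". */
static const uint8_t GOOD_RECORD[] = {
    0x0b, 0x00, '/', 'm', 'a', 'n', 'u', 'a', 'l', '.', 'b', 'i', 'n'
};

/* Constructed sample input: header claims 65535 bytes but only 3 follow. */
static const uint8_t LYING_RECORD[] = { 0xff, 0xff, 'a', 'b', 'c' };

/* Returns 1 if the good record parses to the expected path, else 0. */
int good_record_yields_expected_path(void)
{
    char path[MANUAL_PATH_MAX];
    int n = read_manual_path(GOOD_RECORD, sizeof GOOD_RECORD, path, sizeof path);
    return n == 11 && strcmp(path, "/manual.bin") == 0;
}

/* Builds a self-consistent record whose 40-byte payload exceeds the
 * 32-byte destination; the parser must refuse it rather than overflow. */
int oversized_record_is_rejected(void)
{
    uint8_t rec[RECORD_HDR_LEN + 40];
    rec[0] = 40;
    rec[1] = 0;
    memset(rec + RECORD_HDR_LEN, 'A', 40);
    return parse_record_into_fixed_buffer(rec, sizeof rec);
}

int main(void)
{
    printf("good record      -> %d\n", parse_record_into_fixed_buffer(GOOD_RECORD, sizeof GOOD_RECORD));
    printf("lying length     -> %d\n", parse_record_into_fixed_buffer(LYING_RECORD, sizeof LYING_RECORD));
    printf("oversized record -> %d\n", oversized_record_is_rejected());
    return 0;
}
```

The two checks on `declared` are the whole point: one bounds it by what was received (so a lying header cannot make the copy read past the input), the other by the destination (so a truthful but too-large payload cannot write past the buffer). Either check alone leaves a gap.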