Nintendo 3DS

A few links to Nintendo 3DS firmware. The first tweet below hints at a response from Nintendo (a ban wave?) to custom firmware.

Nintendo’s Next Ban Wave is Targeting Hacked 3DS’s, Here’s Everything We Know
https://twitter.com/aquamarinedoto/status/867832446099668992
sighax is a BootROM exploit (revealed at 33c3) for the Nintendo 3DS/2DS/New3DS. It exploits a vulnerability in the RSA signature parser and allows you to run fake-signed firmware on any console.

http://www.sighax.com/
“Keyshuffling Attack for Persistent Early Code Execution in the Nintendo 3DS Secure Bootchain”

https://github.com/Plailect/keyshuffling
A complete guide to 3DS custom firmware for developers, from stock to boot9strap.

https://dev.3ds.guide/

https://github.com/Plailect/devGuide

https://github.com/Plailect/Guide
A tool to parse, extract, and build 3DS firmware files.

https://github.com/TuxSH/firmtool
Luma3DS is a program to patch the system software of (New) Nintendo 3DS handheld consoles “on the fly”, adding features (such as per-game language settings and debugging capabilities for developers) and removing restrictions enforced by Nintendo (such as the region lock). It also allows you to run unauthorized (“homebrew”) content by removing signature checks. To use it, you will need a console capable of running homebrew software on the ARM9 processor. We recommend Plailect’s guide for details on how to get your system ready.

https://github.com/AuroraWright/Luma3DS
Nintendo 3DS Secure Bootchain attack

Keyshuffling Attack for Persistent Early Code Execution in the Nintendo 3DS Secure Bootchain

We demonstrate an attack on the secure bootchain of the Nintendo 3DS in order to gain early code execution. The attack utilizes the block shuffling vulnerability of the ECB cipher mode to rearrange keys in the Nintendo 3DS’s encrypted keystore. Because the shuffled keys will deterministically decrypt the encrypted firmware binary to incorrect plaintext data and execute it, and because the device’s memory contents are kept between hard reboots, it is possible to reliably reach a branching instruction to a payload in memory. This payload, due to its execution by a privileged processor and its early execution, is able to extract the hash of hardware secrets necessary to decrypt the device’s encrypted keystore and set up a persistent exploit of the system.[…]

https://github.com/Plailect/keyshuffling
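The ECB property the abstract relies on, shown as an added example (not code from the keyshuffling paper or repository): swapping two ciphertext blocks of an ECB-encrypted keystore swaps the decrypted key slots with no decryption error, while an integrity tag over the whole ciphertext rejects the reordered store. A small HMAC-based Feistel cipher stands in for the real block cipher, and all keys, slot contents and names are constructed for the example.

```python
import hashlib
import hmac

BLOCK, HALF = 16, 8                      # cipher block size and Feistel half width
ROUNDS_FWD = (0, 1, 2, 3)
ROUNDS_REV = ROUNDS_FWD[::-1]

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: HMAC-SHA256 as a keyed PRF, cut to one half block."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]

def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    # Toy 4-round Feistel network standing in for the real block cipher; the
    # reordering property shown below comes from ECB mode, not from the cipher.
    l, r = block[:HALF], block[HALF:]
    for i in rounds:
        l, r = r, bytes(x ^ y for x, y in zip(l, _f(key, i, r)))
    return r + l                         # undo the last swap so the network inverts itself

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb(key: bytes, data: bytes, rounds=ROUNDS_FWD) -> bytes:
    """ECB mode: every block is transformed independently (pass ROUNDS_REV to decrypt)."""
    return b"".join(_feistel(key, b, rounds) for b in blocks(data))

# Constructed keystore: four 16-byte key slots (slot i holds byte 0x0i repeated) and keys.
SLOTS = [bytes([i]) * BLOCK for i in range(4)]
STORE_KEY = hashlib.sha256(b"constructed keystore key").digest()
MAC_KEY = hashlib.sha256(b"constructed integrity key").digest()

def swap_blocks(ct: bytes, a: int, b: int) -> bytes:
    """Exchange ciphertext blocks a and b; no key is involved."""
    bs = blocks(ct)
    bs[a], bs[b] = bs[b], bs[a]
    return b"".join(bs)

def seal(ct: bytes) -> bytes:
    return hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
def verify(ct: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(seal(ct), tag)

def demo() -> tuple:
    ct = ecb(STORE_KEY, b"".join(SLOTS))
    tag = seal(ct)
    moved = swap_blocks(ct, 0, 2)
    # ECB decrypts the reordered store without error: slot 0 now yields slot 2's key.
    slot0_now_slot2 = blocks(ecb(STORE_KEY, moved, ROUNDS_REV))[0] == SLOTS[2]
    # A tag over the whole ciphertext rejects the reordered store before any key is used.
    return slot0_now_slot2, verify(ct, tag), verify(moved, tag)
```

Authenticating the ciphertext (or using an authenticated mode) is what makes the reordering detectable; a keystore that is only ECB-encrypted cannot tell a shuffled store from an intact one.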