The Case of the 3DS Part 1: Brief History & Standings
The Nintendo 3DS has been fermenting for a while now, waiting for us to pour a glass of that sweet, sweet homebrew. Now, nearly a year and a half after the first publicly announced exploit, we have ARM11 code execution.
The following is a brief retelling of the public history of the 3DS being broken free of its shackles (almost completely).
A Glimmer on The Horizon
In mid-December 2012 the Australian console modification retailer OzModChips posted an image on Twitter showing a 3DS unit with both screens lit up, displaying simply “WE HACKED IT!”.
They made a point to note that they did not have anything to do with the hack, they were simply the messengers.

This led to a lot of excitement and suspicion around the internet as websites reacted to the news. The credibility of the find was later confirmed by scene veterans including Nemoid, Crediar and Yellows8, who explained that a save game exploit was responsible for gaining code execution.
The name of the game and the actual method were not disclosed, however. The exploit only gave user mode (“userland”) code execution, meaning any homebrew launched through it would run with the permissions of the exploited game and could only use the system services and resources that game had been authorised to use. Keeping the details private also protected the exploit from being patched by Nintendo prematurely.
A Juicy Kernel (Vulnerability)
Later down the track, reports surfaced claiming that the veteran Nemoid had managed to leverage a vulnerability within the system to gain kernel level control of the 3DS. The reports claimed no hardware modification of the system, and the entry point was later confirmed to be a save game exploit.
Again, the secret was guarded from public distribution for fear that Nintendo could easily patch the vulnerability. Instead it was said to be distributed among a close circle of associates so that further experimentation could be carried out. This had the secondary effect of giving the vulnerabilities a chance to survive unpatched into future firmware versions.
Along Comes Gateway
Shooting forward through time to the end of May 2013, information started to surface about a new team going by the name Gateway 3DS. They claimed to have a working “flash cart” for the system that allowed users to run (illegal) ROM dumps.
To back up these claims they also released a video showing the “flash cart” in action, running a dumped game (Luigi’s Mansion). The Nintendo piracy section of the internet was ablaze with furious excitement, while others who did not support piracy wondered curiously what would happen next.
As June flew by, a lot of the eager faces became wrinkled with worry that the video was an elaborate hoax and that the card would never come to market. Then, like a light at the end of the tunnel, an announcement surfaced in early July stating that preorders were being accepted through their international resellers, and it gave curious souls a little more information on the product. The announcement named the vulnerable firmware versions (4.1 to 4.5), promised that the product would always be updated to run on later firmware versions, and described a DS mode loader cartridge and a 3DS mode ROM dump cartridge, among other things.
The product saw several delays and prompted a lot of angst, but now, nearly a year down the track, after a shaky release date, some drama over cartridge DRM (bricking) code and a few firmware revisions, here we are: able to run our own homebrew.
The Chain of Command
You might be thinking, “That’s all good, but how did they do it?”. The full explanation is complex, and you can always do some research if you want to fully understand it. The basic concept, in lay terms, is this:
A DS mode homebrew is run first, and it writes an exploit payload into the ‘message’ field of the DS profile stored on the 3DS. The message is deliberately longer than the buffer the 3DS later copies it into, so the copy overflows the buffer and overwrites the memory next to it. When that buffer lives on the stack, the overflow can reach the saved return address (the location the processor jumps back to when the current function finishes).
On the 3DS the memory layout is fixed, so the attacker knows exactly where that return address sits and what to put there. That makes a return-oriented programming (ROP) chain possible: rather than injecting new code (the system will not run data sitting on the stack as code), the overflow fills the stack with a sequence of addresses of small fragments of code that already exist in memory. Each fragment ends in a return instruction, so it hands control to the next address in the chain, and together they carry out whatever the attacker wants, such as loading and running a payload.
In the case of the “flash cart”, the ROP chain is used to run a loader that makes the 3DS treat the “flash cart” as a normal 3DS game cartridge (and, in later firmware, to run custom diagnostic code, a ROM loader for the unit and, most recently and most exciting of all, our own homebrew).
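To make the two steps above concrete, here is an added C example; it is not part of the original article and is not 3DS or Gateway code. It models a stack frame as a plain byte array with a 26-byte message buffer (an assumed size, not the real DS profile limit) sitting directly below the saved return slot, and it replaces real code addresses with a small table of numbered “gadgets” so that it runs on any machine. The unchecked copy lets an overlong message overwrite the return slot and the words after it, and the simulated return then walks that list of gadget numbers exactly as a ROP chain walks a list of addresses; the length-checked copy refuses the overlong message, so the chain never runs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the bug class described above. Sizes, offsets and the
 * gadget table are assumptions for illustration only; they are not the 3DS
 * memory layout, the DS profile format, or the Gateway payload. */
#define MSG_MAX    26                 /* assumed size of the message buffer      */
#define LR_OFFSET  MSG_MAX            /* saved return slot sits right after it   */
#define FRAME_SIZE (MSG_MAX + 4 * 4)  /* buffer + return slot + three more words */

/* Simulated stack frame: message buffer, saved return address, more stack. */
typedef struct { uint8_t mem[FRAME_SIZE]; } frame_t;

/* Stand-ins for addresses of code that already exists in memory. A real ROP
 * chain holds addresses of such fragments; here a small number selects one. */
enum gadget { G_RET = 0, G_SET_R0_1, G_DOUBLE_R0, G_ADD_R0_3 };

static void frame_init(frame_t *f, uint32_t real_return) {
    memset(f->mem, 0, sizeof f->mem);
    memcpy(f->mem + LR_OFFSET, &real_return, 4);  /* legitimate return address */
}

static uint32_t frame_word(const frame_t *f, size_t off) {
    uint32_t w;
    memcpy(&w, f->mem + off, 4);
    return w;
}

/* Vulnerable: trusts the length stored with the profile, so a message longer
 * than MSG_MAX runs past the buffer into the saved return slot and beyond.
 * (The FRAME_SIZE guard only keeps the simulation's own array in bounds.) */
int load_message_unchecked(frame_t *f, const uint8_t *msg, size_t len) {
    if (len > FRAME_SIZE) return -1;
    memcpy(f->mem, msg, len);
    return 0;
}

/* Hardened: the buffer size, not the attacker-controlled length, bounds the copy. */
int load_message_checked(frame_t *f, const uint8_t *msg, size_t len) {
    if (len > MSG_MAX) return -1;   /* reject (or truncate); never overflow */
    memcpy(f->mem, msg, len);
    return 0;
}

/* Simulated function return: pop words from the return slot upward and run
 * the existing fragment each one names. No new code is written anywhere;
 * an unknown word (or the legitimate G_RET) stops the chain. */
uint32_t run_from_frame(const frame_t *f) {
    uint32_t r0 = 0;
    for (size_t off = LR_OFFSET; off + 4 <= FRAME_SIZE; off += 4) {
        switch (frame_word(f, off)) {
        case G_SET_R0_1:  r0 = 1;   break;
        case G_DOUBLE_R0: r0 *= 2;  break;
        case G_ADD_R0_3:  r0 += 3;  break;
        default:          return r0;
        }
    }
    return r0;
}

/* Build the overlong "message": filler up to the return slot, then the chain. */
size_t build_payload(uint8_t *out, size_t cap) {
    const uint32_t chain[] = { G_SET_R0_1, G_DOUBLE_R0, G_ADD_R0_3, G_DOUBLE_R0 };
    size_t n = MSG_MAX + sizeof chain;
    if (n > cap) return 0;
    memset(out, 'A', MSG_MAX);
    memcpy(out + MSG_MAX, chain, sizeof chain);
    return n;
}

/* Load the payload with one of the two copies, then "return". The chain
 * computes ((1 * 2) + 3) * 2 = 10; an untouched frame returns 0. */
uint32_t demo(int hardened) {
    uint8_t payload[64];
    size_t len = build_payload(payload, sizeof payload);
    frame_t f;
    frame_init(&f, G_RET);
    int rc = hardened ? load_message_checked(&f, payload, len)
                      : load_message_unchecked(&f, payload, len);
    if (rc != 0) printf("copy rejected a %zu-byte message (limit %d)\n", len, MSG_MAX);
    return run_from_frame(&f);
}

int main(void) {
    printf("unchecked copy, r0 after return: %u\n", demo(0));
    printf("checked copy,   r0 after return: %u\n", demo(1));
    return 0;
}
```

The point of the gadget table is that the attacker never adds code: the payload is only a list of places to go next, and control is borrowed from fragments the system already contains. The fix is likewise not about the message content at all, but about which number bounds the copy; the moment the destination size rather than the stored length decides how many bytes move, the return slot is out of reach.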
So What About The Brew?
Prior to the latest Gateway 3DS firmware, reverse engineering work was done to deobfuscate (make less obscure, reveal the trick behind) the method that was being used to execute code, and from this (and other hard work) ARM9 homebrew tools were born.
Recently, our good friend 173210 announced and released his own ARM11 “Hello World” proof of concept, showing ARM11 code running from a loader like the one above. Others have also been developing ARM11 loader-based code in tandem, with great results.

Now, with the most recent firmware by the Gateway 3DS team we are able to construct homebrew by using the talented Smealum’s ctrulib, to be run from the “flash cartridge” in a similar fashion to a commercial ROM dump.
But what is next and how do I get my hands dirty?
There’s much more pouring from the brewery, but let’s leave that for another day. If you want to know more, please stick around and wait for Part 2 of our series, “The Case of the 3DS”…

Wololo, you haven’t said anything about the rumored Crash Bandicoot for PS4.
Probably because
1) the rumor originated straight from Sony’s video
2) Naughty Dog is probably going to develop it
3) Naughty Dog is doing TLOU PS4 but then
4) Naughty Dog is going to do UC4 but then
5) Naughty Dog is going to plan out the story for Crash
6) Try and make Crash not scary looking as he always does in semi HD
7) develop Crash
8) wait for release date
9) this is just a *rumour* but since Acti took him off their site it’s kinda obvious someone bought him
10) High Impact Games could also be the ones making it tbh
We finally have online play but some issues remain (*** I spoiled part 2)
Finally an article worth reading on the front page 😉
The 3DS scene is really interesting right now (unlike another console’s scene). The original Gateway DS profile payload had a neat trick with fitting a second payload (loaded into another profile). The 4.5 kernel exploit was pretty stupid on Nintendo’s part (don’t know if it’s public knowledge). However the most creative people were the ones who originally reversed the Gateway profile ROP payload with no information but some comments from yellows8. Multiple people/groups most likely did this independently, but I saw one of these groups reverse the payload and the method used was genius. I hope one day it comes to light because it really was something.
Thank you 🙂
Yeah, it is a clever piece of (reverse) engineering on both parties behalves and a well deserved accomplishment for the people who ‘figured out’ what was going on behind the curtain. I hope to sink my teeth into the juicy specifics one day.
Like! haha, if only this were Facebook
Good job on the article! I’ve been waiting to hear something about this for quite some time now. Looking forward to part 2!
Wololo, your page looks very cool now, but I have a simple suggestion (if possible): make the left bar hideable or draggable.
It takes like 1/3 of the screen width. It’s much better to be able to read in fullscreen
Remember how the Wii was hacked by using GameCube mode.
Any company that intentionally bricks devices is not to be trusted.
Can’t wait to see the next part.
As for the off topic comment about a Crash Bandicoot game, Naughty Dog is probably NOT going to develop it as it hasn’t owned the rights to Crash for over a decade. They only made the PSX versions. PS2 and later games were made by various developers. Crash Bandicoot: Wrath of Cortex was the last GOOD Crash game. The rest were mostly junk.
gateway is pretty expensive, hope that there is a free, CFW alternative that loads on 3DS’ memory card instead..
😀
This is cool news I bought the AceCard 3DS Deluxe and bricked my 3DS after playing a few times.
I would love a good, safe exploit and sweet Homebrews for my now and only 7.X 3DSXL.
Is there an easy way to unbrick a 3DS yet!!!!????
Sorry I meant the R4 3ds Deluxe is the card that bricked my 3ds, I don’t think AceCard has a card for 3ds files.
Gateway’s multi loader is a great piece of functionality and has really made getting a low firmware 3ds worth it. The screen just can’t compete with the Vita’s OLED for homebrew and emulators though.
This new site look is awesome. Its like being on IGN but with intelligent articles!
Is my 3DS on latest FW useless? (Like my PS3 running latest firmware)
This is a great first set of steps! All I want from 3DS CFW is region free. I don’t care for homebrew or loading of ROMs. If someone is able to crack it on ANY firmware by either finding a hardware vulnerability or if the encryption keys somehow leak like they did with the PSP and homebrew is able to run without piracy? Sure. Until then I only want the region lock to GTFO. There are at least 2 games I want to import, and until this happens they’d only be wasting space on my shelf.
Simple answer, yes. More complex answer: yes, due to the current exploits only working on FW 4.1-4.5, and anything above that it’s been patched.
wololo: once you or a mod accepts my comments could you take the longer one and make it its own comment vs a reply to SSJVasto? the ‘simple answer’ one is what I want to be a response to him, and not the longer one. Thanks.
Very interesting, thank you very much!