Breaking the 3DS: how the 3DS was hacked – Presentation by Smealum, Derrek, and Plutoo
Smealum, Derrek, and Plutoo gave a keynote at the Chaos Communication Congress (32C3), and the video recording is now online (embedded below).
In the talk, the three hackers explain how they broke the security of the Nintendo 3DS, which led to a lively 3DS homebrew scene. They first give an overview of the system (specifically the ARM11 and the ARM9, the security CPU).
They then explain how they breached the four levels of security (ARM11 userland, ARM11 kernel, ARM9 userland, ARM9 kernel), and how they used the GPU to get access to RAM. An interesting anecdote from Smealum is that in practice, the ARM9 kernel has an unintentional syscall backdoor: one can feed it any code pointer and it will run it in kernel mode. ARM11 doesn’t have direct access to it, but anything running on ARM9 can call it, meaning that once a hacker gets ARM9 userland access, it’s equivalent to getting kernel access on that CPU. This makes the last layer of security pretty much moot.
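To make the design point concrete, here is an added C model (not 3DS code, and not from the presentation) of a syscall that executes a caller-supplied code pointer with kernel privileges, next to the table-driven dispatch a kernel would normally use; the privilege "mode" is a simulated global, and the syscall names and numbers are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simulated CPU privilege state (constructed model, not real 3DS code). */
enum mode { MODE_USER = 0, MODE_KERNEL = 1 };
static enum mode cur_mode = MODE_USER;

/* Records the mode in which the "user-supplied" routine actually ran. */
static enum mode observed_mode = MODE_USER;
static void user_routine(void) { observed_mode = cur_mode; }

/* Weak design, as the talk describes for the ARM9 kernel: the syscall takes
 * an arbitrary code pointer and runs it with kernel privileges, so any code
 * that can issue the call already has full kernel power. */
static void svc_backdoor(void (*fn)(void)) {
    enum mode saved = cur_mode;
    cur_mode = MODE_KERNEL;   /* trap into the kernel */
    fn();                     /* no check on where fn points */
    cur_mode = saved;
}

/* Hardened design: a fixed dispatch table. User code may only select a
 * numbered handler; it never hands the kernel code to execute. */
typedef int (*svc_handler)(long arg);
static int svc_get_mode(long arg) { (void)arg; return (int)cur_mode; }
static int svc_add_one(long arg) { return (int)(arg + 1); }
static const svc_handler svc_table[] = { svc_get_mode, svc_add_one };
#define SVC_COUNT (sizeof svc_table / sizeof svc_table[0])

/* Returns the handler's result, or -1 if the syscall number is unknown. */
static int svc_dispatch(unsigned nr, long arg) {
    if (nr >= SVC_COUNT) return -1;   /* reject out-of-range numbers */
    enum mode saved = cur_mode;
    cur_mode = MODE_KERNEL;
    int rc = svc_table[nr](arg);
    cur_mode = saved;
    return rc;
}

/* Did the weak syscall run caller-chosen code in kernel mode? */
static bool backdoor_runs_user_code_in_kernel(void) {
    observed_mode = MODE_USER;
    svc_backdoor(user_routine);
    return observed_mode == MODE_KERNEL && cur_mode == MODE_USER;
}

int main(void) {
    printf("backdoor elevates caller code: %d\n", backdoor_runs_user_code_in_kernel());
    printf("table dispatch nr=1 arg=41 -> %d\n", svc_dispatch(1, 41));
    printf("table dispatch nr=99 -> %d\n", svc_dispatch(99, 0));
    return 0;
}
```

The interesting check is the first one: with the pointer-taking syscall, the user/kernel boundary on that CPU exists only in name, which is exactly why ARM9 userland access was as good as kernel access.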

The hackers added a few tongue-in-cheek pieces of advice for Nintendo and other console manufacturers, in particular “Secrets hidden in hardware are great, unless you leak them”, in reference to how they managed to extract encryption keys shared by the Wii U and the 3DS.

There’s a lot being explained and I won’t summarize it all here. You can see the full presentation below. If you have an interest in console security and hacking (and if the words ROP, WebKit, and NX don’t scare you), it’s a must-see!
Note: the presentation actually starts 15 minutes into the video.
One important point from Smealum is that he believes the 3DS homebrew scene is lively and growing. He emphasized his disagreement with Fail0verflow’s statement a few years ago that console homebrew is dead, and showcased a cool screenshot of existing 3DS homebrew.

Last but not least, at the end of the presentation, Smealum announced the release of Browserhax, Ironhax, and Menuhax for the latest 3DS firmware, 10.3. The release of at least Browserhax was made simultaneously with the keynote. Details here.
now to wait for cfw !!! wiiiii xD
Has there not been already a working CFW for 3DS? I know it has since I’m running my old 3DS with one.
i mean on latest 10.3 firmware 😀
Not happening. It’s been ages since we’ve been able to have userland homebrew on firmwares past 9.2, and yet no Gateway or CFW developer has cared to use the newer exploits to find ways of accessing the kernel on any sysnand firmware past 9.2. It’s still better than the PS3, where after 3.55, people just stopped looking for any kind of exploit period outside of hardmods or that backup-editing trick that didn’t get much use because of the legal actions Sony took when 3.55 was hacked. Now everyone who can mod a Sony console has moved on to the PS4, leaving PS3 super-slim owners and Vita owners unable to access Rejuvenate in the dust. And it’s only a matter of time before PS4 owners who are too late to the party are neglected too.
Well looks like we can soon see it on 10.3 fw 🙂
We are waiting for a Sony PlayStation 4 jailbreak, is there any news about it, wololo?
To install the ps4 jailbreak all you have to do is cut the power from the ps4 while it is updating.
if there was news on it, then wololo would’ve posted an article about it.
Now do you see any new article on the ps4 jailbreak? No, so of course there’s no news yet.-.-
I saw an article 3 days ago, posted on 25 December I think. Also, wololo last night posted something about PS4 and Linux. Wololo said 12/30. I don’t understand, does wololo mean 30 December, or what?!
yes……12/30 means December 30 -.-
there is one actually
all you need is a giant metal sledgehammer
take a few whacks at your ps4 with it and you get a break
simple
This recipe works equally well for turning other electronics into expensive doorstops too 😀
This is pretty awesome. Good on them!
Firstly congratulations are in order.
Secondly, see what these guys did? take a good look at it… cause that’s exactly what f0f won’t do in 3 days.
Just watched the presentation, really amazing work … I am so fascinated by all of this, I just wish I had the coder mind to be able to figure out these kinds of exploits.
Ok so here’s the great news: considering what the guys are doing is an opening for devs to make a CFW, they don’t need to make a CFW themselves; that’s up to the devs around the world to jump into the scene.
Does this means we can run language patch on the latest firmware soon?
If you mean changing a game’s language, yes. That has been possible since Hax 2.0 came out. You need to run the game through Hans and choose which region you want to run it in. If not, there are patched romfs files you can download.
This is amazing. I can’t wait to go home to watch it.
Since devs essentially have kernel access and I assume an open SDK exists to make homebrew, does this mean someone can make a backup loader? Preferably like Devolution on the Wii with one-time cart checks? It would be nice to take down someone like Gateway, mainly due to them using these guys’ work for their cart.
There is already a backup loader (see rxtools), and no cart check DRM on it.
Very interesting stuff. Confirmation by those that know that Nintendo’s cryptography isn’t as good as Sony’s, basically, and a detailed explanation of the hows and whys. I’m not a coder/hacker myself but I understood the majority of it.
Smea was talking about the NFC fail, Nintendo rushed the 8.1 firmware and left an old version of the NFC crypto that was later replaced in later firmwares.
This one was using a common key, then in firmwares 9.3+ they hardcoded this key to “hide” it safely.
But basically they had already leaked it themselves in the 8.1 firmware.
This has nothing to do with the wii u shared stuff.
I think “Secrets hidden in hardware are great, unless you leak them” was referring to the keyY(?) used in the rushed firmware and the normal key used in 9.x, not the key sharing between the wiiu.
well that’s one hot smealum
“An interesting anecdote from Smealum is that in practice, the ARM9 Kernel has an unintentional syscall backdoor. ”
Well, it did until now.
Is this something that CFW already uses? If yes, then why hasn’t Nintendo closed it already? If no, wouldn’t it be a bad idea to release information about it until the last moment possible, since Nintendo will close it as soon as they find out?
“An interesting anecdote from Smealum is that in practice, the ARM9 Kernel has an unintentional syscall backdoor. ”
Wololo, this is false.
The backdoor IS intentional.
Why? For Nintendo repair centers to have a way of fixing bricked consoles?
Because Process9 is the only process to ever run on ARM9, so why restrain its privileges?