Homebrew [33c3] Console Hacking 2016 (3DS/WiiU) talk Dec 27-30: smea, derrek, nedwill, naehrwert

[zoogie]

TL;DR Summary of Talk:​

• Soundhax - Excellent, convenient, and free userland primary that hacks the built in sound application with just an MP3 on the sd card. Will be released soon according to nedwill.

• Fasthax - New arm11 kernel expoit (like memchunkhax, waithax, etc.) also by nedwill. Works on latest firm and should be released soon just like Soundhax. Should allow nfirm downgrading on latest firm when more advanced dsiware injection techniques are released very soon.

• Method to dump arm9 bootrom detailed by derrek. Hash given as proof. The same technique has been worked on for months already by #Cakey devs, so this will likely take quite a bit more time for a public dump to show up. One benefit of bootrom dumping is faster PC based crypto stuff instead of slow 3ds methods. The second benefit is the next exploit:

• Sighax - The big one. Flaw discovered in the bootrom's RSA parsing process of the 3ds's firmware partition. This will allow us to sign our own custom firm and no more having to do risky downgrades and 100 step guides to get the OTP. Unfortunately, we need a bootrom dump to implement this and that is an issue, see above bullet point for why. You will also still need a way to actually write to system NAND, and even k11 hax usually isn't enough for that. Hardmod is also an option, but it's expensive and inconvenient. That should always be an option, at least, given sighax itself is unpatchable without hardware revision.

• Method to dump arm11 bootrom and hash of it given by derrek. This isn't considered important.

(skip yt video ahead to 20:00 for 3ds part of the speech - full talk at link below)

https://media.ccc.de/v/33c3-8344-nintendo_hacking_2016

​

Last year, this very event produced groundbreaking new 3ds hacks such as arm9loaderhax and memchunkhax2 that really shook up the scene. What will happen this year?
Looks like our 32c3 friend derrek will return, but this time tagging along will be fresh new talent nedwill and Nintendo/Sony scene veteran naehrwert. Gonna be big, so stay tuned!
​

Day: 2016-12-27

Start time: 20:30 (German time)
Duration: 01:00
Room: Saal 2
Track: Security
Language: en

lecture: Nintendo Hacking 2016
Game Over
​

​

This talk will give a unique insight of what happens when consoles have been hacked already, but not all secrets are busted yet. This time we will not only focus on the Nintendo 3DS but also on the Wii U, talking about our experiences wrapping up the end of an era. We will show how we managed to exploit them in novel ways and discuss why we think that Nintendo has lost the game.

As Nintendo's latest game consoles, the 3DS and Wii U were built with security in mind.
While both have since been the targets of many successful attacks, certain aspects have so far remained uncompromised, including critical hardware secrets.

During this talk, we will present our latest research, which includes exploits for achieving persistent code execution capabilities and the extraction of secrets from both Wii U and 3DS.

Basic knowledge of embedded systems, CPU architectures and cryptography is recommended, though we will do our best to make this talk accessible and enjoyable to all. We also recommend watching the recording of last year's C3 talk called "Console Hacking - Breaking the 3DS".

​

Courtesy of Julian20
​

Update6: Jan. 09 - WiiU Summary point removed. Nobody cares.
Update5: Dec. 27 - Youtube recording posted, thanks @Sasori
Update5: Dec. 27 - Event complete
Update4: Dec. 27 - Smealum sighting
Update3: Dec. 26 - Countdown added courtesy of@gnmmarechal
Update2: Dec. 22 - Video links added.
Update1: Dec. 17 - 33c3 Bingo courtesy of @Suiginou
Update0: Dec. 15 - Event date/time and other details.

Source​

 

[Exavold]

Hype !

 

[Skylinedeadline]

I take it this is the best bet for slowhax to be released? If so neat.

 

[Vappy]

https://twitter.com/smealum/status/799397964066103296
Smea apparently won't be there. No doubt derrek, ned and naehrwert have more than enough interesting material to present. C'mooon, bootroms.

 

[metroid maniac]

These presentations are always the best Christmas presents.

I can't wait.

 

[Deleted-379826]

Wooo let's go!

 

[kingraa777]

awsome cant wait for this

 

[Aletron9000]

HYPE! when is 33c3?

 

[zoogie]

HYPE! when is 33c3?

Its pretty bad when people don't read the topic's title much less the OP.

Nevertheless, I added the date to the OP as well.

 

[Aletron9000]

Its pretty bad when people don't read the topic's title much less the OP.

Nevertheless, I added the date to the OP as well.

Oh, just saw that, sorry.

 

[Alex658]

This speech last year was what allowed me to finally downgrade my 9.4 second 3ds back into a hackable state
Good times.

They really think nintendo has lost the game? They must have something pretty powerful/unpatchable to think that. Because a9lh is already released and nintendo hasn't been able to patch it yet, they must be talking about something else then.

 

[Deleted User]

Neat, but what are the benifits of being able to dump and have bootroms?

 

[Vappy]

Neat, but what are the benifits of being able to dump and have bootroms?

https://www.reddit.com/r/3dshacks/c..._the_bootrom/d2alk5r/?st=ivsu8ing&sh=e5654253

At least the following:

1. If there's any vulnerabilities in there, it's an even earlier entrypoint that likely won't depend on an OTP dump and risky downgrades.
2. Every currently missing key. With that, we can call it a day and just use PCs for all 3DS-related crypto. rip xorpads, rip Decrypt9, rip everything that sucks
3. Easier emulation due to keys; decryption of titles using a 3DS is no longer necessary. I'm looking at you, XDS.

 

[Conn0r]

Neat, but what are the benifits of being able to dump and have bootroms?

More decryption keys so we can do everything on a computer. Also with the dumped code we could search for a bootrom exploit though unlikely.

Edit: Ninja'd ;(

 

[WiiUBricker]

I don't hink Santa Hax will bring us anything this year. Maybe a downgrade from latest firmware, maybe NES Classic Mini hax, but I don't expect anything.

 

[Vappy]

I believe nedwill's already said he planned to release musichax and slowhax after 33c3, but I could never find a direct quote from him, just other people saying he said it. I'm pretty confident they've got some cool surprises in store, not necessarily as a direct release but certainly for information, since the Wii U and 3DS were both pretty thoroughly covered in previous years. Maybe that elusive boot1 fail0verflow couldn't quite get.
Shame that marcan's potential PS4 presentation apparently isn't happening, supposedly because it was applied for with the same presentation name as this one.

 

[einhuman197]

Time for arm7loaderhax P
I expect bootrom cracking, sound hax, slowhax, an arm9 Exploit from nedwill and browserhax and menuhax for the latest fw's

 

[Osakasan]

3ds is already wide open. Let's lube those Us, beibe <3

 

[daxtsu]

Hopefully Derrek won't be as nervous this time, poor guy was white as a sheet at last year's talk.

 

[noctis90210]

i hope they will release a way run nds/dsi on home screen as a rom located on sd, installed as cia... :-)