Homebrew Possible Nintendo 3DS exploit/vulnerability (Found by me!)

Status
Not open for further replies.

sychotix

Well-Known Member
> You guys aren't being creative enough with this. (Ignore the fact that it probably wouldn't work due to being unsigned code.) What if someone was to place code to run in the same position in memory that is accessed when displaying the manual? You click manual, it executes the code... etc. No, I'm not saying this will be an exploit that the 3DS gets hacked with, but you gotta get creative when dealing with these things =P

> You clearly have no idea what you're talking about, but good luck with that.
>
> How exactly do you intend to load code INTO memory in that specific location? If you had some way of influencing memory to that extent, you'd probably already be running unsigned code, making it pointless.

Late response, but you misunderstood. If you insert a modified cartridge, or simply create a connection between the I/O device and some custom hardware, then when the 3DS sends out a request for the manual, a modified request can be returned. If it is simply text that is executed, there may be a sort of buffer overflow exploit that can be used in order to execute external code.
 

SifJar

Not a pirate
> Late response, but you misunderstood. If you insert a modified cartridge, or simply create a connection between the I/O device and some custom hardware, then when the 3DS sends out a request for the manual, a modified request can be returned. If it is simply text that is executed, there may be a sort of buffer overflow exploit that can be used in order to execute external code.

Everything on cartridges is encrypted and signed. You'll need to get the 3DS public and private keys first. Good luck with that.
 

sychotix

Well-Known Member
> Everything on cartridges is encrypted and signed. You'll need to get the 3DS public and private keys first. Good luck with that.

Which I mentioned in my original post =P But w/e. No point in arguing over it.
 

NathanDuma

Well-Known Member
Actually guys, this is real.
I did this with Mario Kart 7. Just put it in there (don't push it in all the way) and wait for it to load. Keep pushing and pulling it back up really fast. Then put it back in then take it out as soon as the picture comes up. Then you can't open any app without it crashing. Also for some reason the music and animations are still going on the system menu.

It also takes a few more seconds to turn off.
 

Tom Bombadildo

Dick, With Balls
> Actually guys, this is real.
> I did this with Mario Kart 7. Just put it in there (don't push it in all the way) and wait for it to load. Keep pushing and pulling it back up really fast. Then put it back in, then take it out as soon as the picture comes up. Then you can't open any app without it crashing. Also, for some reason the music and animations are still going on the system menu.
>
> It also takes a few more seconds to turn off.
We never doubted whether it's real or not. He called it a "possible exploit/vulnerability", something we all know now that it isn't.
 

Joseph2k

Member
I had to register on this page to explain a crash in The Legend of Zelda: Ocarina of Time. When Link is an adult, go to Gerudo Fortress. When a Gerudo guard tries to catch you but can't (because you are one floor lower, or she can't touch you), the game crashes and you can't do anything except turn the power off by holding the button for 5 or 10 seconds.

P.S.: Yep, I don't have a video, and I don't know what causes this bug, but I'm trying to help the 3DS scene.
P.S. 2: If you have the Gerudo Fortress pass, you can't do this.
 

NathanDuma

Well-Known Member
Okay, so I just tried this again and I found something odd. If you remove the SD card, the apps that are on your SD card are still on the 3DS.
 

Wizerzak

Because I'm a potato!
> Okay, so I just tried this again and I found something odd. If you remove the SD card, the apps that are on your SD card are still on the 3DS.
Can you still launch them though? I'm gonna take a guess that if the system has crashed and they're not launchable it's useless. Don't listen to me though, I'm no expert. :P
 

Thesolcity

Wherever the light shines, it casts a shadow.
> Okay, so I just tried this again and I found something odd. If you remove the SD card, the apps that are on your SD card are still on the 3DS.

> This could lead to something.

Not really. Some apps install a shortcut on the 3DS but put the data on the SD card. Like Android's "App 2 SD" function.
 

NathanDuma

Well-Known Member
> Okay, so I just tried this again and I found something odd. If you remove the SD card, the apps that are on your SD card are still on the 3DS.

> Can you still launch them though? I'm gonna take a guess that if the system has crashed and they're not launchable it's useless. Don't listen to me though, I'm no expert. :P

I'll test them right now. They probably won't load.
EDIT: I just tried Netflix and it won't open.
EDIT 2: I just got a SpotPass notification from Pokédex 3D, and the SD card is out.
 

loco365

Well-Known Member
> Okay, so I just tried this again and I found something odd. If you remove the SD card, the apps that are on your SD card are still on the 3DS.

> This could lead to something.

> Not really. Some apps install a shortcut on the 3DS but put the data on the SD card. Like Android's "App 2 SD" function.

No, but there's the fact that it knows there's a valid header there: you could remove the SD card, edit the data (if you can find a key; I doubt that'd happen) and place it back in. Then you'd go to the app you modified and launch the proper banner.

That's if we had the key. Alas, we don't, so...
 
  • Like
Reactions: 1 person

Foxi4

Endless Trash
Yeah, bump aside...
> Late response, but you misunderstood. If you insert a modified cartridge, or simply create a connection between the I/O device and some custom hardware, then when the 3DS sends out a request for the manual, a modified request can be returned. If it is simply text that is executed, there may be a sort of buffer overflow exploit that can be used in order to execute external code.

Even if you manage to encrypt the content, this in no way guarantees code execution. What matters is how the buffer is declared within the system: you can't overflow any buffer you want; most have a fixed size or assign the size for themselves on the fly using à la malloc(sizeof(filepath)) methods, in areas of memory that you cannot execute binary code from.

If life was that easy, the system would've been hacked with an image or a song file day one. :P
 
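Foxi4's point about how the buffer is declared, shown as an added C example that is not from this thread and not 3DS code. The record layout (a 2-byte big-endian length prefix followed by title text), the sample bytes, the 32-byte TITLE_MAX and every function name are invented for illustration. The trusting parser copies whatever length the record claims into a fixed-size buffer, which is the overflow the thread speculates about; the checked parser treats the length field as a claim and verifies it against both the bytes actually received and the destination size, so a record that lies about its length is rejected instead of overrunning anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TITLE_MAX 32   /* fixed-size destination buffer, the case described above */

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Constructed sample records (not real 3DS data). Invented layout:
 * 2-byte big-endian length, then that many bytes of title text. */
static const uint8_t GOOD_REC[] = {
    0x00, 0x0C, 'M', 'a', 'r', 'i', 'o', ' ', 'K', 'a', 'r', 't', ' ', '7'
};
/* Claims 65535 bytes of text but carries only 4: the classic overflow trigger. */
static const uint8_t EVIL_REC[] = { 0xFF, 0xFF, 'A', 'A', 'A', 'A' };

static size_t claimed_len(const uint8_t *rec)
{
    return ((size_t)rec[0] << 8) | rec[1];
}

/* Vulnerable form: the copy length comes straight from the record, so a
 * record with a large length field writes past the end of `out`. Kept only
 * to show the shape of the bug; nothing here calls it with hostile input. */
static int parse_title_trusting(const uint8_t *rec, size_t rec_len, char *out)
{
    if (rec_len < 2)
        return PARSE_TRUNCATED;
    size_t n = claimed_len(rec);
    memcpy(out, rec + 2, n);   /* BUG: n is never bounded by rec_len or TITLE_MAX */
    out[n] = '\0';             /* BUG: also writes past the buffer once n >= TITLE_MAX */
    return PARSE_OK;
}

/* Hardened form: the length field is a claim, verified against both the
 * bytes actually received and the size of the destination. */
static int parse_title_checked(const uint8_t *rec, size_t rec_len,
                               char *out, size_t out_sz)
{
    if (rec_len < 2)
        return PARSE_TRUNCATED;
    size_t n = claimed_len(rec);
    if (n > rec_len - 2)
        return PARSE_TRUNCATED;   /* claims more bytes than the record contains */
    if (n >= out_sz)
        return PARSE_TOO_LONG;    /* would not fit together with the terminator */
    memcpy(out, rec + 2, n);
    out[n] = '\0';
    return PARSE_OK;
}

/* Result helpers so each case can be checked by return value. */
int checked_accepts_good(void)
{
    char t[TITLE_MAX];
    return parse_title_checked(GOOD_REC, sizeof GOOD_REC, t, sizeof t) == PARSE_OK
           && strcmp(t, "Mario Kart 7") == 0;
}

int checked_rejects_evil(void)
{
    char t[TITLE_MAX];
    return parse_title_checked(EVIL_REC, sizeof EVIL_REC, t, sizeof t);
}

/* Internally consistent record (length matches payload) that is simply
 * too long for the 32-byte destination. */
int checked_rejects_long(void)
{
    uint8_t rec[2 + 40];
    rec[0] = 0x00;
    rec[1] = 40;
    memset(rec + 2, 'B', 40);
    char t[TITLE_MAX];
    return parse_title_checked(rec, sizeof rec, t, sizeof t);
}

int trusting_accepts_good(void)
{
    char t[TITLE_MAX];
    return parse_title_trusting(GOOD_REC, sizeof GOOD_REC, t) == PARSE_OK
           && strcmp(t, "Mario Kart 7") == 0;
}

int main(void)
{
    printf("checked, good record:    %s\n", checked_accepts_good() ? "accepted" : "rejected");
    printf("checked, bogus length:   %d\n", checked_rejects_evil());   /* -1 */
    printf("checked, oversized text: %d\n", checked_rejects_long());   /* -2 */
    printf("trusting, good record:   %s\n", trusting_accepts_good() ? "accepted" : "rejected");
    return 0;
}
```

Both parsers behave identically on a well-formed record, which is why this class of bug survives testing; only the hostile records separate them. The second half of Foxi4's point, that the overflowed data would land in memory the CPU will not execute from, is a property of the platform's memory protection rather than of the parser, and a length check like the one above is what keeps the corruption from happening in the first place.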