Hacking [Release] 3DSafe: In-NAND PIN lock for 3DS

BARNWEY

> Now we just need a luma CFW updated that will also replace "emergency.bin" in CTRNAND
You need the latest nightly, you can download it from Luma3dsUpdater/StarUpdater. Then you can copy it directly to the nand using gm9/FBI/3dsafe as emergency.bin (located in /3dsafe/emergency.bin). You may then configure it from there, if you need help you can ask on the thread and someone should reply (I usually reply quickly).

--------------------- MERGED ---------------------------

So I noticed on my O3DS that in order to run luma from the nand, I need path.txt both on the sd card and in CTRNAND. Has anyone else noticed this? Otherwise when rebooting (reboot hook), an arm9 error occurs. Not an arm11 error, ARM9 :wtf:
 

Naked_Snake

> You need the latest nightly, you can download it from Luma3dsUpdater/StarUpdater. Then you can copy it directly to the nand using gm9/FBI/3dsafe as emergency.bin (located in /3dsafe/emergency.bin). You may then configure it from there, if you need help you can ask on the thread and someone should reply (I usually reply quickly).
>
> --------------------- MERGED ---------------------------
>
> So I noticed on my O3DS that in order to run luma from the nand, I need path.txt both on the sd card and in CTRNAND. Has anyone else noticed this? Otherwise when rebooting (reboot hook), an arm9 error occurs. Not an arm11 error, ARM9 :wtf:

No, I copied my path.txt to where you said and everything went smoothly, although I'm running a n3ds sis non xl. And yeah, I know about the nightly builds; I'm just saying a homebrew to implement it automatically to ctrnand would be awesome instead of manually copying it over.
 

BARNWEY

> No, I copied my path.txt to where you said and everything went smoothly, although I'm running a n3ds sis non xl. And yeah, I know about the nightly builds; I'm just saying a homebrew to implement it automatically to ctrnand would be awesome instead of manually copying it over.
I see now, the way you originally worded it sounded like you were talking about the nightly builds. Sorry for misunderstanding.
 

BARNWEY

So I found out something. If you have your sd in and luma is installed to the nand, it will read from the sd no matter what. It will not read your nand luma folder if the sd is in, meaning if everything is on your nand, you need to transfer it to your sd as well. The nand luma folder is only used when there's no sd.
 

mashers

OP
IMPORTANT: PLEASE UPDATE TO 3DSAFE 0.12
A bug was identified in 3DSafe 0.11 which caused the SHA dumping to dump the same data for all consoles, and this data was NOT the OTP hash. This meant not only that any sha.bin would work on any console, but also that sha.bin could not be generated by manually hashing otp.bin. This has now been fixed along with a few other changes. Please delete any copies of sha.bin you have from previous versions of 3DSafe and re-dump it from 3DSafe 0.12.
  • SHA bypass dump now dumps the correct hash
  • PIN can now be bypassed with either dumped sha.bin, or the console's OTP (just put either the dumped sha.bin or otp.bin in the root of the SD card)
  • PIN entry screen no longer displays underscores for empty character positions (to make it harder to guess the PIN from its length)
  • The PIN is now cleared after installing a payload using the built-in SafeA9LHInstaller. You will be prompted to set a new PIN after rebooting. This avoids possible future problems with reading PIN files should the format differ between versions.

@gamesquest1 @metroid maniac @ghostpotato @Skyshadow101
Would you mind testing with this version and let me know if the bypass works on your consoles? I want to ensure it works on as many regions and console types as possible.

--------------------- MERGED ---------------------------

Sorry, the 0.12 release archive on GitHub was missing the 3dsafe folder for the images. I've uploaded a new archive now. You will need to re-copy this folder when updating to 0.12 as there are some changes and additions to the graphics. Don't forget to back up your lost.bin if you have one before replacing the folder.
 

metroid maniac

Bypass works with a real otp.bin or sha.bin.
Bypass fails with nonsense otp.bin and sha.bin.

Also just for certainty's sake I took my otp.bin and hashed the first 0x90 bytes with sha256. It matches the new sha.bin exactly.

As always, I'm using a EUR 2DS.

Minor note - there's still no prompt in the 3DSafe menu that says L dumps your sha.bin. I'm not sure if this is an intentional decision or not. I'm not using graphical mode.
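
The check described in the post above (SHA-256 over the first 0x90 bytes of otp.bin compared with the dumped sha.bin), as an added example that is not part of the thread or of 3DSafe's code. File names follow the thread; the function names and sample bytes are constructed for illustration.

```python
import hashlib
import hmac
from pathlib import Path

OTP_HASHED_LEN = 0x90   # per the thread: sha.bin == SHA-256(otp.bin[:0x90])
SHA256_LEN = 32


def expected_sha(otp: bytes) -> bytes:
    """Return the digest a correct sha.bin should contain for this OTP dump."""
    if len(otp) < OTP_HASHED_LEN:
        raise ValueError(f"otp.bin too short: {len(otp)} < {OTP_HASHED_LEN} bytes")
    return hashlib.sha256(otp[:OTP_HASHED_LEN]).digest()


def check_dump(otp: bytes, sha: bytes) -> str:
    """Classify a sha.bin against the console's own otp.bin."""
    if len(sha) != SHA256_LEN:
        return "malformed"              # not a 32-byte SHA-256 digest
    if hmac.compare_digest(sha, expected_sha(otp)):
        return "ok"
    return "mismatch"                   # e.g. a 0.11 dump or another console's file


def shared_dumps(dumps: dict) -> list:
    """Group console labels whose sha.bin is byte-identical (the 0.11 symptom)."""
    by_digest = {}
    for label, sha in dumps.items():
        by_digest.setdefault(sha, []).append(label)
    return [sorted(labels) for labels in by_digest.values() if len(labels) > 1]


def check_files(otp_path: str, sha_path: str) -> str:
    """Same check, reading the two files from disk."""
    return check_dump(Path(otp_path).read_bytes(), Path(sha_path).read_bytes())


if __name__ == "__main__":
    # Constructed sample data, not real console dumps.
    otp_a = bytes(range(256))
    otp_b = bytes(reversed(range(256)))
    good = expected_sha(otp_a)
    stale = b"\x11" * 32                # stands in for a console-independent dump
    print(check_dump(otp_a, good))
    print(check_dump(otp_b, good))
    print(shared_dumps({"console A": stale, "console B": stale, "console C": good}))
```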
 

mashers

OP
> Bypass works with a real otp.bin or sha.bin.
> Bypass fails with nonsense otp.bin and sha.bin.
>
> Also just for certainty's sake I took my otp.bin and hashed the first 0x90 bytes with sha256. It matches the new sha.bin exactly.
>
> As always, I'm using a EUR 2DS.
>
> Minor note - there's still no prompt in the 3DSafe menu that says L dumps your sha.bin. I'm not sure if this is an intentional decision or not. I'm not using graphical mode.
Thanks buddy! I really appreciate you taking the time to confirm not only that the real OTP and sha work, but that the garbage ones don't and that the sha.bin matches the OTP hash. Legend!

As for the missing txt on the menu, no that's not intentional. I'll add it now and it'll be in the next update (which I think will be 1.0).
 

gamesquest1

> IMPORTANT: PLEASE UPDATE TO 3DSAFE 0.12
> A bug was identified in 3DSafe 0.11 which caused the SHA dumping to dump the same data for all consoles, and this data was NOT the OTP hash. This meant not only that any sha.bin would work on any console, but also that sha.bin could not be generated by manually hashing otp.bin. This has now been fixed along with a few other changes. Please delete any copies of sha.bin you have from previous versions of 3DSafe and re-dump it from 3DSafe 0.12.
>   • SHA bypass dump now dumps the correct hash
>   • PIN can now be bypassed with either dumped sha.bin, or the console's OTP (just put either the dumped sha.bin or otp.bin in the root of the SD card)
>   • PIN entry screen no longer displays underscores for empty character positions (to make it harder to guess the PIN from its length)
>   • The PIN is now cleared after installing a payload using the built-in SafeA9LHInstaller. You will be prompted to set a new PIN after rebooting. This avoids possible future problems with reading PIN files should the format differ between versions.
>
> @gamesquest1 @metroid maniac @ghostpotato @Skyshadow101
> Would you mind testing with this version and let me know if the bypass works on your consoles? I want to ensure it works on as many regions and console types as possible.
>
> --------------------- MERGED ---------------------------
>
> Sorry, the 0.12 release archive on GitHub was missing the 3dsafe folder for the images. I've uploaded a new archive now. You will need to re-copy this folder when updating to 0.12 as there are some changes and additions to the graphics. Don't forget to back up your lost.bin if you have one before replacing the folder.
working fine here, sha dump worked, one note is that with this
> PIN entry screen no longer displays underscores for empty character positions (to make it harder to guess the PIN from its length)
its purpose is kinda defeated by the fact that you can only enter the correct number of inputs required anyway
 

mashers

OP
> working fine here, sha dump worked,
Thanks mate!

> one note is that with this
> > PIN entry screen no longer displays underscores for empty character positions (to make it harder to guess the PIN from its length)
> its purpose is kinda defeated by the fact that you can only enter the correct number of inputs required anyway
Can you elaborate please? I don't understand what you mean.
 

gamesquest1

> Thanks mate!
>
> Can you elaborate please? I don't understand what you mean.
well if i make a 4 button pin then the screen will only indicate it's wrong upon entering 4 buttons, so it would be easy to determine that i would be looking for a 4 button combo, just as easy as if it had the dashes at the bottom of the screen still, as i cannot enter less than 4 buttons as it will always just wait until 4 have been entered and i can't enter more than 4 as it immediately jumps to failed once i enter 4

again no biggie, it just means i can't use a 2 button pin and avoid it not being really obvious that they only have to try 2 button combos

might be an idea to just add like a 1-2 second delay before accepting a pin and allowing people to enter more than the current number of buttons so it's not so easy to figure out the length of the pin, or requiring the start button once you want to enter the pin so people can enter any valid number of buttons thus making the length non deterministic
 

mashers

OP
> well if i make a 4 button pin then the screen will only indicate it's wrong upon entering 4 buttons, so it would be easy to determine that i would be looking for a 4 button combo, just as easy as if it had the dashes at the bottom of the screen still, as i cannot enter less than 4 buttons as it will always just wait until 4 have been entered and i can't enter more than 4 as it immediately jumps to failed once i enter 4
>
> again no biggie, it just means i can't use a 2 button pin and avoid it not being really obvious that they only have to try 2 button combos
>
> might be an idea to just add like a 1-2 second delay before accepting a pin and allowing people to enter more than the current number of buttons so it's not so easy to figure out the length of the pin, or requiring the start button once you want to enter the pin so people can enter any valid number of buttons thus making the length non deterministic
Ahhhhh, this is a bug! It shouldn't do that. It should only stop allowing you to enter characters if what you enter matches the PIN, or if you enter 10 or more characters. I've just tested it myself with a 6-character PIN and you're right - it fails after entering six characters (not 10) if you enter it wrong.

Thanks for the heads-up!
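
The entry behaviour discussed in the last few posts, as an added example (a model written for this page, not 3DSafe's code): the first function judges an attempt once as many buttons as the PIN has are entered, the second follows the rule described above (stop only on a match or at 10 characters). The button alphabet, function names and sample PINs are assumptions.

```python
MAX_PIN_LEN = 10          # per the thread: entry stops at 10 characters
BUTTONS = "ABXYUDLR"      # assumed button alphabet, for illustration only


def entry_observed(pin, presses):
    """Reported behaviour: the attempt is judged once len(pin) buttons are in."""
    entered = ""
    for n, button in enumerate(presses, start=1):
        entered += button
        if len(entered) == len(pin):
            return ("unlocked" if entered == pin else "failed", n)
    return ("waiting", len(presses))


def entry_intended(pin, presses):
    """Intended behaviour: stop only on a match or at MAX_PIN_LEN buttons."""
    entered = ""
    for n, button in enumerate(presses, start=1):
        entered += button
        if entered == pin:
            return ("unlocked", n)
        if len(entered) >= MAX_PIN_LEN:
            return ("failed", n)
    return ("waiting", len(presses))


def presses_until_failure(entry, pin):
    """How many presses the lock screen accepts before it shows 'failed'."""
    wrong = next(b for b in BUTTONS if b != pin[0])   # can never start a match
    result, n = entry(pin, wrong * MAX_PIN_LEN)
    if result != "failed":
        raise AssertionError("a run of wrong buttons must be rejected")
    return n


def length_leak(entry, pins):
    """Map each PIN length to the failure point an onlooker would observe."""
    return {len(p): presses_until_failure(entry, p) for p in pins}


if __name__ == "__main__":
    pins = ["AB", "ABXY", "UDLRAB"]           # constructed sample PINs
    print("observed:", length_leak(entry_observed, pins))
    print("intended:", length_leak(entry_intended, pins))
```

In the first model the failure point equals the PIN length, which is the leak reported above; in the second it is the same for every PIN length.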
 

RemixDeluxe

Unfortunately I don't see any way to implement some sort of pass code retrieval without the thief having the same advantages. Assuming the thief has the same integral knowledge of the homebrew scene, what is to stop them from pretending they are the true owner of the 3ds and doing whatever to get the pin unlocked?

I agree with what most people said and to just save the pin somewhere safe on your PC or phone where you can access it readily.
 

mashers

OP
> Unfortunately I don't see any way to implement some sort of pass code retrieval without the thief having the same advantages. Assuming the thief has the same integral knowledge of the homebrew scene, what is to stop them from pretending they are the true owner of the 3ds and doing whatever to get the pin unlocked?
The only way to bypass it without either the otp.bin or the otp hash is by hardmodding, dumping the NAND, hex editing some stuff in the NAND, and then writing it back. And the chances of a person with those skills stealing your 3DS are pretty low. The average thief would give the PIN a few tries and then give up. They might perhaps try removing the SD card if they've used a 3DS before, but that won't help since the PIN is stored in the NAND.
 

gamesquest1

> The only way to bypass it without either the otp.bin or the otp hash is by hardmodding, dumping the NAND, hex editing some stuff in the NAND, and then writing it back. And the chances of a person with those skills stealing your 3DS are pretty low. The average thief would give the PIN a few tries and then give up. They might perhaps try removing the SD card if they've used a 3DS before, but that won't help since the PIN is stored in the NAND.
*get your bypasses here!!* ;)

nah i doubt you would hear about it if someone did steal a 3ds with this on, it would more than likely end up on ebay with "i forgot my password honest :ph34r:hurrrdurrr"
 

mashers

OP
> *get your bypasses here!!* ;)
Oooh I've just opened up a gap in the market for you. You're welcome :P

> nah i doubt you would hear about it if someone did steal a 3ds with this on, it would more than likely end up on ebay with "i forgot my password honest :ph34r:hurrrdurrr"
Yeah probably. Also, if the owner created a lost.bin then it would have their real contact details. That way even if somebody posted here saying that they forgot their PIN, they might be exposed if somebody in the know asked for a photo of the screen (which would show the contact details for the real owner).
 

ghostpotato

> IMPORTANT: PLEASE UPDATE TO 3DSAFE 0.12
> A bug was identified in 3DSafe 0.11 which caused the SHA dumping to dump the same data for all consoles, and this data was NOT the OTP hash. This meant not only that any sha.bin would work on any console, but also that sha.bin could not be generated by manually hashing otp.bin. This has now been fixed along with a few other changes. Please delete any copies of sha.bin you have from previous versions of 3DSafe and re-dump it from 3DSafe 0.12.
>   • SHA bypass dump now dumps the correct hash
>   • PIN can now be bypassed with either dumped sha.bin, or the console's OTP (just put either the dumped sha.bin or otp.bin in the root of the SD card)
>   • PIN entry screen no longer displays underscores for empty character positions (to make it harder to guess the PIN from its length)
>   • The PIN is now cleared after installing a payload using the built-in SafeA9LHInstaller. You will be prompted to set a new PIN after rebooting. This avoids possible future problems with reading PIN files should the format differ between versions.
>
> @gamesquest1 @metroid maniac @ghostpotato @Skyshadow101
> Would you mind testing with this version and let me know if the bypass works on your consoles? I want to ensure it works on as many regions and console types as possible.
>
> --------------------- MERGED ---------------------------
>
> Sorry, the 0.12 release archive on GitHub was missing the 3dsafe folder for the images. I've uploaded a new archive now. You will need to re-copy this folder when updating to 0.12 as there are some changes and additions to the graphics. Don't forget to back up your lost.bin if you have one before replacing the folder.

Sure! I'll do this today.
 

Posghetti

> IMPORTANT: PLEASE UPDATE TO 3DSAFE 0.12
> A bug was identified in 3DSafe 0.11 which caused the SHA dumping to dump the same data for all consoles, and this data was NOT the OTP hash. This meant not only that any sha.bin would work on any console, but also that sha.bin could not be generated by manually hashing otp.bin. This has now been fixed along with a few other changes. Please delete any copies of sha.bin you have from previous versions of 3DSafe and re-dump it from 3DSafe 0.12.
>   • SHA bypass dump now dumps the correct hash
>   • PIN can now be bypassed with either dumped sha.bin, or the console's OTP (just put either the dumped sha.bin or otp.bin in the root of the SD card)
>   • PIN entry screen no longer displays underscores for empty character positions (to make it harder to guess the PIN from its length)
>   • The PIN is now cleared after installing a payload using the built-in SafeA9LHInstaller. You will be prompted to set a new PIN after rebooting. This avoids possible future problems with reading PIN files should the format differ between versions.
>
> @gamesquest1 @metroid maniac @ghostpotato @Skyshadow101
> Would you mind testing with this version and let me know if the bypass works on your consoles? I want to ensure it works on as many regions and console types as possible.
>
> --------------------- MERGED ---------------------------
>
> Sorry, the 0.12 release archive on GitHub was missing the 3dsafe folder for the images. I've uploaded a new archive now. You will need to re-copy this folder when updating to 0.12 as there are some changes and additions to the graphics. Don't forget to back up your lost.bin if you have one before replacing the folder.

I can confirm that the old SHA.bin dumps don't bypass anymore on my JAP (N3DS) and USA (N3DS, O3DS)
 
