
How a Terrible Game Cracked the 3DS's Security - Early Days of 3DS Hacking

Feb 27, 2020
Whenever Nintendo releases a new console, hackers are usually not far behind, and the 3DS is no exception. As with their previous consoles, it became a major target the moment it was released in early 2011, but after learning from their failed attempts to protect the Wii, Nintendo substantially improved the security of its new handheld, leading to a huge back-and-forth fight not only between Nintendo and the hackers, but also between the hackers themselves, something that, in all honesty, I'm very excited to talk about today. So without further ado, welcome to Tech Rules.

The 3DS hacking story has a pretty unique and frankly quite early start. We're talking shortly after the initial release, thanks to the 3DS's compatibility with games from the original Nintendo DS. The DS had already been conquered by hackers a long time ago in the form of flash carts that could run retail game backups and, of course, awesome homebrew apps created by the hacker community. So having custom code running on the system was cool and all, but what did that mean for the rest of the system?

Well, not much, and the reason for this is how the 3DS handles these DS carts in the first place. Due to some similarities between the hardware of the two devices, the 3DS can actually set up a virtual DS to run the game. It's not emulation, it's more of a DS built into your 3DS; we'll call it DS mode. While the way it's set up provides almost perfect compatibility with DS games, there's not much we can do with it. You can gain control of DS mode, but your code runs within the limits of DS mode, and from inside this virtual box there is no way to access any of the 3DS-specific parts of the system. But hey, you still had all your favorite DS games on one cart, ROM hacks, cheats and a lot of cool homebrew that was created for the DS.

We're talking about emulators, lots of custom games, useful tools, and versions of classics like Lemmings and Doom. It was certainly better than nothing. It was around this time that Nintendo was passively trying to block these flash carts, but their half-hearted attempts were easily circumvented by a flash cart update from the companies that made them, and while doing so, they made sure to advertise that their flash carts worked with a 3DS. Although they seem to have made it look like they run 3DS games, haven't they? They're not lying, I assume their carts do work with a 3DS, but you know exactly what they were trying to imply with this. Of course, this doesn't mean progress wasn't being made on the 3DS front, but as with any recently released system, hackers were nowhere near gaining enough understanding and control of the 3DS to run homebrew. Being able to take control of the system is a goal that is usually only achieved much later, often near the end of the system's life, and installation usually requires a painstakingly complicated process or direct modifications to the hardware itself. But it only took two years for something to happen to the 3DS.
In late 2013 a company called Gateway released a flash cart that not only worked on the latest version of the 3DS, but also played backups of 3DS games without any tricks or hardware modifications. It just worked, and this led to an interesting conflict. Look, I already mentioned the driving force behind the hacking community when it comes to hacking a game system. Their main interest is a powerful device that they have full access to, whether for creating their own games, for useful homebrew or for modifying existing games. But there is another very present driving force that persists with each new console release: you guessed it, piracy. This group of people is not just made up of hackers and enthusiasts, but of hundreds of thousands of pirates whose motives range from those who like to try before they buy or live in a country where games are expensive, to those who refuse to pay even a penny for video games. An extremely small number of them are actually computer scientists, and while they care about the progress of hacking devices, it's usually only because they want free games. This creates a bit of a conflict of interest, because while hacking enables piracy, most people who hack game systems are against it. Enabling it is not their goal, and sometimes they will take drastic measures to ensure it doesn't happen as a result of their work. In general this meant that, at least in this console generation, homebrew paved the way for piracy, and piracy only eventually happened as a result of that work. That's what made this situation so interesting.
Gateway's main goal was to enable piracy, and they were not shy about it. In fact, Gateway managed to do almost nothing for the homebrew community; despite its ability to run official games, running homebrew on it was basically impossible. It was a situation where piracy was leading the hacking scene and Gateway was reaping all the profits, and as you've probably guessed, they couldn't be less interested in advancing the hacking scene. According to some numbers analyzed by wololo.net, they ended up making millions of dollars in their prime. Needless to say, they didn't want anyone to find out how it worked, so let's talk a little about how it worked.
The Gateway actually came with not one but two cards, one red and one blue. The only purpose of the blue cart was to let you start the red card, which did all the real work. So what's the secret? The blue cart is actually just a regular Nintendo DS flash cart doing something clever. I said before that there was no way to alter the 3DS from DS mode, and while that is somewhat true, there are a few ways that they still communicate directly with each other. One of them is the DS profile, which consists of your name and a message used when playing online. Normally you would change this in the DS settings menu, but obviously the 3DS doesn't have one; instead you fill out this information in the 3DS settings app and the 3DS changes it accordingly for DS mode.
This is where the exploit Gateway used comes into play, since taking control of DS mode is trivially easy. The blue card does something a bit devious here: it changes the DS profile information to an extremely long set of characters. If someone then went to the DS profile settings, the 3DS would retrieve that long string and essentially overload itself with information, and from this vulnerable state it can be made to run custom code, for example code to run an unauthorized 3DS cart. This might make some of you think: well, if people figured out how it works, why not use the same method to run homebrew?
Simply put, the mset exploit is something we'll call an entry point, and although finding an entry point is the door to executing unauthorized code, that's literally all it is: the door. From here you need to investigate and discover other oversights in the system's programming to achieve your goal, which is called an exploit chain. In fact, people already knew of this exploit before Gateway started using it, and while it was a great entry point, the rest of the Gateway code wasn't very useful for making homebrew actually work very well. Of course, the thing about the 3DS and almost all the systems that appeared at this time is that they receive frequent firmware updates over the Internet, so it's no surprise that the exploit was eventually fixed in a firmware update a few months later, rendering the Gateway unusable. This put Gateway users in a situation where they could either update and lose access to the Gateway, or stay on their current firmware and lose access to the eShop and basically all of Nintendo's online services. Gateway's solution for this problem was simple: they released an update to their carts that added a new feature providing the option to copy your whole firmware to your SD card and run it from there. This is called emuNAND, short for emulated NAND.
The idea is that users could keep their system NAND on the old firmware that the Gateway could use, and keep the emuNAND on their SD card on the newer version for online services. That's right, it was literally dual-booting a 3DS. This was going to be Gateway's strategy while they hoped to find a new entry point they could take advantage of, but that doesn't mean everything was going perfectly for Gateway. They had new competition to deal with in the form of clones. Numerous Gateway clones were being released using their code and methods, and Gateway, proudly for-profit as you know, was not very happy with this loss of revenue. The way they decided to address this problem was, let's say, aggressive. The release notes for their new update stated that they had added many stability improvements, which is apparently Gateway-speak for malicious code. The code in question looks for changes in the software, and if any are found, it assumes the card it is running on is a clone and self-destructs. It doesn't just kill the cart, it bricks the entire system running the card, rendering it unusable. When understandably angry owners of bricked 3DSs confronted Gateway, they blamed defective hardware from their competitors.
Obviously this goes far beyond simply protecting your code, this is straight-up sabotage. If they could force all clone carts to destroy 3DSs, the reputation of the clones would plummet and Gateway would once again be the only safe and reliable method to run 3DS backups. Well, it would have been, if their awesome code hadn't also triggered on the real Gateway cards. Yes, not even the rightful owners were safe from Gateway's bloodthirsty attack. Anyway, the hackers finally took a look at the code and confirmed that yes, the bricks were very much intentional. The final result of this chaos was countless bricked systems and a Gateway that promised to fix whatever systems its legitimate cards ruined.
I'd like to say this ruined their company, but I'm not sure it did; they were basically shooting themselves in the foot, but what could be done about it? You had to use Gateway whether you liked it or not, their flash carts were the only really exciting thing going on in the hacking scene at the time, not to mention the only way to play ROM hacks or even play games from outside your region. However, it soon turned out that this wouldn't be true for much longer. A few months later, at the end of March 2014, a talented hacker and programmer named smea updated his blog talking about a new exploit he discovered called SSSpwn.
Not only would this exploit provide access to real homebrew, but it would also work on the latest firmware. smea had a big, extremely useful unpatched exploit, so it's understandable that he wanted to be careful with how he used it. If he were to release this exploit at any time, Nintendo would patch it immediately and it would never work again; the longer he kept it, the more versions of firmware it would work on. On top of that, any exploit that enables homebrew will eventually also enable piracy. Interestingly, however, the blog post actually mentions that this exploit cannot by itself enable piracy, which means that while piracy remained highly likely, it wasn't inevitable with this exploit; it would take more than just the exploit to achieve that.
Makes you wonder how smea would have handled the exploit if that weren't the case. Anyway, the post went on to say that while he was not ready to publish it, he still wanted to get it to trusted homebrew developers who would help create a successful release for the exploit. In the end everything went smoothly and smea tweeted that the homebrew loader was almost ready for release and that you would need a specific game to use it. However, he didn't reveal what game it was yet, most likely out of fear that resellers would buy up the game and sell it at ridiculous prices.
I say this because there was actually no fear that the exploit could be fixed without a system update; the company that created the game had already closed and a patch was unlikely to be implemented. Unfortunately, Nintendo managed to stop the release of the exploit and the loader in time, but not in the way you might think. During a Japanese Nintendo Direct presentation in August 2014, Nintendo announced that in a few months it would launch a new 3DS model called, well, the New Nintendo 3DS, with more buttons, amiibo compatibility and various hardware updates, leading smea to keep the exploit around for a bit longer. The reason was pretty obvious: if the exploit had been released on time, Nintendo would have had plenty of time to make sure it didn't work on their new 3DS.
The only way to ensure that the new model was hackable was to delay the exploit a bit. Of course, this was met with backlash from the community, and smea said that he was sorry but he didn't want to make any rash decisions. Time passed, the New 3DS came out in Japan and the exploit was confirmed to work on it in November. smea was set for release once again, and he finally revealed the game that would be used as the entry point. Cubic Ninja was certainly an interesting game, where you move the ninja by tilting your 3DS, but it may not have been exactly good, judging by its poor critical reception and general unpopularity.
It was quite easy to find this game for under 10 dollars, making it a great and accessible entry point for SSSpwn, or as it's now called, ninjhax. Within a few hours everyone had started buying Cubic Ninja and the popularity of the game skyrocketed on shopping sites. Copies were selling out left and right, and the ones still in stock were going for incredible prices. Before the day was over, Cubic Ninja was making it onto the best-selling 3DS game lists around the world. It wasn't long before the game was almost impossible to find and the Japanese digital version was removed from the eShop. And in case you were wondering, yes, Gateway users were able to pirate the game perfectly and take advantage of the exploit, that is, if you were lucky enough to still be on a firmware version that supported it.
The point of ninjhax was pretty straightforward. This may surprise you, but this poorly received 3DS game didn't exactly have the best programming. Cubic Ninja featured a mode where you could design your own levels and have others play them. The chunks of data that make up these custom levels are supposed to be a certain size, but the game never checks that they're actually the right size. There's nothing stopping you from taking a custom level and adding as much extra data to these chunks as you want, and if you add more than the game can handle, well, that's your entry point. The release of ninjhax was a milestone for 3DS hacking: not only was ninjhax the first exploit that made homebrew possible, it worked on every 3DS with the latest firmware. The real hacking scene was taking off, and the iron grip Gateway had over the 3DS was gone, or at least waning. As smea promised, the nature of the exploit that was used made piracy virtually impossible, and since the exploit had just been released, it would be a while before many impressive homebrew apps started appearing. Until then, cards still had the upper hand. Speaking of cards, it's worth mentioning that a pretty impressive one was released during all of this ninjhax hype: Sky3DS. The difference between Gateway and this new flash cart was their approach to running backups. Gateway relied on exploits to run unauthorized games.
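The missing size check described above for Cubic Ninja's custom level chunks (the same oversight as the oversized DS profile string earlier) is shown below in C as an added example; it is not code from the video or from the game, the chunk layout, tags and field capacities are assumptions, and the sample levels are constructed.

```c
/* Added example, not the game's or Nintendo's code: a chunked custom-level
 * format parsed with and without length checks. Cubic Ninja's real layout is
 * not on the page; tags, layout and capacities below are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NAME_CAP  16                     /* assumed capacity of the name field  */
#define TILES_CAP 64                     /* assumed capacity of the tile field  */
enum { TAG_NAME = 1, TAG_TILES = 2 };    /* assumed chunk tags                  */

typedef struct { uint8_t name[NAME_CAP], tiles[TILES_CAP]; size_t name_len, tiles_len; } level_t;

typedef enum { LEVEL_OK = 0, LEVEL_ERR_TRUNCATED,   /* header/payload past input end   */
               LEVEL_ERR_OVERSIZED,                 /* length exceeds field capacity   */
               LEVEL_ERR_UNKNOWN_TAG } level_status_t;

/* Chunk layout (assumed): 1-byte tag, 2-byte little-endian length, payload. */
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* BEFORE: trusts the declared length, the oversight the video describes. A chunk
 * longer than its field copies past the field's end. Comparison only; never
 * run it on untrusted data. */
void parse_level_unchecked(level_t *lv, const uint8_t *buf, size_t n)
{
    for (size_t off = 0; off + 3 <= n; ) {
        uint8_t tag = buf[off]; uint16_t len = rd16le(buf + off + 1);
        if (tag == TAG_NAME)  { memcpy(lv->name,  buf + off + 3, len); lv->name_len  = len; }
        if (tag == TAG_TILES) { memcpy(lv->tiles, buf + off + 3, len); lv->tiles_len = len; }
        off += 3 + len;                      /* no check that len bytes even exist */
    }
}

/* AFTER: each declared length is checked against the bytes actually present and
 * against the destination's capacity before anything is copied. */
level_status_t parse_level_checked(level_t *lv, const uint8_t *buf, size_t n)
{
    size_t off = 0;
    memset(lv, 0, sizeof *lv);
    while (off < n) {
        if (n - off < 3) return LEVEL_ERR_TRUNCATED;          /* no room for a header */
        uint8_t tag = buf[off]; uint16_t len = rd16le(buf + off + 1);
        const uint8_t *payload = buf + off + 3;
        if (len > n - off - 3) return LEVEL_ERR_TRUNCATED;    /* payload past input   */
        switch (tag) {
        case TAG_NAME:
            if (len > NAME_CAP) return LEVEL_ERR_OVERSIZED;
            memcpy(lv->name, payload, len);  lv->name_len = len;  break;
        case TAG_TILES:
            if (len > TILES_CAP) return LEVEL_ERR_OVERSIZED;
            memcpy(lv->tiles, payload, len); lv->tiles_len = len; break;
        default:
            return LEVEL_ERR_UNKNOWN_TAG;                     /* reject, don't skip   */
        }
        off += 3 + len;
    }
    return LEVEL_OK;
}

/* Parse into a scratch level and report only the status. */
level_status_t check_level(const uint8_t *buf, size_t n)
{
    level_t lv;
    return parse_level_checked(&lv, buf, n);
}

/* Constructed sample levels. */
static const uint8_t good_level[] = { TAG_NAME, 5, 0, 'C','u','b','i','c',
                                      TAG_TILES, 4, 0, 1, 2, 3, 4 };
/* Declares 200 tile bytes but only 4 follow: rejected as truncated. */
static const uint8_t truncated_level[] = { TAG_TILES, 200, 0, 1, 2, 3, 4 };
/* Declares and supplies a 20-byte name for a 16-byte field: rejected as
 * oversized, where the unchecked parser would write past name[]. */
static const uint8_t oversized_level[] = { TAG_NAME, 20, 0,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A' };
```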
Sky3DS's chosen method, on the other hand, was to replicate a legitimate game card, allowing it to run on virtually any firmware. The card itself had a red button to change games: you pressed this button and the Sky3DS switched to the next game loaded on the cart. This backup-loading method had problems, though. The main one was that it had to deal with the same restrictions as a real 3DS cart: any tampering with the game would no longer get past the 3DS, which meant no ROM hacks, no cheats, no games from outside your region. For those reasons it was best to have an exploit-based card whenever your system could still run one. Did I mention that the card had this weird restriction where it could only play 10 games? And to be clear, I don't mean 10 games at a time, but 10 games total.
Sky3DS keeps track of the games you have played on it, and once you've reached 10, it refuses to let you play more. You want to play more games? Buy another cart. Naturally this arbitrary limitation didn't go down well with the community, and after some negative reception, lo and behold, a new version came out. This one had a blue button, which was apparently the sign that the cart didn't have the stupid ten-game limitation. Anyway, time passed and 2014 concluded with a big step forward towards a more open and robust hacking scene for the 3DS. Gateway, still decently relevant at this point, started its new year by releasing a new update for their flash carts called Gateway Ultra. Yes, I forgot to mention that Gateway likes to name their version updates from time to time; for some reason the last version was Omega. I guess it's a marketing thing, I don't know. So what was Ultra over Gateway? Long story short, they had an exploit for 9.2 that didn't require a game like ninjhax did, and that was cool, but it would have been even better if the latest firmware at the time wasn't 9.4. But trust me, it was.
That didn't stop them from doing everything they could to protect their exploit: the code itself was heavily encrypted and obfuscated, and a good portion of the code was just useless garbage designed to make reverse engineering even more difficult. This is where Yifan Lu comes in, a name that may sound familiar to those of you who followed the Vita hacking scene, where he was an active hacker and eventually became part of Team Molecule. But I guess he was looking for a change of pace, because this time he was examining a 3DS exploit.
Not only did he completely reverse engineer it, but he also wrote a really good article on it, which is a pretty impressive change of pace, don't you think? In case you were wondering, this time the entry point exploited a known vulnerability in a browser engine, specifically WebKit. Most big-name browsers like Chrome and Safari had already fixed it by that time, but I guess Nintendo hadn't yet. More importantly though, the whole exploit chain contained very useful information that helped the hacking scene quite a bit, so thanks, Gateway Ultra. It wasn't long after these findings that rxTools was released, a series of very useful, albeit old-3DS-only, tools created by GBAtemp user Roxas75.
The main feature of Roxas75's rxTools was that it could give you access to Gateway's emuNAND solution without the need for an actual Gateway cart. Basically you could keep your 3DS on 9.2 for homebrew access and still be able to boot into the latest firmware on your SD card. However, rxTools didn't have its own way to easily run homebrew. To do this, your custom firmware would have needed to do something about signature checks. This part is a little complicated, but I'll do my best to keep it simple. In this context, a signature is something that your 3DS checks when you try to run games and applications; if it's not there or there is something wrong with it, the application does not run. Each signature is unique to the program it was created for, and it is impossible to create them without the proper tools, tools that unfortunately only Nintendo had. To run your own app directly from the home screen without relying on additional exploits like ninjhax, signature checks would have to be removed completely. However, doing this would create a different problem: piracy. If rxTools removed signature checks, any program could run on the 3DS, including games downloaded from the internet. It's a moral dilemma. I'm sure this would remove the main feature of the Gateway and significantly hurt their piracy-fueled profits, but I'm also sure a good portion of hackers wouldn't want to be responsible for directly enabling a piracy method. And it's not like anyone could create their own version of this custom firmware that did the job either, because rxTools, and by extension its custom firmware rxMode, was closed source. Its source code was not public and Roxas75 did not want unauthorized changes to be made.
That changed a few months later, when someone leaked information about how to patch signature checks on Pastebin, a website designed for general code and text sharing. No one knows who did it, but it probably wasn't meant to be public. This information was quickly put to use in the form of Pasta CFW, the first custom firmware to enable custom apps directly from the home menu, and it was open source to begin with. That being said, it didn't have any of the cool features that rxTools had, which is probably what led to rxTools being reverse engineered and modified to add these exclusive patches. As you might have guessed, Roxas was not happy about this, and it created a lot of drama over the course of a few days.

I'll spare you the details and just say that it ended with Roxas finally making rxTools open source and adding the signature patches himself, and with that Roxas announced his exit from the 3DS hacking scene. He stated that he would not blame himself too much for the mistakes he made, and gave ownership of the rxTools project to the Pasta team as he said goodbye. And there you have it: now there was a custom firmware that ran homebrew and backups without needing to support Gateway or any other flash cart business. At this point there wasn't much room for debate, Gateway was no longer the king of the 3DS scene and homebrew was paving the way once again. That covers pretty much the juicy bits of the early history of the hacking scene. From here there were only improvements, improvements, improvements. For a while 9.2 became the firmware you had to be on to run all this awesome stuff, and methods to downgrade to 9.2 were being created all the time. Eventually arm9loaderhax appeared, and that exploit persisted through system updates, so you could be on the latest firmware while still keeping your hacks, uh, as long as you had a way to get it on there. Then boot9strap was released, which did everything arm9loaderhax did and more; it may or may not also be real witchcraft. They all use a fancy custom firmware called Luma3DS, which by now is as useful as it is easy to use, and all of this can be installed on the latest firmware thanks to Sudoku.
No joke, it's literally possible due to carelessness in DSiWare games like Sudoku. Not only has Nintendo had trouble fixing these hacks, but they seem to have given up completely, even with the releases of new 3DS models. It's pretty safe to say that the 3DS has been blown wide open now, and I hope you enjoyed learning a little about how it happened. But some of you may be wondering what happened to Gateway after all of these developments. Well, after many failed attempts to stay relevant, they announced the release of their new Stargate flash cart, which does much less than the current custom firmware, for about eighty bucks. To be honest I'm not even sure how well it works, because no one bought it.
Frankly, no one cares. Anyway, I have something important to say. There is a chance that this video has inspired some of you to hack your 3DS and check out all the homebrew content it provides, and that's great, but I have a warning: whatever you do, please, please, don't follow a video guide you found on YouTube. Video guides are almost always outdated and usually leave out important details, which adds unnecessary danger to the process. To make it worse, many YouTubers like to, for whatever reason, modify the files used to hack the 3DS even though they don't really know what they are doing. There are great resources like the 3ds.guide website that are complete and up to date; using a video guide only puts your 3DS in unnecessary danger. Anyway, those are the early days of 3DS hacking.
Shout out to the people in the 3DS hacking scene, who generally document their findings pretty well. In fact, I have to give a special thanks to one person in particular named zoogie, who made an extremely helpful timeline on GBAtemp a few years ago; if I had discovered that earlier, this video would have been much less complicated to make. If you have any suggestions for future videos, leave a comment or something, or contact me on Twitter. Also feel free to tell me about any mistakes I made; I'll put the corrections in a pinned comment below. I already have more videos planned, so I hope you'll stay tuned in the future for more Tech Rules.
