Hacking 3DS update process analyzed

Status
Not open for further replies.

Knyaz Vladimir

popoffka said:
I'm going to get my EU 3DS soon, so I could try swapping videos.
Could somebody post some detailed info on how to do it?

We don't know how to do that yet. We might, if we could post the video onto a SD card and play it from there, but that's impossible right now.
 

Xuphor

Better act quickly, that video will be gone at the next firmware update, it says that at the very end.
 

carlitos92jose

Knyaz Vladimir said:
Xuphor said:
Better act quickly, that video will be gone at the next firmware update, it says that at the very end.

Problem: We'll only be able to do that when the May update hits. So, I have a copy saved on my PC for now.
How do you make the copy of the video?
 

Cyan (OP)
popoffka said:
I'm going to get my EU 3DS soon, so I could try swapping videos.
Could somebody post some detailed info on how to do it?
For that we would first need the URL of the US video (nobody posted it yet?), so you can download it to your computer.
Then set up a proxy on your computer (CF3B5 proxy is easy to use and free) to replace the NUS URL for the European video with the file stored on your computer.
Set the console to use a proxy instead of a direct connection to the internet, and point it to your computer's IP (strangely, they use a keyboard instead of numbers).

When you update, instead of receiving the European video, the proxy will serve the local file to the console, which will (should) think it's from NUS.

But, I think you might either:
- have the US channel working fine
- have the US channel not working (region locked)
- brick the 3DS because of region lock?

The video is actually a complete channel instead of a single video to play in a video player, so it should have a region set.


carlitos92jose said:
How do you make the copy of the video?

Check a few pages back; there's a direct link to the European one.
Or check my first post; all 9 European update file URLs are there (you need to append the NUS domain to them).
 

Antoids

Cyan said:
popoffka said:
I'm going to get my EU 3DS soon, so I could try swapping videos.
Could somebody post some detailed info on how to do it?
For that we would first need the URL of the US video (nobody posted it yet?), so you can download it to your computer.
Then set up a proxy on your computer (CF3B5 proxy is easy to use and free) to replace the NUS URL for the European video with the file stored on your computer.
Set the console to use a proxy instead of a direct connection to the internet, and point it to your computer's IP (strangely, they use a keyboard instead of numbers).

But, I think you might either :
- have the US channel working fine
- have the US channel not working (region locked)
- brick the 3DS because of region lock?

The video is actually a complete channel instead of a single video to play in a video player, so it should have a region set.

Is there a way for me to get the url after having already downloaded it? I'd like to help if I can.
 

Cyan

No.

Someone with a USA 3DS not updated yet should check the requested URL using any sort of logs.
It can be a packet sniffer program (what I used) like Ethereal+WinPcap,
or a proxy with URL logging capability (CF3B5 does it, no config needed: leave 0.0.0.0 as the IP, port 8080, and no need to check a console type).
Maybe some router logs?

Then while doing the update, it will log the 9 files for the update.
I'm curious to see the difference in the URLs. Maybe some files are identical.
 

cbutters

Brute force a private key? Let me put it this way: if they used 256-bit encryption, the number of variables is roughly equal to the number of atoms in the universe! Someone brute forced a 64-bit key and it took them 5 years with some heavy duty computers; 256-bit vs 64-bit encryption is a billion trillion (or something to that effect... MUCH MUCH MORE SECURE) times more difficult to bypass. It would take 200 years with all the computers in the world working on it, present and future. Hopefully it is just leaked, or, more plausibly, we find ways around the encryption, tricking the system into accepting unencrypted code....
 

DeadlyFoez

cbutters said:
Brute force a private key? Let me put it this way: if they used 256-bit encryption, the number of variables is roughly equal to the number of atoms in the universe! Someone brute forced a 64-bit key and it took them 5 years with some heavy duty computers; 256-bit vs 64-bit encryption is a billion trillion (or something to that effect... MUCH MUCH MORE SECURE) times more difficult to bypass. It would take 200 years with all the computers in the world working on it, present and future. Hopefully it is just leaked, or, more plausibly, we find ways around the encryption, tricking the system into accepting unencrypted code....
Honestly, you have a horrible understanding of atoms, the universe, and about cryptology. It isn't the amount of variables, it's the amount of possible keys. There actually isn't all that many variables at all in encryption, from a programming standpoint, that is if YOU understand what a variable actually is. And 200 years is really low balling that guesstimate. Brute forcing could possibly take a heck of a lot longer, in theory. That is if you don't get lucky and find the right key within a certain period of time. But usually when people figure the amount of time to bruteforce a key, they figure the amount of time it would take to try every possible key. In reality, no one knows at what point the key would be found. It could be found in five minutes or 500 years.

The 3DS will be cracked. I highly doubt it will take long. I expect a few months at the most. The problem is, people will crack it, but many of them will keep that info to themselves and never publicly release it.
 

Coto

Perhaps some kind of buffer overflow when reading Miis? I know the CPU pins are covered in some kind of glue, besides the RAM. But someone (I don't even have a 3DS) should be able to sniff data sent through RAM while accessing Miis and dump data.

However those units seem pretty expensive now =(

So I say we should find a way to "undo" that glue covering CPU chip.

my 2 cents
 

cbutters

DeadlyFoez said:
cbutters said:
Brute force a private key? Let me put it this way: if they used 256-bit encryption, the number of variables is roughly equal to the number of atoms in the universe! Someone brute forced a 64-bit key and it took them 5 years with some heavy duty computers; 256-bit vs 64-bit encryption is a billion trillion (or something to that effect... MUCH MUCH MORE SECURE) times more difficult to bypass. It would take 200 years with all the computers in the world working on it, present and future. Hopefully it is just leaked, or, more plausibly, we find ways around the encryption, tricking the system into accepting unencrypted code....
Honestly, you have a horrible understanding of atoms, the universe, and about cryptology. It isn't the amount of variables, it's the amount of possible keys. There actually isn't all that many variables at all in encryption, from a programming standpoint, that is if YOU understand what a variable actually is. And 200 years is really low balling that guesstimate. Brute forcing could possibly take a heck of a lot longer, in theory. That is if you don't get lucky and find the right key within a certain period of time. But usually when people figure the amount of time to bruteforce a key, they figure the amount of time it would take to try every possible key. In reality, no one knows at what point the key would be found. It could be found in five minutes or 500 years.

The 3DS will be cracked. I highly doubt it will take long. I expect a few months at the most. The problem is, people will crack it, but many of them will keep that info to themselves and never publicly release it.

As far as the atom statement, I'm just going off of this post: http://www.zdnet.com/blog/ou/is-encryption...y-crackable/204

You have me on the variables, as in reality the number of variables is not a super high number; in reality you only have two values within a bit, a 0 or a 1. I guess what I meant is that the number of possible combinations or keys in a 256-bit key is a very high number (2^256, or about 1.15792 × 10^77).

Yes, you are right, it is possible to brute force a 256-bit key in seconds if the key is
[00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000001]
However, it is not likely that someone would choose a key so simple.

Despite some flaws in terminology, the point of my post is that it would be ridiculous to try to start a group computing effort to try to brute force the private key because it would take an incredible amount of time and resources and would most likely not produce results for centuries or more.
 

Cyan

Instead of doing all the possibilities in the counting order, users usually use a randomly generated key (at best with a log system to prevent doing it twice).


Nobody got the USA update URL yet ?
I don't think it's too complicated, just use the proxy I gave earlier to log the URL while updating.

1) On Windows:
- Download and install CF3B5's proxy (or any other logging-enabled proxy).
- Launch the application and click Start (no settings needed).

2) On the console:
- go to settings > internet settings > connection settings
- select your usual connection (or create a new one if you never put the console online).
- go to proxy > use server: yes > preferences > server: your PC's IP, port: 8080 > ok
- page 2 > automatic identification: no (no identification needed)
Save everything and do a connection test; you should see "http://conntest.nintendowifi.net/" in CF3B5's logs tab. If you do, everything worked: you can do the update and you will log all the NUS URLs.

To disable the proxy, just answer "no" on the "use proxy?" screen in your 3DS settings.
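The logging step in the list above, as an added example that is neither CF3B5's proxy nor code from this thread: a minimal Python forward proxy that listens on 0.0.0.0:8080 as in the console-side steps, appends every absolute URL a client requests to a log file (the file name `proxy-urls.log` is an assumption) and relays the request unchanged. It handles only plain-HTTP absolute-form requests, which is what a client with a proxy configured sends; HTTPS CONNECT is not handled. The security point is the same one Cyan makes above: an updater whose fetches go over plain HTTP through a user-chosen proxy exposes every URL it downloads, and whoever runs that proxy also decides what comes back, so the integrity of an update has to rest on signatures over the files themselves, not on the transport.

```python
"""Minimal URL-logging HTTP forward proxy (added example, not the thread's tool)."""
import sys
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

LISTEN = ("0.0.0.0", 8080)   # same bind address and port as the console-side steps
LOG_PATH = "proxy-urls.log"  # hypothetical log file name

# Hop-by-hop headers must not be relayed between client and origin.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailers", "transfer-encoding", "upgrade", "proxy-connection"}


def parse_proxy_target(request_target):
    """Return (host, path) for an absolute-form target such as
    'http://conntest.nintendowifi.net/', or None for anything else.
    A client with a proxy configured puts the full URL on the request line."""
    parts = urlsplit(request_target)
    if parts.scheme != "http" or not parts.netloc:
        return None
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.netloc, path


def log_line(method, url, status, when):
    """One log record: UTC timestamp, method, full URL, upstream status code."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(when))
    return f"{stamp} {method} {url} -> {status}"


class LoggingProxy(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.0"  # one request per connection keeps framing simple

    def do_GET(self):
        if parse_proxy_target(self.path) is None:
            self.send_error(400, "expected an absolute http:// URL")
            return
        upstream = urllib.request.Request(self.path, method="GET")
        for name, value in self.headers.items():
            if name.lower() not in HOP_BY_HOP and name.lower() != "host":
                upstream.add_header(name, value)
        try:
            with urllib.request.urlopen(upstream, timeout=30) as resp:
                status, headers, body = resp.status, resp.getheaders(), resp.read()
        except urllib.error.HTTPError as err:   # 4xx/5xx responses still carry a body
            status, headers, body = err.code, err.headers.items(), err.read()
        except urllib.error.URLError as err:
            self.send_error(502, f"upstream failure: {err.reason}")
            return
        record = log_line("GET", self.path, status, time.time())
        with open(LOG_PATH, "a", encoding="utf-8") as fh:
            fh.write(record + "\n")
        print(record, file=sys.stderr)
        # Relay the response unchanged apart from hop-by-hop headers and the
        # Content-Length, which we recompute because urllib already de-chunked it.
        self.send_response(status)
        for name, value in headers:
            if name.lower() not in HOP_BY_HOP and name.lower() != "content-length":
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):
        pass  # the records written above replace the default access log


if __name__ == "__main__":
    print(f"logging proxy on {LISTEN[0]}:{LISTEN[1]}, writing {LOG_PATH}", file=sys.stderr)
    ThreadingHTTPServer(LISTEN, LoggingProxy).serve_forever()
```

Run it on the PC, point the console's proxy setting at that PC's IP and port 8080, and a successful connection test shows up as a line ending in `http://conntest.nintendowifi.net/ -> 200` (or whatever status the server returns) both on stderr and in the log file.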
 

doyama

DeadlyFoez said:
cbutters said:
Brute force a private key? Let me put it this way: if they used 256-bit encryption, the number of variables is roughly equal to the number of atoms in the universe! Someone brute forced a 64-bit key and it took them 5 years with some heavy duty computers; 256-bit vs 64-bit encryption is a billion trillion (or something to that effect... MUCH MUCH MORE SECURE) times more difficult to bypass. It would take 200 years with all the computers in the world working on it, present and future. Hopefully it is just leaked, or, more plausibly, we find ways around the encryption, tricking the system into accepting unencrypted code....
Honestly, you have a horrible understanding of atoms, the universe, and about cryptology. It isn't the amount of variables, it's the amount of possible keys. There actually isn't all that many variables at all in encryption, from a programming standpoint, that is if YOU understand what a variable actually is. And 200 years is really low balling that guesstimate. Brute forcing could possibly take a heck of a lot longer, in theory. That is if you don't get lucky and find the right key within a certain period of time. But usually when people figure the amount of time to bruteforce a key, they figure the amount of time it would take to try every possible key. In reality, no one knows at what point the key would be found. It could be found in five minutes or 500 years.

The 3DS will be cracked. I highly doubt it will take long. I expect a few months at the most. The problem is, people will crack it, but many of them will keep that info to themselves and never publicly release it.

I'm never really sure why people somehow make the leap of logic that the 3DS will be 'cracked in days/months' time frame. Note that the DSi took almost 2 years to crack, and that's even with a save game exploit and having the key.bin file available during that time. Also having the encryption key only then allows you to read the actual data. Whether there's an exploit in there is a totally different question. Remember the DSi key was already known for a very long time but didn't yield any useful hacks until the Sudoku DSiWare one, which was then promptly closed.

Having the key.bin file would be a nice FIRST step but would be useless by itself. I wouldn't hold your breath waiting for a 3DS hack. Not that it couldn't happen. But previous history does not bode well for it.
 

doyama

cbutters said:
Brute force a private key? Let me put it this way: if they used 256-bit encryption, the number of variables is roughly equal to the number of atoms in the universe! Someone brute forced a 64-bit key and it took them 5 years with some heavy duty computers; 256-bit vs 64-bit encryption is a billion trillion (or something to that effect... MUCH MUCH MORE SECURE) times more difficult to bypass. It would take 200 years with all the computers in the world working on it, present and future. Hopefully it is just leaked, or, more plausibly, we find ways around the encryption, tricking the system into accepting unencrypted code....

Just to clarify though, there's a difference between key length and key strength. Even a 256-bit encryption scheme can have far less key strength depending on how it's implemented. So you don't necessarily need to parse out all 256 bits. At this point even 128-bit encryption is 'good enough for consumer products' since generally the keyspace for that can be cracked in a few years. Most governments require 256-bit encryption schemes so that even a dedicated government agency would need several hundred years to decrypt it. Though it's usually just easier to make the user tell you the password.


You can undermine the security of a system by not following the specifications as well. This is what happened to the PS3, which has 256bit encryption on their ELF and loaders, but then proceeded to use the SAME random key to encrypt them. Which then went from a 256bit encryption, to a 3 variable algebra equation a high schooler could solve in 10 minutes.
 

doyama

Cyan said:
Instead of doing all the possibilities in the counting order, users usually use a randomly generated key (at best with a log system to prevent doing it twice).


Nobody got the USA update URL yet ?
I don't think it's too complicated, just use the proxy I gave earlier to log the URL while updating.

I suppose you could do it on those demo units they have floating around. I'm sure I won't look suspicious running Wireshark+Privoxy on my laptop while playing with a 3DS. What could possibly go wrong?
 

spiritofcat

Cyan said:
Instead of doing all the possibilities in the counting order, users usually use a randomly generated key (at best with a log system to prevent doing it twice).


Nobody got the USA update URL yet ?
I don't think it's too complicated, just use the proxy I gave earlier to log the URL while updating.

1) On Windows:
- Download and install CF3B5's proxy (or any other logging-enabled proxy).
- Launch the application and click Start (no settings needed).

2) On the console:
- go to settings > internet settings > connection settings
- select your usual connection (or create a new one if you never put the console online).
- go to proxy > use server: yes > preferences > server: your PC's IP, port: 8080 > ok
- page 2 > automatic identification: no (no identification needed)
Save everything and do a connection test; you should see "http://conntest.nintendowifi.net/" in CF3B5's logs tab. If you do, everything worked: you can do the update and you will log all the NUS URLs.

To disable the proxy, just answer "no" on the "use proxy?" screen in your 3DS settings.
Thanks for the step-by-step!
I'll do this when I update my Australian 3DS later today. We can see if it is identical to the European one.

Edit: Just finished updating mine now. All the URLs were the same as those listed in the first post.
 

wuebas

DeadlyFoez said:
cbutters said:
Brute force a private key? Let me put it this way: if they used 256-bit encryption, the number of variables is roughly equal to the number of atoms in the universe! Someone brute forced a 64-bit key and it took them 5 years with some heavy duty computers; 256-bit vs 64-bit encryption is a billion trillion (or something to that effect... MUCH MUCH MORE SECURE) times more difficult to bypass. It would take 200 years with all the computers in the world working on it, present and future. Hopefully it is just leaked, or, more plausibly, we find ways around the encryption, tricking the system into accepting unencrypted code....
Honestly, you have a horrible understanding of atoms, the universe, and about cryptology. It isn't the amount of variables, it's the amount of possible keys. There actually isn't all that many variables at all in encryption, from a programming standpoint, that is if YOU understand what a variable actually is. And 200 years is really low balling that guesstimate. Brute forcing could possibly take a heck of a lot longer, in theory. That is if you don't get lucky and find the right key within a certain period of time. But usually when people figure the amount of time to bruteforce a key, they figure the amount of time it would take to try every possible key. In reality, no one knows at what point the key would be found. It could be found in five minutes or 500 years.

The 3DS will be cracked. I highly doubt it will take long. I expect a few months at the most. The problem is, people will crack it, but many of them will keep that info to themselves and never publicly release it.

If a PC takes 500 years, then 500 PCs take 1 year,
1,000 PCs take 6 months,
6,000 PCs take 1 month.
This post has 8,013 visits. If each user runs a brute-force program that partitions the key ranges, the key would appear in 20 days or less.
 

Cyan

spiritofcat said:
I'll do this when I update my Australian 3DS later today. We can see if it is identical to the European one.

Edit: Just finished updating mine now. All the URLs were the same as those listed in the first post.

Thank you for the test.

So Australian and European are the same region, like for the wii.


I also noted that when the console talks to the Nintendo server for the SSL certificate, it's from Nintendo USA, not Japan.
Not important information, just saying what I noticed.


Wuebas: it's not 500 years. See, for a 126-bit key and the DSi common key brute forcer:
Sephi said:
I hope everyone realizes it would take many, many, many, many years to get the key.
2^126 is how many keys we have to check (2^128 without the 1's from loopy)

here are how many keys there are to check

85,070,591,730,234,616,000,000,000,000,000,000,000
we did close to 2,000,000,000,000 after about a week

just about 85,070,591,730,234,615,999,998,000,000,000,000,000 to go

it would take about 42,535,295,900,000,000,000,000,000 weeks
or 817,986,459,000,000,000,000,000 years if we were to check all the keys.
It would most likely take close to 50% of the above time to get the key, assuming we are checking correctly

Brute-forcing is a waste of time; you can't just crack 128-bit encryption so easily,
and this is only 126 bits, not 256.
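The arithmetic in Sephi's quote and in wuebas's scaling post, as an added example that is not code from the thread: a small Python calculator for key space and search time. It takes the quote's rate of about 2,000,000,000,000 keys per week as the per-machine throughput and the 8,013 "visits" wuebas proposes as the machine count (both are the thread's own figures, used here as assumptions). It reproduces Sephi's 817,986,459,000,000,000,000,000-year figure, shows that 8,013 machines still leave a 126-bit search at over 10^19 years, and, for doyama's point that key length is not key strength, shows that a key with only 40 bits of real entropy falls in days on one machine no matter how long it is nominally.

```python
"""Brute-force search-time calculator (added example, not code from the thread)."""
from fractions import Fraction

WEEKS_PER_YEAR = 52        # Sephi's figures above divide weeks by 52
SEPHI_RATE = 2 * 10**12    # ~2,000,000,000,000 keys per week per machine, from the quote
THREAD_VISITS = 8013       # the machine count wuebas proposes (the post's visit counter)


def keyspace(bits):
    """Number of candidate keys for `bits` bits of entropy.
    Feed in the *effective* entropy: a 256-bit key derived from a weak source
    has far fewer candidates than 2**256, which is doyama's key-strength point."""
    return 2 ** bits


def weeks_to_search(bits, keys_per_week=SEPHI_RATE, machines=1):
    """Weeks to try every key with `machines` workers at `keys_per_week` each.
    Exact rational arithmetic, so the 38-digit numbers lose no precision."""
    return Fraction(keyspace(bits), keys_per_week * machines)


def years_to_search(bits, keys_per_week=SEPHI_RATE, machines=1):
    """Full exhaustive search, the figure Sephi quotes."""
    return weeks_to_search(bits, keys_per_week, machines) / WEEKS_PER_YEAR


def expected_years(bits, keys_per_week=SEPHI_RATE, machines=1):
    """Mean time to hit a uniformly random key: half the full search
    (the '50%' in the quote). It says nothing about the best or worst case."""
    return years_to_search(bits, keys_per_week, machines) / 2


def summary():
    """The thread's figures, recomputed."""
    return {
        "keys_126": keyspace(126),
        "years_126_one_machine": float(years_to_search(126)),
        "years_126_thread_machines": float(expected_years(126, machines=THREAD_VISITS)),
        "years_64_thread_machines": float(expected_years(64, machines=THREAD_VISITS)),
        "days_40_one_machine": float(weeks_to_search(40) * 7),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:28s} {value:.4g}")
```

Dividing the work among 8,013 machines divides the time by 8,013, nothing more; against 2^126 candidates that changes the exponent from 10^23 years to 10^19 and the conclusion not at all. The 64-bit row is where wuebas's intuition does hold (about a decade for that many machines at that rate), and the 40-bit row is why implementation mistakes that shrink the effective key space matter far more than nominal key length.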
 

fearofshorts

Yeah. Brute force is, imo, the dumbest method anyone can use these days for getting past security. It's like being a spy and deciding to get through an entire army by assassinating every single soldier rather than sneaking through the ranks and then devising a method to get at the general.
 