ModChipCentral - Others


'SSSpwn' 3DS exploit - Running unsigned code on FW 6.3

Mar 31, 2014 - 5:31 PM - by garyopa
By smealum.

smealum has shared some more info and a video showcasing his 'SSSpwn' exploit for the Nintendo 3DS...


'SSSpwn' by smealum is a new 3DS exploit that supposedly allows running unsigned code on FW 6.3 (the latest one).

He has shared some info about the exploit and a video of it in action. According to him, it has yet to be patched by Nintendo, but he doesn't plan to release it yet, as it could also work on 7.x, and possibly even 8.x+ 3DS FWs.

smealum also added that SSSpwn can NOT by itself allow piracy, making it great for Homebrew only. Here's the info:

Unfortunately I haven’t taken the time to document the work I’ve been doing on the 3DS lately here, even though it’s been pretty extensive. Normally, I’d try to cover things chronologically, but since I decided to reveal a new exploit today, it kind of takes priority as there’s a lot of stuff I need to clear up. To start off, here’s a video showing ssspwn in action :

What it is, what it isn’t

If you’ve read my (now really old and outdated) article on 3DS hacking, you’ll recall that for a number of reasons, hacking the console happened by chaining multiple exploits with one another. The most widely used hack (used by flashcart teams, myself and a number of other people) relies on not one but two completely distinct exploits : the mset DS user settings exploit, which gives us arm11 usermode ROP capabilities, through which a FIRM vuln is exploited to obtain arm9 code exec. This last part was fixed with firmware version 5.0, and it’s the real critical part : while there’s a pretty high number of games that could potentially be exploited through saves to do usermode ROP, it’s useless if you don’t have another exploit to chain that gives you code exec capabilities. This is where ssspwn comes in; it essentially replaces the FIRM exploit we had on 4.5 and lets us execute arbitrary code. That’s why the video looks similar to the one I’d done when I got 4.5 code exec : the first stage exploit used is the same, just fine tuned to work on 6.3.

What does that mean ? Simply that because the two exploits are completely separate, there’s no reason to believe that just because the mset bug was fixed in 7.0, so was ssspwn. That’s right; ssspwn has yet to be plugged by Nintendo, and could in theory give us code exec on latest firmware version. This isn’t the case yet because we haven’t really looked for a new entrypoint, but that’s the next step.

To release or not to release

Generally speaking, the thing that’s been stopping me (and others) from releasing working exploits has been the fact that they might be used for piracy. Fortunately, that should not be a factor in this case, as by its very nature, ssspwn can not by itself allow piracy. That’s right, it’s the sweet spot that gives us just enough to get awesome homebrew code running in arm11 user mode, but not enough to break the system bad enough to let anyone do whatever the hell they want. As such, I personally have no qualms with releasing the exploit into the wild.

You might be wondering why there isn’t a download link available yet. The reason for that is that, as I mentioned, ssspwn has yet to be fixed. In my opinion, it would be dumb to burn such a nice vuln on just 6.3 when we know full well that we should be able to use this on 7.x, and possibly even 8.x+ with some work.

Plan of action

Now, while I don’t think it’s a good idea to release this publicly just yet, I do think it would be a good idea to get it into the hands of devs with consoles still on 4.5-6.3 so we can make progress creating 3DS homebrew development tools. We’ve been making tremendous progress as it is, but we could do much more with some more talented and motivated developers. As such, I want to share this with as many reputable and available devs as possible so that they can work on making things ready for the (hopefully) upcoming 7.1+ release.

Do note that I don’t have a developer-friendly version ready just yet, but I will let everyone know as soon as I do.

Other thoughts

This is, in my opinion, the best shot we have at making a successful and accessible 3DS homebrew scene happen. I’m going to try not to fuck it up. That means that unfortunately the number of devs I’ll feel comfortable sharing the current iteration of ssspwn with will be rather limited, in an effort to avoid premature leaks.
... [Read More]
4 Replies | 1,155 Views


AES obfuscation on the Wii U bootrom

Mar 07, 2014 - 2:40 PM - by garyopa
More info thanks to deroad.

deroad shares more info about the Wii U's bootrom, and how Nintendo did a good job hiding where and how it calls the AES code.


According to hacker deroad, Nintendo did a nice job hiding some aspects of the Advanced Encryption Standard (AES) code on the Wii U bootrom.

He also shares more info about the bootrom, saying that he found some interesting stuff in there, but NOT keys.

Take a look:

I've read the whole bootrom code and I have to admit that big N has done a good job on hiding where and how it calls the AES code.

Finding the AES implementation is easy, it's just before the ancast header check function and after the most useless function.

Finding how the AES implementation is called is a little bit hard, for two reasons:

  • there are no cross references in the text segment; this means you will not see something like:
        bl AES_Decrypt
  • there are no addresses saved in the data segment, like:
        AES_offset: .long AES_Decrypt

So how do you find it? You have to read the code, because the value is hardcoded and saved into memory at an unknown address (like 0xE0000000); then a function loads that address into the count (CTR) register and jumps there.

I'll make an example:

How it normally should be:



How it is obfuscated on the Wii U:




The last thing:

I had a lot of fun reversing the whole bootrom. You'll find interesting stuff there (but not keys :P).
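
The pattern deroad describes, a hardcoded address stored to a fixed memory slot and later loaded into CTR for an indirect branch, is exactly what defeats a disassembler's cross-references. The script below is an added example; it is not deroad's code and contains nothing taken from the Wii U bootrom. It decodes a constructed big-endian PowerPC instruction stream, tracks the constants built with lis/ori, remembers which constant was stored to which absolute address, and resolves the target of a later bctrl through that memory slot. The base address 0x1000, the AES_DECRYPT address 0x1800 and the sample instructions are assumptions; the 0xE0000000 slot is the one named in the post.

```python
"""Recover an indirect call hidden behind a hardcoded pointer (added example).

Models the pattern from the post: one function stores the callee address as an
immediate into a fixed memory slot, another function loads it, moves it to CTR
and branches, so no 'bl AES_Decrypt' xref ever appears in the text segment.
All addresses and the instruction stream below are constructed for the demo.
"""
import struct


def sext(value, bits):
    """Sign-extend the low `bits` bits of value."""
    sign = 1 << (bits - 1)
    return (value & (sign - 1)) - (value & sign)


def recover_calls(blob, base):
    """Scan big-endian PowerPC code; return (direct, indirect) call lists.

    direct:   (pc, target) for every 'bl' (what an xref tool already sees)
    indirect: (pc, target) for every bctr/bctrl whose CTR value could be traced
              back through lis/ori, a store to memory and a later load
              (target is None when the trace fails).
    """
    words = struct.unpack(">%dI" % (len(blob) // 4), blob[: len(blob) // 4 * 4])
    regs = {}        # GPR -> constant value known at this point
    mem = {}         # absolute address -> constant observed being stored there
    ctr = None
    direct, indirect = [], []

    def ea(ra, d):   # effective address of d(rA); rA == 0 means the literal 0
        if ra == 0:
            return sext(d, 16) & 0xFFFFFFFF
        return None if ra not in regs else (regs[ra] + sext(d, 16)) & 0xFFFFFFFF

    for i, w in enumerate(words):
        pc = base + 4 * i
        op, rd, ra = w >> 26, (w >> 21) & 0x1F, (w >> 16) & 0x1F
        imm, xo = w & 0xFFFF, (w >> 1) & 0x3FF
        if op == 18:                                  # b/bl (I-form)
            target = sext(w & 0x03FFFFFC, 26)
            if not w & 2:                             # AA=0: PC-relative
                target = (pc + target) & 0xFFFFFFFF
            if w & 1:                                 # LK=1: it is a call
                direct.append((pc, target))
        elif op == 19:                                # XL-form branches
            if xo == 528:                             # bctr/bctrl: jump via CTR
                indirect.append((pc, ctr))
            elif xo == 16:                            # blr: function boundary
                regs.clear()                          # registers die, memory survives
                ctr = None
        elif op == 15 and ra == 0:                    # lis rD, imm
            regs[rd] = (imm << 16) & 0xFFFFFFFF
        elif op == 24:                                # ori rA, rS, imm (rS = rd field)
            if rd in regs:
                regs[ra] = regs[rd] | imm
            else:
                regs.pop(ra, None)
        elif op == 36:                                # stw rS, d(rA)
            addr = ea(ra, imm)
            if addr is not None and rd in regs:
                mem[addr] = regs[rd]
        elif op == 32:                                # lwz rD, d(rA)
            addr = ea(ra, imm)
            if addr is not None and addr in mem:
                regs[rd] = mem[addr]
            else:
                regs.pop(rd, None)
        elif op == 31 and xo == 467 and ((w >> 11) & 0x3FF) == 0x120:  # mtctr rS
            ctr = regs.get(rd)
        else:                                         # anything else: forget rD
            regs.pop(rd, None)
    return direct, indirect


# --- tiny assembler helpers used only to build the constructed sample ---------
def lis(rd, imm):      return (15 << 26) | (rd << 21) | (imm & 0xFFFF)
def ori(ra, rs, imm):  return (24 << 26) | (rs << 21) | (ra << 16) | (imm & 0xFFFF)
def stw(rs, d, ra):    return (36 << 26) | (rs << 21) | (ra << 16) | (d & 0xFFFF)
def lwz(rd, d, ra):    return (32 << 26) | (rd << 21) | (ra << 16) | (d & 0xFFFF)
def bl(pc, target):    return (18 << 26) | ((target - pc) & 0x03FFFFFC) | 1
def assemble(words):   return struct.pack(">%dI" % len(words), *words)
MTCTR_R0, BCTRL, BLR = 0x7C0903A6, 0x4E800421, 0x4E800020

BASE = 0x1000              # hypothetical load address of the sample code
AES_DECRYPT = 0x1800       # hypothetical address of the AES routine
POINTER_SLOT = 0xE0000000  # the fixed memory slot mentioned in the post

SAMPLE_WORDS = [
    bl(BASE + 0x00, AES_DECRYPT),      # 0x1000: the "normal" way, a visible xref
    BLR,                               # 0x1004
    lis(0, AES_DECRYPT >> 16),         # 0x1008: r0 = hi(AES_Decrypt)
    ori(0, 0, AES_DECRYPT & 0xFFFF),   # 0x100C: r0 |= lo(AES_Decrypt)
    lis(3, POINTER_SLOT >> 16),        # 0x1010: r3 = 0xE0000000
    stw(0, 0, 3),                      # 0x1014: [0xE0000000] = AES_Decrypt
    BLR,                               # 0x1018
    lis(3, POINTER_SLOT >> 16),        # 0x101C: a different function, later on
    lwz(0, 0, 3),                      # 0x1020: r0 = [0xE0000000]
    MTCTR_R0,                          # 0x1024: CTR = r0
    BCTRL,                             # 0x1028: call through CTR, no xref
    BLR,                               # 0x102C
]
SAMPLE_BLOB = assemble(SAMPLE_WORDS)

if __name__ == "__main__":
    direct, indirect = recover_calls(SAMPLE_BLOB, BASE)
    for pc, t in direct:
        print("direct   call at %#x -> %#x" % (pc, t))
    for pc, t in indirect:
        print("indirect call at %#x -> %s" % (pc, "%#x" % t if t is not None else "unresolved"))
```

Run as a script it prints the bl target that any xref scan already finds and the bctrl target that only the load/store tracking recovers. A real pass over a bootrom would need a flow-sensitive version (this toy forgets register state at every blr and treats addi, rlwinm and friends as unknown), but the idea is the one deroad applied by hand: follow the constant into memory and back out into CTR.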
NEWS SOURCE: AES obfuscation on Wii U bootROM (via) devRAM0

Our thanks to 'Gauss' for this news item!
0 Replies | 499 Views


Newo Asteroids for Wii released

Feb 26, 2014 - 1:22 AM - by garyopa
A homebrew game

And here we have a new homebrew game for hacked Wiis that will keep you stuck to the controller for days.


We have been informed about a new homebrew game for the Wii, called Newo Asteroids, and as you guessed, it is like the original Asteroids game but reimagined. Check it out:

Newo Asteroids is a game made in the style of classic Asteroids. In 2064 on a Wednesday, aliens disturb the asteroid belt sending asteroids hurdling towards the earth. It is your job to destroy every last asteroid in the solar system and bring peace to the galaxy.

Features

  • Use your little ship to destroy asteroids threatening the earth while UFOs try to stop you.
  • Large free space environment filled with asteroids.
  • Power-ups, custom colours and alternate fire (focused or spread)
  • Game modes; Easy, Normal, Hard and Classic. Speed run options: 3, 5 and 10 minutes.
  • Online Leaderboard
  • Achievements
  • Customizable colours and 3d graphics in Textured, Flat, Cellshaded and Wireframe mode.
  • Customizable controls schemes; Tank, Wii pointer (with nunchuk), Dual Analog, wiimote sideways and Eightway
  • Customizable camera views.
  • Title screen and Menu Sound effects designed by kenney.nl @kenneywings
  • Background music; Flesheaters by Matt Nida from freemusicarchive
  • 3d models by Julian
  • PowerUp Textures by JoostinOnline
  • Auto-Updates when new versions are released
You can get more info from the link below or just watch the trailer.


NEWS SOURCE: Newo Asteroids (via) WiiBrew

Our thanks to 'Kaos2K' for this news item!
0 Replies | 246 Views


Wii U Bootrom dumped

Feb 23, 2014 - 7:47 PM - by garyopa
Seems that the Wii U scene has just started...

Looks like the guys over at WiiUHax managed to dump the Wii U's bootrom with an exploit, and its hashes match the ones published by team fail0verfl0w.


MarioNumber1 and the guys from Wii U Hax have found an exploit to access the Wii U hardware, and they were able to dump "bootrom.bin", the first file the console accesses to boot.

Apparently, the hashes match the ones published by team fail0verfl0w (but, as you may know, they never shared their exploit to public due to "lack of interest" in the Wii U).

Also, it seems that the exploit works in Wii mode (vWii), and supposedly can't be patched by Nintendo through updates...

Info from Wii U Hax:

It’s one small step for man, one giant leap for the wii-u scene.

I can exclusively reveal that the first step to a wii-u hack has been completed & tested & working.

I have personally tested the exploit and it is 100% REAL.

Here are the hashes of my bootrom.bin:
sha-256 (B3DEDC6CA2C411F54F1BFEAC07D6F57DBB06D3CB7AB9A331CF5A7CBF2A50AF69)
sha1 (3D331B3165F9638C6CD6221702B2F736F7FCF931)
MD5 (388726887621220A888E9F22E6DB1788)

They match fail0verflow's.

Many people have worked on bringing this to you, so please give all credit to Bubba, MarioNum1, Hatax2, Odcd007, Joostinonline, Maxternal, Crower & Marcan.

FILESIZE is 16,384 Bytes
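
As a practical integrity check on a dump like the one described above, the script below (an added example, not code from WiiUHax or MarioNumber1) compares a bootrom.bin against the three hashes and the 16,384-byte size quoted in the post. The file name bootrom.bin is a placeholder. Expected digests are normalized to lower case with all whitespace removed, because long hex strings copied out of forum posts often carry a line-wrap space; the comparison uses hmac.compare_digest, which is not strictly needed for public hashes but costs nothing.

```python
"""Check a bootrom dump against the hashes and size posted by Wii U Hax.

Added example. The expected values are the ones quoted in the post; the
input path is a placeholder; the constructed test data is not a real dump.
"""
import hashlib
import hmac
import sys

EXPECTED_SIZE = 16384
EXPECTED_HASHES = {
    "sha256": "B3DEDC6CA2C411F54F1BFEAC07D6F57DBB06D3CB7AB9A331CF5A7CBF2A50AF69",
    "sha1":   "3D331B3165F9638C6CD6221702B2F736F7FCF931",
    "md5":    "388726887621220A888E9F22E6DB1788",
}


def normalize(digest):
    """Lower-case hex with every whitespace character removed."""
    return "".join(digest.split()).lower()


def compute_hashes(data, algs=("sha256", "sha1", "md5")):
    """Hex digests of data for each named hashlib algorithm."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algs}


def check_dump(data, expected=EXPECTED_HASHES, size=EXPECTED_SIZE):
    """Return {'size': bool, '<alg>': bool, ...}; True means the check passed."""
    result = {"size": len(data) == size}
    for alg, want in expected.items():
        got = hashlib.new(alg, data).hexdigest()
        result[alg] = hmac.compare_digest(got, normalize(want))
    return result


def main(path):
    with open(path, "rb") as f:
        data = f.read()
    result = check_dump(data)
    print("size: %d bytes (%s)" % (len(data), "ok" if result["size"] else "MISMATCH"))
    for alg, digest in compute_hashes(data).items():
        print("%-6s %s (%s)" % (alg, digest, "ok" if result[alg] else "MISMATCH"))
    return all(result.values())


if __name__ == "__main__":
    # Placeholder path; exit status 1 if any check fails.
    sys.exit(0 if main(sys.argv[1] if len(sys.argv) > 1 else "bootrom.bin") else 1)
```

A dump that has the right size but fails all three hashes usually means the read went through a bad mapping (wrong offset, wrong bus width) rather than a different ROM revision; a size mismatch means the tool never reached the end of the ROM at all.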


Info from MarioNumber1:

As the person behind this, I should point out that Nintendo can't patch this exploit through firmware updates. What I (and fail0verflow before me) did was take advantage of a design flaw in the Boot ROM, and the Boot ROM can never be updated. Nintendo could change the Boot ROM with newer Wii U's, but all current Wii U's are vulnerable.

...

Dumping the Boot ROM is the first step of reproducing what fail0verflow did to hack the Wii U.

...

Yes, all you need to do is run a DOL in vWii mode with AHBPROT access.

So, it looks like the Wii U scene has just started. More info on the links below!

NEWS SOURCE #1: Wii U bootrom dumped welcome to the scene (via) WiiUHAX
NEWS SOURCE #2: Wii U bootrom dumped (via) GBATemp

Our thanks to 'Gauss' for this news item!
16 Replies | 2,221 Views


Nintendo wants U.S. government to fight piracy

Feb 16, 2014 - 4:29 PM - by garyopa
Asks for more pressure on countries like Brazil and Spain.

Nintendo has asked the U.S. Government to put pressure on foreign countries to do a better job at tackling online piracy.


According to Nintendo's list of anti-piracy recommendations for the U.S. Trade Representative’s Special 301 report, they want the U.S. Government to put pressure on foreign countries – like Brazil, China, Mexico and Spain – to do a better job at tackling online piracy.

Here's the report by TorrentFreak:

The review is published annually and highlights countries that in the eyes of the U.S. are not doing enough to deter copyright infringement. Nintendo is one of the companies to submit recommendations on how other countries should tackle these issues.

The gaming company states that piracy is a chronic problem that results in “huge losses,” in part due to the inactivity of foreign countries who do very little to curb copyright infringement.

“In the past few years, the scope of online piracy for Nintendo has grown dramatically. Every month tens of thousands of illegal Nintendo game files are detected on the Internet. The legal environment to limit the flow of these files remains extremely challenging,” the company explains in its letter.

Like last year, Nintendo’s letter focuses on four countries – Brazil, China, Mexico and Spain – where these challenges remain unaddressed. For each of the countries the game company offers a set of recommendations on how the legal climate can be improved, hoping the United States Government will push for change.

According to statistics presented in the letter, no less than 16% of all online piracy of Nintendo products traces back to Spain. With 1.2 million downloads this is the second largest piracy market, just behind Italy with 1.4 million downloads.

While the volume of piracy has decreased somewhat compared to previous years, Nintendo wants Spain to take drastic action. Specifically, it points out that the local Intellectual Property Committee (IPC) should block pirate sites wherever possible.

“Since so many illegal video games are downloaded in Spain from foreign-based cyberlockers, and accessed through cyberlinkers or P2P linking sites hosted outside Spain, the IPC must address this issue by authorizing the blocking of linking sites,” Nintendo writes.

The irony of this suggestion is that Nintendo has made no efforts in the United States to have any of the major torrent or linking sites blocked. This is especially painful because their own research shows that many of the larger Spanish linking sites are hosted in America, and registered through U.S. companies.

In addition to blocking websites, the game company wants the U.S. Government to educate and train the Spanish on how to deal with copyright infringers effectively.

“The Spanish Government should work with the U.S. Government and rights holders to provide necessary IP training to Spanish prosecutors, judges and IPC officials, particularly focusing on Internet piracy and effective online investigation, prosecution, and adjudication of criminal copyright infringement on the Internet.”

Similar recommendations are made for Mexico, Brazil and China. In these countries Nintendo also wants ISPs to be held liable for their role in continuing high levels of Internet piracy. The gaming company says that this can be achieved by introducing notice and takedown procedures as well as stiffer penalties for companies that fail to take responsibility.

“Hold Internet Service Providers responsible for facilitating piracy under certain circumstances, including a requirement that ISPs expeditiously remove infringing content when notified by a rights holder representative,” Nintendo advises for Brazil.

Companies and individuals who continue to facilitate copyright infringement have to be prosecuted, Nintendo says, and to boost deterrence maximum penalties should be increased.

“Bring criminal prosecutions against major infringers, including those facilitating piracy on the Internet. The courts must impose stronger penalties against IP crimes, both traditional forms of piracy and online piracy, to raise awareness and foster deterrence,” Nintendo adds.

It is clear that Nintendo wants the U.S. to put more pressure on foreign countries, but
... [Read More]
13 Replies | 726 Views


GCN MemCard Recover v0.2 released

Feb 13, 2014 - 9:20 AM - by garyopa
A neat tool for recovering saves from corrupted GameCube memory cards!

GCN MemCard Recover allows you to recover files from corrupted or reformatted GameCube memory cards.


GCN MemCard Recover, by 'GerbilSoft', is a PC utility that can recover files from corrupted or reformatted GameCube memory cards. You'll obviously first need to dump the memory card image to a computer-readable format using a Wii.

Here's the changelog for the just released v0.2:

Database statistics in this release:

  • USA: 83 files
  • PAL: 59 files
  • JPN: 4 files
  • KOR: 0 files
  • Unlicensed: 1 file
  • Homebrew: 1 file

Changes:

  • Stability has been improved. In particular, the custom model for the QTreeView now handles all required signals correctly.
  • Some parts of the program now utilize C++ 2011 functionality. A compatibility header has been included for older compilers.
  • The toolbar that was formerly located in the "Memory Card" view is now a window toolbar, and contains additional items, such as the "Preferred Region" selection.
  • Added preliminary support for displaying scanning progress in the taskbar. Currently, only the D-Bus DockManager protocol is supported. Support for Ubuntu's Unity and Windows 7 will be added later.
  • GcImage and Checksum functions have been split out into their own library, libgctools. This library depends on libpng but does not depend on Qt.
  • Added support for the Qt translation system. Currently, translations for en_US, en_GB, es_CL, and "1337" are included.
  • Fixed some corner cases with full memory card images and certain save files.
  • Support for Japanese save files is improved.
  • Added preliminary support for compiling with Microsoft Visual C++. The primary distributions will still be compiled with gcc/MinGW.
  • Banners and icons can now be exported as image files. Banners and non-animated icons are always exported as PNG. Icons can be exported as APNG, PNG (file per frame), PNG (vertical strip), and PNG (horizontal strip).
  • Added "Preferred Region" support. Some games don't have any way to determine the region by simply looking at the description, and in some cases, might be identical in every way other than the region code in the game ID. "Preferred Region" allows you to specify which region you want to prefer in the case that multiple save files in different regions are detected.
  • Added support for multiple database files. The included databases are now split by region, e.g. USA, JPN, etc. Homebrew and Unlicensed titles are also contained in their own databases.
  • Added a new utility "gcbanner". This utility can extract banner images and icons from GameCube BNR1 and BNR2 opening.bnr files as well as Wii save files (both raw banner.bin and encrypted save files). Animated icons can be extracted to the same formats supported by GCN MemCard Recover's icon extraction function. Banners and static icons are always extracted in PNG format.
  • The current directory and block tables can now be switched on the fly. This may allow for easier recovery of files that were deleted in the GameCube file manager, as long as no other files have been saved or updated in the meantime.
  • Added a "top-secret" easter egg.
For download links (Windows / Linux) and usage instructions, go to the tool's official site at WiiBrew, below!

NEWS SOURCE: GCN MemCard Recover (via) WiiBrew

Our thanks to 'Gauss' for this news item!
0 Replies | 217 Views


New drug called 'Nintendo' surfaces in Belgium

Jan 24, 2014 - 2:14 PM - by garyopa
Nintendo gains popularity in Belgium... as an XTC pill...

It looks like people are getting 'high' on an actual drug called 'Nintendo', which, reports say, is quite strong.


The BEWSD (Belgian Early Warning System on Drugs) has warned of a new drug called "Nintendo", an XTC pill that is gaining popularity, and can also be quite deadly.

The drug contains a large dose of MDMA, better known as Ecstasy, which could potentially prove fatal for users at a young age.

While the drug has surfaced thanks to a program in Belgium where individuals can bring their substances in for a quality spot-check, the origin has not entirely been established, though reports suggest it could originate from China.

A user reports that the pills contain "approximately 200mg of MDMA" and that within an hour of eating half a Nintendo, the effects were extremely noticeable:

* 11:15pm - my friend is literally rolling around the floor and i'm complaining that nothing is happening.

* 11:30pm - it starts to kick in for me and i start smiling and touching things, we're both feeling very euphoric and a little empathetic with each other, we realised this was going to be fun

* 12pm - both rolling hard, i'm guessing because it's our first time its real strong for us, we're rolling everywhere, staring at my lampshade and laughing for ages, saying how pretty the walls and lights are!

* 1am - from this point on everything is a bit of a blur, the other half kicked in hard and i felt on top of the world, we were both so euphoric and empathetic we spent one second dancing and the next minute cuddling saying we loved each other

The comments at PillReports.com corroborate the strength of Nintendo, but there's also a ton of misspelled words and typos so take those with a grain of salt.


As you can see, the pills contain the logo of Nintendo, something that the company probably is not very happy about, as they can be confused with candies.

What do you think?

NEWS SOURCE #1: Forum Thread #756788 (via) NeoGAF
NEWS SOURCE #2: Belgians find new drug dubbed Nintendo stronger than mushrooms (via) GameRevolution

Our thanks to 'Gauss' for this news item!
3 Replies | 935 Views


EU court: 'Jailbreaking' Nintendo consoles legal

Jan 23, 2014 - 2:53 PM - by garyopa
...Except when copying games.

A European court has ruled that Nintendo can only block illegal video games and that they are powerless against 'jailbreakers'.


The European Union's top court has ruled that Nintendo cannot prevent the use of hacking equipment on its consoles, except in case of illegally copied video games.

The court rejected an appeal by Nintendo to stop Italian company "PC Box" from unlocking its consoles to offer "extra features". Apparently, PC Box sells Nintendo's consoles with additional equipment allowing jailbreaking of the devices...

Here's the report:

Nintendo cannot prevent its consoles from being tampered with to play multimedia from other providers, except in the case of illegally copied video games, the European Union‘s top court ruled Thursday.

Nintendo uses encryption software to restrict what can be played on its portable DS and fixed Wii consoles, but Italian company PC Box sells the devices with additional equipment that circumvents the encryption.

The issue ended up before a court in Italy, where the Japanese gaming company said PC Box was attempting to bypass its anti-bootlegging measures.

PC Box, on the other hand, argued that Nintendo users should be granted access to movies, videos and MP3 files from other providers when they do not breach Nintendo copyrights, the court said.

The Milan court asked the European Court of Justice (ECJ) to clarify how much Nintendo is protected by EU copyright laws.

The ECJ found that Nintendo could only take steps to protect itself against "unauthorized acts of reproduction, communication, public offer or distribution" of copyrighted material.

It could not prevent the use of hacking equipment on its consoles that has other "commercially significant" purposes, the court ruled.

NEWS SOURCE #1: Nintendo can only block illegal video games EU court rules (via) EuropeOnlineMagazine
NEWS SOURCE #2: Jailbreaking the Wii U legal except when copying games EU (via) TimesLive

Our thanks to 'Gauss' for this news item!
6 Replies | 1,168 Views


Smealum's sneak peek for 3DS Homebrew

Jan 21, 2014 - 2:53 PM - by garyopa
Custom/homebrew channels incoming?!

Take a look at this video by developer Smealum, showing a homebrew game (yeti3DS) running on the system as its own channel.


Developer 'Smealum' has released a video showcasing 'yeti3DS', a homebrew game, running on the Nintendo 3DS as its own channel.

Keep in mind that he is running code that only works on 4.1-4.5 FWs, but it's still very nice progress, and it looks like the 3DS homebrew scene will finally take off!

Here's the info:

Sorry it’s been a while since my last post; I was really busy in November and December and basically got no 3DS work done back then. Fortunately though my schedule’s cleared up quite a bit since then and I’m happy to say that I’m back on track and making some fairly good progress. Let’s start with a little video I uploaded last night :

(VIDEO BELOW)

For those of you too lazy to watch the video (you know who you are…), it shows me booting into redNAND mode on 7.1 from 4.2 (works on 4.1-4.5 ofc) and running a homebrew game contained within its own little channel, complete with custom icon and banner. It also gives some other stuff.

This video is a glimpse at what I want for the up and coming 3DS homebrew scene, ie a way for people to make their own homebrew applications and install them so that they’re directly accessible from home menu. This has a number of advantages over running code “on the bare metal” as some are already doing. For one thing, it means that homebrew code will be strictly limited to user mode code, the same way commercial games and applications are, which drastically lowers the likelihood of anyone’s (*cough*GW*cough*) code accidentally bricking your console. For another, it means that our code will be able to interface with every service provided by the 3DS’s OS; it’ll make stuff like FS, wifi and GPU access much easier. And of course, it just looks cool having your own channel in the menu, and being able to return to menu and switch between games instantly is a nice plus.

For that goal to become a reality, we basically need two things : a way to create new channels and a way to install them. I’m proud to say that I’m taking steps to make creating channels possible, by starting ctrulib (whose code is freely available on github). The idea is to make interfacing with 3DS services easier, by providing functions designed to do so and example code to understand how they’re used. Of course it’s not much at the moment; very few services are implemented and the examples don’t necessarily use them in exactly the way they were meant to be used. Nevertheless, it already provides the basics; enough to do basic interactions with NS, the HID module for user input and the GSP module for VRAM and later on GPU access. It’s very much a work in progress and will only keep growing. yeti3DS is an example of what can be achieved with ctrulib at the moment; not much, but a pretty cool start if you ask me. yeti3DS’s code is also available on github.

Now the thing is, there is at the moment no public way to install new channels, which means that even though you can just clone the ctrulib repo right now and compile it, you probably won’t be able to run what it produces. The reason for that is, basically, that I don’t have an installer ready. That’s the next big step for me and I’ll have to ask you to be patient. There is a fair bit of work involved and while I do expect to have an installer POC ready within the next couple weeks, there’s no telling how long it’ll take to get a safe package ready for mass consumption; users have already suffered through enough bricks, I’d rather my software didn’t add to the list.

So sit tight ! We’ll have nice 3DS homebrew soon enough. Feel free to ask any questions you may have (other than ETA requests), I’m not sure how clear this post was. (I’m pretty tired…)

Take a look at the video, below!


NEWS SOURCE #1: Smealum (via) Official Site
NEWS SOURCE #2: Smealum's sneak-peek for homebrew custom channels (via) GBATemp

Our... [Read More]
1 Reply | 1,059 Views

