# Nintendo 3DS Hacking: Why, How, and What Happened?
###### tags: `Information Security` `Information Security Final Written Report` `3DS`
111-2 Information Security Team 12
- Fan Chi-Yu likemasster@gmail.com
- Chen Yu-Heng starcyh@gmail.com
- Hung Shih-Kai sky9109@gmail.com
---
## Abstract
Since its release in 2011, the Nintendo 3DS has been a popular gaming console. In recent years, more and more players have begun to modify their consoles to play custom games and run homebrew applications. We have modified our consoles and have been using the modified 3DS for some time. However, we do not have a sufficient understanding of the 3DS's hacking mechanisms, so we decided to delve deeper into its principles.
Through this research, we hope to gain a more comprehensive understanding of the 3DS's hacking and customization features and share this knowledge with other interested players. We will explore the methods and tools for hacking the 3DS, as well as the potential risks and limitations. We will also explore the potential advantages of a hacked 3DS, such as players enjoying a wider range of game choices and customization features. This research will provide players with basic knowledge about 3DS hacking and help them make informed decisions to avoid potential problems. We expect this research to be helpful for players interested in 3DS hacking, while also promoting a deeper understanding and discussion in the field of game console modification and customization.
---
## Introduction
Developed by the Japanese company Nintendo and released in 2011, the Nintendo 3DS has sold over 75.94 million units worldwide, making it the most successful and best-selling handheld console to date. Because Nintendo discontinued the sale of all 3DS games on the eShop in early 2023, players can no longer purchase non-physical games through any official channels, and can only play these gems of game development history through the second-hand market or other means.
Compared with other consoles, the 3DS is most distinguished by its dual-screen design, glasses-free 3D, and console-to-console communication features. Unlike other consoles, the experience of these features is hard to replicate in an emulator without the actual hardware, which is why it matters to find ways to preserve these games and play them freely on the native system.
Fortunately, since Ninjhax was discovered in August 2014 to be able to launch ARM9 and ARM11 Homebrew, users from all over the world have created a Homebrew Community through 3DS Hacking, allowing the 3DS to be fully utilized and enabling it to do many things that it normally cannot.
In this report, we will cover the following points:
- An introduction to the hacking steps for the latest version of the 3DS, and which steps have been omitted compared to other versions, lowering the barrier to Hacking the 3DS to almost zero knowledge.
- An introduction to the hardware architecture of the 3DS family, including the original and New 3DS series, as well as the hardware knowledge needed to understand the hacking principles.
- The hacking principles of the 3DS. Because the actual hacking principles are too numerous to cover, we will focus on the hardware-assisted execution vulnerability of ARM11 as our main point of explanation.
---
## 3DS Architecture Introduction
### Hardware Specifications
The general specifications of an original 3DS, 3DS XL, and 2DS are as follows:
- Released between 2011 ~ 2013
- Stereoscopic "3D" display
- CPU: 2x ARM11 MPCore (268MHz)
- GPU: DMP PICA
- RAM: 128MB FCRAM, 6MB VRAM
- 2nd CPU: ARM946
- Backwards compatible with DS games
The New 3DS, New 3DS XL, and New 2DS released after 2014 have the following additions:
- "Super Stable" Stereoscopic "3D" display that allows the front camera to detect your eyes so the 3D effect doesn't disappear or distort.
- CPU changed from dual-core to quad-core, and there are games that can only be run on the New 3DS (I don't have one, sniff).
- RAM increased from 128MB to 256MB.

Below is a rough diagram of the original 3DS's structure, which is not highly relevant to the content of this project:

### Privilege Architecture
The 3DS basically has three user privilege levels, each with different permissions and for different scenarios: ARM11 user mode (also known as userland), ARM11 kernel mode, and ARM9 kernel mode.
ARM11 user mode has the least privileges; most programs run at this level, such as games, the browser, and the menu. A program with ARM11 kernel mode access also has ARM11 user mode access, but cannot access ARM9 kernel mode. These levels are defined by the processor in use (ARM9 or ARM11) and its operating mode (user mode or kernel mode). Each processor can access specific resources, and the mode determines how much of the processor's resources a program may access.

User mode is a mode where a program has limited access to the processor's resources. Kernel mode, on the other hand, provides a program with full access to the processor's system resources, including memory addresses, etc. Therefore, ARM11 Kernel mode has higher privileges than ARM11 User mode.
### Hardware Architecture
The 3DS uses processors designed by **A**dvanced **R**ISC **M**achines (ARM) and has two kinds of CPU: an ARM9 and an ARM11. The ARM11 is the main processor (dual-core or quad-core, depending on the model) and handles most tasks, including the operating system. The ARM9 only runs process9 in user mode and handles lower-level tasks and cryptographic functions such as encryption and signature checking. In the 3DS architecture, ARM11 and ARM9 can access different resources, keeping their access points separate. They share the main memory (WRAM, VRAM, and FCRAM), while the ARM9 keeps its own RAM containing its code and data, which the ARM11 cannot access. The ARM9 also has exclusive access to the key scrambler and the AES engine, the 3DS's main cryptographic hardware.

In the diagram, WRAM holds ARM11 kernel code and data, while FCRAM holds Applications (games/apps), System (applets, menu, browser, etc.), and Base (system modules, MMU tables, and handle tables). Note that WRAM, VRAM, and FCRAM are shared with the ARM9, which is why they are called Shared Memory. Although this report only touches on it briefly, this shared memory is the entry point for the manipulations performed in an ARM9 hack.

In short, to run Custom Firmware on the 3DS, we need to obtain ARM9 kernel mode privileges. The following introduces the principle of hacking from ARM11 User mode to kernel mode.
---
## Hacking Principles
In this section we focus on the ARM11 hack.
### ASLR
ASLR (Address Space Layout Randomization) is a security technique used to protect computer systems, especially operating systems and software applications, from various types of attacks, such as buffer overflow exploits.
ASLR works by randomizing the memory addresses of system components and loaded executables. By introducing this randomness, it becomes difficult for an attacker to predict the memory layout and exploit vulnerabilities within it.
However, the 3DS has no ASLR, so the protections described below do not apply to it. Each blue item explains how ASLR works; the <font color = 'red'>red item beneath it describes the 3DS's situation without ASLR.</font>
Here is a simple explanation of how ASLR works:
---------------
- <font color='blue'>During system boot or program execution, ASLR randomizes the base addresses of executable modules, libraries, and critical system components.</font>
- <font color='red'>During system boot or program execution, the base addresses of executable modules, libraries, and critical system components are not randomized.</font>
---------------
- <font color='blue'>When a program is loaded into memory, the starting addresses of its code, data, and stack segments are randomly determined.</font>
- <font color='red'>When a program is loaded into memory, the starting addresses of its code, data, and stack segments are fixed.</font>
---------------
- <font color='blue'>Each time the program is executed, the addresses are randomized again, making it difficult for an attacker to know the exact location of critical data or code.</font>
- <font color='red'>Each time the program is executed, the addresses are fixed, allowing an attacker to know the exact location of critical data or code.</font>
---------------
- <font color='blue'>The purpose of ASLR is to make it more difficult for attackers to exploit memory-related vulnerabilities. By introducing randomness, it increases the complexity and unpredictability of the memory layout, reducing the likelihood of a successful attack.</font>
- <font color='red'>Because the 3DS does not use ASLR, attackers can exploit memory-related vulnerabilities. Without randomness, the memory layout is predictable, allowing attackers to achieve a successful attack.</font>
ASLR is considered an effective mitigation technique. Because the 3DS lacks it, every address an attacker needs is fixed and known in advance, and this is what makes it usable as an entry point.
### EntryPoint
This method forcibly defeats `DEP` (Data Execution Prevention, also known as the NX bit or No-eXecute) by using a vulnerability in an ordinary application or game as a secondary entry point for code execution.
The 3DS homebrew community has discovered countless entry points.
The entry points are named `[name]-hax`, where `[name]` is the media or application used. Two examples:
- **Ninjhax**: an early and classic entry point. It abuses the QR-code feature that lets other players load a map you designed; the QR code actually carries the payload that lets players execute homebrew software.
- **Soundhax**: developed by Ned Williamson, it exploits a vulnerability in the 3DS Sound application to run homebrew software. It was released in 2016 and is compatible with a range of firmware versions. The attack uses a custom malicious m4a file.

### GSPWN
GSPwn is an exploit tool for the Nintendo 3DS game console. It takes advantage of a vulnerability in the GPU (GSP) module of the 3DS system, which is responsible for handling graphics and video-related tasks. By successfully exploiting GSPwn, an attacker can achieve system privilege escalation, such as running homebrew software, modifying system settings, or executing unauthorized programs.
The emergence of GSPwn opened up the possibility of developing homebrew software and modifying the system on the 3DS. It provided a platform for developers and researchers to conduct in-depth system exploration and create new applications. However, as I mentioned before, we should be aware that using GSPwn or conducting system attacks may violate laws or the terms of use of game manufacturers. Before conducting any such activities, please be sure to consult local laws and regulations and adhere to legal and ethical guidelines.
In addition, please note that the use of GSPwn may be limited by the system firmware version.

### ROP
ROP (Return-Oriented Programming) is an attack technique often used to execute malicious operations by exploiting existing code segments (often called gadgets). ROP is based on the concept of code reuse and can bypass certain security protection mechanisms, such as stack canaries or code execution permissions.
The core idea of a ROP attack is to use existing code segments (gadgets), which can be loaded libraries, executables, or code snippets from the program itself. Attackers usually use stack overflows or other vulnerabilities to control the return address of program execution, pointing the return address to an existing code segment. Then, based on the target task, the attacker chains multiple gadgets together to achieve malicious operations, such as executing specific instructions, modifying memory contents, or performing privileged operations.
The key to the ROP attack technique is to find suitable gadgets that must follow specific combinations and constraints in order to be linked together to achieve the attacker's purpose. This attack technique is relatively complex and depends on the specific state and environment of the target system. Therefore, defending against ROP attacks requires appropriate security measures, such as Address Space Layout Randomization (ASLR) and execution permission control, to reduce the number of available gadgets and decrease the likelihood of a successful attack.
It should be noted that ROP attacks themselves are not malicious; they are a concept and technique that can be used in security testing and vulnerability research. However, malicious attackers can also use ROP techniques to carry out malicious acts. Therefore, the importance of protecting systems from ROP attacks cannot be ignored.
Below is the ROP payload injected into the 3DS:

```asm
@ ROP chain that calls memcpy(dst, src, size) using three pop gadgets.
@ Each gadget pops the listed registers from the stack, ending with pc,
@ so the chain is consumed word by word from the top.
.word ROP_POP_R0PC          @ gadget: pop {r0, pc}
.word dst                   @ -> r0 (destination)
.word ROP_POP_R1PC          @ gadget: pop {r1, pc}
.word src                   @ -> r1 (source)
.word ROP_POP_R2R3R4R5R6PC  @ gadget: pop {r2, r3, r4, r5, r6, pc}
.word size                  @ -> r2 (byte count)
.word 0xDEADBABE            @ -> r3 (garbage)
.word 0xDEADBABE            @ -> r4 (garbage)
.word 0xDEADBABE            @ -> r5 (garbage)
.word 0xDEADBABE            @ -> r6 (garbage)
.word MEMCPY                @ -> pc: memcpy(r0, r1, r2)
```
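To make the chain above and the earlier ASLR discussion concrete, here is an added Python example (not code from the report or from the 3DS homebrew projects it describes) that decodes the memcpy chain word by word against a table of gadget semantics, showing which stack word ends up in which register and where control finally lands. The gadget and memcpy addresses are constructed placeholders, not real 3DS addresses. The `slide` parameter models what ASLR would change: if the code segment had been relocated, the addresses baked into the chain would no longer hit gadgets, and the decoder reports that the chain fails at its very first word.

```python
"""Decode the memcpy ROP chain from the report and show why the absence
of ASLR matters.  Added example; all addresses are constructed placeholders."""
import struct

# Constructed placeholder addresses (not real 3DS addresses).
ROP_POP_R0PC = 0x00100A00          # gadget: pop {r0, pc}
ROP_POP_R1PC = 0x00100A04          # gadget: pop {r1, pc}
ROP_POP_R2R3R4R5R6PC = 0x00100A08  # gadget: pop {r2, r3, r4, r5, r6, pc}
MEMCPY = 0x00100B00                # memcpy inside the target's code segment

# Semantics of each gadget: the registers it pops, in stack order.
GADGETS = {
    ROP_POP_R0PC: ("r0", "pc"),
    ROP_POP_R1PC: ("r1", "pc"),
    ROP_POP_R2R3R4R5R6PC: ("r2", "r3", "r4", "r5", "r6", "pc"),
}


def build_chain(dst, src, size):
    """Serialize the report's .word list into little-endian 32-bit stack words."""
    words = [ROP_POP_R0PC, dst,
             ROP_POP_R1PC, src,
             ROP_POP_R2R3R4R5R6PC, size,
             0xDEADBABE, 0xDEADBABE, 0xDEADBABE, 0xDEADBABE,  # r3..r6 garbage
             MEMCPY]
    return struct.pack("<%dI" % len(words), *words)


def decode_chain(chain, slide=0):
    """Walk the chain the way the CPU would once its first word is loaded into pc.

    `slide` models ASLR: the code segment (gadgets and memcpy) is assumed to have
    been relocated by that many bytes while the chain still holds the addresses
    it was built with.  Returns (registers, final pc, words consumed, ok); ok is
    False when control lands outside the known gadget table before reaching memcpy.
    """
    relocated = {addr + slide: regs for addr, regs in GADGETS.items()}
    words = list(struct.unpack("<%dI" % (len(chain) // 4), chain))
    regs = {}
    sp = 0
    pc = words[sp]
    sp += 1                          # this word overwrote the saved return address
    while pc in relocated:
        for reg in relocated[pc]:
            if sp >= len(words):     # chain too short for this gadget's pops
                return regs, pc, sp, False
            value = words[sp]
            sp += 1
            if reg == "pc":
                pc = value           # next gadget, or the final call target
            else:
                regs[reg] = value
    return regs, pc, sp, pc == MEMCPY + slide


def describe(chain, slide=0):
    """Human-readable summary of what the chain does under a given slide."""
    regs, pc, used, ok = decode_chain(chain, slide)
    if ok:
        return ("memcpy(dst=0x%08X, src=0x%08X, size=0x%X) after %d stack words"
                % (regs["r0"], regs["r1"], regs["r2"], used))
    return "chain fails: pc=0x%08X is not a known gadget (slide=0x%X)" % (pc, slide)


if __name__ == "__main__":
    sample = build_chain(dst=0x08000000, src=0x14000000, size=0x1000)
    print("no ASLR:  ", describe(sample))
    print("with ASLR:", describe(sample, slide=0x1000))
```

Feeding a captured stack region and a gadget table to `decode_chain` is how an analyst reads an unknown chain: the register map tells you the arguments, and the final pc tells you the function being called. The second run in `__main__` is the whole argument for ASLR in one line: the same bytes that produce a clean `memcpy` call against fixed addresses do nothing useful once the code has moved.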
### SANDBOX ESCAPE
Sandbox Escape refers to the act of breaking out of a sandbox environment, which is a security mechanism designed to isolate and restrict the execution of untrusted or potentially malicious code. A sandbox is a controlled environment that limits a software's access and operations, preventing it from interacting with critical system resources or other applications.
In the security field, sandbox escape involves finding and exploiting vulnerabilities or weaknesses in the sandbox implementation to gain unauthorized access or execute malicious operations outside the sandbox environment. It allows an attacker to bypass established security boundaries and gain higher privileges or access sensitive data.
Sandbox escape techniques often involve exploiting software vulnerabilities, such as memory corruption vulnerabilities or logical flaws, to manipulate the sandbox's behavior and execute arbitrary code. An attacker can use these vulnerabilities to disable or weaken the sandbox's restrictions, thereby enabling it to interact with the underlying operating system or other processes.

Our goal is to escape the 3DS's game sandbox: break out of user mode into kernel mode, the core of the system. We also use ROP to bypass the sandbox's gatekeeper, the menu.
### Secondary EntryPoint: SNSHAX

SNShax is used to achieve system privilege escalation and execute homebrew software. It was developed by the Smilehax team in 2016 and exploits a vulnerability in the 3DS's StreetPass feature.
The principle of SNShax is to exploit a vulnerability in the data exchange that the StreetPass feature performs between consoles: a specially crafted StreetPass data packet is transmitted to execute custom code. Through SNShax, users can run homebrew software, modify system settings, or perform other high-privilege operations.
Because this data-exchange vulnerability involves hardware settings, it can be used to intrude into memory and redirect memory locations to point at the kernel, which allows operations on the ARM11 kernel.

---
## Hacking Steps
The following demonstrates the hacking process using Chen Yu-Heng's 3DS XL. After completing the entire process and hacking the 3DS, you can not only run basic homebrew but also run arm9loaderhax/brahma homebrew, execute BootROM-level homebrew, install custom themes, install/read save files, run games from other regions (region-free), play online with games from another region, run 3DS ROMs, install content from different region eShops (like DLC), play hacked ROMs, play DS ROMs, use Custom Firmware (CFW) / EmuNAND, install unsigned CIAs, and even downgrade the system, among many other possibilities. You can refer to the [3DS Homebrew Wiki](https://wiki.gbatemp.net/wiki/3DS_Homebrew) to find everything you can do.
### 1. Check Custom Firmware and System Version
Hold down the "Select" button while booting and check whether the custom firmware (Luma3DS) menu appears; this confirms whether custom firmware can already be executed. Then go to System Settings to confirm the system version, as shown in the picture: Ver. 8.1.0-14T.

### 2. Install boot9strap via Soundhax
Old 3DS Ver. 8.1.0-14T is suitable for using Soundhax as a secondary entry point for hacking.
Soundhax (when used with universal-otherapp) is compatible with European, Japanese, Korean, and American consoles with firmware versions 1.0.0 to 11.3.0.
#### Prerequisites
- The latest release of [Soundhax](http://soundhax.com/) (for your region, console, and version)
- The latest release of [SafeB9SInstaller](https://github.com/d0k3/SafeB9SInstaller/releases/download/v0.0.7/SafeB9SInstaller-20170605-122940.zip) (direct download)
- The latest release of [boot9strap](https://github.com/SciresM/boot9strap/releases/download/1.4/boot9strap-1.4.zip) (direct download)
- The latest release of [Luma3DS](https://github.com/LumaTeam/Luma3DS/releases/latest) (the Luma3DS .zip file)
- The latest release of [universal-otherapp](https://github.com/TuxSH/universal-otherapp/releases/latest) (otherapp.bin)
Place the above files on the 3DS's SD card.

### 3. Trigger Soundhax
Enter the 3DS Sound application and play the malicious m4a music file "<3 nedwill 2016" that you just downloaded from http://soundhax.com/.

### 4. Successfully Enter SafeB9SInstaller
Follow the prompts on the top screen and enter the key combination given to install boot9strap.

### 5. boot9strap Installation Process
### 6. boot9strap Installation Complete!

### 7. Successfully Enter Luma3DS Configuration Menu
Press (A) to restart. After that, the console will boot directly into the Luma3DS system by default.

### 8. Successfully Boot into Luma3DS System After Restart
You can already see the black program icon (a previously failed homebrew installation).
#### Prerequisites
- The latest release of [Anemone3DS](https://github.com/astronautlevel2/Anemone3DS/releases/latest) (the .cia file)
- The v3.7.4 release of [Checkpoint](https://github.com/BernardoGiordano/Checkpoint/releases/tag/v3.7.4) (the .cia file)
- The latest release of [Homebrew Launcher Wrapper](https://github.com/mariohackandglitch/homebrew_launcher_dummy/releases/latest) (the .cia file)
- The latest release of [Universal-Updater](https://github.com/Universal-Team/Universal-Updater/releases/latest) (the .cia file)
- The latest release of [FBI](https://github.com/Steveice10/FBI/releases/latest) (both the .cia and .3dsx files)
- The latest version of [GodMode9](https://github.com/d0k3/GodMode9/releases/latest) (select the GodMode9 .zip file)
Place the above files on the 3DS's SD card.

### 9. Update the System to the Latest Version in Luma3DS
After installing B9S + Luma, it is safe to perform a system update.

### 10. System Updating...

### 11. Launch the "Download Play" Application

### 12. Launch the Rosalina Menu and Temporarily Switch the Download Play Title to Homebrew Launcher
1. Press 'L' + 'Down' + 'Select' simultaneously to launch the Rosalina menu.
2. Select 'Miscellaneous options'.
3. Select 'Switch the hb. title to the current app.'
4. Press 'B' to continue.
5. Press 'B' to return to the Rosalina main menu.
6. Press 'B' to exit the Rosalina menu.
7. Press 'Home' to exit the application and press 'X' to close Download Play.

### 13. Successfully Enter Homebrew Launcher
Re-enter Download Play, and you will find that you have successfully entered the Homebrew Launcher.

### 14. Synchronize the 3DS Internal Clock with the Actual Time and Dump the Sound Firmware
P.S. This is necessary for some homebrew software to use sound correctly.
#### Re-enter Rosalina
1. Press 'L' + 'Down' + 'Select' simultaneously to launch the Rosalina menu.
2. Select 'Miscellaneous options'.
3. Select 'Dump DSP firmware'.
4. Press 'B' to continue.
5. Select 'Nullify user time offset'.
6. Press 'B' to continue.
7. Press 'B' to return to the Rosalina main menu.
8. Press 'B' to exit the Rosalina menu.

### 15. Use FBI to Install Homebrew CIAs from the SD Card
1. Return to the Homebrew list and launch the FBI manager.
2. Navigate to SD -> cias.
3. Select '<current directory>'.
4. Select 'Install and delete all CIAs' and press 'A' to confirm.
5. Press the 'Home' button and close the 'Download Play' application.


### 16. Successfully Installed Homebrew Software in Luma3DS System!

### 17. CTRNAND Luma3DS
Use a script to copy some Luma3DS files to the internal storage so they can be accessed even without an SD card inserted.
### 18. Enter GodMode9
1. Turn off the console.
2. Hold down the "Select" button while booting. This will launch GodMode9.
3. When prompted to back up important files, press 'A' to continue, and after completion, press 'A' to continue.
4. When prompted to correct the RTC date and time, press 'A' to continue, set the date and time, and then press 'A' to continue.

### 19. Setup Luma3DS to CTRNAND
1. Press the 'Home' button to bring up the main menu.
2. Select 'Scripts…'.
3. Select 'GM9Megascript'.
4. Select 'Scripts from Plailect’s Guide'.
5. Select 'Setup Luma3DS to CTRNAND'.
6. When prompted, press 'A' to continue.
7. Press 'A' to unlock write protection for SysNAND (lvl1), then press the key combination as prompted.
8. Press 'A' to continue.
9. Select 'Cleanup SD Card'.
10. When prompted, press 'A' to continue.
11. Press 'A' to continue.
12. Press 'B' to return to the main menu.



### 20. Backup Essential Files
Backup files that can be used to recover from a brick or restore data.
1. Select 'Backup Options'.
2. Select 'SysNAND Backup'.
3. Press 'A' to confirm. This process will take some time.
4. Press 'A' to continue.
5. Press 'B' to return to the main menu.
6. Select 'Exit'.
7. When prompted, press 'A' to disable file write lock.
8. Navigate to `[S:] SYSNAND VIRTUAL`.
9. Select `essential.exefs` and press 'A' to select it.
10. Select 'Copy to `0:/gm9/out`'.
10-2. If you see 'Destination already exists', then select 'Overwrite file(s)' and press 'A'.
11. Press 'A' to continue.
12. Press the 'Home' button to bring up the main menu.
13. Select “Poweroff system” to power off your console.
14. Insert the SD card into your computer.
15. From the `/gm9/out/` folder on the SD card, copy
`<date>_<serialnumber>_sysnand_##.bin`,
`<date>_<serialnumber>_sysnand_##.bin.sha`, and
`essential.exefs` to a safe location on your computer (these backup files can be used to repair your system files in the future if your console gets bricked).
16. From the `/gm9/out/` folder on the SD card, delete `<date>_<serialnumber>_sysnand_##.bin` and
`<date>_<serialnumber>_sysnand_##.bin.sha`.
17. Copy the `/luma/backups/` folder from your SD card to a safe location on your computer.
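Step 16 deletes the SysNAND image from the SD card once it has been copied to the computer, so it is worth confirming that the copy is intact first. The following added Python script (not part of the report, of GodMode9, or of the guide's scripts) hashes each `*.bin` in a `gm9/out` folder and compares it with the sibling `.bin.sha`. It assumes the `.sha` file holds the SHA-256 of the image, either as the raw 32-byte digest that GodMode9 writes or as 64 hex characters; both forms are accepted. The `demo()` function builds constructed sample files in a temporary directory (not a real NAND image) so the check can be exercised offline.

```python
"""Verify GodMode9 SysNAND backups against their .sha files before deleting
the copies on the SD card.  Added example, not code from the report or GodMode9.
Assumption: a .sha file contains the SHA-256 of the matching .bin, either as
a raw 32-byte digest (GodMode9 style) or as 64 hex characters (sha256sum style)."""
import hashlib
import sys
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash in 1 MiB chunks so a ~1 GB NAND image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def read_expected_digest(sha_path):
    """Return the digest stored in a .sha file as lowercase hex."""
    data = Path(sha_path).read_bytes()
    if len(data) == 32:                       # raw binary digest (assumed GodMode9 format)
        return data.hex()
    fields = data.decode("ascii", "ignore").split()
    if fields and len(fields[0]) == 64:       # hex text, possibly followed by a filename
        return fields[0].lower()
    raise ValueError("%s: not a recognisable SHA-256 file" % sha_path)


def verify_backup(bin_path, sha_path):
    """True when the image's SHA-256 matches the stored digest."""
    return sha256_file(bin_path) == read_expected_digest(sha_path)


def verify_gm9_out(out_dir):
    """Check every *.bin in out_dir that has a sibling *.bin.sha; returns {name: ok}."""
    results = {}
    for bin_file in sorted(Path(out_dir).glob("*.bin")):
        sha_file = bin_file.with_name(bin_file.name + ".sha")
        if sha_file.exists():
            results[bin_file.name] = verify_backup(bin_file, sha_file)
    return results


def demo():
    """Self-check on constructed sample files; the names follow the guide's
    <date>_<serialnumber>_sysnand_##.bin pattern with a placeholder serial."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp)
        payload = bytes(range(256)) * 4096            # 1 MiB of constructed data
        good = out / "2023-06-01_SERIALPLACEHOLDER_sysnand_00.bin"
        good.write_bytes(payload)
        (out / (good.name + ".sha")).write_bytes(hashlib.sha256(payload).digest())
        # A copy with a single flipped byte, paired with a hex-text .sha for variety.
        bad = out / "2023-06-01_SERIALPLACEHOLDER_sysnand_01.bin"
        bad.write_bytes(payload[:-1] + bytes([payload[-1] ^ 0x01]))
        (out / (bad.name + ".sha")).write_text(hashlib.sha256(payload).hexdigest() + "\n")
        return verify_gm9_out(out)


if __name__ == "__main__":
    # Usage: python verify_gm9.py /path/to/sdcard/gm9/out
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = verify_gm9_out(target) if target else demo()
    for name, ok in results.items():
        print("%-50s %s" % (name, "OK" if ok else "MISMATCH"))
    sys.exit(0 if all(results.values()) else 1)
```

Run it against the `gm9/out` folder on the SD card before step 16; a `MISMATCH` means the image should be re-copied (or the backup redone) rather than deleted. The same check applies to the copy on the computer, which is the one you will rely on if the console is ever bricked.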


### 21. All Done!!!