Difference between revisions of "DSi exploits"

From DSiBrew
(Removing direct links to the pirate forum)
 
(157 intermediate revisions by 42 users not shown)
Old revision:

This page's [[Talk:DSi hacks|talk page]] is dedicated to the discussion and furthering of an exploit on the DSi that can be used for homebrew. We will use this page to post important updates on the project. Feel free to contribute.

== Current Hacks ==

=== Blasty's hack ===

Blasteh (Blasty) has posted a video on YouTube showing code being run in DS mode on the DSi using [http://en.wikipedia.org/wiki/Fifa_08 FIFA '08]. Several people are currently working on this hack.

[http://www.youtube.com/watch?v=7QHO7ctWuZ8 Video]

=== Yasu's hack ===

Inthegray has posted a video on YouTube showing homebrew, but it is not known whether it is a real exploit or just a flashcart (he should obviously show it if it is). Yasu is credited as the programmer.

[http://www.youtube.com/watch?v=s1OT4oSUKtc Nintendo DSi Homebrew (Pop'n DS)] <br />
[http://www.youtube.com/watch?v=uaKxWSENwGo Hello World] <br />
[http://tinycartridge.com/post/58843578/homebrew-ds-game-played-on-dsi-yasu-the-same Source]

=== Dub-T's Nintendo DSi Shop Hack ===

Not so much a hack as a conundrum. Hacker Dub-T has captured packets with Wireshark. While capturing, he downloaded the Nintendo DSi Browser. Using "Export as HTML Object" he saved it to a file. The file has no extension and is named "00000000". This matches the name of a "compiled" browser, e.g. "484E4745.bin". The sizes are almost exactly the same except for a few bytes (understandable, as the DSi changes the file). What we need is someone to work out the encryption and replay the packets to trick the DSi into downloading and installing the faked browser. This is just a suggestion, and it is not known whether it is possible. To download a .zip containing "00000000", "484E4745.bin", a file-sorting file (which seems to tell the DSi what to show the user) and the .pcap capture file, go to:

http://www.mediafire.com/?4eyimjdnh0o (File is 31.4MB)

Because the files may be encrypted with RSA, it may be nearly impossible to encrypt the files ourselves; if so, edit this page to say so. It may also be possible to resend this file to a DSi, successfully giving the DSi an "authentic" file to install. This would be useful because we could then "donate" our dumps from Wireshark and re-upload them to our DSis for free, without the DSi encrypting them first. So this could be a way to run homebrew.

If anyone knows how to fake a site and get the DSi to connect and download our file, edit this line and please explain how.

== Working on a hack? ==

If you are working on a hack for the Nintendo DSi and need help, feel free to talk about it on the talk page or update this page with information on your hack. Please only do this if you have actually made progress and have proof of it (for example a video, or some technical information on what you have done or what you have found out from doing it). This is not a list for possible ideas or team recruitment.

Latest revision:

This page is dedicated to listing exploits for the Nintendo DSi. Anyone may contribute to this list. This page may not, however, be deleted in any way; this ensures that the development of this page is not slowed down. Because resets have kept this page from changing for over a year, there will be no more resets.

== Types of exploits ==

Here is a general list of the different types (and terms) of exploits, so that the differences between them are clear.

== NTR/NDS-Mode Exploits ==

These are ARM9 exploits that take over an NDS-mode cartridge. These cartridges are labeled ''NTR'' on the back. This type of exploit is very limited since there is no SD or NAND access. They can only be used to run a small binary payload, making these exploits almost useless.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| [[FIFA NDS]]
| Every single FIFA game on the Nintendo DS has been exploited.
| Everyone
| [https://github.com/CTurt/Dara CTurt's Source Code]
|-
| [[Bangai-O-Sploit]]
| A ''primary'' entrypoint for the game ''Bangai-O Spirit'' on the Nintendo DS. This game was successfully exploited through sound.
| smealum
| [https://github.com/smealum/bangai-o-sploit Install]
|-
| [[NDS-ILH-Save-Exploit]]
| "I Love Horses" Nintendo DS save exploit.
| [https://github.com/mojobojo/ mojobojo]
| [https://github.com/mojobojo/NDS-ILH-Save-Exploit Install]
|-
| [[ABR-NDS-SaveExploit]]
| A stack smash savegame exploit for the game "Asterix Brain Trainer".
| [https://github.com/WemI0/ Weml0]
| [https://github.com/WemI0/ABR-NDS-SaveExploit Install]
|-
| [[HaxxStation]]
| DS Download Station exploit, allowing one to run any commercial homebrew from the DS Download Play application.
| shutterbug2000, Gericom, and Apache Thunder
| [https://github.com/Gericom/dspatch See Here]
|-
| [[BreakingNews]]
| A stack smash savegame exploit for the game "The New York Times: Crossword", resulting from a stack buffer overflow in the profile slot names.
| [[User:ChampionLeake|ChampionLeake]]
| [https://github.com/ChampionLeake/BreakingNews/ Install]
|-
| [[NDS-FC2008-Save-Exploit]]
| A savegame exploit for the game "Führerschein Coach 2008".
| [https://github.com/toombaumarkt/ toombaumarkt]
| [https://github.com/toombaumarkt/NDS-FC2008-Save-Exploit Install]
|}

== TWL/DSi-Enhanced Cart Exploits ==

These are ARM9 exploits that take over a DSi-enhanced cartridge. These cartridges are labeled ''TWL'' on the back. Unfortunately they have no SD or NAND access either, but they can be used to gather console information and perhaps find other vulnerabilities. These exploits can also be used with dslink, which loads homebrew applications over a network connection.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| [[The Biggest Losers]]
| Exploit for The Biggest Loser, which runs in DSi mode if you use a real cartridge on a DSi or 3DS system and otherwise runs in DS mode.
| st4rk
| [https://github.com/st4rk/The-Biggest-Loser Install]
[https://davejmurphy.com/dslink/ WinterMute's dslink]
|-
| [[Cookhack]]
| DSi Cooking Coach exploit.
| WinterMute
| [https://github.com/WinterMute/savesploits/tree/master/cookhack PoC]
[https://davejmurphy.com/dslink/ dslink]
|-
| [[Classichack]]
| DSi Classic Word Games exploit.
| WinterMute
| [https://github.com/WinterMute/savesploits/tree/master/classichack PoC]
[https://davejmurphy.com/dslink/ dslink]
|-
| [[SystemFlaaw]]
| The first DSi-exclusive cartridge title to be exploited, for the game SystemFlaw.
| zoogie
| [https://github.com/zoogie/SystemFlaaw Install]
|}

== DSiWare (True DSi-Mode) Exploits ==

These are ARM9 exploits that take over a DSiWare title. They run in the same context as the DSi-Enhanced games do, but with additional SD and NAND access. These exploits are valuable since they can be used to downgrade the console firmware to an older version, or to install a persistent exploit such as Unlaunch. You can also run commercial homebrew applications from the SD card. However, this does not allow any cartridge access.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| [[Sudokuhax]]
| One of the first DSiWare exploits for the Nintendo DSi, on the game SUDOKU by EA. (You must have the 1st version of this game in order to use the exploit, as it was patched.)
| TeamTwiizer, yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/sudokuhax Install]
|-
| [[grtpwn]]
| A Gameloft DSiWare savegame exploit for the game Guitar Rock Tour!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/grtpwn Install]
|-
| [[exidiahax]]
| A Gameloft DSiWare savegame exploit for the game Legend of Exidia!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/exidiahax Install]
|-
| [[fieldrunhax]]
| A Subatomic Studios DSiWare savegame exploit for the game FIELDRUNNERS!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/fieldrunhax Install]
|-
| [[4swordhax]]
| A DSiWare savegame exploit for the game The Legend of Zelda: Four Swords Anniversary Edition!
| yellows8
| [https://github.com/yellows8/dsi/tree/master/exploits/4swordhax Install]
|-
| [[Flipnote ( ͡° ͜ʖ ͡°)]] and [[ugopwn]]
| A primary entrypoint for the DSiWare application Flipnote Studio! This was first exploited by shutterbug2000. Later, WinterMute and fincs released a stable version of the exploit.
| shutterbug2000, WinterMute, fincs, zoogie
| [https://davejmurphy.com/%CD%A1-%CD%9C%CA%96-%CD%A1/ Install]
|-
| [[UNO*pwn]]
| A DSiWare savegame exploit for the game UNO that involves a simple stack buffer overflow in the player's username within the game's settings functionality!
| [[User:ChampionLeake|ChampionLeake]]
| [https://github.com/ChampionLeake/UNO-pwn Install]
|-
| [[Memory Pit]]
| A primary exploit for the DSi that involves the system application "Camera"! All you need is an SD card to use this exploit.
| shutterbug2000, [[User:ChampionLeake|ChampionLeake]]
| [https://github.com/ChampionLeake/BrokenPit See Here]
|-
| [[petit-compwner]]
| The last string argument of the interpreter command "COLSET" is not bounds checked, so a trivial stack smash occurs if the string is overly long.
| zoogie
| [https://github.com/zoogie/petit-compwner/releases Release]
|-
| [[stylehax]]
| A primary entrypoint using a use-after-free in Opera 9.50 (which uses WebKit under the hood).
| @0x1337cafe
| [https://github.com/nathanfarlow/stylehax Release], [https://farlow.dev/2023/03/02/hacking-the-nintendo-dsi-browser Writeup]
|}

== ARM7 Exploits ==

These exploits take over the ARM7 processor. In the DSi, this processor handles critical operations, including cryptography, among other things. These exploits are extremely rare and there are no concrete targets. The DSi menu (the Launcher) is known to run in the ARM7 context. At the moment there is only one known exploit, RocketLauncher. These exploits allow full access to the DSi launcher.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| [[RocketLauncher]]
| One of the first ever unlocked ARM7 DSi exploits, involving the DS cart whitelist in section 3. This exploit only works on firmware v1.4!
| ApacheThunder, stuckpixel, NoCash, Gericom, and Normmatt
| [https://github.com/ApacheThunder/RocketLauncher source]
|}

== Bootcode Exploits ==

These exploits gain full SCFG_EXT access rights immediately after powering on the system (right before the launcher starts). These exploits are very rare; one concrete target is the launcher's ''title.tmd''. At the moment nocash's exploit, ''Unlaunch'', is the only known usable exploit.

{| class="wikitable" border="1"
! Name
! Description
! Author
! Source
|-
| [[Unlaunch]]
| Possibly one of the first bootcode exploits for the Nintendo DSi! This exploit takes advantage of the fact that the size of the launcher's "title.tmd" is not checked, allowing escalated permissions!
| NoCash
| [https://problemkaputt.de/unlaunch.htm Install & Writeup]
|-
| Unnamed modchip
| A modchip that exploits the boot ROMs of the Nintendo DSi. It enables code execution on both cores before boot ROM lockout.
| PoroCYon
| [https://media.ccc.de/v/37c3-11736-nintendo_hacking_2023_2008 37c3 talk], [https://icosahedron.website/@pcy/111676158956228552 video], [https://github.com/dsi-modchip/guide DIY guide]
|}
Latest revision as of 12:40, 2 January 2024
