Talk:DSi exploits

From DSiBrew
Revision as of 13:53, 20 June 2009 by LoganA (talk | contribs)
Jump to navigation Jump to search

Dub-T's Nintendo DSi Shop Hack

Erm, doesn't this just follow from what I wrote on Hackmii? http://hackmii.com/2009/01/dsibrew/ --Bushing 11:41, 20 April 2009 (UTC)

Kasu's Hack

Fake ? Everyone can do that using a DSi flashcard and remove it after !
If it isn't a fake show us how you load the code ! --Ludo6431 16:39, 20 April 2009 (UTC)

Exploit via Opera?

The DSi Webbrowser is based on an older Opera 9.5/9.6 as I know and there are several security issues like the possibility of executing code through manipulated jpeg-images (here more detailed).

Wouldn't it be possible to use such a security hole to start homebrew from the SD card?


Advantages:

1. Opera DSi webbrowser runs in native DSi mode --> access to all DSi features

2. Easy to use: Just save your homebrew on your SD card, surf to the manipulated image an execute your homebrew

3. No extra game/stuff/anything needed, you just have to download the DSi webbrowser for free and then you can start using homebrew on your DSi


Disadvantage:

It has to be found out how to use such a security issue

I have no idea if this is possible and because I don't have the skills to do that, I thought I tell your about and you say if this idea is realistic.

--Makorus 09:19, 9 May 2009 (UTC)

This exploit use a buffer overflow by accesing to an URI (file://) with a very long adress but it's need that the file has to be in the disk. 

URI link with Nintendo DSi Browser doesnt't work.

[1] (link in French)

--Geniusdj 13:30, 9 May 2009 (CET)


I talked especially about manipulated jpegs, because I suppose (I don't really know, but I think so) they can contain the code that shall be executed.

--Makorus 17:53, 9 May 2009 (UTC)

I was looking for a sample of those manipulated jpegs for Opera < v9.64 and that seems that is it only a vulnerability and not an exploit. The only exploit is the one with URI : i tried two example of this : [2], the browser seems to be slower and after, it's show a page that says : "Out of memory. The page may not display correctly" or "The page have a wrong path".

Someone know the path to memory card of DSi ? 'Cause the exploit count on this by putting a file on the disk.

--Geniusdj 13:22, 9 May 2009 (CET)

If one of these is found, it could work, but it seems attempts have been fruitless so far. An OOM error is not the same as a crash, and the DSi's browser will not access its own filesystem or the SD card - they're not that stupid! Of course, searching for another exploit can do no harm, especially if it involves something in a web page, since then it's more likely to be able to load executable code from that same page. Muzer 18:41, 17 June 2009 (UTC)

Bannerbomb for DSi?

I think something like (Bannerbomb) should be possible, because the Firmware of the DSi is similar to the Firmware of the Wii.--Ninko 20:07, 16 May 2009 (UTC)

The problem with that is that the DSi uses simple bitmaps for banners, and not the intricate proprietary format Nintendo uses. So, unless Nintendo fail at bitmap parsing, there isn't likely to be an exploit there. Muzer 09:14, 17 May 2009 (UTC)
Oh, I didn't know that. Ninko 18:11, 17 May 2009 (UTC)
What if you were to attempt to load a corrupted file? Does the DSi have safeguards in place to prevent a malformed bitmap from being loaded? Ploogle 17:24, 24 May 2009 (GMT -8:00)
Well, there isn't much in a bitmap you can bork up. Also, I believe all this is encrypted and we still don't know any of the DSi's keys. You see, with the Wii, once one hardware exploit was found that is really hard to do, all the easier exploits followed. Absolutely none of the Wii exploits we have today would NEVER have existed if it weren't for the initial Twiizers attack. Trucha signing involves having some key so the disc's signature can be checked against, Twilight Hack requires the SD key, and Banner Bomb requires the key for encrypting channels (I can't remember which one is used, I think it might be the SD again). Of course, there's no harm in fiddling with the header of encrypted data to see if you can bork anything, but it's highly unlikely. Muzer 18:41, 17 June 2009 (UTC)

Camera or Sound Channel Exploit?

Has anyone looked into an exploit involving loading a corrupted sound or image file into the Sound or Camera channel via the SD card? How about a purposefully corrupted filesystem on the SD card? Ploogle 17:29, 24 May 2009 (GMT -8:00)

The DSi refuses to open JPEGs from a foreign source that aren't signed by the DSi. Audio files are another matter, but again, there isn't much in that format to bork up. If you get an audio file the DSi can play and fiddle with the first few bytes in a hex editor, see if you can get the DSi to crash. You could also try with a stupidly massive audio file/JPEG. It's unlikely there will be an exploit here, but possible. Muzer 18:41, 17 June 2009 (UTC)

Dsi Homebrew via DS Download play?

Wouldn't it be possible to develope an app for Wii, which sends a kind of Installer via WiFi to the dsi and then dowload and run it with DS download play? The Wii can send things to the DS(i) so the connectivity is given, isn't it? —Preceding unsigned comment added by Shadowchao (talkcontribs) 03:29, 12 June 2009 (UTC)

Sounds umm... interesting, but it would be inconvenient for users who don't own a wii TwoBladedKnight 09:49, 12 June 2009 (UTC)

Quite probably impossible, for the time being at least, unless there is an exploitable buffer overflow in download play. It was originally possible on an original DS with older firmware (using WiFiMe), but this was patched long ago, before even the DSi came out. Muzer 15:56, 13 June 2009 (UTC)

Well, might be, but i talk about the connectivity between Wii and DSi,which is surely not fixed. So Why don`t modify a .nds to make it work like an installer? Or did you mean to load modifyed apps is fixed? —Preceding unsigned comment added by Shadowchao (talkcontribs) 09:59, 17 June 2009 (UTC)

I'm talking about loading modified apps has been fixed. The DS's executables in download play are signed by Nintendo or something along those lines (can't remember what), and although there was some kind of exploit with the older DSs, that was fixed long ago. There may be other exploits of that type, or hell, they might have been idiots and reintroduced the same bugs. However, when we don't know much about the DSi's executable format, it's all very shot-in-the-dark. Muzer 18:41, 17 June 2009 (UTC)

Image Exploit

well the above topic about opera got me thinking. And while the opera exploit is a possibility (i think), couldnt we just use a ChickHEN like exploit, except for DSi. (ChickHEN is an exploit using images for PSP). I dont know the details on the workings of ChickHEN, but someone might want to check it out. --ChuckBartowski 05:07, 16 June 2009 (UTC)

Go to DSiDev IRC and asks them yourself if it's possible ! GeniusDJ —Preceding unsigned comment added by Geniusdj (talkcontribs) 12:49, 16 June 2009 (UTC)

ChickHEN uses TIFFs, which have many many exploitable fields. The DSi will only read JPEGs, and only JPEGs signed by that DSi at that. If you fiddle about with one in a text editor and find something that makes the DSi freeze, report it, but other than that, I doubt it would work. Muzer 18:41, 17 June 2009 (UTC)

Mario Kart DS?

In mario kart if you select time trials and goto the luigis mansion stage and goto the stairs before entering the mansion and press a+b while pressing up down left or right. the game freezes and the music loops. maybe an exploit can be found to let us run homebrew from the sd card. —Preceding unsigned comment added by WiiLee007 (talkcontribs) 00:48, 17 June 2009 (UTC)

I believe that this exploit would only be useful for DS mode and not DSi mode. Could be wrong though. --FUNKAMATIC ~talk 02:43, 17 June 2009 (UTC)
Funkamatic is right. Muzer 18:41, 17 June 2009 (UTC)