How Exploits Breached The Security of the Nintendo 3DS.
April 27, 2022
EDITOR’S NOTE: There’s likely a chance that this story may have inspired you to modify and/or hack your Nintendo 3DS and check out all of the Homebrew applications and services available. However, do NOT follow a video tutorial online. Although Nintendo is starting to discontinue the eShop for both the Wii U and 3DS, that doesn’t mean that there will be future updates to those systems. The majority of the video guides on YouTube are outdated. These videos also leave out important details that will add unnecessary danger to the process. Additionally, content creators will modify the files to hack the 3DS even though they don’t know what they’re doing. There are some great, up-to-date resources to find, such as 3ds.guide. If you use a video guide, you’re only putting your system in unnecessary danger. Please keep in mind that this article is for informational purposes only. If you decide to Homebrew your system, do it at your discretion. The WestSide Story does not condone Piracy and is not responsible for any actions taken.
Whenever Nintendo releases a new console, hackers usually aren’t far behind. The Wii is one example, and the 3DS is no exception. Just like Nintendo’s previous consoles, it became a major target the moment it was released back in 2011. But after learning from its failed attempts to protect the Wii, Nintendo substantially improved its security, which led to a back-and-forth struggle, not only between Nintendo and hackers but also among the hackers themselves. This article will cover the timeline of the early days of 3DS hacking. At this time, I do not have a platform to write about all of my past experiences and hobbies related to technology. But the Nintendo 3DS, just like others, is very nostalgic to me and brings back many fond memories.
Context – Backwards Compatibility.
Hacking of the Nintendo 3DS got off to a unique and, frankly, early start, which is unsurprising. Just like the Wii, the 3DS had a backward compatibility feature for Nintendo DS games, which explains why Nintendo went out of its way to prohibit such possibilities. Nevertheless, hackers had already conquered the Nintendo DS long ago, using Flash Carts that could run backups of retail games and Homebrew applications made by the community. Although you could run custom code on the system this way, that was all you could do. The reason is how the 3DS runs these games.
Because of some similarities between the hardware of the two consoles, the 3DS can run a virtual Nintendo DS. This may sound like emulation, but it isn’t. It’s practically a virtual machine, like VMware or VirtualBox running Windows 7 on your Windows 11 PC. In this article, I’ll refer to this feature of the 3DS as VirtualDS. Although it is programmed for near-perfect compatibility with Nintendo DS games, there isn’t much that can be done with it.
Your DS games run within the confines of VirtualDS. You can gain control of it, but that’s it. From inside this virtual environment, you cannot access any of the features the 3DS has. But you still have all your favorite DS games on one cart, along with ROM hacks and the Homebrew that was made for the system back then, such as custom games, emulators, and ports. It was a start.
Nintendo’s Response.
It was around this time that Nintendo was attempting to block these Flash Carts. But its attempts were easily bypassed by updates from the companies that manufactured the carts, and these companies made sure to advertise that their products worked with the 3DS. This does not mean that no progress was being made on the 3DS. But as with any recently released system, hackers were nowhere near gaining enough understanding or control of the 3DS to run Homebrew. Being able to take control of the system is something that is accomplished later, near the end of its lifespan. The first methods released to the internet are commonly long, complicated projects or direct hardware modifications to the system itself.
Two Years Later…
In 2013, a company called GATEWAY released a Flash Cart that not only worked on the latest versions of the 3DS but also played backups of 3DS games. No hardware modifications were needed. It simply worked! This eventually led to an interesting conflict.
The Driving Force That Persists with Every New Console…
The objective for most hacking groups is to obtain a powerful device that they have control of, whether that’s for running custom code or for modifying existing titles. However, there’s another very present driving force that persists with every new console: Piracy. This community is not composed only of hackers; it also includes many pirates. Their motives range from those who prefer to try before they buy to those who refuse to pay for video games. A small portion of pirates are hackers. While they do care about the development process of a device hack, it’s because they want free games. This creates somewhat of a conflict of interest. Although hacking enables Piracy, the majority of hackers do not condone that practice. Enabling Piracy is not their objective, and some even take drastic measures to prevent it. As a result, I’ve taken the time to look at other work on the Nintendo 3DS that’s on the internet. At the time of this generation of consoles, Homebrew paved the way for hacking. This means that Piracy was a result of Homebrew and hacking.
GATEWAY & Piracy.
GATEWAY’s main objective was to enable Piracy. GATEWAY did not contribute to the Homebrew community. Despite the cart’s ability to run games, it couldn’t run Homebrew. It was a situation where Piracy was leading the hacking scene, and GATEWAY was reaping all the benefits. As you may already know, GATEWAY couldn’t have been less interested in the development process of the hacking scene.
The Story of GATEWAY’s MSET Exploit.
According to wololo.net, GATEWAY made millions of dollars in its prime. Needless to say, GATEWAY didn’t want anyone to know how it worked, which didn’t age very well. GATEWAY came with two carts: a red cart and a blue cart. The only purpose of the blue cart was to allow you to launch the red one, which contained what was necessary. The blue cart is simply a normal Nintendo DS Flash Cart that uses an exploit. As mentioned earlier, there isn’t a method to tamper with the 3DS from VirtualDS. Even so, the two operating systems do communicate directly in some ways. One of these is the DS Profile. The profile on the DS consists of your name and a message used for WFC. To change it on a DS, you would go into the system’s settings. But since there isn’t a settings application in VirtualDS, the profile is filled out in System Settings on your 3DS, and the 3DS then changes it accordingly for VirtualDS. This is where GATEWAY’s MSET Exploit comes in.
Since it is trivially easy to take control of VirtualDS, GATEWAY took advantage of its limited features. GATEWAY’s blue cart changes the DS Profile’s information to a long set of characters. If someone then went to their DS Profile Settings, the 3DS would retrieve that long string of characters and would be left in a vulnerable state. From here, custom code can be run, for example code to run an unauthorized 3DS Cart. However, the MSET Exploit is only an entry point. If you’re passionate enough to want to do anything beyond running unauthorized code, you would need to do some programming research. These methods are called an “Exploit Chain.” This exploit wasn’t top secret! People already knew about it before GATEWAY used it.
System Updates and Malicious Code.
While this was a useful entry point, GATEWAY’s code wasn’t useful for Homebrew. The problem for Homebrew, and for any unauthorized code running on an OS, is frequent updates. So it is no surprise that the entry point was patched three months later. This put GATEWAY users in a predicament. They could update and lose access to GATEWAY, or stay on their current firmware and lose access to Nintendo Network features such as online multiplayer and the eShop. GATEWAY’s solution was to do both. GATEWAY released an update for its carts that added the option to copy your firmware to an SD Card and run online services from there. This is known as EmuNAND. It allowed users to keep their System NAND on the old firmware that could use GATEWAY, and keep the EmuNAND on their SD Card on the latest version for online features. From that point forward, you were able to dual boot your 3DS. This was going to be GATEWAY’s strategy until another exploit was found.
GATEWAY For Profit!
This doesn’t mean that everything was ideal for GATEWAY. GATEWAY had new competition to deal with in the form of clones. Numerous clones of GATEWAY were being released using its code. GATEWAY, proudly for profit, handled this situation aggressively. The release notes for Gateway v2.0.b1 stated that they added “many stability improvements over previous beta release,” which turned out to be malicious code. The code in question looks for changes and, if any are found, assumes that the cart is a clone. This prevents the code from being run, as well as anything else. As a result, it bricks the entire system, rendering it unbootable. When understandably angry GATEWAY owners with bricked systems confronted GATEWAY, the company blamed it on the “faulty” hardware of its competitors. This goes further than protecting their methods. This is malware! If GATEWAY can force clones to brick systems, the clones’ reputation will plummet, making GATEWAY the only trusted method. This would be the case if it didn’t brick systems running GATEWAY’s own code as well. After taking a look at the code, it is obvious that this was intentional. As a result, countless systems were bricked.
This would’ve ruined GATEWAY’s reputation, but it didn’t. Although their code bricked systems, their carts were the only exciting product in the 3DS hacking scene. Not to mention, this was the only way to play ROM hacks and games from outside your region at the time. However, as it soon turned out, that did not last very long.
SSSPwn.
A few months later, a programmer named smea updated his blog with a post covering a new exploit he had discovered, called SSSPwn. This exploit would not only enable Homebrew but also worked on the latest firmware. At the time, this was very big in the 3DS hacking scene: an unpatched, useful exploit. Understandably, information on the exploit was not made available. If he were to release it, Nintendo would have time to patch it, and it would not work. The longer it was held on to, the more firmware versions it would work on. Additionally, any finding that enables Homebrew eventually enables Piracy. Interestingly enough, however, the blog post states that “ssspwn cannot by itself enable piracy. That’s right, it’s the sweet spot that gives us just enough to get awesome homebrew running in arm11 user mode, but not enough to break the system bad enough to let anyone do whatever the hell they want.” This means that while Piracy was still most likely an inevitability with this exploit, it would require more than just the exploit to achieve it. The post went on to say that while he wasn’t ready to release it to the public, he wanted to get it out to trusted developers who would enable a successful release. Over time, everything went according to plan, and smea announced that you would need a specific game to access the exploit. He did not, however, reveal what the game was, likely out of fear that scalpers would purchase it and sell it at a higher price. There wasn’t any fear that the exploit could be fixed without a software update, because the developers of the game in question had gone out of business. Unfortunately, Nintendo did manage to delay the release of the exploit, without an update at the time. During a Japanese Nintendo Direct presentation in late 2014, it was announced that a new model of the Nintendo 3DS would be released.
The New Nintendo 3DS sports more buttons, an analog stick on the right, various hardware upgrades, and amiibo compatibility. This prompted smea to hold on to the exploit for a few months. The reason was timing: the only way to ensure that the new model would be hackable was to delay the exploit. Time passed, and it was confirmed that the exploit worked on the New Nintendo 3DS. In November, smea prepared for release once again and finally revealed which game was going to be used as the entry point.
Ninjhax.
Ninjhax is a piece of software that allows you to run unsigned code on your 3DS. In practice, this means being able to run Homebrew applications such as games, tools, and emulators. The entry point was in the game Cubic Ninja, a game where you move your character by tilting your Nintendo 3DS. Because of its poor critical reception and general unpopularity, you could easily find this game for under $10. Since this was an accessible entry point, several people bought Cubic Ninja. As a result, copies of the title became difficult to find, and copies that were still in stock were being sold for higher prices. It wasn’t long before the game was nearly impossible to find worldwide, and the Japanese digital version was taken off the Nintendo eShop. Unsurprisingly, GATEWAY users were able to pirate the game and take advantage of its entry point.
Cubic Ninja gave users the ability to design their own levels and have others play them online. The data for these levels is supposed to be a certain size. However, the game does not check that the data stays within that size. This meant that users could fill their levels with as much data as they wanted, and this is how users were able to access the entry point. The release of ninjhax was a milestone for the 3DS hacking scene. Not only was ninjhax the first exploit to enable Homebrew, but it worked on every 3DS on the latest firmware at the time. As was promised, Piracy was nearly impossible.
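The missing size check described above for Cubic Ninja's level data, and earlier for the over-long DS Profile string, comes down to trusting a length that arrives with the data itself. As an added example (not code from the game, the 3DS, or any exploit), the C below contrasts that pattern with a loader that validates the length first; the two-byte length header, the 64-byte limit, and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LEVEL_MAX 64            /* hypothetical fixed size the loader expects */

typedef struct { uint8_t data[LEVEL_MAX]; size_t len; } level_t;

/* The pattern the article describes: the length stored inside the
 * untrusted blob is trusted, so an oversized level runs past data[].
 * Shown for contrast only; nothing in this file calls it. */
void load_level_unchecked(level_t *out, const uint8_t *blob) {
    size_t declared = (size_t)blob[0] | ((size_t)blob[1] << 8);
    memcpy(out->data, blob + 2, declared);      /* no bound on declared */
    out->len = declared;
}

/* Hardened loader: 0 on success, negative code on rejection. */
int load_level_checked(level_t *out, const uint8_t *blob, size_t blob_len) {
    if (blob_len < 2) return -1;                 /* length header missing */
    size_t declared = (size_t)blob[0] | ((size_t)blob[1] << 8);
    if (declared > LEVEL_MAX) return -2;         /* would overflow data[] */
    if (declared > blob_len - 2) return -3;      /* claims more than was sent */
    memset(out, 0, sizeof *out);
    memcpy(out->data, blob + 2, declared);
    out->len = declared;
    return 0;
}

/* Builds a constructed sample blob and runs it through the checked loader. */
int check_sample(size_t declared, size_t supplied) {
    uint8_t blob[2 + 512] = {0};
    level_t lv;
    if (supplied > 512) supplied = 512;
    blob[0] = (uint8_t)(declared & 0xff);
    blob[1] = (uint8_t)((declared >> 8) & 0xff);
    memset(blob + 2, 'A', supplied);
    return load_level_checked(&lv, blob, 2 + supplied);
}

int main(void) {
    printf("well-formed: %d\n", check_sample(16, 16));
    printf("oversized:   %d\n", check_sample(200, 200));
    printf("truncated:   %d\n", check_sample(32, 8));
    return 0;
}
```

The second check matters as much as the first: a length that fits the destination but exceeds what was actually supplied would make the loader read past the end of its input.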
GATEWAY’s Outdated Update.
With the new year, GATEWAY was still decently relevant and released an update to their Flash Carts. This update was marketed as GATEWAY Ultra. GATEWAY Ultra used an exploit for firmware v9.2 that didn’t require a game. Although this seems better, the latest version at the time was 9.4 U. The company still went out of its way to protect its exploits. The code itself was encrypted, and the majority of it wasn’t useful, likely to make any attempt to reverse engineer it more difficult. A member of the PS Vita hacking scene, YiFanLu, completely reverse-engineered the entire script. The exploit took advantage of a vulnerability in WebKit, a browser engine. Most browsers have already patched the vulnerability. The Exploit Chain itself contained very useful information.
At this point, GATEWAY no longer led the 3DS hacking scene. Homebrew led the community once again. From this point forward, there were only improvements! Everyone now uses a custom firmware called Luma3DS. The majority of the source code for what was covered can be found on GitHub and 3ds.guide.