gbadev.org forum archive

This is a read-only mirror of the content originally found on forum.gbadev.org (now offline), salvaged from Wayback machine copies. A new forum can be found here.

DS Misc > [Joke] Firmware flaw allows unsigned code execution!

#77497 - HyperHacker - Sat Apr 01, 2006 10:14 am

I was poking through the firmware, hoping to find a way to trick games into running in debug mode, and I found something even better. I'd noticed that the firmware turns the microphone on while looking for programs in DS Download Play... I couldn't imagine why, figured it must be a glitch. But then I noticed it's actually reading in data from the microphone. But why?

After another few minutes of poking, I figured out why, and almost fell out of my chair. The firmware is looking for a specific byte sequence to come in through the microphone. When it finds this sequence, it goes into a sort of debug mode itself. It doesn't run games in debug mode, unfortunately, but it does do a few cool things. Pressing L+R+X+Y will wipe the user settings. There's also a way to edit the MAC address, but I haven't figured out how to activate it yet. But most importantly... it doesn't do any RSA check on Download Play! O_O So once you activate it, you can just send your favourite homebrew through WMB and have fun!

Of course, getting that specific byte sequence in through a little microphone isn't easy. You'd need some sort of precision control. Well, I found a way! A little-known feature of many modern-day PC motherboards is that you can change CPU, memory and fan speeds through an I/O port on the real-time clock chip. Specifically, you can control the fan in the power supply. And so by manipulating the fan and holding the DS up to it, you can 'blow' that exact byte sequence (or for that matter, any other) into the mic!

I call this exploit BlowMe. The program is here, source code will come soon but I need sleep now. Just run it; it'll give you all the instructions you need. Then use WMB to send your program just as you would with FlashMe. (Hell, you can even send FlashMe.) I haven't tested with DS Lite, and it doesn't appear to affect cartridge encryption.

Enjoy! :-)

#77498 - Mighty Max - Sat Apr 01, 2006 10:17 am

What a nice day :D

Well done
_________________
GBAMP Multiboot

#77499 - DesktopMan - Sat Apr 01, 2006 10:22 am

Dude it works!

#77500 - linus - Sat Apr 01, 2006 10:22 am

props on the name

#77501 - JaJa - Sat Apr 01, 2006 10:22 am

Posted: Sat Apr 01, 2006 9:14 am Post subject: Firmware flaw allows unsigned code execution!

Need I say more?
Surely someone who's been looking at the firmware for months (like loopy or sgstair) would have found this before?

#77503 - LiraNuna - Sat Apr 01, 2006 10:32 am

?_?
nice joke man.

#77506 - caitsith2 - Sat Apr 01, 2006 10:51 am

Code:

#include <stdio.h>
#include <conio.h>    /* getch() */
#include <windows.h>  /* Sleep() takes milliseconds; POSIX sleep() would take seconds */

int main(int argc, char *argv[])
{
    printf("BlowMe V1.0 - Nintendo DS Homebrew Loader by HyperHacker\n"
             "http://hypernova.amarok-shadow.com\n\n"
             "Instructions:\n"
             "1) Turn on your DS and enter DS Download Play.\n"
             "2) Hold the microphone up to the fan in your computer's power supply.\n"
             "3) Press any key to begin.\n\n");

    /* getch() blocks until a key is pressed; the loop only repeats on a 0 prefix byte */
    while(!getch()) Sleep(100);

    printf("Sending...\n");

    Sleep(6000);  //April Fools joke happens here (6 seconds of doing nothing).  If end user is running flashme, he already can run unsigned code.

    printf("RSA check disabled. You should now be able to run unsigned code via Wireless\n"
             "Multiboot. Note that you will need to do this each time you want to run\n"
             "unsigned code.\n"
             "Press any key to exit.\n");

    while(!getch()) Sleep(100);

    return 0;
}


Awesome april fools joke.

#77524 - chishm - Sat Apr 01, 2006 2:44 pm

I'm not going to run this, it might brick my PC! What happens if the fan speed modulation fails, and my CPU overheats?!?!
_________________
http://chishm.drunkencoders.com
http://dldi.drunkencoders.com

#77526 - lambi1982 - Sat Apr 01, 2006 3:20 pm

This has to be by far the funniest "HACK" ever.... and I mean ever.

BlowME........ HAhaHAhaHAhaHA
_________________
Who, Me?

#77544 - Diffuse - Sat Apr 01, 2006 4:47 pm

Man... while reading that I had forgotten it was April Fools! Well, the fan thing to send the byte sequence seemed quite odd...
_________________
http://www.ndscene.net
Diffuse is Tepples #1 fan! w00t!

#77592 - pas - Sat Apr 01, 2006 10:05 pm

Is this a joke now, or is this real ?

If this is a joke, is there any other way to overgo the RSA signature of DS Download Play (except FlashMe, of course)?

#77593 - pas - Sat Apr 01, 2006 10:09 pm

@chishm:

Are you joking or what ? :)

#77599 - HyperHacker - Sat Apr 01, 2006 10:29 pm

chishm wrote:
I'm not going to run this, it might brick my PC! What happens if the fan speed modulation fails, and my CPU overheats?!?!

Your CPU fan should be able to handle it for the whole 6 seconds it takes to do this.

#77620 - chishm - Sun Apr 02, 2006 12:38 am

HyperHacker wrote:
chishm wrote:
I'm not going to run this, it might brick my PC! What happens if the fan speed modulation fails, and my CPU overheats?!?!

Your CPU fan should be able to handle it for the whole 6 seconds it takes to do this.

I know :D
I was joking (after all, it was a joke thread).
But my CPU idles at 65°, so it would quickly die without a fan.
_________________
http://chishm.drunkencoders.com
http://dldi.drunkencoders.com

#77623 - Maverick - Sun Apr 02, 2006 1:10 am

65° when idle?

You've got a problem there

http://video.google.com/videoplay?docid=5393904704265757054&q=overclock+cpu&pl=true
_________________
http://downtou.ne1.net/

#77663 - HyperHacker - Sun Apr 02, 2006 7:03 am

Hahaha! That's crazy... just explodes right away.

So yeah, if you couldn't tell, this was a joke. The name "BlowMe" popped into my head when someone was listing all the other methods and I noticed they all ended in "Me". Caitsith2 freaked me out with how close the code he posted was to the real thing; I had to double check that I didn't accidentally include it in the file.

Code:
#include <stdio.h>
#include <conio.h>    /* getch() */
#include <windows.h>  /* WinMain types, Sleep() */
#include "main.h"     /* the author's own project header, not included in the post */


/*
Entry point
*/
int APIENTRY WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
   printf(
      "BlowMe V1.0 - Nintendo DS Homebrew Loader by HyperHacker\nhttp://hypernova.amarok-shadow.com\n\n"
      "Instructions:\n"
      "1) Turn on your DS and enter DS Download Play.\n"
      "2) Hold the microphone up to the fan in your computer's power supply.\n"
      "3) Press any key to begin.\n\n");

   while(!getch()) Sleep(100);
   printf("Sending...\n");
   Sleep(6000);   /* the whole "exploit": six seconds of nothing */
   printf(
      "RSA check disabled. You should now be able to run unsigned code via Wireless\n"
      "Multiboot. Note that you will need to do this each time you want to run\n"
      "unsigned code.\n"
      "Press any key to exit.\n");
   while(!getch()) Sleep(100);
   return 0;
}

Even got the sleep amounts right. o_o A cookie for you!

#77666 - caitsith2 - Sun Apr 02, 2006 7:23 am

That's one of the very things IDA is useful for. Took me less than 5 minutes to figure out what was going on in the code.

#77669 - pas - Sun Apr 02, 2006 9:27 am

@HyperHacker:

Could you give us a video or something like a slideshow that proves this, or do you admit that you were lying?

#77670 - MaHe - Sun Apr 02, 2006 9:29 am

Come on, it was April Fools, he was JOKING, jeez >_>
_________________
[ Crimson and Black Nintendo DS Lite | CycloDS Evolution | EZ-Flash 3-in-1 | 1 GB Transcend microSD ]

#77671 - JaJa - Sun Apr 02, 2006 9:33 am

APRIL FOOLS!!!11
This thread was an April Fools.
It doesn't work.
Got the message now?
APRIL FOOLS!!!11

#77762 - HyperHacker - Sun Apr 02, 2006 10:31 pm

pas wrote:
@HyperHacker:

Could you give us a video or something like a slideshow that proves this, or do you admit that you were lying?

HyperHacker wrote:
So yeah, if you couldn't tell, this was a joke.

#77901 - crudhacker - Mon Apr 03, 2006 11:19 pm

HyperHacker wrote:
I was poking through the firmware, hoping to find a way to trick games into running in debug mode, and I found something even better. I'd noticed that the firmware turns the microphone on while looking for programs in DS Download Play... I couldn't imagine why, figured it must be a glitch. But then I noticed it's actually reading in data from the microphone. But why?

After another few minutes of poking, I figured out why, and almost fell out of my chair. The firmware is looking for a specific byte sequence to come in through the microphone. When it finds this sequence, it goes into a sort of debug mode itself. It doesn't run games in debug mode, unfortunately, but it does do a few cool things. Pressing L+R+X+Y will wipe the user settings. There's also a way to edit the MAC address, but I haven't figured out how to activate it yet. But most importantly... it doesn't do any RSA check on Download Play! O_O So once you activate it, you can just send your favourite homebrew through WMB and have fun!

Of course, getting that specific byte sequence in through a little microphone isn't easy. You'd need some sort of precision control. Well, I found a way! A little-known feature of many modern-day PC motherboards is that you can change CPU, memory and fan speeds through an I/O port on the real-time clock chip. Specifically, you can control the fan in the power supply. And so by manipulating the fan and holding the DS up to it, you can 'blow' that exact byte sequence (or for that matter, any other) into the mic!

I call this exploit BlowMe. The program is here, source code will come soon but I need sleep now. Just run it; it'll give you all the instructions you need. Then use WMB to send your program just as you would with FlashMe. (Hell, you can even send FlashMe.) I haven't tested with DS Lite, and it doesn't appear to affect cartridge encryption.

Enjoy! :-)


WWWWWWWWWWWOOOOOOOOOOOOOOOOWWWWWWWWWWWW!!!!!!!! finally a way to JUST pass code through the DS without the RSA check. Dude luck or not THANK YOU!


.......... great. didn't know this was a joke. u piss me off. i thought this was real. u really piss me off
_________________
MKDS friend code-
051599-251600
PM me so i can add u

crack this encrypted message-
BNSRIAYTNEDCLTFJQEZGNWDXHO
key- skip first letter then skip 2,3 till 4 then go back down

#77991 - m2pt5 - Tue Apr 04, 2006 12:34 pm

This thread should probably be clearly labeled "joke" and closed, so as not to confuse any further newbs.
_________________
Don't sign your posts, it's dumb.

#78045 - derula - Tue Apr 04, 2006 8:38 pm

Maverick wrote:
65° when idle?

You've got a problem there

http://video.google.com/videoplay?docid=5393904704265757054&q=overclock+cpu&pl=true


duuuude...

"too extrame" ^^
_________________
visit my blog. please.

#78123 - Sebbo - Wed Apr 05, 2006 8:15 am

65° when idle and you're in Canberra? Damn... I don't want to see it when it's churning out BF2.
Mine barely gets to 50° on a hot summer's day and I'm in Brisbane.

btw, great joke HyperHacker, it's a serious bummer it wasn't true though
_________________
Here's some ideas I have for when I know enough to act on them, or for others to have a look at when they're bored: www.wayne.sebbens.com/ds_ideas.htm

#78143 - chishm - Wed Apr 05, 2006 12:18 pm

Well, it's an Athlon XP running on a Gigabyte K7N400 Pro 2 motherboard, which seems to have a design flaw -- its minimum CPU voltage is 1.72V. However, my PC has been running fine for 2 years and the only problem has been dead RAM.
_________________
http://chishm.drunkencoders.com
http://dldi.drunkencoders.com

#78228 - HyperHacker - Thu Apr 06, 2006 2:25 am

Running that hot's gotta be wearing it down, though. Mine (Sempron @ 1.7 GHz) practically never exceeds 40°C. Stick some fans in there or something.

#78270 - JaJa - Thu Apr 06, 2006 9:29 am

Silicon chips have the same failure rate at any reasonable temperature.
As long as you don't exceed like 70°C it should be fine.
I had a PIII that you could use as a kettle (and I did for a while) and it didn't feel any ill effects (until it got a static shock).

#78274 - chishm - Thu Apr 06, 2006 11:12 am

I have enough fans. It is fine. When it dies, it will be a good excuse to upgrade.
_________________
http://chishm.drunkencoders.com
http://dldi.drunkencoders.com