
An In-Depth Security Evaluation of the Nintendo DSi Gaming Console

Conference paper, in: Smart Card Research and Advanced Applications (CARDIS 2023)

Abstract

The Nintendo DSi is a handheld gaming console released by Nintendo in 2008. In Nintendo’s line-up the DSi served as a successor to the DS and was later succeeded by the 3DS. The security systems of both the DS and 3DS have been fully analysed and defeated. However, for over 14 years the security systems of the Nintendo DSi remained standing and had not been fully analysed. To that end, this work builds on existing research and demonstrates the use of a second-order fault injection attack to extract the ROM bootloaders stored in the custom system-on-chip used by the DSi. We analyse the effect of the induced fault and compare it to theoretical fault models. Additionally, we present a security analysis of the extracted ROM bootloaders and develop a modchip using cheap off-the-shelf components. The modchip allows jailbreaking the console but, more importantly, allows resurrecting consoles previously assumed irreparable.


Notes

  1. See https://hackerone.com/nintendo/updates, https://archive.ph/Yh7YV.

  2. The exact date is unclear. Nintendo never announced an official date when the DSi would go out of support, instead changing the console’s status silently. The 3DS was discontinued in 2020.

  3. Crazy Train, a downloadable DSiWare title.

  4. https://ghidra-sre.org/.

  5. https://www.unicorn-engine.org/.

  6. https://melonds.kuribo64.net/.

  7. Available at https://github.com/melonDS-emu/melonDS/pull/1583.


Acknowledgments

We would like to thank Arthur Beckers for his practical help with setting up and conducting the fault injection run against the ARM7 boot ROM.

This work was supported by CyberSecurity Research Flanders with reference number VR20192203 and by the Research Council KU Leuven C1 on Security and Privacy for Cyber-Physical Systems and the Internet of Things with contract number C16/15/058. In addition, this work was supported by the European Commission through the Horizon 2020 research and innovation program under grant agreement Belfort ERC Advanced Grant 101020005 695305, through H2020 Twinning SAFEST 952252, and through the Horizon Europe research and innovation program under grant agreement HORIZON-CL3-2021-CS-01-02 101070008 ORSHIN.


Author information

Corresponding author: pcy Sluys.


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Sluys, p., Wouters, L., Gierlichs, B., Verbauwhede, I. (2024). An In-Depth Security Evaluation of the Nintendo DSi Gaming Console. In: Bhasin, S., Roche, T. (eds) Smart Card Research and Advanced Applications. CARDIS 2023. Lecture Notes in Computer Science, vol 14530. Springer, Cham. https://doi.org/10.1007/978-3-031-54409-5_2


  • DOI: https://doi.org/10.1007/978-3-031-54409-5_2


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-54408-8

  • Online ISBN: 978-3-031-54409-5
