Abstract
The Nintendo DSi is a handheld gaming console released by Nintendo in 2008. In Nintendo’s line-up the DSi served as the successor to the DS and was later succeeded by the 3DS. The security systems of both the DS and the 3DS have been fully analysed and defeated. However, for over 14 years the security systems of the Nintendo DSi remained standing and had not been fully analysed. To that end, this work builds on existing research and demonstrates the use of a second-order fault injection attack to extract the ROM bootloaders stored in the custom system-on-chip used by the DSi. We analyse the effect of the induced fault and compare it to theoretical fault models. Additionally, we present a security analysis of the extracted ROM bootloaders and develop a modchip using cheap off-the-shelf components. The modchip allows the console to be jailbroken, but more importantly allows consoles previously assumed irreparable to be resurrected.
Notes
- 2. The exact date is unclear. Nintendo never announced an official date when the DSi would go out of support, instead changing the console’s status silently. The 3DS was discontinued in 2020.
- 3. Crazy Train, a downloadable DSiWare title.
- 7. Available at https://github.com/melonDS-emu/melonDS/pull/1583.
Acknowledgments
We would like to thank Arthur Beckers for his practical help with setting up and conducting the fault injection run against the ARM7 boot ROM.
This work was supported by CyberSecurity Research Flanders with reference number VR20192203 and by the Research Council KU Leuven C1 on Security and Privacy for Cyber-Physical Systems and the Internet of Things with contract number C16/15/058. In addition, this work was supported by the European Commission through the Horizon 2020 research and innovation program under grant agreement Belfort ERC Advanced Grant 101020005 695305, through H2020 Twinning SAFEST 952252, and through the Horizon Europe research and innovation program under grant agreement HORIZON-CL3-2021-CS-01-02 101070008 ORSHIN.
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Sluys, P., Wouters, L., Gierlichs, B., Verbauwhede, I. (2024). An In-Depth Security Evaluation of the Nintendo DSi Gaming Console. In: Bhasin, S., Roche, T. (eds) Smart Card Research and Advanced Applications. CARDIS 2023. Lecture Notes in Computer Science, vol 14530. Springer, Cham. https://doi.org/10.1007/978-3-031-54409-5_2
DOI: https://doi.org/10.1007/978-3-031-54409-5_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-54408-8
Online ISBN: 978-3-031-54409-5
eBook Packages: Computer Science (R0)