
Topic: A PSA to 3DS owners concerned with potential theft


jaxrogers2

Recent developments in 3DS security that I will not delve into in detail here, and that are fairly accessible elsewhere (and to @gcunit, I apologize for being completely ignorant on discussing this exact topic previously on here), have a few effects on the general 3DS user population. This post will discuss the effect on theft of 3DS consoles, including those with special editions that are often considerably more valuable than more commonplace 3DSes.

Prior to said recent developments, a program could be used to lock a 3DS console entirely. Said program would not allow a 3DS to boot up unless a multi-button PIN was entered. After the PIN is successfully entered, the program would allow other programs (including one that allows the console to boot) to run. If one forgot their PIN, they could use a console-unique file that only the owner of a 3DS console would have to work around the PIN. If a 3DS with said program was stolen, it would not be usable at all by the thief, because it would be locked. In addition, the screen that a user enters the PIN on would offer contact information so it could be returned to its original owner. Lastly, if a user forgot their PIN and did not have a dump of their console-unique file, but they had a backup of their console without the program installed, they could use a hardware modification to restore their console. Luckily, these backups are also console-unique, so thieves would not be able to use this bypass either. As is evident, this program worked as intended, until recently. Now, with recent developments, the console-unique file used as a PIN workaround can be easily dumped without restriction on boot using a key combination, which is a feature that is completely baked into the exploit code itself. In addition, this new method, which gains arbitrary code execution during boot, can overwrite such a PIN program, since it runs earlier in boot than the PIN program. To make matters worse for security (but not for those wanting easy 3DS hacks), installation of this new method can be performed on any 3DS with a relatively simple hardware modification (although it requires soldering experience) and without such a modification on specific system versions.

What does this mean for the general end user? Well, it means that if a 3DS is stolen, hacked or not, it is even less likely that you will ever get it back. This is especially true for special editions, since the cost of doing the hardware mod usually required could be easily covered by selling the console at the typical markup for collectible consoles. Even for those with completely unhacked ("stock") consoles, this is still very much an issue. A thief could steal your 3DS, install the bootrom exploit (with or without a hardware modification, depending on system version), wipe the NNID completely from your console by installing a blank Nintendo Network ID data file (which you can only do with hacks), delete all downloaded titles and save data (possibly through system format or manually), and then sell it. The only possible thing you could recover would be your eShop account/content, and that's only if you buy a replacement console.

Previously, if you had a 3DS that you wanted protected from theft, you could hack it for free or at low cost, install the PIN program, and your 3DS would be completely safe from any unauthorized use. Kids, other people, thieves, you name it. However, that is no longer the case, since this new method of loading arbitrary code uses a bootrom exploit, and unfortunately for console security, bootrom exploits cannot be fixed in a "stability" update of any kind. Such an exploit requires a hardware revision to fix. For those considering the New 2DS XL, it is unknown whether this new hardware revision will have fixed the bootrom exploit. However, if said console ships on 11.4 and if the bootrom exploit is fixed, it will be irrelevant for console security, as 11.4 is currently unhackable under the old, no-bootrom-exploit method. This means that installing the PIN program would be impossible on the New 2DS XL anyway, if this ends up being the case. This is because 11.4 can only be hacked using the new, bootrom-exploit-based method.

Ultimately, this issue is just something to keep an eye on. If you care about your save data, back it up (this will require hacks, but I find even just this specific feature is important enough to go through the trouble of getting such hacks set up). Take precautions if you use your 3DS on public transportation, crowds, large events, etc. But overall, common sense should be enough.

But as a bonus warning, the discovery of this new bootrom exploit revealed another security issue: A 3DS will attempt to boot from a DS cartridge when a specific key combination is held when the shell is closed. However, the shell requirement can be easily bypassed by a magnet, making this boot method feasible. It is believed that this cartridge is used either for some type of factory testing or as a way for Nintendo Support to restore a completely bricked console. Regardless of the purpose, this boot method could be abused in the future if a custom DS cartridge is developed to get bootrom code execution. Since this execution would occur even earlier than the bootrom arbitrary code execution we have now, even if a PIN program equivalent was developed for the current bootrom exploit, booting from such a cartridge would bypass it. Since this cartridge could be developed to completely reflash the firmware, it could essentially be used as the 3DS equivalent of the "magic memory stick" on the PSP. Luckily, nobody has implemented this yet, so it's not really a concern. However, if it is ever developed, then it really would be game over if a 3DS is stolen.

On the upside, the bootrom exploit installation has virtually no brick chance - there's no downgrading to firmware versions people have never heard of before or cared about, and the process is significantly faster than before. CHN and TWN regions are now supported, which had never previously been supported for any type of hacks before this. But this exact same exploit that enables all of these benefits also contributes to the problems discussed above. Ultimately, like any complicated topic worth debate and discussion, "There are no solutions. Only tradeoffs."

Edited on by jaxrogers2


LzWinky

No worries. My screen is broken, which provides the best protection!

Current games: Everything on Switch

Switch Friend Code: SW-5075-7879-0008 | My Nintendo: LzWinky | Nintendo Network ID: LzWinky

jaxrogers2

@TheLZdragon Yeah, you could call that protection 3DCracked /s

My personal theft protection is that I just use my original 3DS while traveling (I leave my N3DS XL at home), since there's no warranty or repairs offered anymore for original 3DSes anyway. Plus I have backups of all of my game save data, which is really what any stock user would be bummed out about losing if their console was stolen.

Edited on by jaxrogers2


MegaMari0

I never cared much for the 3DS hacking scene. I enjoyed my time with the system. Sold it then moved on after owning a few over the past 5 years. I do miss playing it from time to time. Enjoy the homebrewing.

"When expecting booby traps, always send the boob in first." -Megatron-

3DS Friend Code: 3153-3802-3566 | Nintendo Network ID: coldfusion88

jaxrogers2

@MegaMari0 Overall I think it's crazy how much everything has progressed. The whole thing went from one company developing emuNAND to the whole scene being led by open source devs that not only improved on that basic formula, but also created better ones. Essentially:

Stock boot (2011): Bootrom -> Bootrom lockout -> Arm9loader -> OTP lockout -> Firmware

Emu/RedNAND boot (2013-2015): Bootrom -> Bootrom lockout -> Arm9loader -> OTP lockout -> Firmware -> [Boot Manager] -> emuNAND

Arm9loaderhax (A9LH) boot (2016-2017): Bootrom -> Bootrom lockout -> Arm9loader -> OTP lockout -> [custom firmware loaded] -> custom firmware patched updateable sysNAND

Sighax/Boot9Strap boot (2017-): Bootrom [custom firmware loaded] -> Bootrom lockout -> Arm9Loader -> OTP lockout -> [updated, custom firmware patched updateable sysNAND]

Edited on by jaxrogers2


zitpig

Some very clever people out there.
