This documentary brilliantly illustrates the "Weakest Link Principle" by showing how a single overlooked vulnerability can compromise an entire security ecosystem. It serves as a stark reminder that a system's strength is defined not by its most robust defenses, but by its most obscure flaw.
One QR Code Destroyed The 3DS Forever
The year is 2014.
A teenager in suburban Ohio is standing in line at a GameStop at 7:00 in the morning.
He is holding $40 in crumpled bills. He skipped first period to be here.
He is here for a video game that 2 weeks ago was sitting in a clearance bin marked $5 for 2.
A game that critics universally agreed was one of the worst titles ever released on the Nintendo 3DS.
A game about a square ninja named CC who could only move when you physically tilted the entire console, ruining the only feature the 3DS was actually known for. The game is called Cubic Ninja.
The teenager is not here because he wants to play Cubic Ninja.
Nobody in the entire history of the medium has ever wanted to play Cubic Ninja.
He is here because somewhere in the broken, unresponsive, gyroscope-controlled code of this commercial disaster, a 22-year-old French hacker named Jordan Rabet had discovered a single mathematical error, a digital box one inch too small.
And through that one inch, the entire Nintendo 3DS, a console Nintendo had spent 3 years and millions of dollars engineering to be the most secure piece of consumer hardware in the world, was about to fall apart. This is the story of how a square ninja killed the fortress. The year is 2007.
The original Nintendo DS is the best-selling handheld console on the planet. It will eventually move over 150 million units.
It is also, by any honest accounting, the single most pirated piece of consumer hardware in human history. The reason for this is a small black cartridge called the R4.
The R4 looks exactly like a real DS game. It slots into the console. It boots up. But inside the plastic shell is a microSD card slot. And on that card, a pirate can store every Nintendo DS game ever released, downloaded for free from the open internet. The R4 costs $15.
It works on every DS ever sold. Nintendo has no software update mechanism powerful enough to stop it. They cannot patch it. They cannot block it. They cannot recall it.
For the better part of a decade, Nintendo of Japan watches in slow, grinding horror as their flagship platform becomes the most lucrative piracy delivery system the industry has ever seen. Internal estimates of lost software revenue run into the hundreds of millions of dollars.
Children, the most valuable demographic Nintendo has ever cultivated, learn before they can drive a car that video games are something you download for free.
When Nintendo's hardware engineers sit down in 2009 to draft the next handheld console, the mandate from corporate is not subtle.
It is not negotiable. It is absolute.
The next console must be unhackable. Not difficult to hack. Not expensive to hack. Unhackable.
Mathematically, cryptographically, architecturally unhackable.
What they design over the next 2 years is, by the standards of 2011, a masterpiece of paranoid engineering.
The Nintendo 3DS ships with not one, but two processors.
The main processor, an ARM11, runs the games and the user interface. This is the part of the system the user can see.
The second processor, an ARM9, is hidden. The user will never know it exists.
The ARM9 has one job, and it does it with the cold focus of a prison guard.
It controls every cryptographic operation on the entire device.
It is the only chip allowed to talk to the AES encryption hardware.
It is the only chip allowed to read or write the system's internal storage.
It is the only chip that holds the keys to the kingdom.
The two processors cannot read each other's memory.
They cannot read each other's code.
They live in physically separate regions of silicon.
Separated by walls Nintendo's engineers built specifically so that if the front-facing processor is ever compromised, the attacker is still on the wrong side of the moat.
To request anything sensitive, the ARM11 must send a formal monitored message across a narrow communication channel called PXI.
Like a prisoner slipping the note under a steel door, the ARM9 reads the note. If it approves, it returns the answer.
The ARM11 never touches the keys.
On top of this physical separation, Nintendo layers cryptography.
Every piece of firmware on the device is signed with RSA-2048, a mathematical signature that requires Nintendo's secret private key to forge. Every boot sequence is verified by an immutable boot ROM.
Code that is literally burned into the silicon at the factory and cannot be changed by any software update ever for the entire life of the console.
The encryption engine has 64 hardware key slots, designed so that once a key is written into a slot, the key itself can never be read back out. You can use it, you can never see it.
By every cybersecurity metric available in 2011, the Nintendo 3DS is a fortress.
To break it, an attacker would have to find a flaw in a game, escape the game sandbox, escape the operating system sandbox, hijack the message channel between processors, bridge the air gap to the ARM9, and somehow defeat hardware level encryption.
The architecture is not just secure, it is showy.
It is the kind of security that engineers show off at conferences.
For 3 years it works.
Flash card manufacturers try, they fail.
The few hacks that exist are fragile, patchable, and require soldering. The 3DS, the console that was supposed to never be another R4 disaster, sits on store shelves untouched.
And then a 19-year-old French university student notices a level editor in a $5 puzzle game. Jordan Rabet, online handle Smealum, is not a pirate.
This is important.
Smealum has said it on the record, in interviews, in forum posts, in conference talks, more times than anyone can count. He does not pirate games.
He does not believe in piracy.
He thinks pirating games hurts the developers who make them.
And he refuses to release any tool whose primary purpose is to enable theft.
What Smealum believes in is something older and stranger and harder to corporate PR away.
Smealum believes that when you buy a piece of hardware, the hardware belongs to you, not in some abstract legal sense.
In the actual sense. The plastic, the silicon, the circuitry, yours.
And if you want to write your own programs and run them on your own machine, no corporation on Earth has the moral right to stop you. This belief has a name.
It is called the homebrew ethos.
It is the same belief that built the Apple II, the same belief that built Linux, the same belief that in the early 2010s was being slowly, deliberately strangled by every major hardware manufacturer on the planet. Smealum wants to run Minecraft on his 3DS.
He has, in fact, already written a version. He calls it 3DS Craft.
He wants to write emulators so that people can preserve classic Nintendo games that Nintendo itself has stopped selling. He wants to bypass the absurd regional locks that prevent an American 3DS from playing a Japanese game.
He wants to make the machine he bought do what he wants it to do. And to do any of this, he needs a way in.
For 2 years, he hunts.
He reads disassembled Nintendo code in the dark hours of the morning. He talks to a small network of collaborators on encrypted channels.
Hackers operating under names like yellows8, plutoo and derrek. The slow accretion of a brain trust.
They look at every game on the system.
They look at every native application.
They look at the web browser, the camera app, the StreetPass system, the system settings.
They are looking for one thing.
A single piece of software that takes input from the outside world, processes that input, and trusts it. And then somebody notices Cubic Ninja.
Cubic Ninja is a disaster. The reviews are merciless.
Metacritic settles at 51. The controls are unplayable. The art is generic. The level design is sadistic.
Critics specifically hate on the developer for building a game around tilting the console when tilting the console destroys the auto stereoscopic 3D effect that is the entire selling point of the hardware.
The publisher, Ubisoft, releases it and immediately seems to forget about it.
The original developer, AQ Interactive, goes out of business.
The game sits in clearance bins. Nobody buys it. Nobody plays it. Nobody cares.
But Cubic Ninja has one feature. You can build your own custom puzzle stages and share them with your friends.
And because this is 2011, and because the 3DS has a camera, the sharing mechanism is a QR code. You design a level.
The game encodes it into a barcode.
Your friend points his camera at the barcode. The game decodes the data and loads the level into memory.
When Smealum looks at the code that loads a Cubic Ninja QR code into memory, what he sees is the kind of mistake that haunts software engineers in their dreams.
The developers, sometime in 2010, had to decide how big a custom level could be.
They picked a number. They wrote that number into the source code.
They allocated a block of memory exactly that big to hold the incoming level data when a QR code was scanned.
And then, in a single fateful oversight that would eventually cost Nintendo control of an entire console generation, they forgot to check.
The code never verifies that the incoming data is actually small enough to fit in the box. In computer security, this is called a stack buffer overflow.
It is the oldest, most thoroughly documented, most preventable category of software vulnerability in existence.
Universities teach freshmen how to find them.
There are automated tools that scan for them.
There are entire programming languages designed specifically to make them impossible.
And in 2010, inside the code of a $5 puzzle game about a tilting ninja, AQ Interactive shipped one to the entire global market. Smealum writes a QR code that contains, instead of a level, a payload.
The payload is too big for the box.
When Cubic Ninja tries to load it, the excess data spills out of the buffer and overwrites the surrounding memory.
And because Smealum has calibrated the spillage with surgical precision, the bytes that land on top of the program counter, the internal compass that tells the processor what to do next, are bytes that Smealum picked. The compass no longer points to the next puzzle tile.
It points to Smealum's code. This is the moment the fortress falls, but this is only the first wall.
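The loader bug the narration describes, as an added example that is not code from the video, from Cubic Ninja, or from the Ninjhax project. The level format (a 4-byte little-endian tile count followed by tile bytes), the buffer size LEVEL_MAX and the payloads are all constructed for illustration and are not Cubic Ninja's real layout. The unchecked loader copies an attacker-declared count into a fixed stack buffer; the hardened one makes the check the game forgot, before any byte is copied.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed level format for this example (not Cubic Ninja's real layout):
 * a 4-byte little-endian tile count followed by that many tile bytes.
 * LEVEL_MAX plays the role of "the number they picked". */
#define LEVEL_MAX 64

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VULNERABLE (kept for comparison; the demos below never feed it oversized
 * input): `count` comes straight off the scanned QR code and is copied into a
 * fixed-size stack buffer without ever being compared against LEVEL_MAX.
 * A count above 64 makes memcpy run past `tiles` into the saved registers
 * and return address above it on the stack. That is the primitive the
 * narration describes: the bytes that land on the saved PC are attacker-chosen. */
int load_level_unchecked(const uint8_t *qr, size_t qr_len, uint8_t *out) {
    uint8_t tiles[LEVEL_MAX];
    uint32_t count;
    if (qr_len < 4) return -1;
    count = rd_le32(qr);
    memcpy(tiles, qr + 4, count);           /* no bounds check on count */
    memcpy(out, tiles, count);
    return (int)count;
}

/* HARDENED: the same loader with the missing check. The declared count must
 * fit the destination buffer and the bytes actually received. */
int load_level_checked(const uint8_t *qr, size_t qr_len, uint8_t *out) {
    uint8_t tiles[LEVEL_MAX];
    uint32_t count;
    if (qr_len < 4) return -1;
    count = rd_le32(qr);
    if (count > LEVEL_MAX) return -1;       /* would overflow `tiles` */
    if (count > qr_len - 4) return -1;      /* would read past the payload */
    memcpy(tiles, qr + 4, count);
    memcpy(out, tiles, count);
    return (int)count;
}

/* Builds a constructed payload: a header claiming `declared` tiles followed
 * by `body` filler bytes. Returns the payload length, 0 if it does not fit. */
size_t build_payload(uint8_t *buf, size_t cap, uint32_t declared, size_t body) {
    if (cap < 4 + body) return 0;
    buf[0] = (uint8_t)declared;         buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared >> 16); buf[3] = (uint8_t)(declared >> 24);
    memset(buf + 4, 0x41, body);
    return 4 + body;
}

/* A well-formed level: 16 tiles declared, 16 present. Accepted. */
int demo_legit_level(void) {
    uint8_t qr[4 + 16], out[LEVEL_MAX];
    size_t n = build_payload(qr, sizeof qr, 16, 16);
    return load_level_checked(qr, n, out);
}

/* The attack shape: 200 tiles declared and present, more than LEVEL_MAX.
 * The unchecked loader would smash its own stack here; the checked one refuses. */
int demo_oversized_level(void) {
    uint8_t qr[4 + 200], out[LEVEL_MAX];
    size_t n = build_payload(qr, sizeof qr, 200, 200);
    return load_level_checked(qr, n, out);
}

/* A header that lies: 0x7fffffff declared, 8 bytes present. Rejected because
 * the count exceeds the bytes actually received. */
int demo_truncated_level(void) {
    uint8_t qr[4 + 8], out[LEVEL_MAX];
    size_t n = build_payload(qr, sizeof qr, 0x7fffffffu, 8);
    return load_level_checked(qr, n, out);
}

int main(void) {
    printf("legit:     %d\n", demo_legit_level());
    printf("oversized: %d\n", demo_oversized_level());
    printf("truncated: %d\n", demo_truncated_level());
    return 0;
}
```

The second check matters as much as the first: a loader that only compares the declared count against the buffer size can still be tricked into reading past the end of a short payload, so the count is validated against both bounds before memcpy runs.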
The ARM11 is breached, but Cubic Ninja is sandboxed. The exploit is sitting inside a tiny corner of the system with almost no permissions.
It cannot touch the SD card. It cannot install software.
It cannot do anything except run within the dying corpse of a tilting puzzle game. To actually do something useful, Smealum needs to escape.
He looks at the GPU.
The 3DS's graphics processor, like every modern graphics chip, has a feature called direct memory access. The GPU can read and write certain regions of system memory without asking the CPU for permission.
This is a performance feature. It exists so that the GPU can quickly grab textures and dump rendered frames without waiting in line.
It is not supposed to be a security feature. Smealum realizes that some of the memory regions the GPU can write are regions that the CPU sandbox would never let him touch.
Specifically, the memory belonging to other applications, including the system's built-in web browser, which has dramatically higher privileges than Cubic Ninja does.
So, Smealum, sitting inside the corpse of Cubic Ninja, sends rendering commands to the GPU. He instructs the graphics chip to act as a contract killer. The GPU, oblivious, executes the commands.
It writes Smealum's payload into the memory of the web browser.
The web browser, now silently corrupted, executes the payload.
The browser connects to the internet, downloads a second stage installer from Smealum's server, and installs a custom launcher onto the 3DS's home screen.
This launcher is called the homebrew launcher. It can run any unsigned program a user wants to write or download.
The fortress is open. He calls the entire chain Ninjhax.
On November 17, 2014, Smealum publicly announces that Ninjhax is real, that it works on every 3DS sold to that date, and that the trigger is Cubic Ninja. He had originally planned to release it earlier, but Nintendo had announced a hardware revision called the New Nintendo 3DS, and Smealum tactically delayed his release until the new model was actually in stores, ensuring that Nintendo could not patch the vulnerability before launch.
The timing is brutal. The new hardware ships already broken.
The internet does what the internet does.
Within hours, Cubic Ninja, a game that two days ago was sitting in clearance bins for $2, is being sold on eBay for $30, then 40, then 60.
Within a week, GameStop's algorithm has marked up used copies to $40, while their own database, still functioning on the assumption that Cubic Ninja is shovelware, lists new copies at $20 in the same store. Customers walk into GameStops across America and explain to confused clerks that yes, they would in fact like to pay twice as much for a used copy of a game that has unsold new copies sitting on the same shelf.
Some listings on Amazon reach $130.
Isolated panic auctions on eBay reportedly cross $500.
Collectors, hackers, and resellers strip the world's retail supply of Cubic Ninja in approximately 72 hours.
Nintendo of Japan, witnessing this in real time, does the only thing they can do.
The game has a digital release on the Japanese eShop. They yank it.
Within days, Cubic Ninja is delisted, scrubbed from the Japanese storefront, removed from existence as a downloadable product.
But in the rest of the world, where Cubic Ninja was only sold on physical cartridges, Nintendo can do nothing.
The original publisher is bankrupt. The cartridges are in attics and dorm rooms and backpacks all over the world.
The weapon is already distributed, and here is where Nintendo discovers the worst part.
They cannot patch the cartridge. The Cubic Ninja exploit is not a flaw in the operating system.
It is a flaw in a game that Nintendo did not write, did not publish, and no longer controls. Every copy of Cubic Ninja that exists in the wild, on every 3DS forever, contains the original unpatched vulnerability.
Nintendo can patch the GPU bug. They can patch the browser bug. They can patch the chain.
They cannot patch the cartridge.
As long as the cartridge exists, a sufficiently determined attacker can find a way to use it.
What follows is 3 years of escalating war. Nintendo patches the GPU memory exploit.
The community responds with a new attack that uses corrupted save files in The Legend of Zelda: Ocarina of Time.
Nintendo patches that. The community releases an exploit using a forgotten eShop game called Freakyforms Deluxe. Nintendo pulls Freakyforms from the eShop. The community releases browserhax, an exploit in the built-in web browser triggered by visiting a single URL.
Nintendo patches the browser.
The community releases soundhax, an exploit that does not need internet, does not need a cartridge, does not need anything except a single specially encoded M4A audio file played in the 3DS's native music app.
Nintendo cannot remove the music app.
They cannot remove the browser.
They cannot remove any of these features without crippling the device for legitimate users. Every patch lags. Every patch is incomplete.
Every patch arrives weeks after the next exploit is already in circulation.
And while Nintendo is busy plugging holes in the ARM11, smealum and his collaborators are no longer interested in the ARM11.
They have set their sights on the ARM9.
In December 2015 at the Chaos Communication Congress security conference in Hamburg, smealum, derrek, and plutoo walk onto a stage and present their findings to a room of professional security researchers.
The talk is methodical.
It is the kind of talk that, if you understand what you are watching, makes the hair on the back of your neck stand up. They explain that Nintendo's ARM9 firmware, the holy of holies of the entire console, the part of the system that was supposed to be physically and cryptographically untouchable, was encrypted using AES in electronic codebook mode, ECB, the cryptographic mode that every textbook in the world specifically warns you not to use because it preserves patterns in the encrypted data.
They explain that Nintendo's firmware loader never bothered to verify whether the decryption key it was using was actually the right key.
It just decrypted whatever it was given and ran the result.
This means that if an attacker writes garbage data into the system's encryption key store, the firmware loader will dutifully decrypt the firmware into garbage and try to execute it.
Most of the time, the garbage will be nonsense and the system will crash.
But by sheer mathematical chance, somewhere between 23 and 50% of the time, the garbage will resolve into a valid ARM branch instruction and the processor will jump to wherever the branch points. If the attacker has carefully placed his own code at that destination ahead of time, the system will execute it.
On the ARM9 with full privileges, before the operating system has even loaded. This exploit becomes known as arm9loaderhax. It is no longer a buffer overflow.
It is no longer a clever trick.
It is permanent custom firmware that loads milliseconds after the power button is pressed, beneath the operating system itself, with absolute control over both processors. The fortress is not breached.
The fortress is occupied.
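The "garbage decrypts into a branch" step above, as an added example that is not code from the talk or from the arm9loaderhax project. The loader executes the first decrypted word of the firmware without checking that the key was right, so the attacker's question becomes: for a given candidate key, does that word decode as an ARM branch, and where does it land? The decoder below handles the A32 B/BL encoding (condition field, bits 27..25 equal to 101, sign-extended 24-bit word offset relative to pc + 8); the candidate words, the load address and the attacker-controlled window are constructed for illustration, and the real loader's address layout is not something this page states.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Decodes an A32 word as a B/BL instruction. Returns 1 and writes the branch
 * target when the word is a conditional or always-taken branch; returns 0 for
 * anything else, including the cond == 0xF encoding space (BLX immediate and
 * other unconditional extensions), which this example does not treat as usable.
 * `pc` is the address the word executes from; ARM branch offsets are relative
 * to pc + 8 because of the pipeline. */
int arm_branch_target(uint32_t insn, uint32_t pc, uint32_t *target) {
    uint32_t cond = insn >> 28;
    uint32_t imm24, off;
    if (cond == 0xF) return 0;
    if (((insn >> 25) & 0x7) != 0x5) return 0;   /* bits 27..25 must be 101 */
    imm24 = insn & 0x00FFFFFFu;
    off = (imm24 & 0x00800000u) ? (imm24 | 0xFF000000u) : imm24;  /* sign-extend */
    off <<= 2;                                     /* word offset -> byte offset */
    *target = pc + 8 + off;                        /* unsigned wrap == signed add */
    return 1;
}

/* Counts how many candidate first words decode as a branch landing inside the
 * attacker-controlled window [lo, hi). Each word stands for "what the loader
 * sees after decrypting with one particular garbage key". */
size_t count_usable_branches(const uint32_t *words, size_t n, uint32_t pc,
                             uint32_t lo, uint32_t hi) {
    size_t usable = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t t;
        if (arm_branch_target(words[i], pc, &t) && t >= lo && t < hi) usable++;
    }
    return usable;
}

/* Constructed candidates (not real decryption output) to exercise the decoder:
 * three branches into the window, one branch rejected by the cond == 0xF rule,
 * and two non-branch words. */
int demo_usable_candidates(void) {
    static const uint32_t words[] = {
        0xEA000000u,  /* b  pc+8                      -> in window */
        0xEB000001u,  /* bl pc+12                     -> in window */
        0xEAFFFFFEu,  /* b  .  (branch to itself)     -> in window */
        0xFA000000u,  /* blx, cond == 0xF             -> rejected */
        0xE3A00000u,  /* mov r0, #0                   -> not a branch */
        0x00000000u,  /* andeq r0, r0, r0             -> not a branch */
    };
    const uint32_t pc = 0x08000000u;               /* constructed load address */
    return (int)count_usable_branches(words, sizeof words / sizeof words[0],
                                      pc, pc, pc + 0x1000u);
}

int main(void) {
    uint32_t t;
    if (arm_branch_target(0xEAFFFFFEu, 0x08000000u, &t))
        printf("0xEAFFFFFE branches to 0x%08X\n", t);
    printf("usable candidates: %d of 6\n", demo_usable_candidates());
    return 0;
}
```

Only the B/BL form is decoded here; a fuller search would also count data-processing and load instructions that write to the PC, which is one reason the attacker's real odds can be higher than a B/BL-only count suggests. The fix on the defender's side is not a better branch filter but a loader that authenticates the decrypted image (or the key it used) before transferring control.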
And then in 2017, the final blow.
A researcher named derrek begins analyzing the RSA-2048 signature verification in the boot ROM itself.
The boot ROM, the immutable code burned into the silicon, the part of the system that Nintendo specifically designed to be impossible to patch, even by the company that built it. He finds a flaw in how the boot ROM parses cryptographic signatures.
Specifically, in how it validates the PKCS standard padding around an RSA signature. The parser is sloppy.
The padding fields are not properly checked.
derrek realizes that with a sufficiently creative forgery, he can construct an RSA signature that the boot ROM will accept as valid, even though it was never signed by Nintendo's private key. The math is wrong. The signature is fake.
The boot ROM does not care, but there is one catch.
The forged signature has to be delivered through the system's hidden factory recovery mode, which Nintendo designed for fixing bricked consoles on the assembly line.
The recovery mode can only be triggered if a specific button combination is held down while a special DS cartridge is inserted into the slot. And critically, the system has to believe it is closed.
On the clamshell 3DS models, this is a problem.
You cannot hold a button combination while the lid is shut.
The buttons are inside the closed shell where your fingers cannot reach.
The community solves this with a refrigerator magnet.
The 3DS detects whether the lid is closed using a small hall effect sensor that responds to a magnet built into the screen housing.
If you place a household magnet against the bottom shell of the console, the sensor reports that the lid is closed even while it is open.
You hold the buttons. You insert the flash card. You boot the system. The boot ROM accepts the forged signature.
The custom firmware loads.
This exploit is called boot9strap.
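The class of padding bug described above (a PKCS#1 v1.5 parser that does not check its fields properly), as an added example that is not code from the video, from the boot ROM, or from the boot9strap project. The exact check the 3DS boot ROM got wrong is not spelled out on this page, so this shows the generic shape: both verifiers operate on the already-decoded 256-byte block (s^e mod n, with the modular exponentiation left out), the hash value and the filler bytes are constructed, and the SHA-256 DigestInfo prefix is the standard one from RFC 8017. The sloppy verifier accepts any number of 0xFF bytes and ignores whatever follows the hash; the strict one requires the padding to fill the block exactly.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EM_LEN   256   /* RSA-2048: the decoded signature block is 256 bytes */
#define HASH_LEN 32

/* DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1). */
static const uint8_t SHA256_DI[19] = {
    0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,
    0x65,0x03,0x04,0x02,0x01,0x05,0x00,0x04,0x20
};
#define T_LEN (sizeof SHA256_DI + HASH_LEN)   /* DigestInfo + hash = 51 bytes */

/* STRICT: EM must be exactly 00 01 FF..FF 00 || DigestInfo || hash, with the
 * 0xFF run filling every byte not taken by the fixed fields and at least 8 long.
 * Nothing may follow the hash, so the forger controls no bytes of EM at all. */
int pkcs1_v15_verify_strict(const uint8_t *em, size_t em_len, const uint8_t *hash) {
    if (em_len < 11 + T_LEN) return 0;
    size_t ps_len = em_len - 3 - T_LEN;          /* padding length is implied, not parsed */
    if (em[0] != 0x00 || em[1] != 0x01) return 0;
    for (size_t i = 2; i < 2 + ps_len; i++)
        if (em[i] != 0xFF) return 0;
    if (em[2 + ps_len] != 0x00) return 0;
    const uint8_t *t = em + 3 + ps_len;
    if (memcmp(t, SHA256_DI, sizeof SHA256_DI) != 0) return 0;
    return memcmp(t + sizeof SHA256_DI, hash, HASH_LEN) == 0;
}

/* SLOPPY: walks forward over however many 0xFF bytes it finds, expects a 0x00
 * then DigestInfo + hash, and never checks that those fields end exactly at
 * the end of the block. Every byte after the hash is free for the forger. */
int pkcs1_v15_verify_sloppy(const uint8_t *em, size_t em_len, const uint8_t *hash) {
    if (em_len < 3 + T_LEN) return 0;
    if (em[0] != 0x00 || em[1] != 0x01) return 0;
    size_t i = 2;
    while (i < em_len && em[i] == 0xFF) i++;     /* any padding length accepted */
    if (i >= em_len || em[i] != 0x00) return 0;
    i++;
    if (em_len - i < T_LEN) return 0;
    if (memcmp(em + i, SHA256_DI, sizeof SHA256_DI) != 0) return 0;
    /* missing: if (i + T_LEN != em_len) return 0; */
    return memcmp(em + i + sizeof SHA256_DI, hash, HASH_LEN) == 0;
}

/* Builds a 256-byte EM with `ps_len` bytes of 0xFF padding; any space left
 * after the hash is filled with `filler`. A correctly padded block uses
 * ps_len == EM_LEN - 3 - T_LEN (202), so nothing follows the hash. */
static void build_em(uint8_t *em, size_t ps_len, const uint8_t *hash, uint8_t filler) {
    memset(em, filler, EM_LEN);
    em[0] = 0x00; em[1] = 0x01;
    memset(em + 2, 0xFF, ps_len);
    em[2 + ps_len] = 0x00;
    memcpy(em + 3 + ps_len, SHA256_DI, sizeof SHA256_DI);
    memcpy(em + 3 + ps_len + sizeof SHA256_DI, hash, HASH_LEN);
}

/* Constructed stand-in for the firmware image hash. */
static void fw_hash(uint8_t *h) {
    for (size_t i = 0; i < HASH_LEN; i++) h[i] = (uint8_t)(i * 7 + 3);
}

/* Genuine layout: 202 bytes of 0xFF, hash ends on the last byte. */
int demo_genuine_strict(void) {
    uint8_t em[EM_LEN], h[HASH_LEN];
    fw_hash(h); build_em(em, EM_LEN - 3 - T_LEN, h, 0x00);
    return pkcs1_v15_verify_strict(em, EM_LEN, h);
}
int demo_genuine_sloppy(void) {
    uint8_t em[EM_LEN], h[HASH_LEN];
    fw_hash(h); build_em(em, EM_LEN - 3 - T_LEN, h, 0x00);
    return pkcs1_v15_verify_sloppy(em, EM_LEN, h);
}

/* Forged layout: only 8 bytes of 0xFF, then the fields, then 194 bytes of
 * forger-chosen filler. The strict parser rejects it; the sloppy one accepts. */
int demo_forged_strict(void) {
    uint8_t em[EM_LEN], h[HASH_LEN];
    fw_hash(h); build_em(em, 8, h, 0x42);
    return pkcs1_v15_verify_strict(em, EM_LEN, h);
}
int demo_forged_sloppy(void) {
    uint8_t em[EM_LEN], h[HASH_LEN];
    fw_hash(h); build_em(em, 8, h, 0x42);
    return pkcs1_v15_verify_sloppy(em, EM_LEN, h);
}

int main(void) {
    printf("genuine: strict=%d sloppy=%d\n", demo_genuine_strict(), demo_genuine_sloppy());
    printf("forged:  strict=%d sloppy=%d\n", demo_forged_strict(), demo_forged_sloppy());
    return 0;
}
```

Those free bytes are the whole point: with them, the forger is no longer looking for a signature whose decoded block equals one specific 256-byte value, but for one that merely matches a prefix, which is a far easier search. The strict verifier removes that freedom by computing the padding length from the block size instead of reading it off the block.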
It exists in the part of the chip that is physically incapable of being patched. Nintendo cannot issue a software update to fix it. They cannot recall the consoles.
They cannot manufacture new units without redesigning the silicon.
Every 3DS ever made, including every 3DS that will ever be made until Nintendo retools the entire production line, is permanently and irrevocably broken. The console is dead. In the aftermath, Nintendo does the only thing left to do.
They start over.
The Nintendo Switch is designed from scratch on a completely new operating system called Horizon.
Horizon [music] is a microkernel. It is built on the assumption that every application will eventually be compromised.
It assumes the attacker is already inside. Even if a buffer overflow is [music] found in a Switch game tomorrow, the attacker is trapped inside a sandbox that has no path to anywhere important.
No file system access. No SD card access. No path to the kernel. The lessons of the 3DS are etched into every line of code. smealum, in the years after, transitions to professional security research.
He works on the Wii U. He works on the Switch. He works on iOS. He never sells an exploit to anyone. He never enables a piracy ring. He stays consistent with the only thing he ever said he believed in.
The hardware belongs to whoever bought it.
Nintendo spent 3 years and millions of dollars building a fortress designed by some of the most paranoid hardware engineers in consumer electronics.
They built two processors. They walled off memory.
They burned cryptography into the silicon. They invented a security architecture so robust that the security community in 2011 considered the console mathematically impossible to compromise.
And they were undone in the end because a Japanese studio that no longer exists, working on a $5 puzzle game that nobody bought, forgot to check the size of a digital box.
The teenager in Ohio, the one who skipped first period to stand in line at GameStop, walked out of the store that morning holding a copy of Cubic Ninja and a printed QR code from a French hacker's website. He went home. He pointed his console's camera at the barcode. The fortress fell open in his hands. Somewhere in the silicon of every Nintendo 3DS ever sold, the ninja is still there.
The box is still too small. The compass is still waiting to be pointed somewhere else.
And as long as one cartridge survives in one attic, on one shelf, in one closet, in one home, in one city in the world, the door cannot be closed again.
Nintendo learned the hard way the oldest law in computer security.
It does not matter how thick the walls are.
It does not matter how clever the locks are.
It does not matter how much you spent on the gate.
The fortress is only as strong as the dumbest piece of code that lives inside it.
And somewhere in every fortress ever built, there is a forgotten room with a forgotten door.
And somebody, eventually, is going to walk through it.