Announcing RocketLauncher! The first exploit with unlocked Arm7!

Discussion in 'NDS - Emulation and Homebrew' started by Apache Thunder, Jul 2, 2017.

  1. Apache Thunder

    Today I can finally announce a new exploit for the Nintendo DSi. I found this flaw back on May 29th. Almost a year after NoCash initially discovered an oversight by Nintendo involving the DS Cart White list which this exploit takes advantage of (Nintendo forgot to reimplement the RSA checks on it lolz). I was fudging with various things in the white list to try and get a crash. I got system menu to crash by using large values in section 3! So I contacted NoCash and a few other devs about this to investigate it and to see if it's exploitable. Well long story short it was!


    Summary of the above video:

    1. The exploit requires 1.4.0 firmware! Older or newer fw revisions do not work!
    2. The exploit requires a flashcart that you are able to modify the internal rom it presents to the system.
    3. Details on which cards will be compatible will be revealed at a later time.
    4. The exploit involves a buffer overflow flaw involving section 3 of the white list.
    5. This overflow occurs on arm7 thus allowing overwriting memory exclusive to arm7.
    6. As a result a large enough overflow will hit the IRQ interrupt handler. This is how we gain code execution.
    7. Arm9 was relatively easy to take over. Though data caching presented a minor roadblock while testing on hardware. :P
    8. I currently use a modified build of nds-bootloader from WinterMute's github. You know, that portion of hbmenu responsible for booting SRLs. :P
    9. Because we already gained arm7 we only had to put arm9 in the correct wait state so that nds-bootloader can do its thing. :D
    10. The exploit in theory can work from the menu once it's running. But we currently make use of the auto boot feature to ensure a stable consistent environment. Tests with a second console suggest that is the case. Note that the exception vector for arm7 seems to either be somewhere else once the menu GUI is running or the overflow hits something else causing arm7 to crash early. Currently we plan to only target exploiting the system with an autoboot rom as it's more predictable.
    11. The exact mechanics of the arm9 take over and how nds-bootloader is loaded may change. Currently the entire payload fits on the cart. But we may allow reading a payload off SD instead.

    Credits to NoCash, Gericom, and Normmatt for help testing/figuring this out. Big credit to StuckPixel who put in most of the coding needed to make this happen. My contribution was finding the flaw and help with testing on hardware.


    I will release further details as we finalize this exploit and prepare stuff that will make installing it easier.

    Note you will either need a nand mod or a DSiWare based exploit to downgrade your console/install the modified white list needed for this to work. Hopefully we'll have a better solution than simply using fwtool to do this so that may be the factor that determines release date so please be patient!

    When things are ready I will update this thread!
     
    Last edited by Apache Thunder, Jul 15, 2017 at 1:44 AM


  2. Jhynjhiruu
    AWESOME
    Edit: First!
     
    Last edited by Jhynjhiruu, Jul 2, 2017
  3. Dr. Dew
    Heck yeah!
     
  4. Coto
    ARM9 write back method (not just the name, but also HOW it is useful for speeding up read/writes) takes some time to figure (this is old docs I had for years) .

    Brief definition of drain write buffer ability
    Code:
    
        //http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0201d/I1033977.html <-- good explanation.
        //Basically TCM is allowed to write-miss / write-back without causing external access (to whatever memory is connected to TCM).
        //If write-miss, data (changes) is buffered locally. If write-back happens the cache line is marked as dirty ONLY (no external access), causing two scenarios:
        //a) if a read happens, and ALSO causes a cache hit, no external accesses happen. Speeds up everything, literally.
        //b) sooner or later, when a read cache miss happens, before the old dirty cache line is updated, a write-back happens.
        //Basically: access/write external memory ONLY when reads cause a cache miss. Otherwise writes are "cached".
     
        //DrainWriteBuffer opcode makes sure all buffered writes HAPPEN, if Data Writes mode is set to write-back.
        //On the ARM946E-S this is the CP15 c7 "Drain write buffer" operation (Rd value is ignored):
        mcr p15, 0, r0, c7, c10, 4
    
    Then we have Data / Instruction Caches enabled for regions but that is another topic.
     
    Last edited by Coto, Jul 2, 2017
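The caching roadblock from item 7 of the first post and Coto's write-back explanation above come down to the same thing: ARM7 reads main memory directly, so whatever ARM9 leaves dirty in its data cache is invisible to ARM7 until the cache is cleaned and the write buffer drained. This is an added example, not code from the thread; it is a toy model whose line size, line count and direct-mapped policy are assumptions, not the real ARM946E-S cache.

```c
/* Added example (not from the thread): toy model of ARM9's write-back data
 * cache. Sizes and direct-mapped policy are assumptions, not the ARM946E-S. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define MEM_SIZE  256   /* constructed: shared main memory as ARM7 sees it */
#define LINE_SIZE 8     /* bytes per cache line (assumption) */
#define NUM_LINES 4     /* direct-mapped cache with 4 lines (assumption) */
typedef struct { bool valid, dirty; uint32_t tag; uint8_t data[LINE_SIZE]; } line_t;
static uint8_t main_mem[MEM_SIZE];   /* what ARM7 (and DMA) actually read */
static line_t dcache[NUM_LINES];
/* Find the line for addr; on a miss, write back an evicted dirty line, then fill. */
static line_t *lookup(uint32_t addr) {
    uint32_t tag = addr / LINE_SIZE;
    line_t *l = &dcache[tag % NUM_LINES];
    if (l->valid && l->tag == tag) return l;      /* hit: no external access */
    if (l->valid && l->dirty)                     /* evict: write back old line */
        memcpy(&main_mem[l->tag * LINE_SIZE], l->data, LINE_SIZE);
    l->valid = true; l->dirty = false; l->tag = tag;
    memcpy(l->data, &main_mem[tag * LINE_SIZE], LINE_SIZE);  /* line fill */
    return l;
}

/* ARM9 store under write-back: only the cached copy changes; line goes dirty. */
void arm9_write8(uint32_t addr, uint8_t v) {
    line_t *l = lookup(addr);
    l->data[addr % LINE_SIZE] = v;
    l->dirty = true;
}

/* ARM7 has no view of ARM9's cache; it reads main memory as it is. */
uint8_t arm7_read8(uint32_t addr) { return main_mem[addr]; }
/* Models "clean data cache + drain write buffer": every dirty line reaches memory. */
void arm9_clean_dcache(void) {
    for (int i = 0; i < NUM_LINES; i++)
        if (dcache[i].valid && dcache[i].dirty) {
            memcpy(&main_mem[dcache[i].tag * LINE_SIZE], dcache[i].data, LINE_SIZE);
            dcache[i].dirty = false;
        }
}

/* Scenario: ARM9 writes a 4-byte message at 0x40 for ARM7 to pick up. */
bool arm7_sees_message(bool clean_first) {
    memset(main_mem, 0, sizeof main_mem);
    memset(dcache, 0, sizeof dcache);
    for (uint32_t i = 0; i < 4; i++) arm9_write8(0x40 + i, (uint8_t)(0xA0 + i));
    if (clean_first) arm9_clean_dcache();
    return arm7_read8(0x40) == 0xA0 && arm7_read8(0x43) == 0xA3;
}
```

Without the clean step ARM7 reads the zeros still in main memory; on real hardware the equivalent of `arm9_clean_dcache` is the CP15 clean-and-invalidate plus the drain write buffer operation Coto describes.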
  5. DinohScene
    Unfortunately, I already have a hacked DSi, nonetheless, very neat.
    Especially since this doesn't involve soldering which makes extracting data from DSi's easier in the future for archival purposes.
     
  6. DrCrygor07
    That's really cool! Thanks for developing this!
     
    Last edited by DrCrygor07, Jul 2, 2017
  7. Thunder Hawk
    Long live Buzzhax RocketLauncher!
     
  8. metroid maniac
    Amazing work, I'm glad that we finally have a hack that grants full control of the platform.
    Now I just have to hope that it'll work with my trusty AK2i. And I'll need to get a DSi as well!
     
  9. CeeDee
    I can't wait to see mass produced hack cards for this and ntrboothax. Coldboot full system hax are wonderful things.
     
  10. Valery0p
    That's a pretty awesome teamwork!
    And still we haven't seen that mysterious dsiware exploit/s *coff* *coff*
    @Normmatt sorry to bother you, but do you think all the flashcards reversed to work with (3ds)magnetHax will work with RocketLauncher?
     
  11. Lilith Valentine
    It took way too long for interest in the DSi to spark, but I am happy to see that it did spark
     
  12. Ranomez
    When a new DSiWare hax appears (if it does) will we get a guide on how to downgrade to 1.4?
     
  13. tntmod54321
    WHOOP WHOOP!
     
  14. Zabhahs
    rip 1.4.5 users... I guess I'll wait for that other exploit :(
     
  15. Billy Acuña
    Nahh, you just hardmod or dsiwarehax to downgrade.
     
  16. Plstic
    swag swag. hopefully downgrading is ez if you already have sudohax.
     
  17. The Real Jdbye
    Well, that depends on if the devs implement support for all of the same cards. But potentially yes, since both exploits have the same requirements (a flashcart with a reflashable ROM), the rest is up to the devs.
     
  18. sieroi
    Fantastic. So many years later, too!
     
  19. eduall
    I'm 1.4.5 :( and don't have dsiware hax :/
     
  20. sieroi
    If you have Flipnote Studio and the DSi Browser installed, there'll be an exploit for one of those along at some point. It's apparently in the works.