Announcing RocketLauncher! The first exploit with unlocked Arm7!

UPDATE:
Looks like NoCash found an exploit that is even better than RocketLauncher:

https://problemkaputt.de/gba.htm

He titled it Unlaunch. The exploit works by exploiting a flaw in Stage2 and apparently works on all firmware versions. It requires that you run the installer from a DSiWare based hax environment, as access to SD/NAND is required (thus you can't run this from a Slot-1 based TWL exploit).

The flaw in stage2 is a buffer overflow involving Launcher's TMD file. If you provide a larger than normal TMD file, it will attempt to load the TMD into RAM anyway (this occurs before it does the RSA check). This causes it to overwrite some code in arm9 RAM, causing arm9 to execute the custom payload. The full details are found in the info menus in the installer.

Note however the installer does not appear to work correctly at the moment. I'd advise you not to attempt to install it from the installer. Use the manual install method instead. BUT I'd highly recommend you have a hard mod before attempting a manual install. If you have had experience modifying your NAND you may be ok doing this. But for safety's sake I would just advise against that until the installer works properly.

(this is one reason why RL hasn't been released yet. No proper installer tools are available yet and we don't want people bricking consoles trying to install it)

The release of this exploit may impact our plans regarding RocketLauncher. I'll post more about this once StuckPixel has decided to comment on this.


Important Notice:

Do NOT visit Data Management in DSi System Settings or use the 3DS Transfer tool after installing unlaunch. You WILL brick the console. Wait until HiyaCFW is refined/released properly so that SD redirected version of Launcher can be used or when NoCash decides to implement his own version of the SD redirect patch.

Today I can finally announce a new exploit for the Nintendo DSi. I found this flaw back on May 29th, almost a year after NoCash initially discovered an oversight by Nintendo involving the DS Cart White list which this exploit takes advantage of (Nintendo forgot to reimplement the RSA checks on it lolz). I was fudging with various things in the white list to try and get a crash. I got system menu to crash by using large values in section 3! So I contacted NoCash and a few other devs about this to investigate it and to see if it's exploitable. Well, long story short, it was!


Summary of the above video:

1. The exploit requires 1.4.0 firmware! Older or newer fw revisions do not work!
2. The exploit requires a flashcart whose internal ROM (the one it presents to the system) you are able to modify.
3. Details on which cards will be compatible will be revealed at a later time.
4. The exploit involves a buffer overflow flaw involving section 3 of the white list.
5. This overflow occurs on arm7, thus allowing overwriting memory exclusive to arm7.
6. As a result a large enough overflow will hit the IRQ interrupt handler. This is how we gain code execution.
7. Arm9 was relatively easy to take over. Though data caching presented a minor roadblock while testing on hardware. :P
8. I currently use a modified build of nds-bootloader from WinterMute's github. You know, that portion of hbmenu responsible for booting SRLs. :P
9. Because we already gained arm7 we only had to put arm9 in the correct wait state so that nds-bootloader can do its thing. :D
10. The exploit in theory can work from the menu once it's running. But we currently make use of the auto boot feature to ensure a stable, consistent environment. Tests with a second console suggest that is the case. Note that the exception vector for arm7 seems to either be somewhere else once the menu GUI is running, or the overflow hits something else causing arm7 to crash early. Currently we plan to only target exploiting the system with an autoboot rom as it's more predictable.
11. The exact mechanics of the arm9 take over and how nds-bootloader is loaded may change. Currently the entire payload fits on the cart. But we may allow reading a payload off SD instead.

Credits to NoCash, Gericom, and Normmatt for help testing/figuring this out. Big credit to StuckPixel who put in most of the coding needed to make this happen. My contribution was finding the flaw and help with testing on hardware.


I will release further details as we finalize this exploit and prepare stuff that will make installing it easier.

Note you will either need a NAND mod or a DSiWare based exploit to downgrade your console/install the modified white list needed for this to work. Hopefully we'll have a better solution than simply using fwtool to do this, so that may be the factor that determines the release date, so please be patient!

When things are ready I will update this thread!
 
Last edited by Apache Thunder,
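The two overflows described in this post (the Unlaunch TMD load in the update and the whitelist section 3 overflow in the summary) share one pattern: a declared length is trusted and data is written into a fixed ARM7 RAM buffer before any size or signature check runs. The following C is an added example, not code from this thread, Unlaunch or nds-bootloader; the RAM layout, the section header format and every name in it are hypothetical, and it simulates in a user-space struct what a correct loader has to reject.

```c
/* Added example, not code from the thread, Unlaunch or nds-bootloader.
 * Simulates the bug pattern described above: a loader trusts a declared
 * length and writes into a fixed ARM7 RAM buffer before any size or
 * signature check. Layout, offsets and names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SECTION3_CAPACITY    64u         /* hypothetical fixed buffer size */
#define IRQ_HANDLER_ORIGINAL 0x037F8000u /* constructed placeholder address */

/* Hypothetical ARM7 RAM window: the section buffer sits directly below the
 * IRQ handler pointer, so an over-long copy runs straight into the pointer. */
typedef struct {
    uint8_t  section3[SECTION3_CAPACITY];
    uint32_t irq_handler;
} arm7_layout_t;

typedef union {
    arm7_layout_t f;
    uint8_t raw[sizeof(arm7_layout_t)];  /* flat view used by the buggy copy */
} arm7_ram_t;

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Buggy loader: validates the declared length only against the source blob,
 * never against the destination, then copies. The copy is capped at the
 * simulated RAM size so the demo itself stays defined; real hardware would
 * keep writing past the buffer. */
int load_section3_unchecked(arm7_ram_t *ram, const uint8_t *blob, size_t blob_len) {
    if (blob_len < 4) return -1;
    uint32_t declared = read_le32(blob);
    if (declared > blob_len - 4) return -1;
    size_t n = declared > sizeof ram->raw ? sizeof ram->raw : declared;
    memcpy(ram->raw, blob + 4, n);       /* overflows section3 when declared > 64 */
    return 0;
}

/* Hardened loader: rejects anything the destination cannot hold before a
 * single byte is copied. A complete fix also verifies the signature over
 * the whole blob before parsing any field of it. */
int load_section3_checked(arm7_ram_t *ram, const uint8_t *blob, size_t blob_len) {
    if (blob_len < 4) return -1;
    uint32_t declared = read_le32(blob);
    if (declared > SECTION3_CAPACITY) return -2;  /* oversized section: refuse */
    if (declared > blob_len - 4) return -1;
    memcpy(ram->f.section3, blob + 4, declared);
    return 0;
}

/* Builds a constructed blob: 4-byte little-endian declared length, then
 * 'declared' bytes of 'fill'. Returns the blob length, 0 if it does not fit. */
static size_t build_blob(uint8_t *out, size_t cap, uint32_t declared, uint8_t fill) {
    if (cap < 4 + (size_t)declared) return 0;
    out[0] = (uint8_t)declared;         out[1] = (uint8_t)(declared >> 8);
    out[2] = (uint8_t)(declared >> 16); out[3] = (uint8_t)(declared >> 24);
    memset(out + 4, fill, declared);
    return 4 + declared;
}

/* Runs one scenario on a fresh simulated RAM with the chosen loader. */
static void run_scenario(int use_checked, uint32_t declared, arm7_ram_t *ram, int *rc) {
    uint8_t blob[4 + 256];
    memset(ram, 0, sizeof *ram);
    ram->f.irq_handler = IRQ_HANDLER_ORIGINAL;
    size_t len = build_blob(blob, sizeof blob, declared, 0x41);
    *rc = use_checked ? load_section3_checked(ram, blob, len)
                      : load_section3_unchecked(ram, blob, len);
}

/* Loader return code for a section of the given declared length. */
int load_rc(int use_checked, uint32_t declared) {
    arm7_ram_t r; int rc;
    run_scenario(use_checked, declared, &r, &rc);
    return rc;
}

/* IRQ handler pointer left in simulated RAM after the load. */
uint32_t irq_after_load(int use_checked, uint32_t declared) {
    arm7_ram_t r; int rc;
    run_scenario(use_checked, declared, &r, &rc);
    (void)rc;
    return r.f.irq_handler;
}

int main(void) {
    printf("unchecked, 68-byte section: rc=%d irq=%08x\n",
           load_rc(0, 68), (unsigned)irq_after_load(0, 68));
    printf("checked,   68-byte section: rc=%d irq=%08x\n",
           load_rc(1, 68), (unsigned)irq_after_load(1, 68));
    return 0;
}
```

With a 16-byte section both loaders behave identically; with a 68-byte section the unchecked loader reports success while the IRQ handler slot now holds the fill bytes, and the checked loader refuses before touching RAM. The point for anyone writing a loader is the order of operations: bound the declared length against the destination, and verify the signature, before the first write.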

JimmyZ

> I don't know if it's useful for that tool, but you should know that godmode9 can mount TWLN and TWLP partitions from a (3ds?) Nand backup;
Thanks for providing a reference, but I don't have technical difficulties so far, it's already able to mount: https://github.com/Jimmy-Z/fwTool/tree/dsi-nand-file-manager

But this kind of tool needs a hardmodded DSi to test thoroughly, while I can only test on 3DS. Currently I only enabled read-only mount; the next step would be mounting a NAND image and injecting some files, then testing the image in no$gba, and the final step, enabling direct R/W mount, will need volunteers with a hardmod to test.

This is not hard to write, nor does it take too much time, since libraries provide most facilities; don't be surprised if somebody else gets it done before me. libnds has plans to add NAND file system support; it will be even simpler after that.

> (and if you still want to write it by now, seeing what happened :( )
What? the quarrel in another thread?
 

Deleted member 424658

> Thanks for providing a reference, but I don't have technical difficulties so far, it's already able to mount: https://github.com/Jimmy-Z/fwTool/tree/dsi-nand-file-manager
>
> But this kind of tool needs a hardmodded DSi to test thoroughly, while I can only test on 3DS. Currently I only enabled read-only mount; the next step would be mounting a NAND image and injecting some files, then testing the image in no$gba, and the final step, enabling direct R/W mount, will need volunteers with a hardmod to test.
Wanted to brick my DSi but it doesn't build dang it.
 

JimmyZ

> Wanted to brick my DSi but it doesn't build dang it.
You need a newer (git head) libnds to compile; also it's impossible to brick in its current form, it just mounts the 1st partition read-only and shows the root directory on the top screen.
 

JimmyZ

> It's in relation to the "impossible to brick," I'm saying that someone could probably still find a way to brick.
Okay, it seems insomnia has impaired my ability of relativity thinking, but is it a legitimate brick if it can be "unbricked" just by pulling out said SD card?
 

Deleted member 424658

> Okay, it seems insomnia has impaired my ability of relativity thinking, but is it a legitimate brick if it can be "unbricked" just by pulling out said SD card?
Yeah it booted up when I pulled out the SD and it hasn't happened since then.
I've also got the homebrew built and it doesn't seem to work. It can't get the ConsoleID from RAM (gives all 0s), and says "Invalid boot signature(0x55, 0xaa) bootstrap on DSi should be all zero
invalid partition table most likely Console ID is wrong"
 

JimmyZ

> Yeah it booted up when I pulled out the SD and it hasn't happened since then.
> I've also got the homebrew built and it doesn't seem to work. It can't get the ConsoleID from RAM (gives all 0s), and says "Invalid boot signature(0x55, 0xaa) bootstrap on DSi should be all zero
> invalid partition table most likely Console ID is wrong"
It's expected behavior; I've got no reliable way to get the Console ID on site. When the Console ID is wrong, the decrypted NAND data is also wrong, hence the complaint about invalid boot signatures.
You can put a "console_id.txt" hex string file in that FWxxxx dir, it will read from that.

Maybe I should port some srl extractor code and extract footer on site if there are any tad files on SD.

Oh, thanks for the testing and reporting.
 
Last edited by JimmyZ,
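The diagnosis in the reply above (a wrong Console ID gives a wrong key, the NAND "decrypts" to noise, and the boot signature check is the first thing to fail) is exactly the kind of plausibility check worth running before any tool writes to NAND. The following C is an added example and is not fwTool's code: it parses a console_id.txt-style hex string and sanity-checks a decrypted sector 0. The function names, error codes and sample sectors are constructed, and the byte order of the parsed ID relative to the key derivation is deliberately left to the caller.

```c
/* Added example, not code from fwTool or the thread. Reproduces the kind of
 * plausibility check the exchange above relies on: with a wrong console ID
 * the first NAND sector no longer looks like an MBR. Names, error codes and
 * the sample sectors are constructed for this demonstration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

#define SECTOR_SIZE 512
#define PT_OFFSET   446   /* start of the four 16-byte partition entries */

enum { MBR_OK = 0, MBR_BAD_SIGNATURE = -1, MBR_BOOTSTRAP_NOT_ZERO = -2,
       MBR_BAD_PARTITION = -3 };

/* Parse the 16 hex digits of a console_id.txt-style string into 8 bytes.
 * Trailing whitespace is tolerated. Which byte order the key derivation
 * expects is tool-specific and is not decided here. */
int parse_console_id_hex(const char *s, uint8_t out[8]) {
    size_t n = strlen(s);
    while (n && isspace((unsigned char)s[n - 1])) n--;
    if (n != 16) return -1;
    memset(out, 0, 8);
    for (size_t i = 0; i < 16; i++) {
        int c = tolower((unsigned char)s[i]), v;
        if (c >= '0' && c <= '9') v = c - '0';
        else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
        else return -1;
        out[i / 2] = (uint8_t)((out[i / 2] << 4) | v);
    }
    return 0;
}

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Sanity-check a decrypted sector 0 before trusting the key. The 0x55 0xAA
 * signature is the cheapest test and fails first on noise; the all-zero
 * bootstrap area is the DSi-specific expectation quoted in the thread; the
 * partition checks are generic MBR rules (status byte, non-empty extents). */
int check_decrypted_mbr(const uint8_t sec[SECTOR_SIZE]) {
    if (sec[510] != 0x55 || sec[511] != 0xAA) return MBR_BAD_SIGNATURE;
    for (size_t i = 0; i < PT_OFFSET; i++)
        if (sec[i] != 0) return MBR_BOOTSTRAP_NOT_ZERO;
    int used = 0;
    for (int e = 0; e < 4; e++) {
        const uint8_t *ent = sec + PT_OFFSET + 16 * e;
        uint8_t status = ent[0], type = ent[4];
        uint32_t lba = le32(ent + 8), count = le32(ent + 12);
        if (status != 0x00 && status != 0x80) return MBR_BAD_PARTITION;
        if (type == 0) continue;                         /* unused slot */
        if (lba == 0 || count == 0) return MBR_BAD_PARTITION;
        if ((uint64_t)lba + count > 0xFFFFFFFFull) return MBR_BAD_PARTITION;
        used++;
    }
    return used ? MBR_OK : MBR_BAD_PARTITION;
}

/* Constructed sample sectors: 0 = plausible DSi-style MBR, 1 = what a wrong
 * console ID typically yields (pseudo-random bytes), 2 = signature right but
 * bootstrap area not zero. */
void make_sample_sector(int variant, uint8_t sec[SECTOR_SIZE]) {
    memset(sec, 0, SECTOR_SIZE);
    if (variant == 1) {
        for (size_t i = 0; i < SECTOR_SIZE; i++) sec[i] = (uint8_t)(i * 37 + 11);
        return;
    }
    if (variant == 2) sec[0] = 0xEB;            /* x86 jump opcode, not expected */
    uint8_t *e = sec + PT_OFFSET;
    e[4] = 0x0C;                                /* FAT32 (LBA) type byte */
    e[8] = 0x00; e[9] = 0x08;                   /* start LBA 0x800 */
    e[12] = 0x00; e[13] = 0xE0; e[14] = 0x03;   /* 0x3E000 sectors */
    sec[510] = 0x55; sec[511] = 0xAA;
}

/* Result of the MBR check on one of the constructed sample sectors. */
int check_sample(int variant) {
    uint8_t sec[SECTOR_SIZE];
    make_sample_sector(variant, sec);
    return check_decrypted_mbr(sec);
}

int main(void) {
    uint8_t id[8];
    printf("console id parse: %d\n", parse_console_id_hex("0123456789abcdef\n", id));
    for (int v = 0; v < 3; v++) printf("sample %d -> %d\n", v, check_sample(v));
    return 0;
}
```

A tool that mounts NAND read/write should refuse to proceed on anything but MBR_OK; the three distinct codes also give the user a better hint than a bare mount failure (a bad signature almost always means the key, and therefore the Console ID, is wrong).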

Deleted member 424658

> It's expected behavior; I've got no reliable way to get the Console ID on site. When the Console ID is wrong, the decrypted NAND data is also wrong, hence the complaint about invalid boot signatures.
> You can put a "console_id.txt" hex string file in that FWxxxx dir, it will read from that.
>
> Maybe I should port some srl extractor code and extract footer on site if there are any tad files on SD.
>
> Oh, thanks for the testing and reporting.
Now I get:
loaded console_id.txt(16)
Console ID (from file):
0820168216088119
DSi mode
MBR OK
failed to mount NAND
press A to exit...
 

JimmyZ

> Now I get:
> loaded console_id.txt(16)
> Console ID (from file):
> 0820168216088119
> DSi mode
> MBR OK
> failed to mount NAND
> press A to exit...
I suppose it only works in 3DS, for now.

Maybe I can figure out why it doesn't work on a DSi by mounting a DSi NAND image on 3DS, I have some from TWLbf.

update: I can reproduce this with a DSi NAND image on 3DS.
update: fixed
 
Last edited by JimmyZ,

Deleted member 424658

> update: I can reproduce this with a DSi NAND image on 3DS.
> update: fixed
Earlier I noticed that there was a commit that said it was fixed, that required a CID.txt for some reason.
Later on, another commit popped up. This one ignores console_id.txt.
Going to try the earlier commit now and see if that one works.
Earlier commit says that the cid.txt is invalid/missing even though it's exactly what shows in the commit I built yesterday and the most recent one built today (also tried byteswapping it).
Oh and the most recent commit ignores CID.txt it looks like.
 
Last edited by Deleted member 424658,

smf

> I remember something about waiting for safer tools, but not so specifically a file copier.

I might have read more into it, but a file copier is the safest tool as it will only update a few blocks and you must have the CID and console ID correct to be able to mount the partition. There is much less chance of user error.

It could even check the signatures before overwriting the files etc.
 

JimmyZ

> Earlier I noticed that there was a commit that said it was fixed, that required a CID.txt for some reason.
> Later on, another commit popped up. This one ignores console_id.txt.
> Going to try the earlier commit now and see if that one works.
> Earlier commit says that the cid.txt is invalid/missing even though it's exactly what shows in the commit I built yesterday and the most recent one built today (also tried byteswapping it).
> Oh and the most recent commit ignores CID.txt it looks like.
I'm so sorry for wasting your time, most commits are WIP and not friendly for testers, I'll post/ask if I need more testers.

cid.txt is needed for NAND image mount, thus I can test DSi NAND image on 3DS.
*.txt ignored/missing/invalid: because I removed the chdir("FWxxx") after switching to NAND image mount, so you need to put it in the same directory now.

The current HEAD is even more stupid if you really want to test, it's just a (fake) file list I'm working on.

BTW a friend gave me a DSi XL U, now I can test on real DSi, kinda exciting, but no hardmod so I'll still need testers when I finished injecting.
 
Last edited by JimmyZ,

Deleted member 424658

> I'm so sorry for wasting your time, most commits are WIP and not friendly for testers, I'll post/ask if I need more testers.
>
> cid.txt is needed for NAND image mount, thus I can test DSi NAND image on 3DS.
> *.txt ignored/missing/invalid: because I removed the chdir("FWxxx") after switching to NAND image mount, so you need to put it in the same directory now.
>
> The current HEAD is even more stupid if you really want to test, it's just a (fake) file list I'm working on.
>
> BTW a friend gave me a DSi XL U, now I can test on real DSi, kinda exciting, but no hardmod so I'll still need testers when I finished injecting.
Alrighty. I'll probably keep building though, just to see how things are going.
 

JimmyZ

> I might have read more into it, but a file copier is the safest tool as it will only update a few blocks and you must have the CID and console ID correct to be able to mount the partition. There is much less chance of user error.
>
> It could even check the signatures before overwriting the files etc.

I suck at UI, so I'm planning a minimum approach: instead of using buttons to manage files freely but awkwardly, I'll only allow the user to choose a .sha1 hash file, then it will verify and copy the files listed in the .sha1 file to NAND.

For example a "downgrade U.sha1" file, containing correct hashes and locations of all files needed to downgrade a region U console, this could be freely distributed AFAIK, so correctness could be guaranteed; the user has to provide the correct files though.

It's less free, but I think it will be safer. Similar to GodMode9's script feature but easier to implement.

Future plans would be selecting a tmd file and forge a ticket on site.

--------------------- MERGED ---------------------------

> Alrighty. I'll probably keep building though, just to see how things are going.
If you really want to test current head, you can comment out the fake menu test in main, NAND_IMG_MODE to 0, it should then mount (real) NAND and prompt to generate a list file or sha1 file of all NAND files. I'm afraid this is the most fun you could get from the repo for now.
 
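The manifest-driven design described above (verify every hash in a .sha1 list first, copy only if all of them match) can be shown end to end. The following C is an added example and is not fwTool's code: the SD card and NAND are in-memory tables, the file path and contents are constructed, the manifest line format is the one sha1sum writes, and the SHA-1 is a plain implementation of the standard algorithm.

```c
/* Added example, not code from fwTool or the thread. Implements the
 * manifest approach described above: parse a sha1sum-style list, hash
 * every listed file, and copy nothing unless every entry matches.
 * SD card and NAND are simulated as in-memory tables; paths and file
 * contents are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

static uint32_t rol(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }

/* One SHA-1 compression round over a 64-byte block (FIPS 180-4). */
static void sha1_block(uint32_t h[5], const uint8_t p[64]) {
    uint32_t w[80], a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
    for (int i = 0; i < 16; i++)
        w[i] = (uint32_t)p[4*i] << 24 | (uint32_t)p[4*i+1] << 16 |
               (uint32_t)p[4*i+2] << 8 | p[4*i+3];
    for (int i = 16; i < 80; i++) w[i] = rol(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1);
    for (int i = 0; i < 80; i++) {
        uint32_t f, k;
        if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
        else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
        else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
        else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
        uint32_t t = rol(a, 5) + f + e + k + w[i];
        e = d; d = c; c = rol(b, 30); b = a; a = t;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
}

/* SHA-1 of an in-memory buffer as 40 lowercase hex digits plus NUL. */
void sha1_hex(const uint8_t *msg, size_t len, char out[41]) {
    uint32_t h[5] = {0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0};
    uint8_t buf[128] = {0};
    size_t i = 0, rem, total;
    for (; i + 64 <= len; i += 64) sha1_block(h, msg + i);
    rem = len - i;
    memcpy(buf, msg + i, rem);
    buf[rem] = 0x80;
    total = (rem + 9 <= 64) ? 64 : 128;            /* padding fits in 1 or 2 blocks */
    for (int j = 0; j < 8; j++) buf[total - 1 - j] = (uint8_t)(((uint64_t)len * 8) >> (8 * j));
    sha1_block(h, buf);
    if (total == 128) sha1_block(h, buf + 64);
    for (int j = 0; j < 20; j++)
        sprintf(out + 2 * j, "%02x", (unsigned)(h[j / 4] >> (24 - 8 * (j % 4))) & 0xFF);
}

/* Simulated SD card files and NAND target (constructed). */
typedef struct { const char *path; const uint8_t *data; size_t len; } sim_file_t;
#define NAND_SLOTS 8
static sim_file_t nand[NAND_SLOTS];
static int nand_count;
int  nand_file_count(void) { return nand_count; }
void nand_reset(void)      { nand_count = 0; }

/* Manifest lines use sha1sum's format: "<40 hex digits>  <path>\n".
 * Pass 1 resolves and hashes every entry; pass 2 copies only if pass 1 saw
 * no problem, so a bad list never leaves NAND half-written. Returns files
 * copied, or -1 malformed list, -2 listed file missing, -3 hash mismatch. */
int verify_and_copy(const char *manifest, const sim_file_t *sd, int sd_n) {
    const sim_file_t *plan[NAND_SLOTS];
    int plan_n = 0;
    for (const char *line = manifest; *line; ) {
        const char *eol = strchr(line, '\n');
        size_t ll = eol ? (size_t)(eol - line) : strlen(line);
        char path[128], hex[41];
        if (ll < 43 || line[40] != ' ' || line[41] != ' ' || ll - 42 >= sizeof path) return -1;
        memcpy(path, line + 42, ll - 42); path[ll - 42] = '\0';
        const sim_file_t *f = NULL;
        for (int i = 0; i < sd_n; i++) if (strcmp(sd[i].path, path) == 0) f = &sd[i];
        if (!f) return -2;
        sha1_hex(f->data, f->len, hex);
        if (memcmp(hex, line, 40) != 0) return -3;   /* abort before any write */
        if (plan_n == NAND_SLOTS || nand_count + plan_n >= NAND_SLOTS) return -1;
        plan[plan_n++] = f;
        line = eol ? eol + 1 : line + ll;
    }
    for (int i = 0; i < plan_n; i++) nand[nand_count++] = *plan[i];
    return plan_n;
}

/* Constructed inputs: one manifest against an intact and a tampered SD. */
static const uint8_t GOOD_BYTES[]     = {'a', 'b', 'c'};
static const uint8_t TAMPERED_BYTES[] = {'a', 'b', 'd'};
const char MANIFEST[] = "a9993e364706816aba3e25717850c26c9cd0d89d  example/file1.bin\n";
const sim_file_t SD_GOOD[]     = {{"example/file1.bin", GOOD_BYTES, 3}};
const sim_file_t SD_TAMPERED[] = {{"example/file1.bin", TAMPERED_BYTES, 3}};

int main(void) {
    printf("intact SD:   %d copied\n", verify_and_copy(MANIFEST, SD_GOOD, 1));
    nand_reset();
    printf("tampered SD: %d copied\n", verify_and_copy(MANIFEST, SD_TAMPERED, 1));
    return 0;
}
```

The two-pass structure is the safety property: with the tampered SD the function returns -3 and the NAND table is untouched, and a list that references a file the SD does not have also copies nothing. In a real tool the same shape lets the distributed .sha1 file carry the correctness guarantee while the user supplies only the files.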
