Hacking [SPECULATION] SSSpwn allows kernel access?

[WaryLouka]

The exploit and Homebrew Channel are not installed on the system. It is installed in the writable portion of the game card. No kernel access is ever used. End of story.

 

[Foxi4]

overwriting an systemodul souns pretty kernel for me.

It doesn't overwrite any system modules, if it did, the whole firmware would become corrupt because it's signed and you can't just randomly resign it. As it stands today, the firmware is wholly protected. If HBMenu uses services and syscalls, it can only use them because Cubic Ninja can - it inherits privileges. It's the exact same case with VHBL and userland exploits - they can run code, but only to the extent of what the original binary was allowed to do.

 

[endoverend]

i know what it means afaik full access to the system aside from sig checks etc

Ooohhhh okay. So Relys, the guy who *ahem* analyzed the exploit probably knows more about how it works that the guy who made the exploit. Noooww I get it. I herd Smealum iz illuminaty, too.

 

[ken28]

nevermind

 

[Ryanrocks462]

Ooohhhh okay. So Relys, the guy who *ahem* analyzed the exploit probably knows more about how it works that the guy who made the exploit. Noooww I get it. I herd Smealum iz illuminaty, too.

well we are talking about the guy who created the decryptors Nand and decryptor I'm pretty sure relys is able to understand a basic exploit ;3

 

[WaryLouka]

well we are talking about the guy who created the decryptors Nand and decryptor I'm pretty sure relys is able to understand a basic exploit ;3

Not really basic when it took months to develop it.

 

[endoverend]

well we are talking about the guy who created the decryptors Nand and decryptor I'm pretty sure relys is able to understand a basic exploit ;3

Decryptors for 3DS games. Not userland exploits.
Even if he is right, that still doesn't mean kernel access.

 

[The Real Jdbye]

All this guy does is talk shit, I wouldn't take his word for it.
However, that doesn't mean SSSpwn doesn't obtain kernel access. A while back it was claimed that you could not execute unsigned code without a kernel exploit. So if there's no kernel exploit there is at least something beyond simply userland that allows running homebrew.
I'll take smea's word for it that it doesn't obtain kernel access for now though

 

[Ryanrocks462]

Decryptors for 3DS games. Not userland exploits.
Even if he is right, that still doesn't mean kernel access.

well he also released his nand decryptor ;3
and if he is able to get and decryption I'm pretty sure he will understand user land

Not really basic

userland ;3

 

[Foxi4]

All this guy does is talk shit, I wouldn't take his word for it.
However, that doesn't mean SSSpwn doesn't obtain kernel access. A while back it was claimed that you could not execute unsigned code without a kernel exploit. So if there's no kernel exploit there is at least something beyond simply userland that allows running homebrew.
I'll take smea's word for it that it doesn't obtain kernel access for now though

That's the magic of it - Cubic Ninja is signed, it's a legit retail game. For all the ARM knows, the code is signed and verified - eXecute Never doesn't kick in because it thinks it's running something else entirely.

 

[WaryLouka]

1. QR Code Overflow
2. Jump to ROP chain in QR code payload
3. Download AES encrypted payload smealum.net/ninjhax/p/POST5_WEST_4096_4096.bin from internet.
4. Escalate privilege level by overwriting a sysmodule.
5. Transfer execution over to boot.3dsx

Ok, according to professionals, it is clearly written that the escalated privilege we got is Kernel mode. Of course, all other levels are impossible to be escalated because idiots are claiming it can only be the kernel.

I will also quote Foxi4;

It doesn't overwrite any system modules, if it did, the whole firmware would become corrupt because it's signed and you can't just randomly resign it. As it stands today, the firmware is wholly protected. If HBMenu uses services and syscalls, it can only use them because Cubic Ninja can - it inherits privileges. It's the exact same case with VHBL and userland exploits - they can run code, but only to the extent of what the original binary was allowed to do.

 

[Ryanrocks462]

All this guy does is talk shit, I wouldn't take his word for it.
However, that doesn't mean SSSpwn doesn't obtain kernel access. A while back it was claimed that you could not execute unsigned code without a kernel exploit. So if there's no kernel exploit there is at least something beyond simply userland that allows running homebrew.
I'll take smea's word for it that it doesn't obtain kernel access for now though

lolz ya I'm done arguing with everyone ill just keep my eye on gateway :3

 

[AndrewPH]

He will only be seen as a liar if someone proves him wrong.

The burden of proof lies on the accuser, in this case GovanifY.

 

[Foxi4]

The burden of proof lies on the accuser, in this case GovanifY.

So far GovanifY's only achievement was leaking something he hasn't even made himself, so his word isn't exactly worth much. He's more than welcome to demonstrate kernel-level access if he feels like it. In fact, anyone can investigate this - Homebrew Launcher is open source. Go nuts.

 

[Esppiral]

smea said he is willing to add region free support, and I don't think how such thing could be possible without kernel access...

 

[the_randomizer]

Two questions that I present to the members who read this thread, *ahem*

One - Who the hell is this guy?
Two - Why the hell should we care what he says again?

/useful informative thread

Edit: Ah, so he's the little braggart that leaked the CFW, meaning, whatever little credibility he "had" is lost. Just another fine day in the 3DS scene

 

[Foxi4]

smea said he is willing to add region free support, and I don't think how such thing could be possible without kernel access...

I don't remember him ever saying that, but such a modification would normally require kernel level access, unless there's some clever trick up smea's sleeve.

 

[ken28]

So far GovanifY's only achievement was leaking something he hasn't even made himself, so his word isn't exactly worth much. He's more than welcome to demonstrate kernel-level access if he feels like it. In fact, anyone can investigate this - Homebrew Launcher is open source. Go nuts.

the launcher is, not the exploit.
The question will still remain even if weaker until sources of the exploit are released.

 

[ken28]

I don't remember him ever saying that, but such a modification would normally require kernel level access, unless there's some clever trick up smea's sleeve.

he did, but somewhere he also said its quite compilcated if i remember right.

 

[The Real Jdbye]

That's the magic of it - Cubic Ninja is signed, it's a legit retail game. For all the ARM knows, the code is signed and verified - eXecute Never doesn't kick in because it thinks it's running something else entirely.

You still can't execute your own code though.
I'm talking about a different level of protection, memory protection.
It doesn't get write access to executable regions of memory, and there's no access to setting memory to be executable either. So there should be no way to actually execute your own code even if you can load it without a kernel exploit.