ROM Hack What will Ninjhax 2.0 be capable of?

Psi-hate


The Real Jdbye

> I never noticed that. I thought it booted into kernel mode to install CIAs. Maybe it does work, maybe it doesn't.
I'm not sure how it gets the permission needed to install CIA files though, legit or not. Apps don't normally have access to that. Might be a side effect of how ninjhax works, so yeah, as you say, it may or may not work in 2.0.
 

Psi-hate

> I'm not sure how it gets the permission needed to install CIA files though, legit or not. Apps don't normally have access to that. Might be a side effect of how ninjhax works, so yeah, as you say, it may or may not work in 2.0.
I remember it uses browser permissions too in Ninjhax and 2.0. Maybe the permissions are accessed there? Since the browser could be further exploited with Ninjhax, if I remember correctly.
 

The Real Jdbye

> I remember it uses browser permissions too in Ninjhax and 2.0. Maybe the permissions are accessed there? Since the browser could be further exploited with Ninjhax, if I remember correctly.
Pretty sure the browser doesn't have access to that. Permissions on 3DS are very limited and apps only have permissions they absolutely need. And the browser is never used to install anything, so there's no reason it would have that.
So I'm not really sure how it works, maybe ninjhax 1.x gets the permission through rohax (which is patched) or maybe it gets it through gpuhax (which isn't) but smea's ninjhax writeup doesn't go into that much detail about it.
 

Psi-hate

> Pretty sure the browser doesn't have access to that. Permissions on 3DS are very limited and apps only have permissions they absolutely need. And the browser is never used to install anything, so there's no reason it would have that.
> So I'm not really sure how it works, maybe ninjhax 1.x gets the permission through rohax (which is patched) but smea's ninjhax writeup doesn't go into that much detail about it.
Most likely. What are the remaining hacks we have left? I remember gspwn and something else. I dunno what it all lets us do, or what rohax let us do.
 

The Real Jdbye

> Most likely. What are the remaining hacks we have left? I remember gspwn and something else. I dunno what it all lets us do, or what rohax let us do.
rohax is used to get access to some more system calls, so ninjhax can remap memory and mark it as executable and such. It doesn't seem related, though, but neither does any of the other stuff there; he is probably intentionally leaving out a lot of details. It could also be gpuhax/gspwn, but the usefulness of that seems to be heavily limited by the memory regions it can access.
http://smealum.net/?p=517
rohax was the only one of the used exploits that was patched, so ninjhax 2.0 is basically just working around that.
 
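The permission model the posts above are reasoning about ("apps only have permissions they absolutely need", "rohax is used to get access to some more system calls"), worked through as an added example that is not from the thread or from any 3DS project. The 3DS grants permissions per title in the NCCH extended header's Access Control Info (ACI): a list of the services the process may connect to (fs:USER, am:net, and so on) and a set of kernel-capability descriptors, among them a bitmask of the SVCs it may issue. A payload started through an exploit in a title runs inside that title's process and so inherits that title's ACI, which is why what a homebrew loader can reach depends on its host. The decoder below reads both lists; the offsets follow the public 3dbrew exheader documentation, and the sample ACI in build_sample_aci() is constructed for the example, not dumped from a real title.

```c
/* Added example, not from the thread or from any 3DS project: decodes the
 * Access Control Info (ACI) block of an NCCH extended header, where a title's
 * reachable services and permitted kernel SVCs are declared. Offsets follow
 * the 3dbrew exheader documentation; the sample ACI is constructed below. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ACI_SIZE            0x200
#define ACI_SERVICES_OFF    0x50    /* ARM11 local caps: 0x20 service names, 8 bytes each */
#define ACI_SERVICE_SLOTS   0x20
#define ACI_KERNCAPS_OFF    0x170   /* ARM11 kernel caps: 28 u32 descriptors */
#define ACI_KERNCAPS_SLOTS  28

typedef struct {
    char    services[ACI_SERVICE_SLOTS][9];
    int     n_services;
    uint8_t svc_allowed[256];   /* 1 if that SVC number may be issued */
} aci_info;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32le(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Decode the service access list and the SVC access-control descriptors.
 * Returns 0 on success, -1 if the buffer is too short. */
int aci_parse(const uint8_t *aci, size_t len, aci_info *out) {
    if (!aci || !out || len < ACI_SIZE) return -1;
    memset(out, 0, sizeof *out);
    for (int i = 0; i < ACI_SERVICE_SLOTS; i++) {
        const uint8_t *e = aci + ACI_SERVICES_OFF + i * 8;
        if (e[0] == 0) continue;                     /* empty slot */
        memcpy(out->services[out->n_services], e, 8);
        out->services[out->n_services][8] = '\0';
        out->n_services++;
    }
    for (int i = 0; i < ACI_KERNCAPS_SLOTS; i++) {
        uint32_t d = rd32le(aci + ACI_KERNCAPS_OFF + i * 4);
        /* 0xFFFFFFFF is an unused slot; SVC ACL descriptors start with bits 0b11110 */
        if (d == 0xFFFFFFFFu || (d >> 27) != 0x1E) continue;
        unsigned idx = (d >> 24) & 7;                /* each descriptor covers 24 SVC numbers */
        for (unsigned bit = 0; bit < 24; bit++)
            if (d & (1u << bit)) out->svc_allowed[idx * 24 + bit] = 1;
    }
    return 0;
}

int aci_has_service(const aci_info *info, const char *name) {
    for (int i = 0; i < info->n_services; i++)
        if (strcmp(info->services[i], name) == 0) return 1;
    return 0;
}

/* Constructed sample (not a real title): a small browser-like service list, SVCs
 * 0x01-0x17 and 0x18-0x2F plus 0x32 (SendSyncRequest) allowed, no am:* service. */
size_t build_sample_aci(uint8_t *buf, size_t len) {
    static const char *svcs[] = { "APT:U", "fs:USER", "gsp::Gpu", "hid:USER", "http:C", "ndm:u" };
    static const uint32_t descs[] = { 0xF0FFFFFEu, 0xF1FFFFFFu, 0xF2000004u };
    if (len < ACI_SIZE) return 0;
    memset(buf, 0, ACI_SIZE);
    for (size_t i = 0; i < sizeof svcs / sizeof *svcs; i++)
        memcpy(buf + ACI_SERVICES_OFF + i * 8, svcs[i], strlen(svcs[i]));
    memset(buf + ACI_KERNCAPS_OFF, 0xFF, ACI_KERNCAPS_SLOTS * 4);   /* mark all slots unused */
    for (size_t i = 0; i < sizeof descs / sizeof *descs; i++)
        wr32le(buf + ACI_KERNCAPS_OFF + i * 4, descs[i]);
    return ACI_SIZE;
}

int main(void) {
    uint8_t aci[ACI_SIZE];
    aci_info info;
    build_sample_aci(aci, sizeof aci);
    if (aci_parse(aci, sizeof aci, &info) != 0) return 1;
    printf("services (%d):", info.n_services);
    for (int i = 0; i < info.n_services; i++) printf(" %s", info.services[i]);
    printf("\nam:net reachable: %s\n", aci_has_service(&info, "am:net") ? "yes" : "no");
    printf("svc 0x01 ControlMemory: %d, svc 0x32 SendSyncRequest: %d, svc 0x7B Backdoor: %d\n",
           info.svc_allowed[0x01], info.svc_allowed[0x32], info.svc_allowed[0x7B]);
    return 0;
}
```

Run against a real exheader, the ACI starts at offset 0x200 of the 0x800-byte exheader; the second copy at 0x600 is the accessdesc limit that the first must not exceed. The sample deliberately has no am:* entry, which is the situation the later posts describe for a CIA installer running under a host that was never meant to install titles.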

dark_samus3

If we can run FBI we may actually be able to downgrade the consoles to a lower firmware with 3dNUS or put the MSET vuln back in. Not sure if MSET used rohax or not. If not, then I'm sure that we could easily port over a CFW like Cakes or rxPasta when it's released, and then we'd have CFW accessible on any FW with no worries about updating and whatnot. Also, I think that all you need to install CIAs is just access to files on the NAND or SD card (which I believe the browser does have), because most of what FBI does is copy files here and there, unsigned of course, which means that they'd not be able to run without patching signature checks if it was an unsigned CIA to begin with. Anyway, before I ramble on more, I just thought I'd leave my two cents.
 

Duo8

> rohax is used to get access to some more system calls, so ninjhax can remap memory and mark it as executable and such. It doesn't seem related, though, but neither does any of the other stuff there; he is probably intentionally leaving out a lot of details. It could also be gpuhax/gspwn, but the usefulness of that seems to be heavily limited by the memory regions it can access.
> http://smealum.net/?p=517
> rohax was the only one of the used exploits that was patched, so ninjhax 2.0 is basically just working around that.
It's mentioned that rohax wasn't completely patched, and you can still load unsigned CROs.

As for FBI, I assume it uses ctrulib and am to install titles. Though I don't know how it obtains the permission to do so.
 

Psi-hate

I thought you couldn't downgrade system titles without some sort of modifying. I dunno, I may be wrong. Is it possible to downgrade by regular FBI Ninjhax?
 

The Real Jdbye

> I thought you couldn't downgrade system titles without some sort of modifying. I dunno, I may be wrong. Is it possible to downgrade by regular FBI Ninjhax?
Only by uninstalling them first.
DevMenu 2.x can overwrite them for some reason though.
> It's mentioned that rohax wasn't completely patched, and you can still load unsigned CROs.
>
> As for FBI, I assume it uses ctrulib and am to install titles. Though I don't know how it obtains the permission to do so.
You can no longer get code execution under the ro module, which was the point of rohax. I'm not sure how much use being able to load unsigned CROs is with the new checks in place.
> If we can run FBI we may actually be able to downgrade the consoles to a lower firmware with 3dNUS or put the MSET vuln back in. Not sure if MSET used rohax or not. If not, then I'm sure that we could easily port over a CFW like Cakes or rxPasta when it's released, and then we'd have CFW accessible on any FW with no worries about updating and whatnot. Also, I think that all you need to install CIAs is just access to files on the NAND or SD card (which I believe the browser does have), because most of what FBI does is copy files here and there, unsigned of course, which means that they'd not be able to run without patching signature checks if it was an unsigned CIA to begin with. Anyway, before I ramble on more, I just thought I'd leave my two cents.
Interesting theory. Downgrading that way should work if FBI does. I'm kind of doubting that FBI will work right away on 9.3+ though, if it's at all possible. It must be relying on some sort of exploit, as NINJHAX does not get permission to the "am" service which FBI uses. I can't find the exploit loader in the source code though, which is strange.
Porting over a CFW won't be easy, or maybe even possible, the ARM11 kernel exploit (memchunkhax) was fixed in 9.3 and the ARM9 kernel exploit (firmlaunchhax) was fixed in 9.5, current CFWs (apart from NTR-CFW, that only uses ARM11) rely on both to work.
But we wouldn't need to if we could downgrade, and it takes far less permissions to run a CIA installer than a CFW, so it is plausible for the future.
 

dark_samus3

> Only by uninstalling them first.
> DevMenu 2.x can overwrite them for some reason though.
>
> You can no longer get code execution under the ro module, which was the point of rohax. I'm not sure how much use being able to load unsigned CROs is with the new checks in place.
> Interesting theory. Downgrading that way should work if FBI does. I'm kind of doubting that FBI will work right away on 9.3+ though, if it's at all possible. It must be relying on some sort of exploit, as NINJHAX does not get permission to the "am" service which FBI uses. I can't find the exploit loader in the source code though, which is strange.
> Porting over a CFW won't be easy, or maybe even possible, the ARM11 kernel exploit (memchunkhax) was fixed in 9.3 and the ARM9 kernel exploit (firmlaunchhax) was fixed in 9.5, current CFWs (apart from NTR-CFW, that only uses ARM11) rely on both to work.
> But we wouldn't need to if we could downgrade, and it takes far less permissions to run a CIA installer than a CFW, so it is plausible for the future.

Steveice10 made his own library for C++ (most stuff is written in C for the 3ds so maybe check there for some kind of exploit?) Again though I think for installing CIAs it just installs everything by copying files and I'm pretty sure that Nintendo didn't bother putting any security except encryption which at this point is fairly defeated with all of the keys that we have and whatnot
 

The Real Jdbye

> Steveice10 made his own library for C++ (most stuff is written in C for the 3DS, so maybe check there for some kind of exploit?). Again, though, I think for installing CIAs it just installs everything by copying files, and I'm pretty sure that Nintendo didn't bother putting in any security except encryption, which at this point is fairly defeated with all of the keys that we have and whatnot.
No, it uses the am service according to the source code. Simply copying over files wouldn't work as an encryption key needs to be generated and added to movable.sed (only for SD card data), and the data has to be encrypted with said encryption key. The title key must also be added to the ticket.db on NAND so that it will actually recognize the installed data. All of this is done by the am service; although it could theoretically be done manually, that would require other permissions that NINJHAX does not have, and I don't think anyone's tried that yet.
 
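Jdbye's description above of what an install actually involves, illustrated with an added example that is not from the thread, from FBI or from libctru. A CIA is a container, not an installed title: a 0x2020-byte header with the section sizes and a content index, followed by the certificate chain, the ticket (which carries the encrypted title key, the title ID and the common-key index), the TMD (title version and content records) and the contents, each section aligned to 64 bytes. The parser below locates those sections and pulls out the fields the am service consumes when it records the ticket in ticket.db and registers the title; dropping the container onto the SD card gives the system none of that, which is why a CIA installer needs am rather than file access. Offsets follow the 3dbrew documentation for the CIA, ticket and TMD formats; the sample CIA is constructed in build_sample_cia() with a made-up title ID. For reference, libctru's am.h exposes AM_StartCiaInstall, a write handle for the CIA bytes and AM_FinishCiaInstall for this, and those are only usable if the calling process is allowed an am:* service.

```c
/* Added example, not from the thread, FBI or libctru: walks a CIA container,
 * the format a CIA installer streams to the am service. Layout per 3dbrew:
 * 0x2020-byte header (section sizes + content index), then certificate chain,
 * ticket, TMD, contents and meta, each section 64-byte aligned. The sample
 * CIA is constructed in build_sample_cia(); its title ID is made up. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CIA_HDR_SIZE        0x2020
#define SIG_RSA2048_SHA256  0x00010004u
#define SIG_BLOCK_SIZE      0x140   /* 4-byte sig type + 0x100 signature + 0x3C padding */

typedef struct {
    uint64_t cert_off, cert_size, tik_off, tik_size, tmd_off, tmd_size;
    uint64_t content_off, content_size, meta_off, meta_size;
    uint64_t title_id;        /* from the ticket body */
    uint8_t  common_key_idx;  /* which common key wraps the encrypted title key */
    uint16_t title_version, content_count;  /* from the TMD body */
} cia_info;

/* n-byte integer reader/writer; be=1 for big-endian (ticket/TMD), 0 for little-endian (CIA header) */
static uint64_t rd(const uint8_t *p, int n, int be) {
    uint64_t v = 0;
    for (int i = 0; i < n; i++) v |= (uint64_t)p[i] << (8 * (be ? n - 1 - i : i));
    return v;
}
static void wr(uint8_t *p, uint64_t v, int n, int be) {
    for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * (be ? n - 1 - i : i)));
}
static uint64_t align64(uint64_t v) { return (v + 63) & ~(uint64_t)63; }

/* Locate the sections and pull the fields am needs. Returns 0 on success, negative on a malformed file. */
int cia_parse(const uint8_t *buf, size_t len, cia_info *out) {
    if (!buf || !out || len < CIA_HDR_SIZE) return -1;
    if (rd(buf, 4, 0) != CIA_HDR_SIZE) return -2;
    memset(out, 0, sizeof *out);
    out->cert_size    = rd(buf + 0x08, 4, 0);
    out->tik_size     = rd(buf + 0x0C, 4, 0);
    out->tmd_size     = rd(buf + 0x10, 4, 0);
    out->meta_size    = rd(buf + 0x14, 4, 0);
    out->content_size = rd(buf + 0x18, 8, 0);
    uint64_t off = align64(CIA_HDR_SIZE);
    out->cert_off    = off; off = align64(off + out->cert_size);
    out->tik_off     = off; off = align64(off + out->tik_size);
    out->tmd_off     = off; off = align64(off + out->tmd_size);
    out->content_off = off; off = align64(off + out->content_size);
    out->meta_off    = off;
    if (off + out->meta_size > len) return -3;             /* truncated file */
    /* ticket: signature block, then body; only RSA-2048/SHA-256 tickets handled here */
    const uint8_t *tik = buf + out->tik_off;
    if (rd(tik, 4, 1) != SIG_RSA2048_SHA256 || out->tik_size < SIG_BLOCK_SIZE + 0xB2) return -4;
    const uint8_t *tb = tik + SIG_BLOCK_SIZE;
    out->title_id       = rd(tb + 0x9C, 8, 1);
    out->common_key_idx = tb[0xB1];
    const uint8_t *tmd = buf + out->tmd_off;
    if (rd(tmd, 4, 1) != SIG_RSA2048_SHA256 || out->tmd_size < SIG_BLOCK_SIZE + 0xA0) return -5;
    const uint8_t *mb = tmd + SIG_BLOCK_SIZE;
    if (rd(mb + 0x4C, 8, 1) != out->title_id) return -6;   /* ticket and TMD disagree on the title */
    out->title_version = (uint16_t)rd(mb + 0x9C, 2, 1);
    out->content_count = (uint16_t)rd(mb + 0x9E, 2, 1);
    return 0;
}

#define SAMPLE_TITLE_ID 0x0004000000123400ull   /* made-up title ID for the example */
#define SAMPLE_LEN      0x3A00
static uint8_t sample_cia[SAMPLE_LEN];

/* Constructed sample: typical section sizes (0xA00 cert chain, 0x350 ticket, 0xB34 one-content TMD),
 * a 0x100-byte dummy content and no meta; everything except the fields read above is zero. */
const uint8_t *build_sample_cia(size_t *len) {
    memset(sample_cia, 0, sizeof sample_cia);
    wr(sample_cia + 0x00, CIA_HDR_SIZE, 4, 0);
    wr(sample_cia + 0x08, 0xA00, 4, 0);
    wr(sample_cia + 0x0C, 0x350, 4, 0);
    wr(sample_cia + 0x10, 0xB34, 4, 0);
    wr(sample_cia + 0x18, 0x100, 8, 0);
    sample_cia[0x20] = 0x80;                                /* content index: content 0 present */
    uint8_t *tik = sample_cia + 0x2A40, *tmd = sample_cia + 0x2DC0;   /* where align64 places them */
    wr(tik, SIG_RSA2048_SHA256, 4, 1);
    wr(tik + SIG_BLOCK_SIZE + 0x9C, SAMPLE_TITLE_ID, 8, 1);
    tik[SIG_BLOCK_SIZE + 0xB1] = 0;                         /* common key index 0 */
    wr(tmd, SIG_RSA2048_SHA256, 4, 1);
    wr(tmd + SIG_BLOCK_SIZE + 0x4C, SAMPLE_TITLE_ID, 8, 1);
    wr(tmd + SIG_BLOCK_SIZE + 0x9C, 1024, 2, 1);            /* title version 1024 = v1.0.0 */
    wr(tmd + SIG_BLOCK_SIZE + 0x9E, 1, 2, 1);               /* one content record */
    *len = SAMPLE_LEN;
    return sample_cia;
}

int main(void) {
    size_t len; cia_info ci;
    const uint8_t *cia = build_sample_cia(&len);
    int rc = cia_parse(cia, len, &ci);
    if (rc) { printf("parse failed: %d\n", rc); return 1; }
    printf("ticket @0x%llx title %016llx common key %u; TMD @0x%llx v%u, %u content; content @0x%llx (%llu bytes)\n",
           (unsigned long long)ci.tik_off, (unsigned long long)ci.title_id, ci.common_key_idx,
           (unsigned long long)ci.tmd_off, ci.title_version, ci.content_count,
           (unsigned long long)ci.content_off, (unsigned long long)ci.content_size);
    return 0;
}
```

The title key inside the ticket body is encrypted under the common key selected by that index, so even a tool that could write ticket.db and the SD title directory directly would still need the console's own key material to produce the per-console encrypted layout Jdbye describes, which is the work am does on the installer's behalf.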

dark_samus3

> No, it uses the am service according to the source code. Simply copying over files wouldn't work as an encryption key needs to be generated and added to movable.sed (only for SD card data), and the data has to be encrypted with said encryption key. The title key must also be added to the ticket.db on NAND so that it will actually recognize the installed data. All of this is done by the am service; although it could theoretically be done manually, that would require other permissions that NINJHAX does not have, and I don't think anyone's tried that yet.

Ah, interesting thanks for clearing that up
 

Psi-hate


[Attachment: leaked'.PNG]
