Hacking Question regarding DS profile exploit

[Chaldron]

I heard that the DS profile exploit is still available in 6.x - it just doesn't grant kernel access. Is this true? Just wondering.

Thanks!

 

[how_do_i_do_that]

no it is not in 6.X, it was fix in 5.0, somebody lied to you.

 

[Chaldron]

no it is not in 6.X, it was fix in 5.0, somebody lied to you.

Really? Just to confirm, the DS NVRAM exploit was patched in 5.0, not the kernel access because of that?

Thanks.

 

[Drenn]

According to smealum's blog, the ds profile exploit was never fixed as of 6.3. It's not much use without the kernel exploit, which was patched.

Edit:

It’s interesting that such a vulnerability even exists in mset; apparently, such an approach had been attempted on the DSi and it was not vulnerable to it. Additionally, the crash had been documented on 3Dbrew for a while, and yet somehow the vulnerability is still open to this day (on 6.3. Of course, user mode stack smashes can be achieved through other vectors...)

 

[how_do_i_do_that]

Not being able to use the exploit is the same as being technically closed. Not explaining how an exploit is technically blocked gives non-technical people the wrong impression which Smea has done there.

 

[Drenn]

Are you saying that it has been blocked? If not, I don't understand what we're disagreeing about. The ds profile exploit will still come in handy if another 2nd-stage exploit is ever found in 6.3.

 

[how_do_i_do_that]

It is partially blocked, making it no longer 100% of the time exploitable.

In real world terms for non-technical, a partial block is the same as a fully blocked exploit, because if a hacker is not attempting to make it a reliable exploit again it is effectively dead.

 

[RenegadeKid]

Yeah so they have to find an another exploit to hack the 3DS on 6.3 or on higher firmware.

 

[yifan_lu]

Yes, the DS profile exploit still works on 6.3. In theory, it could allow for homebrew on 6.3 provided that homebrews are compiled into ROP lists. Also, if another kernel exploit is found, it'll allow 6.3 to run your pirated games (versus if Nintendo patches the DS profile exploit in 6.4+, then even a new kernel exploit would be useless until another Usermode exploit is found. You need both to run unsigned code).

 

[how_do_i_do_that]

Yes, the DS profile exploit still works on 6.3. In theory, it could allow for homebrew on 6.3 provided that homebrews are compiled into ROP lists. Also, if another kernel exploit is found, it'll allow 6.3 to run your pirated games (versus if Nintendo patches the DS profile exploit in 6.4+, then even a new kernel exploit would be useless until another Usermode exploit is found. You need both to run unsigned code).

There is no need to theorycraft this exploit as still usable or not when there is a real world example of this exploit in the form of the gateway flashcart and clones, it is the same exploit used by Smea to run his version of emuNAND. These all have the same limitations of the exploit, it is effectively dead on a 3DS firmware of 5.0 or higher a this time.

Your confusing the "exploit still exists" for "exploit still works", these are 2 different things.

 

[megazig]

the exploit still works. you can use it with a ROP chain as yifanlu says. it still exists and works. you're confusing working/existing and usable for morons. the latter is not exactly what a hacking section should be focused on

 

[Drenn]

OP knows that there is no usable exploit for 5.0+ systems. The question is whether the ds profile exploit can still be used in case a new kernel exploit is discovered in 6.3. I'll believe that the answer to that question is "yes" unless you have some source saying otherwise.

 

[how_do_i_do_that]

the exploit still works. you can use it with a ROP chain as yifanlu says. it still exists and works. you're confusing working/existing and usable for morons. the latter is not exactly what a hacking section should be focused on

OP knows that there is no usable exploit for 5.0+ systems. The question is whether the ds profile exploit can still be used in case a new kernel exploit is discovered in 6.3. I'll believe that the answer to that question is "yes" unless you have some source saying otherwise.

I see you two are going to make me wait for 6.4 or higher to come out to vindicate who knows what to be correct. Incidentally that would also give an absolute answer to the op's question on that matter.

 

[RenegadeKid]

Yes, the DS profile exploit still works on 6.3. In theory, it could allow for homebrew on 6.3 provided that homebrews are compiled into ROP lists. Also, if another kernel exploit is found, it'll allow 6.3 to run your pirated games (versus if Nintendo patches the DS profile exploit in 6.4+, then even a new kernel exploit would be useless until another Usermode exploit is found. You need both to run unsigned code).

Thank you for your useful explanations

Yifan Lu is a genius in the hacking scene. He would deserve more respect and gratitude.

 

[snikerz]

There is no need to theorycraft this exploit as still usable or not when there is a real world example of this exploit in the form of the gateway flashcart and clones, it is the same exploit used by Smea to run his version of emuNAND. These all have the same limitations of the exploit, it is effectively dead on a 3DS firmware of 5.0 or higher a this time.

Your confusing the "exploit still exists" for "exploit still works", these are 2 different things.

Maybe you should look up who you are arguing with.

 

[cearp]

It is partially blocked, making it no longer 100% of the time exploitable.

makes me remember chickhen for psp, had to run that like 40 times until it worked... ha

 

[McHaggis]

There is no need to theorycraft this exploit as still usable or not when there is a real world example of this exploit in the form of the gateway flashcart and clones, it is the same exploit used by Smea to run his version of emuNAND. These all have the same limitations of the exploit, it is effectively dead on a 3DS firmware of 5.0 or higher a this time.

You're confusing matters. The "exploit" to which you're referring, used by smea and Gateway, is actually made to exploit more than one vulnerability. Exploiting the first vulnerability gets you access to the user mode, where a second-stage vulnerability is exploited to allow "kernel mode" access. The latter is required for all the patches to the system that smea's "CFW" and Gateway's "Gateway mode" make. The former (user mode) vulnerability still exists in the latest firmware and it is entirely usable. That's all the OP wanted to know.

tl;dr the vulnerability in question isn't "effectively dead". More like it's dormant until it becomes useful again.

 

[smealum]

just fyi : i haven't actually tried exploiting the ds profile vuln on 6.3 or looked into it at all. all i know is the crash still happens, but it's entirely possible that it happens differently and isn't exploitable afaik. i should have reflected that in my article, sorry about that.
nevertheless, McHaggis has the right idea.

 

[Chaldron]

Okay, thanks for all the replies! I understand it better now.

So if a kernel exploit is found, it might be possible to use the DS NVRAM exploit as "gateway" (no pun intended) to get to the kernel access, correct?

Thanks again.

 

[profi200]

The mset haxx vuln exist, even in 6.3, but no ARM9 vuln exist.

Have not tried to do something with mset haxx >4.5, because i don't have useful ROP-gadget's. And yes, mset haxx works a bit different after the 5.X update, but it is not fixed or updated since 5.X.