Homebrew Merry Christmas - Have some RAM Dumping!

[Plainscript]

https://web.archive.org/web/20130927060400/http://gorope.me/about

Thanks for the link/heads up, but this won't work for the searchfunction on that site. (eg samples)

This file has some tho'.

http://media.blackhat.com/bh-us-11/Le/BH_US_11_Le_ARM_Exploitation_ROPmap_Slides.pdf

With x86 comparisons too btw.

 

[minexew]

PS3 homebrew hero naehrwert has released some helpful python scripts related to 3ds RAM dumping. The ramdump.py script generates a launcher.dat that is functionally similar to waffle's RAM dumper, but this is can be additionally useful as it shows how the ROP chain was generated and thus might be a useful thing to study for those interesting in ROPing the 3DS themselves.

https://github.com/naehrwert/p3ds

Dumb question: if there was no NX bit, would it be enough to just overflow the stack with <addr_of_this+4><payload code>?

 

[elhobbs]

In addition to the nx bit there is also read and write controls on the different memory regions. So you would still be limited to the memory available to the stack.

 

[zecoxao]

naehrwert is one of the nicest people i ever had the pleasure of talking with on irc. the best part is that he's doing this for fun, and not because he's obligated to anything on anyone's part
i suggest you guys take a look at his work on the ps3 scene.
besides that, congratulations on your joint work with him, fierce waffle. i hope you guys get stable code execution soon.

 

[Kane49]

Can someone explain the deadlock stuff in the source ?

naehrwert is one of the nicest people i ever had the pleasure of talking with on irc. the best part is that he's doing this for fun, and not because he's obligated to anything on anyone's part
i suggest you guys take a look at his work on the ps3 scene.
besides that, congratulations on your joint work with him, fierce waffle. i hope you guys get stable code execution soon.

Ive been pestering him on github and twitter

 

[zecoxao]

Can someone explain the deadlock stuff in the source ?

Ive been pestering him on github and twitter

he won't answer you that's how he rolls

 

[Kane49]

he won't answer you that's how he rolls

Thats fine its not like he has any obligation but not asking won't help me either

 

[Kane49]

Oh noes, fiercewaffles page went down !

 

[fierce waffle]

Oh noes, fiercewaffles page went down !

My hosting service is currently down. Should be back up soon enough.

 

[Kane49]

My hosting service is currently down. Should be back up soon enough.

Okay I remembered you writing something about the self parameter that i wanted to read again as the file_open in my ram dump has 4 arguments while it is called with only 3 in launcher.dat.

 

[fierce waffle]

Okay I remembered you writing something about the self parameter that i wanted to read again as the file_open in my ram dump has 4 arguments while it is called with only 3 in launcher.dat.

No. Ours both have 3 arguments.

Mine : IFile_Open_1 _this, PATH_ADDR1, OPEN_WRITE|OPEN_CREATE
His : r.call(0x1B82AC,[0x279000,Ref("fname"),6],5)

 

[Kane49]

No. Ours both have 3 arguments.

Mine : IFile_Open_1 _this, PATH_ADDR1, OPEN_WRITE|OPEN_CREATE
His : r.call(0x1B82AC,[0x279000,Ref("fname"),6],5)

Thats true but not what i ment, my fault for not knowing how to clearly communicate what I'm confused about ^^

I made a ram dump and right now I'm trying to statically analyse it to get a general picture of whats going on in there, the file open function i found in there
(somewhat identified by how it splits the filename at ':') seems to have 4 arguments instead of the 3 you and him use.

My guess is that I don't understand the arm assembly well enough and it actually only has 3 arguments or less likely that i got the wrong function.

 

[deoFusion]

Has anyone successfully tested the ROP loader on 4.4 (without bricking DS mode initially)?

 

[n1ghty]

Has anyone successfully tested the ROP loader on 4.4 (without bricking DS mode initially)?

Works without bricking on my 4.4 3DS XL.

 

[xyzmanas]

Still not able to get it to work on 4.3, everything works fine just the dump.bin doesn't get created.

 

[Kane49]

Still not able to get it to work on 4.3, everything works fine just the dump.bin doesn't get created.

Hi !
Reinstall the ROP Loader but when it finishes don't press (A), just press Home

 

[mathieulh]

Does anyone know who maintains the 3dsbrew website ? It seems like I can't signup using my current nick because it's blacklisted for some reason, I wanted to add some infos in there but I'll wait till I can do it using my nick (or not at all)

 

[Kane49]

Does anyone know who maintains the 3dsbrew website ? It seems like I can't signup using my current nick because it's blacklisted for some reason, I wanted to add some infos in there but I'll wait till I can do it using my nick (or not at all)

I'm guessing you checked out yesterdays commit ?
3DSBrew has blacklisted the nick /.*/

 

[ernilos]

Does anyone know who maintains the 3dsbrew website ? It seems like I can't signup using my current nick because it's blacklisted for some reason, I wanted to add some infos in there but I'll wait till I can do it using my nick (or not at all)

yellows8 and neimod, ask to him to join to 3dBrew (http://chat.efnet.org:9090/)

 

[mathieulh]

I'm guessing you checked out yesterdays commit ?
3DSBrew has blacklisted the nick /.*/

Yeah it seems like the blacklisted every single nick out there xD

Wrong timing for me to join I guess.