Hacking Does the new wiiu browser exploit have any possible implications for the 3ds?

reaper527

i was reading about the following exploit earlier today:

http://wololo.net/2014/06/20/wiiu-browser-exploit-leaked-possible-vita-compatibility/

while the exploit may look like a dead end on the vita due to the permissions given to their webbrowser, it doesn't seem unrealistic to suspect that the 3ds's webbrowser could be implemented in a similar way to the wii-u.

has anyone heard anything about if a similar browser based exploit would be possible on the 3ds?
 

Foxi4

The reason why the exploit works on the Wii U's web browser is that it somehow overrides the eXecute Never routine of the CPU, so it won't translate to platforms which have this problem covered, or at least so I've read.
 
  • Like
Reactions: Huntereb

Thirty3Three

I've read the same, friend. I dislike linking sites, but if you look on Wololo's /Talk forum, you'll see a guy is trying to work with it. I really don't know much about hacking. Only what I've learned through reading up on 3DS/PSP hacking, but I don't really see it going anywhere on the Vita. Kind of bummed though because you know... Sony... and their whole, "We're treating it as an accessory now" thing.
 

Foxi4

I'm still not giving up hope, it's a great device and I'm sure third-parties will continue to support it, no doubt we'll see the occasional first-party as well. I mean, Sony's announced three upcoming localizations of their games, that should have users covered for 2014 and early 2015 in terms of first-party content.

That being said, cracking the device wide open would be pretty sweet too. The CPU and GPU might've aged since it was first released, but they're still up to scratch and unlike most mobile devices, the PSVita comes with fast-speed VRAM, not just standard RAM system memory, which is a big plus when it comes to working with the GPU.

There are some native hacks for the PSVita, but developers have been hush-hush about them since their initial announcement - SKFU's content instantly comes to mind. I guess only time will tell when the device gets officially and publicly hacked, until then, we can only wait and speculate. For now, all the exploit does on the PSVita is putting it in a refresh loop, which doesn't build my confidence - it looks like the exception is handled by the system. Then again, so were initial DS Profile edits on the 3DS, so what do I know? I'm not a hacker myself. ;)
 

Thirty3Three

Ya never know, then, eh? Hah. I personally love my Vita. I was a day-1 buyer. I've got one for homebrew, and one for... Vita... stuff. I'd like to see if someone could possibly put this "browser" thing to use. That'd be Christmas, haha!

And pfft. Oh yeah, no, I'm sure Sony will still bring games to the Vita. I'm anxiously awaiting my InFAMOUS: Vita B)

And good to know! I'm confident it'll be hacked eventually. In the meantime, however, looks like I'll keep playing my Mario (pronounced, "mair-ee-oh") Kart 7 on my 3DS, and Oracle of Ages on my Veeter. It's a fine day to be a gamer, eh?
 

Relys

Code:
<Relys> Would it be possible to use the Web Browser as a new entry point to replace the mset DS user settings exploit?
<sm> yes
<Relys> I wonder if the webkit bug that was in the recent Wii U browser is also present in the 3DS browser....
<Relys> I have a complete writeup of the vuln with complete changelogs. I'm comparing the Wii U and 3DS webkit sources.
<shuffle2> the vuln was published before it was used on wiiu
<yifanlu> it's a pretty known vuln afaik. used at pwn2own right?
<shuffle2> https://twitter.com/MrMarionumber1/status/478270117227151360
<Relys> Does anyone know if it exists in the 3DS webkit version?
<@yellows8> Relys: already tried that on 3ds >=v7.1, no crash.
<Relys> Hmmmm, any other potential candidates? I know comex's original webkit based exploit for the wii u used a different vuln which allowed him to dump memory but was patched after 3.x. I started researching the wii u last week but I just got a 3DS with firmware 4.4 so I'm going to start working on that too.
<Relys> Took me freaking forever to find one with a low serial number XD LOL
<Namidairo> yeah they're starting to get rarer
<Namidairo> iirc the 3ds uses some browser from a japanese company
<Namidairo> but it's still webkit underneath
<Namidairo> hmm ninty nuked the old link to the 3ds webkit source
<profi200> I guess the 3DS web browser is way more secure than the Wii U web browser. We very rarely find something vulnerable.
<Namidairo> the features lists is weird
<Namidairo> lists compliance with some noname japanese law about parental controls
<Namidairo> "Equipped with a function to notify applications of connected URLs, making it possible for the application to accept or reject the connection"
<Namidairo> I call it a stop button but ok
<profi200> I can say that we have a vuln which is in use currently, but it's a vuln which is of no use for the public because it works like 1 of 10 times. And as always. It only allows ROP.
<nakami> what does ROP stand for?
<profi200> Return oriented programming.
<profi200> Using code already in memory, because we can't load our own.
<Relys> Does that vuln work with 7.2?
<profi200> Every browser version to date.
<nakami> Relys: i think that's not too important right now
<nakami> yeah the browser is one of the most obvious nintendo vulnerability over all
<Relys> Isn't that what ssspwn is for? privilege escalation.
<sm> I don't have ssspwn so I could be wrong but I'm pretty sure it's just a way to bypass DEP
<nakami> i think wiiu's browser supports flash and javascript while the 3ds's does not
<nakami> correct me if im wrong
<nakami> in the wiiu browser?
<profi200> 3DS.
<Namidairo> depends how much you want your 3ds to crash and burn
 
  • Like
Reactions: jacobas92

Thirty3Three

Hey guy. Care to "TL;DR" this for us?
 

Relys

If you don't read all the details you'll never learn anything.

The Wii U free after use vuln isn't in the 3DS Webkit. However, there's another vuln that works.

Also, the source for the 3DS webkit is completely available since it is under open source licensing:

http://www.nintendo.co.jp/support/oss/

To find exploits you can search http://www.webkit.org/ changelog for pull requests for patched vulnerabilities in the date range of the 3DS/Wii U Webkit versions. You can then compare the 3DS/Wii U webkit source to see if they still exist.
 
  • Like
Reactions: NEP and jacobas92
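
Comparing a shipped WebKit fork against upstream fixes, as described in the post above, is the same patch-gap audit a vendor runs on its own tree. The sketch below is an added example, not code from this thread or from any project mentioned in it; the diff, the source snippets and the function names are constructed for illustration.

```python
import re

def normalize(line):
    # Collapse whitespace so a re-indented fork still matches upstream text.
    return re.sub(r"\s+", " ", line).strip()

def parse_hunks(diff_text):
    """Return (context, removed, added) lines from a git-style unified diff."""
    buckets = {" ": [], "-": [], "+": []}
    in_hunk = False
    for line in diff_text.splitlines():
        if line.startswith("@@"):
            in_hunk = True
        elif line.startswith("diff "):
            in_hunk = False          # file headers follow, not hunk lines
        elif in_hunk and line[:1] in buckets:
            text = normalize(line[1:])
            if re.search(r"\w", text):   # skip bare braces and blank lines
                buckets[line[:1]].append(text)
    return buckets[" "], buckets["-"], buckets["+"]

def classify(diff_text, source_text):
    """Report whether a vendored file carries the fix in diff_text."""
    ctx, removed, added = parse_hunks(diff_text)
    have = {normalize(l) for l in source_text.splitlines()}
    def hit(lines):
        return sum(l in have for l in lines)
    if ctx and hit(ctx) * 2 < len(ctx):
        return "needs-review"        # surrounding code diverged from upstream
    if added and hit(added) == len(added) and hit(removed) == 0:
        return "patched"
    if hit(added) == 0 and hit(removed) == len(removed):
        return "unpatched"
    return "needs-review"            # partial backport or local rewrite

# Constructed upstream fix and three constructed vendored variants.
FIX = """\
--- a/platform/Buffer.cpp
+++ b/platform/Buffer.cpp
@@ -20,5 +20,5 @@
 void Buffer::copyFrom(const char* src, size_t len)
 {
-    memcpy(m_data, src, len);
+    memcpy(m_data, src, std::min(len, m_capacity));
     m_dirty = true;
 }
"""
HEAD = "void Buffer::copyFrom(const char* src, size_t len)\n{\n"
TAIL = "  m_dirty = true;\n}\n"
PATCHED = HEAD + "  memcpy(m_data, src, std::min(len, m_capacity));\n" + TAIL
UNPATCHED = HEAD + "  memcpy(m_data, src, len);\n" + TAIL
DIVERGED = "void Buffer::assign(const Span& s)\n{\n  m_data = s.copy();\n}\n"
```

A "needs-review" result means the text match is inconclusive and the file has to be read by hand, which is the usual outcome when a vendor has restructured the code around the fix.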

Thirty3Three

I'm not in it for the lesson. It's just 2am, and I'd like my posts summarized. But thanks for the explanation. I appreciate it.
 

reaper527

thanks for the input and irc log. it's a shame that there wasn't more common code between the 3ds and wiiu. would have been great to have seen this existing in both.
 

st4rk

I tried the Wii U exploit on my DSi (it just says: can't load complete page), and the 3DS doesn't load the complete page.

I think a browser exploit really exists, but this is not the correct way to do it :P
 
