Homebrew Smealum's Ninjhax Writeup

Psi-hate

GBATemp's Official Psi-Hater
Smealum on his twitter recently released his writeup for Ninjhax so I thought it would possibly help or intrigue some people of how it works. Here's his tweet/a link to his blogpost:

Smealum: "you asked for it : here's a full technical writeup of ninjhax's inner workings http://smealum.net/?p=517 ; handle with care"

 

Psi-hate

GBATemp's Official Psi-Hater
I can hardly think so, considering that it uses a lot of constricted data to even boot up usermode access. Who knows though. It'd probably have to use another exploit or way entirely to run that.
 

berichan

ACNHMobileSpawner dev
Apologies for my severe lack of 3DS knowledge & if this makes no sense at all, but smea mentions that

> The ro system module has access to a number of high-privilege system calls which, among other things, allow it to give regions of memory executable status within its own virtual memory space as well as other processes

and has access to 0x70. Using the same exploit, would it be possible to create a custom CRO to syscall 0x7B for creating ram dumps?

Again, sorry for my limited 3DS knowledge, baby steps :)
 

Arisotura

rise of melonism
Syscall 0x7B isn't usable easily on the ARM11.

You need to pass it a kernel virtual address while you're typically in user mode. And you need to write your code in a memory region that will be writable in user mode and executable in kernel mode.
 

filfat

CTO @ Nordcom Group Inc.
> Now can someone make a new ninjhax with kernel access and all RAM?

You really think he wouldn't have done it already if the exploit used in ninjhax allowed you to?
It's a little bit like saying "now we have the ingredients for a pizza, so let's make pie!"
 

Slushie3DS

Cold Beverage Lover
While I was reading, I was hopeful that there would be a way to use the GPU DMA hack to load a minimal homebrew setup through a webkit exploit, but Smea stated that spider/SKATER's .text is out of range. Hopefully, other people are seeing further than I am.
 

smealum

growing up sucks.
> While I was reading, I was hopeful that there would be a way to use the GPU DMA hack to load a minimal homebrew setup through a webkit exploit, but Smea stated that spider/SKATER's .text is out of range. Hopefully, other people are seeing further than I am.

you could just do spiderhax => rohax => full code exec under spider
 

smealum

growing up sucks.
> Whoa, I wasn't expecting a reply from you. Doing this would give us the same possibilities as Ninjhax, and would cut out the need for a cartridge, no?

spider has access to way less RAM, and it would require an internet connection every time you want to run homebrew, so it would be somewhat impractical.
 

Slushie3DS

Cold Beverage Lover
> spider has access to way less RAM, and it would require an internet connection every time you want to run homebrew, so it would be somewhat impractical.

Hmm, I may take a crack at it just for the novelty. It could be used for other things, possibly. Text editors and other trivial stuff.

So, if spider is out of the equation, can you think of any other way?

Edit: Also, you're getting thoroughly trashed by some casuals.
 

smealum

growing up sucks.
> Hmm, I may take a crack at it just for the novelty. It could be used for other things, possibly. Text editors and other trivial stuff.
>
> So, if spider is out of the equation, can you think of any other way?
>
> Edit: Also, you're getting thoroughly trashed by some casuals.

well, one nice thing about spider is that it's an applet, so it can run concurrently with an application.

what you could do is essentially the reverse of what ninjhax does, i.e. take over an app from spider rather than take over spider from an app. for instance, have the user run mii plaza or whatever, then return to menu and run spiderhax.

of course this makes the booting process more cumbersome but it would work.
 

Slushie3DS

Cold Beverage Lover
> well, one nice thing about spider is that it's an applet, so it can run concurrently with an application.
>
> what you could do is essentially the reverse of what ninjhax does, i.e. take over an app from spider rather than take over spider from an app. for instance, have the user run mii plaza or whatever, then return to menu and run spiderhax.
>
> of course this makes the booting process more cumbersome but it would work.

My only concern is the POWER. People bend over backwards for the ability to run 3rd party apps. They paid 40 USD+ for a terrible game just to do that, so I'm sure they wouldn't mind a bit of work to get their prize.
 

gudenau

Largely ignored
> well, one nice thing about spider is that it's an applet, so it can run concurrently with an application.
>
> what you could do is essentially the reverse of what ninjhax does, i.e. take over an app from spider rather than take over spider from an app. for instance, have the user run mii plaza or whatever, then return to menu and run spiderhax.
>
> of course this makes the booting process more cumbersome but it would work.

So, Pokéhax?
 

Slushie3DS

Cold Beverage Lover
Wait, smealum, on the OFF chance that we are somehow able to obtain kernel access, would that mean we could somehow use a webkit exploit to execute code to install a boot.cia from your SDHC? Example: Putting the .cia on your SDHC, going to a webpage, and clicking a button activator to start the process so we could install the homebrew launcher directly to our 3DS home menu.
 

gudenau

Largely ignored
> Wait, smealum, on the OFF chance that we are somehow able to obtain kernel access, would that mean we could somehow use a webkit exploit to execute code to install a boot.cia from your SDHC? Example: Putting the .cia on your SDHC, going to a webpage, and clicking a button activator to start the process so we could install the homebrew launcher directly to our 3DS home menu.

We need the keys before we could do that. (Not the ones we have)
 

Slushie3DS

Cold Beverage Lover
> We need the keys before we could do that. (Not the ones we have)

