Hacking [WIP] KARL3DS - Kernel access on N3DS via Ninjhax + Loadcode

Status
Not open for further replies.

Rokkubro (OP)
I'd be absolutely glad to help, but I don't have a New 3DS and am pretty busy with my own cfw'ish hacks at the moment. If you need any help with technical stuff though, feel free to ask questions!

Cool thanks, I'll keep you posted if anything comes up!
 

WulfyStylez
2b. Gaining Arm11 userland code execution
1. Porting Yifan Lu's LoadCode to N3DS Skater (what I am currently working on) and mapping out the correct values in the global address space (can possibly be avoided by smart coding in the 2nd stage) - if you're currently working on this, did you manage to find an exploit in SKATER and get ROP off of it that quickly?
2. Injecting the ported code to replace Ninjhax's Thread 0 ROP
3. Testing with UVLoader (or some other publicly available code)

3b. Gaining kernel access from within userland
1. Converting Gateway's Arm11 exploit to New3DS (as usual, using Yifan's writeup and the info on 3dbrew) - fairly simple - why are you doing this if you're launching from cubic ninja? also you should know by this point that writeups are useless for reimplementing things. you're going to want to look at gateway's actual exploit code, obviously.
2. Converting Gateway's Arm9 exploit to New3DS (it is possible we could use Roxas' work here, it'd probably be more work though) - quite difficult - same as before, look at gw's actual payload. not very hard.
4. Utilising our new-found power! (I haven't thought too much about this to be honest, so just ideas)
1. Work out nand interface and dump nand - you're going to need to understand the SD interface really well to get emunand working anyways...
2. Work out cartridge interface and dump cartridge - you won't be able to get this from GW's code unless you're really good with reading MIPS. better to figure out this interface yourself with info from 3dbrew
3. Work out decryption and do that (maybe look at VOID?) - this stuff is all open-source, thank god
4. Figure out how to create and boot a region free REDNand - this is done through patching process9
5. On the fly game patching - probably the last thing you're gonna want to do
6. Modify Sysnand to boot into our kernel code - literally just do patches without redirecting nand, if i'm understanding you right?
7. Use 3ds as a remote control for our pet flying pig (with gyroscope function!) - do it

Just a few things I noticed.
 

Rokkubro (OP)
Uh oh, you said the "p" word *waits for the angry kids to come in*

Also, you don't need to touch skater. Just trigger memchunkhax from your 3dsx homebrew. Then you can port over firmlaunchhax for arm9. I would do it myself if I had a N3DS. It's not that hard.
I think I understand the method you refer to now.

To do this, I need to exploit memchunkhax via gspwn using Gsp::GPU within ninjhax to write to axiwram, then I need to write to the FIRM area that arm9 boots from and trigger a soft reboot. I can find this method with the old 3ds's memory addresses in the gateway file, albeit with a slightly different second stage which runs from userland. I could deobfuscate the gateway launcher.dat, and translate using the excellent address mapping info on 3dbrew or just have some fun and do it from scratch.

If I've made any mistakes anyone feel free to correct me, otherwise I'll see you all in a couple of weeks! (Nah, I'll post updates every couple of days or so, I promise...)
 

Apache Thunder
From what I understand, the exploit is timing based and you have to write to a certain address after the command to reboot Arm9 is sent as it checks the code to make sure it's signed correctly and is in a memory address only it can see. Then it will reboot. But before it does, Arm11 changes the code on that region quickly before Arm9 has a chance to reboot. When Arm9 reboots, it reads it. That's from what I understand of it from reading yifan_lu's blog page on it. Just making sure you didn't forget about that. ;)
 

Rokkubro (OP)
From what I understand, the exploit is timing based and you have to write to a certain address after the command to reboot Arm9 is sent as it checks the code to make sure it's signed correctly and is in a memory address only it can see. Then it will reboot. But before it does, Arm11 changes the code on that region quickly before Arm9 has a chance to reboot. When Arm9 reboots, it reads it. That's from what I understand of it from reading yifan_lu's blog page on it. Just making sure you didn't forget about that. ;)
Thanks! I hadn't forgotten but I did forget to write it up :/. This relates to why I was saying earlier that this part of the exploit was fairly complicated compared to memchunkhax; because it has the set up. Anyway I need to get some sleep, I've been working on this for too long... I'll see you all tomorrow! I might share a few snippets...
 

WulfyStylez
I think I understand the method you refer to now.

To do this, I need to exploit memchunkhax via gspwn using Gsp::GPU within ninjhax to write to axiwram, then I need to write to the FIRM area that arm9 boots from and trigger a soft reboot. I can find this method with the old 3ds's memory addresses in the gateway file, albeit with a slightly different second stage which runs from userland. I could deobfuscate the gateway launcher.dat, and translate using the excellent address mapping info on 3dbrew or just have some fun and do it from scratch.

If I've made any mistakes anyone feel free to correct me, otherwise I'll see you all in a couple of weeks! (Nah, I'll post updates every couple of days or so, I promise...)

If you're not familiar with the 3DS, you'll need some background on how a lot of things work that aren't really covered by anybody's documentation. Try tearing apart yellows8's leaked 'cfw' and GW's pre-2.0 launcher and you'll learn loads about the platform. I say this assuming you haven't already done it, though.

You mention doing firmlaunch-hax, but do you even know what that's used for? It's not in Yifan's documentation per se.
 

Rokkubro (OP)
If you're not familiar with the 3DS, you'll need some background on how a lot of things work that aren't really covered by anybody's documentation. Try tearing apart yellows8's leaked 'cfw' and GW's pre-2.0 launcher and you'll learn loads about the platform. I say this assuming you haven't already done it, though.

You mention doing firmlaunch-hax, but do you even know what that's used for? It's not in Yifan's documentation per se.

Gateway stage 3 uses firmlaunchhax, and therefore it is in Yifanlu's documentation, see here.
 

peter14ji
I think a skater-based exploit would be helpful for those who can't afford to buy a copy of Cubic Ninja (which has a skyrocketed collector's price) or a Sky3DS. Please keep this in your todo list. And Cell9 already has a code insert platform called NTR CFW working on 4.5. Just use his work if he agrees.
 

shinyquagsire23
Eh, I made an attempt at getting ARM11 kernel from ninjhax. So far no go, it crashes with svc 0x8 (or rather, it never enters ARM11 kernel at all or seemingly never returns from the svc). Also tried it on my N3DS, it has a newer kernel version (22e0000) which I don't know what the patch offset for svcCreateThread is. I'm guessing though that part of the issue with my 3DS is that it's on 4.5, it seems the ARM11 kernel loader that yifanlu has is based more on that version (although I at least got gspwn to write properly and I believe I got it to write the value to the kernel right). Not sure what it could be aside from maybe a stack issue or something, idk. Also, apparently something I did with gspwn makes it so I can take out my cartridge while my homebrew runs. Neat.
 

Rokkubro (OP)
Eh, I made an attempt at getting ARM11 kernel from ninjhax. So far no go, it crashes with svc 0x8 (or rather, it never enters ARM11 kernel at all or seemingly never returns from the svc). Also tried it on my N3DS, it has a newer kernel version (22e0000) which I don't know what the patch offset for svcCreateThread is. I'm guessing though that part of the issue with my 3DS is that it's on 4.5, it seems the ARM11 kernel loader that yifanlu has is based more on that version (although I at least got gspwn to write properly and I believe I got it to write the value to the kernel right). Not sure what it could be aside from maybe a stack issue or something, idk. Also, apparently something I did with gspwn makes it so I can take out my cartridge while my homebrew runs. Neat.

Hey, well if you managed to make it possible for the cartridge to be removed, RegionThree may be possible on the N3DS which is interesting... so many different things to look at now, I may have to go back to my original approach if it isn't possible to get Arm11 kernel from within ninjhax, and I was making progress too (or so I thought). :(
 

shinyquagsire23
Hey, well if you managed to make it possible for the cartridge to be removed, RegionThree may be possible on the N3DS which is interesting... so many different things to look at now, I may have to go back to my original approach if it isn't possible to get Arm11 kernel from within ninjhax, and I was making progress too (or so I thought). :(

Well I'm sure it's possible, gspwn works just fine under ninjhax. I probably just messed something up or my 3DS is just at a bad version to test it at. You could probably also fit it into the secondary exploit of ninjhax (after you scan the QR code initially) so that it would work from there to launch stuff. The problem as of now it seems is that you can't even launch applications from ninjhax, and even if I threw my code in the earlier stages of ninjhax it probably wouldn't work (but who knows?). The thing is though, I'm not sure what actually causes this to happen at all, it's quite odd.
 

Rokkubro (OP)
Well I'm sure it's possible, gspwn works just fine under ninjhax. I probably just messed something up or my 3DS is just at a bad version to test it at. You could probably also fit it into the secondary exploit of ninjhax (after you scan the QR code initially) so that it would work from there to launch stuff. The problem as of now it seems is that you can't even launch applications from ninjhax, and even if I threw my code in the earlier stages of ninjhax it probably wouldn't work (but who knows?). The thing is though, I'm not sure what actually causes this to happen at all, it's quite odd.
Yeah, originally it was my thought to load the exploit through the second stage of the ninjhax exploit but when Yifan said this was possible I switched to doing this because obviously it's a lot faster and easier... Unsure of why you're having trouble though... Just having a quick look at it, it appears to be a quick and dirty port of the gateway exploit, have you tried cutting out the obfuscation? And would you mind terribly if I messed around with it? I'd prefer to try to use this method for as long as I can...
 

shinyquagsire23
Yeah, originally it was my thought to load the exploit through the second stage of the ninjhax exploit but when Yifan said this was possible I switched to doing this because obviously it's a lot faster and easier... Unsure of why you're having trouble though... Just having a quick look at it, it appears to be a quick and dirty port of the gateway exploit, have you tried cutting out the obfuscation? And would you mind terribly if I messed around with it? I'd prefer to try to use this method for as long as I can...

Feel free to mess with it, all the testing the better. I take no credit at all for that port since it's just a port from yifanlu's stuff. I'm not terribly sure what the obfuscation is for tbh, it could be for something, but it could also not be for anything at all. If you're on 8.1 or above, I'd change the patch offset in the arm11 kernel method to what it is in yifanlu's code, maybe it'll work then. I had it set to the 4.1 value and it didn't work for me.
 

marksteele
I can't really contribute here (as I only vaguely understand what you're attempting), but I do want to say that I think it's great that you're not only trying a new way to hack the N3DS but also making it public. Far too many people keep these kinds of things in private or small hidden collaborative groups (I get the reasons but...). Anyway, who knows, perhaps I'll start following this and learn a thing or 2 :P
 

enarky
I think a skater-based exploit would be helpful for those who can't afford to buy a copy of Cubic Ninja (which has a skyrocketed collector's price) or a Sky3DS. Please keep this in your todo list. And Cell9 already has a code insert platform called NTR CFW working on 4.5. Just use his work if he agrees.
Prices are way down again. Currently goes for 25 EUR over here, amazon.com has it for 17 USD.
 

Kracken
Prices are way down again. Currently goes for 25 EUR over here, amazon.com has it for 17 USD.

JPN prices are a lot higher, plus shipping costs. I think many people are hoping this would be a way to play US/EU games on JPN N3DS. That was my hope, but at this point waiting for GW support is probably a better option as I already own a GW card.
 

WulfyStylez
Gateway stage 3 uses firmlaunchhax, and therefore it is in Yifanlu's documentation, see here.

Yes, but what I was getting at was the fact that Gateway does more during/after the reboot that Yifan didn't cover, and you're going to want to be familiar with what it does if you want to do anything useful on 9.2 or run newer emunand versions.
 

Rokkubro (OP)
Eh, I made an attempt at getting ARM11 kernel from ninjhax. So far no go, it crashes with svc 0x8 (or rather, it never enters ARM11 kernel at all or seemingly never returns from the svc). Also tried it on my N3DS, it has a newer kernel version (22e0000) which I don't know what the patch offset for svcCreateThread is. I'm guessing though that part of the issue with my 3DS is that it's on 4.5, it seems the ARM11 kernel loader that yifanlu has is based more on that version (although I at least got gspwn to write properly and I believe I got it to write the value to the kernel right). Not sure what it could be aside from maybe a stack issue or something, idk. Also, apparently something I did with gspwn makes it so I can take out my cartridge while my homebrew runs. Neat.

The patch offset for svcCreateThread is identical for old3ds and new3ds 8.0-9.2 as they have the same physical address mapping for AXIWRAM (0x1FF00000), you can see this on 3dbrew here. I made an extremely small edit to your code (just changed the final else to the correct patch address instead of printing unknown kversion, as I don't know the correct kversion for old3ds 9.0) and I've been able to remove the cubic ninja cartridge and get the weird crash you were talking about. I'll keep looking at it to see why it's occurring, but at the moment I'm as stumped as you are.

Edit: By the way, does it just repeat 'deadead' for you, as if it keeps trying to verify it has kernel code execution? And I think the ability to remove the cartridge is useless, it appears to be a complete system crash...
Edit2: And nope, it's not useless, I can get it to do things while the cartridge is out.
 

WulfyStylez
The patch offset for svcCreateThread is identical for old3ds and new3ds 8.0-9.2 as they have the same physical address mapping for AXIWRAM(0x1FF00000), you can see this on 3dbrew here.

noooooooooooooonononononono. Just because the kernel is loaded to the same location in memory doesn't mean its offsets are the same. N3DS has its own NATIVE_FIRM because there's a bunch of new stuff the system has to do. Thus, every single specific patch offset for 9.x old 3DS will differ.
You should be getting your offsets from N3DS NATIVE_FIRM, not conjecture. You can grab it from NUS and decrypt it with an exploitable old 3DS. It's like super duper critical that you familiarize yourself with the NATIVE_FIRM of the system and sw version you're trying to hack. If you plan on doing almost everything you mentioned wanting to do, you're going to need to map out quite a few things in Process9 in order to make patches.
 