ROM Hack: Rom modding on 9.9 ??

  • Thread starter: puss2puss
  • Views: 3,584
  • Replies: 26

puss2puss

Hell-o gba tempers and temperesses!
I have a small question that I think I already have the answer to, but I just want to make sure before downgrading my NAND...

...On N3DS 9.9, is there a way to mod game ROMs? Knowing that we can't install CIAs and cannot use a CFW, I still hope there's a way to use a FsLayered plugin or something similar..
..if I don't have any choice, I'll flash my NAND with my 9.2 backup..

Thanks.
 
Smea on Twitter said he had an idea to do that for Ninjhax users (if I remember well), but nothing more than that.
 
> Smea on Twitter said he had an idea to do that for Ninjhax users (if I remember well), but nothing more than that.
I doubt that will be possible on 9.9 since it's just one step away from ROM loading :P
It'd likely need a kernel exploit. It's possible with ARM11 kernel alone (NTR-CFW can do it and only has ARM11 kernel) and some people are speculating that Ninjhax 2.0 does in fact have ARM11 kernel access, but I'm not so sure I believe that.
 
> I doubt that will be possible on 9.9 since it's just one step away from ROM loading :P
> It'd likely need a kernel exploit. It's possible with ARM11 kernel alone (NTR-CFW can do it and only has ARM11 kernel) and some people are speculating that Ninjhax 2.0 does in fact have ARM11 kernel access, but I'm not so sure I believe that.
Ninjhax ARM11 kernel access... I think not, not by itself; it can be used as an entry point for other (unknown) exploits, but, Smea being as anti-piracy as he is, I doubt he'll release that. And the game shouldn't have that level of privileges.
 
> Ninjhax ARM11 kernel access... I think not, not by itself; it can be used as an entry point for other (unknown) exploits, but, Smea being as anti-piracy as he is, I doubt he'll release that. And the game shouldn't have that level of privileges.
It doesn't, but Ninjhax uses a series of exploits to gain more permissions. Without that, even running basic homebrew wouldn't be possible. One of the exploits Ninjhax used was patched in 9.3 and it's uncertain what's being used in place of that in Ninjhax 2.0, but people more experienced with hacking than you or I seem relatively sure that Ninjhax 2.0 has ARM11 kernel access. Of course this isn't exposed to homebrew though :P
 
> It doesn't, but Ninjhax uses a series of exploits to gain more permissions. Without that, even running basic homebrew wouldn't be possible. One of the exploits Ninjhax used was patched in 9.3 and it's uncertain what's being used in place of that in Ninjhax 2.0, but people more experienced with hacking than you or I seem relatively sure that Ninjhax 2.0 has ARM11 kernel access. Of course this isn't exposed to homebrew though :P

For now I'll try to make the game crash and find out how many bytes I can use to run code; if I find the thing that smea is using, it'll be easy to make a hello world. But only experimental, I don't know enough to do something more :\

(Of course, maybe I can't achieve it xD)
 
ARM11 on nh2: if that were the case, wouldn't we already have the ability to make a CFW for it? Or are people waiting for GW to update?
..anyway, if I want to mod my games this week, I guess I definitely need to downgrade to 9.2 then, right?..
 
> For now I'll try to make the game crash and find out how many bytes I can use to run code; if I find the thing that smea is using, it'll be easy to make a hello world. But only experimental, I don't know enough to do something more :\
>
> (Of course, maybe I can't achieve it xD)
Making the game crash is only the first step... from there you need to figure out how to make it do something useful (e.g. execute a carefully crafted ROP chain that exploits a specific part of the system to gain unsigned code execution), then you go from there and exploit other parts of the system to gain more permissions. Pretty much how Ninjhax 1.0 works; check http://smealum.net/?p=517 for the details. I'm pretty sure he's intentionally leaving out some parts of the explanation, but it's fairly detailed.

> ARM11 on nh2: if that were the case, wouldn't we already have the ability to make a CFW for it? Or are people waiting for GW to update?
> ..anyway, if I want to mod my games this week, I guess I definitely need to downgrade to 9.2 then, right?..
A proper CFW needs ARM9 kernel. And no one's RE'd Ninjhax 2.0 fully yet, nor is it open source, so we're not exactly sure how it works, or what would be needed to make use of the ARM11 kernel access.
 
> Making the game crash is only the first step... from there you need to figure out how to make it do something useful (e.g. execute a carefully crafted ROP chain that exploits a specific part of the system to gain unsigned code execution), then you go from there and exploit other parts of the system to gain more permissions. Pretty much how Ninjhax 1.0 works; check http://smealum.net/?p=517 for the details. I'm pretty sure he's intentionally leaving out some parts of the explanation, but it's fairly detailed.

> A proper CFW needs ARM9 kernel. And no one's RE'd Ninjhax 2.0 fully yet, nor is it open source, so we're not exactly sure how it works, or what would be needed to make use of the ARM11 kernel access.

Can't you use the framebuffer address to write directly to it, only exploiting the game? :\ You know, override the return address and run the code in the stack; I did it with older versions of Adobe Reader and PoCs of known program bugs, but on the 3DS I never tried it.
 
> Can't you use the framebuffer address to write directly to it, only exploiting the game? :\ You know, override the return address and run the code in the stack; I did it with older versions of Adobe Reader and PoCs of known program bugs, but on the 3DS I never tried it.
Normal executable memory isn't writable by the game; that's why Ninjhax 1.0 exploits part of the system so it can mark accessible regions of memory as executable. This was the exploit that was patched in 9.3, and I don't know how Ninjhax 2.0 does it. Maybe the other way around, marking already executable memory regions as writable? :P
The 3DS is a completely different beast than computers or most smartphones; everything is locked down at the CPU level.
 
> Normal executable memory isn't writable by the game; that's why Ninjhax 1.0 exploits part of the system so it can mark accessible regions of memory as executable. This was the exploit that was patched in 9.3, and I don't know how Ninjhax 2.0 does it. Maybe the other way around, marking already executable memory regions as writable? :P
> The 3DS is a completely different beast than computers or most smartphones; everything is locked down at the CPU level.

Okay :wacko::dry:
 
If I'm tubehaxed, could I use regionfree on an EU N3DS to load a US copy of Cubic Ninja to perform Ninjhax? I don't like being limited to having an internet connection to use Tubehax.
.......errrr, if you need to use tubehax to load the out-of-region CN then you would still need internet access
 