Homebrew [Questions] Technical details of scene status

Urbanshadow

Well-Known Member
OP
Member
Joined
Oct 16, 2015
Messages
1,578
Trophies
0
Age
33
XP
1,723
Country
Hi all,
I'm in the process of documenting what is/was going on in the 3DS scene for a little presentation for security enthusiasts at my university, and I have some questions I am not able to find answers to on 3dbrew, so any help is appreciated.

Maybe I'll have more questions along the way. You don't have to be too precise in your answers; if you feel I could find the info by searching, a little hint will suffice and I'll do the research.

Questions:

Pending:

Figured out:
1) In the first steps of the scene, was MSET 4.X the only place to go, or was there some kind of user-mode execution then?
There was no homebrew scene at the time, but devs were already working hard on useful looking vulnerabilities.

2) Was MSET 4.X a discovery of GW team?
Nope, it's not! The discovery belongs to a user called Ichifly in 2012, a long year before GW came.

3) What came first: MSET 6.X or HBL?

MSET 6.X as an exploit came first, but it was not so useful. More complete support for it was written after HBL, with rxtools and half the initial homebrew scene.

4) Was the first version supported by HBL the first version with webkit payloads available?
HBL was designed for Cubic Ninja. *hax came afterwards.

5) Is the ARM11 code execution in *hax handled just by gspwn or it used another exploit in the past?
6) In the 9.0 to 9.2 versions, what is the exploit enabling ARM9 code execution, and how does brahma fit into this?

Brahma is in fact a privilege elevation exploit to easily execute a valid ARM9 payload on the 3DS system. It looks like it is widely used on 9.0/9.2 as the main method to gain full ARM9 access. (If I'm not mistaken, cfws, D9 and ET9 work this way; I even think Gateway does something along these lines, but not brahma.)

With gspwn's help, rohax helps to achieve firmlaunchhax. Both are used in (at least) the original brahma code. This grants ARM9 code execution. I've got this part figured out then. I guess the response to 5 is also quite obvious now. gspwn is still alive in 10.5 and it will be around for good.

Approximate Scene Timeline:
Code:
Q2 2011 - Release of O3DS
   2012 - Discovery of MSET exploit
Q3 2013 - Release of MSET 4.X and Gateway
Q3 2013 - Update 6.1 rolls in
Q4 2013 - Release of 2DS
Q4 2013 - Update 7.0 released (MSET exploit fixed)
Q4 2014 - 9.0 Update released
Q4 2014 - The homebrew launcher appears! (It uses gspwn and rohax!)
Q4 2014 - 9.3 Update released (rohax is fixed)
Q1 2015? - MSET 6.X release for Rxtools
Q2 2015 - 9.5 Update released (firmlaunchhax is fixed)
Q2 2015 - Release of N3DS/N3DSXL
Q2 2015 - Ninty secretly rolls browser update nag support with 9.9
Q3 2015 - themehax/menuhax, browserhax releases!
Q3 2015 - Ninty browser update nag detonates with 10.1
Q4 2015 - Update 10.3 rolls in
Q4 2015 - 32c3 Talk. Memchunkhax2, ntrcardhax and arm9loaderhax are revealed.
Q1 2016 - The great downgrade happening. Hundreds of systems going 9.2 and bricked thanks to memchunkhax2.
Q1 2016 - Updates 10.4 and 10.5 roll in a week appart. Memchunkhax2 is fixed on 10.4 ( :( )
Q1 2016 - The entire secret sector of the N3DS is leaked and decrypted, along with the 0x11 keyslot. N3DS users can go to the latest emuNAND! (Some devs have gone into the 1.X land and grabbed nice things)
Q1 2016 - A known vulnerability is exploited to allow a firm replacement in updates 10.4 and 10.5 to recover memchunkhax2, but it requires a hardmod.
Q1 2016 - People are downgrading to very low versions (2.1.0) to grab the OTP register from their systems, allowing them to use arm9loaderhax!
Q1 2016 - Update 10.6 rolls in and it's still vulnerable to the firm replacement downgrade! Menuhax and browserhax have (temporarily?) died :'(.
 

Urbanshadow

Well-Known Member
OP
Member
Joined
Oct 16, 2015
Messages
1,578
Trophies
0
Age
33
XP
1,723
Country
Thanks to the kind mod for moving this to its appropriate forum!

Update:
OK, so I found partial info on 6, but it's incomplete. Brahma is in fact a privilege elevation exploit to easily execute a valid ARM9 payload on the 3DS system. It looks like it is widely used on 9.0/9.2 as the main method to gain full ARM9 access. (If I'm not mistaken, cfws, D9 and ET9 work this way; I even think Gateway does something along these lines, but not brahma.)

As the brahma documentation states, it's based on two known (defined as "commercial", wat) exploits in the system. It does not say which two exploits, but we don't have ARM9 execution above 9.2, so it must have been fixed at least on 9.3.X. I have not found any exploit on 3dbrew matching this, but I have some suspects. Then again, the brahma docs explain how a firm_reboot() call must be made for the ARM9 payload to run.

So, as far as I can understand, what fuels the scene on 9.2 is:
-A 1st grade hax capable of starting a ROPchain. (Webkit exploits for the keks)
-Gspwn or another ARM11 user code execution enabler exploit.
-A homebrew for ARM11 userland with the brahma code compiled in.
-A valid ARM9 brahma payload.

Somehow brahma does not work above 9.2 and I can't find exactly what exploit was fixed and how it was fixed to achieve that. After this, people are going full memchunkhax2 (which I understand well enough) to expose am:u and downgrade to recover the brahma exploit.

Before this, geez, I'm not really sure. Yeah, I mean, MSET and everything. And it's documented on 3dbrew, but I'm not there yet.
 

Urbanshadow

I believe it is Rohax.

That's one of my suspects indeed. But the brahma documentation refers to two exploits. I will continue dwelling on 3dbrew.

The memory mapping syscalls are really useful, but that doesn't grant you magical ARM9 access.

Update: Here it was! With gspwn's help, rohax helps to achieve firmlaunchhax. Both are used in (at least) the original brahma code. This grants ARM9 code execution. I've got this part figured out then. I guess the response to 5 is also quite obvious now. gspwn is still alive in 10.5 and it will be around for good.

firmlaunchhax is fixed on 9.5, but is unreachable on 9.4 and 9.3 because rohax was fixed in 9.3.
I wonder now if a later memchunkhax2 could have aided in reaching firmlaunchhax on 9.4...
 

Urbanshadow

Oh, I found partial info on 2:

Gbatemp wiki said:
The MSET exploit is an exploit for the System Settings application of the Nintendo 3DS (MSET). The vulnerability was originally discovered by ichfly in 2012, and was later used by the GateWay 3DS. The exploit uses a flaw in the Nintendo DS profile settings, where a long nickname or message will cause a stack buffer overflow, crashing the 3DS part of the console.

Pretty straightforward. And as it turns out, not Gateway's fault. Was fixed on 7.X.

So definitely HBL came before MSET 6.X for Rxtools (I thought it was the other way around!). HBL was first supported by ninjhax, as smea did it that way.
 
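The stack overflow described in the wiki text quoted above, worked through as an added C example. This is neither MSET's code nor code from the wiki: it models a profile parser that copies a UTF-16 nickname into a fixed stack buffer, with a struct standing in for the stack frame so the clobbered saved return address can be observed on a host without crashing. The 10-code-unit nickname limit, the blob layout, the little-endian host and every function name are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit: a DS profile nickname is at most 10 UTF-16 code units. */
#define NICK_MAX_CHARS 10
#define NICK_BUF_BYTES (NICK_MAX_CHARS * 2)

/* Assumed on-disk layout: a code-unit count followed by the code units.
 * The count is attacker-controlled (it lives in the saved profile). */
struct profile_blob {
    uint16_t nick_len;
    uint16_t nick[64];
};

/* Stand-in for the stack frame: the local buffer sits right below a saved
 * return address, as it would on ARM, so the clobber can be observed. */
struct fake_frame {
    uint8_t  nick_buf[NICK_BUF_BYTES];
    uint32_t saved_lr;
};

/* Vulnerable model: trusts nick_len and copies nick_len*2 bytes into a
 * 20-byte buffer. The clamp to sizeof(*f) only keeps this demo inside the
 * struct; on a real stack the copy keeps running into the caller's frame. */
uint32_t parse_nick_vulnerable(const struct profile_blob *b, struct fake_frame *f)
{
    size_t n = (size_t)b->nick_len * 2;
    if (n > sizeof(*f))
        n = sizeof(*f);
    memcpy((uint8_t *)f, b->nick, n);        /* runs past nick_buf into saved_lr */
    return f->saved_lr;
}

/* Hardened model: validate the count against the field's limit before any
 * copy, so the copy length can never exceed the buffer. */
int parse_nick_hardened(const struct profile_blob *b, struct fake_frame *f)
{
    if (b->nick_len > NICK_MAX_CHARS)
        return -1;                                /* reject the profile */
    memset(f->nick_buf, 0, sizeof f->nick_buf);
    memcpy(f->nick_buf, b->nick, (size_t)b->nick_len * 2);
    return 0;
}

/* Constructed malicious profile: 10 'A' code units fill the buffer, the next
 * two code units land on saved_lr (little-endian host assumed). */
void make_overflow_blob(struct profile_blob *b, uint32_t fake_lr)
{
    memset(b, 0, sizeof *b);
    b->nick_len = NICK_MAX_CHARS + 2;
    for (int i = 0; i < NICK_MAX_CHARS; i++)
        b->nick[i] = 'A';
    b->nick[NICK_MAX_CHARS]     = (uint16_t)(fake_lr & 0xFFFFu);
    b->nick[NICK_MAX_CHARS + 1] = (uint16_t)(fake_lr >> 16);
}

/* Saved return address after the vulnerable parser ran on the malicious
 * profile: 0x41414140 means it was overwritten by the last two code units. */
uint32_t demo_vulnerable_lr(void)
{
    struct profile_blob b;
    struct fake_frame f = { {0}, 0xDEAD0001u };
    make_overflow_blob(&b, 0x41414140u);
    return parse_nick_vulnerable(&b, &f);
}

/* 1 when the hardened parser rejects the same profile and leaves saved_lr alone. */
int demo_hardened_rejects(void)
{
    struct profile_blob b;
    struct fake_frame f = { {0}, 0xDEAD0001u };
    make_overflow_blob(&b, 0x41414140u);
    return parse_nick_hardened(&b, &f) == -1 && f.saved_lr == 0xDEAD0001u;
}

/* 1 when a well-formed 3-character nickname is accepted and stored as UTF-16LE. */
int demo_hardened_accepts(void)
{
    struct profile_blob b = { 3, { 'a', 'b', 'c' } };
    struct fake_frame f = { {0}, 0xDEAD0001u };
    return parse_nick_hardened(&b, &f) == 0 && f.nick_buf[0] == 'a' && f.nick_buf[4] == 'c';
}

int main(void)
{
    printf("vulnerable: saved_lr = 0x%08x\n", (unsigned)demo_vulnerable_lr());
    printf("hardened rejects oversized profile: %d\n", demo_hardened_rejects());
    printf("hardened accepts valid profile:     %d\n", demo_hardened_accepts());
    return 0;
}
```

The hardened variant checks the count against the field's limit before copying rather than clamping inside the copy, so a malformed profile is rejected outright instead of being silently truncated. The clobbered saved_lr in the vulnerable path is the kind of control an exploit needs to turn the crash the wiki mentions into controlled execution.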

shinyquagsire23

If you're documenting history, yifanlu published the first public implementation of Memchunkhax, which I ported to ninjhax as bootstrap, which then forked to Brahma and bootstrap-arm9. Libkhax was another implementation designed to patch the system and exit cleanly, allowing kernel for homebrew. Might be worth mentioning the OSKA/KARL deal as well which happened before Pasta and the subsequent modified RxTools which added signature removals.
 

Urbanshadow

shinyquagsire23 said:
If you're documenting history, yifanlu published the first public implementation of Memchunkhax, which I ported to ninjhax as bootstrap, which then forked to Brahma and bootstrap-arm9. Libkhax was another implementation designed to patch the system and exit cleanly, allowing kernel for homebrew. Might be worth mentioning the OSKA/KARL deal as well which happened before Pasta and the subsequent modified RxTools which added signature removals.

I wasn't going that deep because I only have about an hour to say everything, but it's nice having you around here :)
I will go search for everything you said, but I don't know how much of it would end up in the final talk.

--------------------- MERGED ---------------------------

I really like this thread. Thanks for the great information!

It's all out there, seriously. It's only hidden or scattered.
 

Roboman

Brahma references two exploits because the ARM9 exploit requires the ARM11 kernel to execute. The first exploit elevates it to ARM11 kernel, then the second gives ARM9.
Memchunkhax was fixed in 9.3 but the ARM9 exploit wasn't fixed until 9.5.
That's why 9.3 ARM9 isn't around.
(Although with memchunkhax2 it's doable again.)
 

Quantumcat

Thanks for providing this history, it is useful. However, there are a lot of members of this forum who live in the southern hemisphere. Where I live, Summer is December-February and Winter is June-August. So it makes it really confusing to follow your timeline. Fixed for inclusivity:

Code:
Early 2011 - Release of O3DS
2012 - Discovery of MSET exploit
Mid 2013 - Release of MSET 4.X and Gateway
Mid 2013 - Update 6.1 rolls in
Late 2013 - Release of 2DS
End of 2013 - Update 7.0 released (MSET exploit fixed)
Late 2014 - 9.0 Update released
End of 2014 - The homebrew launcher appears! (It uses gspwn and rohax!)
End of 2014 - 9.3 Update released (rohax is fixed)
Early 2015? - MSET 6.X release for Rxtools
Early 2015 - 9.5 Update released (firmlaunchhax is fixed)
Early 2015 - Release of N3DS/N3DSXL
Mid 2015 - Ninty secretly rolls browser update nag support with 9.9
Mid/Late 2015 - themehax/menuhax, browserhax releases!
Late 2015 - Ninty browser update nag detonates with 10.1
End of 2015 - Update 10.3 rolls in
End of 2015 - 32c3 Talk. Memchunkhax2, ntrcardhax and arm9loaderhax are revealed.
Start of 2016 - The great downgrade happening. Hundreds of systems going 9.2 and bricked thanks to memchunkhax2.
Start of 2016 - The 0x11 keyslot is revealed. N3DS users can go to the latest emunand! (Some devs have gone into the 2.1 land and grabbed nice things)
Start of 2016 - Updates 10.4 and 10.5 roll in a week apart. Memchunkhax2 is fixed on 10.4 ( :( )
Start of 2015 (do you mean 2016 here?) - A firm replacement for updates 10.4 and 10.5 has been found. Recovers memchunkhax2, but requires hardmod.
Start of 2016 - People are downgrading to very low versions to grab the OTP register from their systems, allowing them to use arm9loaderhax!
 

Mrrraou

By the way, for the "timeline":
It's not the 0x11 keyslot, but the whole decrypted N3DS secret sector that leaked. And the devs went into the 1.0 land, not 2.1, since they had Cubic Ninja.
IIRC, the 10.4 occurred before the leaked secret sector.
Firm replacement wasn't found, it was a known vulnerability.
 

The Real Jdbye

Urbanshadow said:
Oh, I found partial info on 2:

Pretty straightforward. And as it turns out, not Gateway's fault. Was fixed on 7.X.

So events right now are like this for me:
Code:
Spring 2011 - Release of O3DS
During 2012 - Discovery of MSET exploit
Summer 2013 - Release of MSET 4.X and Gateway
Summer 2013 - Update 6.1 rolls in
Fall 2013 - Release of 2DS
winter 2013 - Update 7.0 released (MSET exploit fixed)
Fall 2014 - 9.0 Update released
Winter 2014 - The homebrew launcher appears! (It uses gspwn and rohax!)
Winter 2014 - 9.3 Update released (rohax is fixed)
Start/Spring 2015? - MSET 6.X release for Rxtools
Spring 2015 - 9.5 Update released (firmlaunchhax is fixed)
Spring 2015 - Release of N3DS/N3DSXL
Summer 2015 - Ninty secretly rolls browser update nag support with 9.9
Summer/Fall 2015 - themehax/menuhax, browserhax releases!
Fall 2015 - Ninty browser update nag detonates with 10.1
Winter 2015 - Update 10.3 rolls in
Winter 2015 - 32c3 Talk. Memchunkhax2, ntrcardhax and arm9loaderhax are revealed.
Start of 2016 - The great downgrade happening. Hundreds of systems going 9.2 and bricked thanks to memchunkhax2.
Start of 2016 - The 0x11 keyslot is revealed. N3DS users can go to the latest emunand! (Some devs have gone into the 2.1 land and grabbed nice things)
Start of 2016 - Updates 10.4 and 10.5 roll in a week apart. Memchunkhax2 is fixed on 10.4 ( :( )
Start of 2015 - A firm replacement for updates 10.4 and 10.5 has been found. Recovers memchunkhax2, but requires hardmod.
Start of 2016 - People are downgrading to very low versions to grab the OTP register from their systems, allowing them to use arm9loaderhax!

Urbanshadow said:
So definitely HBL came before MSET 6.X (I thought it was the other way around!). HBL was first supported by ninjhax, as smea did it that way.
MSET 6.x existed for a long time before HBL, but it was not very useful because we had no ARM9/ARM11 kernel exploit for 5.0+ at the time, so it was only useful for simple homebrew, and there was not much of a homebrew ecosystem at the time.
 

Urbanshadow

Quantumcat said:
Thanks for providing this history, it is useful. However, there are a lot of members of this forum who live in the southern hemisphere. Where I live, Summer is December-February and Winter is June-August. So it makes it really confusing to follow your timeline. Fixed for inclusivity:
Ugh, that's entirely on me. Give me a second, I'll change it to a quarters notation.

--------------------- MERGED ---------------------------

The Real Jdbye said:
MSET 6.x existed for a long time before HBL, but it was not very useful because we had no ARM9/ARM11 kernel exploit for 5.0+ at the time, so it was only useful for simple homebrew, and there was not much of a homebrew ecosystem at the time.

Oh, so the late one was the implementation of it in rxtools. Do you happen to know approximately when in the timeline it appeared?

--------------------- MERGED ---------------------------

Mrrraou said:
Firm replacement wasn't found, it was a known vulnerability.

Yup, but the vulnerability itself consists of running a different system title version with a lower minor version of a firm, is it? This makes it possible to recover mch2 and run it on 10.4 and 10.5 system titles, thus allowing a downgrade from there. (I mean, the phrase needs rewording, but it's not entirely wrong, is it?)

EDIT: Merged the info into the OP, just for clarification. Your contributions are very helpful!
 

Mrrraou

Urbanshadow said:
Yup, but the vulnerability itself consists of running a different system title version with a lower minor version of a firm, is it? This makes it possible to recover mch2 and run it on 10.4 and 10.5 system titles, thus allowing a downgrade from there. (I mean, the phrase needs rewording, but it's not entirely wrong, is it?)
No, it's because only the revision (<KERNEL_VERSIONMAJOR>.<KERNEL_VERSIONMINOR>-<KERNEL_VERSIONREVISION>) since 9.6, and the titles just say which major version and which minor version they want, so it allows downgrading to a 9.6 FIRM and lower.
 
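The downgrade mechanism Mrrraou describes, worked through as an added C example that models the description in the thread rather than the 3DS's actual FIRM/title version check (which is not on this page). A title's metadata carries only MAJOR.MINOR; if the check compares only those two fields, an older FIRM with the same MAJOR.MINOR but a lower REVISION is accepted. The struct layouts, function names and version numbers are invented for the demo, and the anti-rollback floor in the hardened variant is a generic countermeasure, not something the thread attributes to Nintendo.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* FIRM/kernel version in the MAJOR.MINOR-REVISION form given in the post. */
struct firm_ver { unsigned major, minor, revision; };

/* What a system title's metadata carries, per the post: MAJOR.MINOR only. */
struct title_req { unsigned major, minor; };

/* Parse "2.50-11" style strings. Returns 0 on success, -1 if malformed. */
int parse_firm_ver(const char *s, struct firm_ver *v)
{
    static const char sep[3] = { '.', '-', '\0' };
    const char *p = s;
    unsigned long f[3];

    for (int i = 0; i < 3; i++) {
        char *end;
        if (*p < '0' || *p > '9')             /* strtoul would accept "+", "-", spaces */
            return -1;
        errno = 0;
        f[i] = strtoul(p, &end, 10);
        if (errno != 0 || *end != sep[i])
            return -1;
        p = end + 1;
    }
    v->major = (unsigned)f[0];
    v->minor = (unsigned)f[1];
    v->revision = (unsigned)f[2];
    return 0;
}

/* Vulnerable model of the check described in the post: only the two fields
 * the title names are compared, so a FIRM with the same MAJOR.MINOR but a
 * lower REVISION (an older build that still has the bug) is accepted. */
int firm_accepted_vulnerable(const struct title_req *want, const struct firm_ver *have)
{
    return want->major == have->major && want->minor == have->minor;
}

/* Three-way comparison over the full triple. */
int firm_ver_cmp(const struct firm_ver *a, const struct firm_ver *b)
{
    if (a->major != b->major)       return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor)       return a->minor < b->minor ? -1 : 1;
    if (a->revision != b->revision) return a->revision < b->revision ? -1 : 1;
    return 0;
}

/* Hardened model: an anti-rollback floor (generic countermeasure, assumed).
 * The FIRM must match the title's MAJOR.MINOR and must not be older than the
 * newest full version the device has already booted. */
int firm_accepted_hardened(const struct title_req *want, const struct firm_ver *have,
                           const struct firm_ver *floor)
{
    if (want->major != have->major || want->minor != have->minor)
        return 0;
    return firm_ver_cmp(have, floor) >= 0;
}

/* Constructed scenario; the numbers are invented and do not map to real 3DS
 * releases: titles want 2.50, the device last booted 2.50-11, and an older
 * 2.50-9 FIRM is written back to recover a patched exploit. */
static const struct title_req WANT = { 2, 50 };
static const char *FLOOR = "2.50-11";
static const char *OLD   = "2.50-9";

int demo_downgrade_vulnerable(void)          /* 1: the old FIRM is accepted */
{
    struct firm_ver old;
    if (parse_firm_ver(OLD, &old)) return -1;
    return firm_accepted_vulnerable(&WANT, &old);
}

int demo_downgrade_hardened(void)            /* 0: the old FIRM is refused */
{
    struct firm_ver floor, old;
    if (parse_firm_ver(FLOOR, &floor) || parse_firm_ver(OLD, &old)) return -1;
    return firm_accepted_hardened(&WANT, &old, &floor);
}

int demo_current_hardened(void)              /* 1: the current FIRM still boots */
{
    struct firm_ver floor;
    if (parse_firm_ver(FLOOR, &floor)) return -1;
    return firm_accepted_hardened(&WANT, &floor, &floor);
}

int demo_parse_revision(void)                /* 11, parsed from FLOOR */
{
    struct firm_ver v;
    return parse_firm_ver(FLOOR, &v) ? -1 : (int)v.revision;
}

int demo_parse_rejects_bad(void)             /* 1: "2.50" has no revision field */
{
    struct firm_ver v;
    return parse_firm_ver("2.50", &v) == -1;
}

int main(void)
{
    printf("vulnerable check accepts 2.50-9 for titles wanting 2.50: %d\n", demo_downgrade_vulnerable());
    printf("hardened check accepts 2.50-9:  %d\n", demo_downgrade_hardened());
    printf("hardened check accepts 2.50-11: %d\n", demo_current_hardened());
    return 0;
}
```

The point of the hardened variant is that the comparison granularity has to cover the field that actually changes between the vulnerable and the fixed build; when the titles themselves only name MAJOR.MINOR, that information has to come from somewhere the attacker cannot rewrite, which is why the floor is tracked by the loader rather than read from the replaced FIRM.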
