Hi all,
I'm in the process of documenting what is/was going on in the 3DS scene for a little presentation for security enthusiasts at my university, and I have some questions I am not able to find answers to on 3dbrew, so any help is appreciated.
Maybe I'll have more questions along the way. You don't have to be too precise in the answer; if you feel like I could find the info by searching, a little hint will suffice and I'll do the research.
Questions:
Pending:
Figured out:
1) In the first steps of the scene, was MSET 4.X the only place to go, or was there some kind of user-mode execution then?
There was no homebrew scene at the time, but devs were already working hard on useful-looking vulnerabilities.
2) Was MSET 4.X a discovery of the GW team?
Nope, it's not! The discovery belongs to a user called Ichifly in 2012, a long year before GW came.
3) What came first: MSET 6.X or HBL?
MSET 6.X as an exploit came first, but it was not so useful. More complete support for it was written after HBL, with rxtools and half the initial homebrew scene.
4) Was the first version supported by HBL the first version where webkit payloads were available?
HBL was designed for Cubic Ninja. *hax came afterwards.
5) Is the ARM11 code execution in *hax handled just by gspwn, or did it use another exploit in the past?
6) In the 9.0 to 9.2 versions, what is the exploit enabling ARM9 code execution, and how does brahma fit into this?
Brahma is in fact a privilege elevation exploit to easily execute a valid ARM9 payload on the 3DS system. This looks like it is widely used on 9.0/9.2 as the main method to gain full ARM9 access. (If I'm not mistaken, CFWs, D9 and ET9 work this way; I even think Gateway does something along these lines, but not with brahma.)
With gspwn's help, rohax helps to achieve firmlaunchhax. Both are used in (at least) the original brahma code. This grants ARM9 code execution. I got this part figured out, then. I guess the answer to 5 is also quite obvious now. gspwn is still alive in 10.5 and it will be around for good.
Approximate Scene Timeline:
Q2 2011 - Release of O3DS
2012 - Discovery of MSET exploit
Q3 2013 - Release of MSET 4.X and Gateway
Q3 2013 - Update 6.1 rolls in
Q4 2013 - Release of 2DS
Q4 2013 - Update 7.0 released (MSET exploit fixed)
Q4 2014 - 9.0 Update released
Q4 2014 - The homebrew launcher appears! (It uses gspwn and rohax!)
Q4 2014 - 9.3 Update released (rohax is fixed)
Q1 2015? - MSET 6.X release for Rxtools
Q2 2015 - 9.5 Update released (firmlaunchhax is fixed)
Q2 2015 - Release of N3DS/N3DSXL
Q2 2015 - Ninty secretly rolls out browser update nag support with 9.9
Q3 2015 - themehax/menuhax, browserhax releases!
Q3 2015 - Ninty browser update nag detonates with 10.1
Q4 2015 - Update 10.3 rolls in
Q4 2015 - 32c3 Talk. Memchunkhax2, ntrcardhax and arm9loaderhax are revealed.
Q1 2016 - The great downgrade happening. Hundreds of systems going to 9.2 and bricked thanks to memchunkhax2.
Q1 2016 - Updates 10.4 and 10.5 roll in a week apart. Memchunkhax2 is fixed on 10.4 ( :( )
Q1 2016 - The entire secret sector of the N3DS is leaked and decrypted, along with the 0x11 keyslot. N3DS users can go to the latest emunand! (Some devs have gone into 1.X land and grabbed nice things)
Q1 2016 - A known vulnerability is exploited to allow a FIRM replacement in updates 10.4 and 10.5 to recover memchunkhax2, but it requires a hardmod.
Q1 2016 - People are downgrading to very low versions (2.1.0) to grab the OTP register from their systems, allowing them to use arm9loaderhax!
Q1 2016 - Update 10.6 rolls in and it's still vulnerable to the FIRM replacement downgrade! Menuhax and Browserhax have (temporarily?) died :'(.
Last edited by Urbanshadow,