Toggle sidebar

Homebrew Trying to hack DSi Webbrowser (with PoC)

  • Thread starter Thread starter derplayer
  • Start date Start date
  • Views Views 19,999
  • Replies Replies 79
  • Likes Likes 17
Dionicio3 said:
Oh, must have missed that
Click to expand...
maciek12305 said:
But: nothing is over yet, i've an another one that looks very promising.
That one is capable of causing corruptions (look at the loading symbol in imgur picture bellow). Result is general application instability that leads then to an final crash.
PoC will come when its "stable" enough i guess it's a very fresh one.

Preview:
imgur.com/vPCf1T4.jpg
Click to expand...
 
  • Like
Reactions: Dionicio3
If I understand correctly:
Just because an app crashes, that means it’s an exploit (as long as you have a payload in the right place) So anyone can make an exploit as long as they get an app to crash
Am I correct?
I honestly have no understanding of how exploits are even made
 
Last edited by Alex4nder001,
Alex4nder001 said:
If I understand correctly:
Just because an app crashes, that means it’s an exploit (as long as you have a payload in the right place) So anyone can make an exploit as long as they get an app to crash
Am I correct?
I honestly have no understanding of how exploits are even made
Click to expand...
This is what alot of people think. The amount of threads here titled "I think i found an exploit" with the contents being an app crashing are too high. While a crash is part of most exploits, the crash has to open up a flaw in the system to allow a payload to run. Also, a crash is when a piece of software encounters an error and causes something to happen which prevents the software from continuing. Occasionally it allows an exploit but most of the time its a simple error.

*throws ds on floor*
Person: oo it crashed, must be an exploit
Everyone Else: -_-
 
  • Like
Reactions: Slackot
Mnecraft368 said:
This is what alot of people think. The amount of threads here titled "I think i found an exploit" with the contents being an app crashing are too high. While a crash is part of most exploits, the crash has to open up a flaw in the system to allow a payload to run. Also, a crash is when a piece of software encounters an error and causes something to happen which prevents the software from continuing. Occasionally it allows an exploit but most of the time its a simple error.

*throws ds on floor*
Person: oo it crashed, must be an exploit
Everyone Else: -_-
Click to expand...
I thought so
 
There are two camps here with regards to exploit discovery.
1. I made Thing crash! I found exploit! I will make a thread on GBAtemp and become famous!
2. You made Thing crash? Useless! Nothing ever comes from non-programmers finding crashes! GBAfail, amirite?

Both camps here are wrong, but the truth is closer to #2.
In any event, the best thing to do if you find a crash is to contact someone with a record of exploitation and tell them about it rather than make a gbatemp thread and risk embarrassment. The hacker will give you some credit if the crash amounts to something.
 
Last edited by zoogie,
  • Like
Reactions: Julie_Pilgrim, wicksand420 and (deleted member)
zoogie said:
There are two camps here with regards to exploit discovery.
1. I made Thing crash! I found exploit! I will make a thread on GBAtemp and become famous!
2. You made Thing crash? Useless! Nothing ever comes from non-programmers finding crashes! GBAfail, amirite?

Both camps here are wrong, but the truth is closer to #2.
In any event, the best thing to do if you find a crash is to contact someone with a record of exploitation and tell them about it rather than make a gbatemp thread and risk embarrassment. The hacker will give you some credit if the crash amounts to something.
Click to expand...

You know what. Given the number of people there are round here taking credit for exploits they didn't discover I'd say post away and understand that not all crashes are necessarily exploits. The potential is there for every crash though.
 
  • Like
Reactions: Julie_Pilgrim, ry755, ChampionLeake and 2 others
This isn't a viable exploit, as I cannot find a single way to use a ROP chain.
The amount of memory available is greatly limited, and I don't even know if the browser has SD card access privileges.
 
SimonMKWii said:
This isn't a viable exploit, as I cannot find a single way to use a ROP chain.
The amount of memory available is greatly limited, and I don't even know if the browser has SD card access privileges.
Click to expand...
Yes memory is limited but there are still many options if you can get ROP.... I have a IS-TWL-DEBUGGER so if you need anything tested please let me know.
 
  • Like
Reactions: zoogie
Normmatt said:
Yes memory is limited but there are still many options if you can get ROP.... I have a IS-TWL-DEBUGGER so if you need anything tested please let me know.
Click to expand...
There is absolutely no way whatsoever to get ROP using this method.
EDIT: Holy shit! Completely ignore everything I just said! This is 100% exploitable!
I was able to send arbitrary addresses to RAM to make the top or bottom screen turn a chosen colour on crash!
Someone else needs to modify the code to send a ROP chain, I'm not an expert with this, and I'm not sure what to send to kernel.
 
Last edited by SimonMKWii,
SimonMKWii said:
There is absolutely no way whatsoever to get ROP using this method.
EDIT: Holy shit! Completely ignore everything I just said! This is 100% exploitable!
I was able to send arbitrary addresses to RAM to make the top or bottom screen turn a chosen colour on crash!
Someone else needs to modify the code to send a ROP chain, I'm not an expert with this, and I'm not sure what to send to kernel.
Click to expand...
Quoting this so people can see your edit.

Best unintentional April Fools ever :p
 
  • Like
Reactions: wicksand420
zoogie said:
Quoting this so people can see your edit.

Best unintentional April Fools ever :P
Click to expand...
Trust me, it was 100% intentional!
Unfortunately nobody seemed to get it...
You need to change 0x18000 RAM addresses to fill both screens with a solid colour anyway, and good luck fitting that in the 2KB html file...
All it does is crash the browser, which I can do about 100 other ways!
Looking at the script, from the outset, it would be literally impossible to send any kind of arbitrary code whatsoever to the kernel.
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Tutorial  Build DSi NAND from scratch

Homebrew app  A-Pix DS 0.4 – Pixel art editor for Nintendo DS/DSi!

Hardware Misc  JIS or Phillips: What to use on a DSi?

If someone is interested in something, let me know :)

Hardware  After teardown nintendo dsi doesn't fit in its housing

Pokemon White

Hacking  Save File corruptes:(

using the ds's mic as a practical one?