And Super Secret arm11/9 3ds 11+ exploit has been patched.

Discussion in '3DS - Flashcards & Custom Firmwares' started by Priyam, Oct 26, 2016.

  1. Priyam
    OP

    Priyam Member

    Newcomer
    39
    31
    Jul 27, 2012
    India
    So, the super secret 3ds exploit that was being teased for months and was super guarded has been patched in the latest fw 11.2.
    https://twitter.com/TuxSH/status/791058471298994176

    It was supposed to be an exploit which would have allowed us to install A9HL on our 11.0 and 11.1 3ds.
    But, sadly it never released and now it has been patched. This is the biggest downside of withholding exploits and this is one fine example.

    SO, folks who have upgraded to 11.2 and still waiting for the secret arm9/arm11 exploit should just pack back home.
    And those who haven't updated yet, wait for the exploit, it should be released soon as there is no point in withholding any longer.
    https://www.reddit.com/r/3dshacks/comments/59eiby/dont_update_to_112_if_you_dont_have_cfw_patches/
     
  2. Posghetti

    Posghetti Greninja Master

    Member
    GBAtemp Patron
    1,064
    360
    Mar 15, 2016
    United States
    Michigan
    Ahh well that sucks. Gotta go back to the dsiwarehax when my Sun and Moon 3DS comes in. ):
     
    RustInPeace likes this.
  3. Akira

    Akira I'm not a SHRIMP!!!!

    Member
    988
    330
    Apr 28, 2013
    Still this can be used by a lot of users (if they release it) since pretty much Nintendo hasn't dispatched (hope so) 3ds consoles on 11.2.
     
  4. hellionz

    hellionz GBAtemp Advanced Fan

    Member
    514
    104
    Feb 24, 2007
    hummm interesting...I pray they release this soon, for 11.0 users...for soft is so hard and risk 2 consoles in the process

    Greetings
     
  5. astronautlevel

    astronautlevel Finding a reason, waiting for a miracle

    Member
    4,044
    5,083
    Jan 26, 2016
    United States
    That Nightly Site™
    Allow me to explain a bit (since I posted the reddit thread) -

    The exploit doesn't straight up let us install arm9loaderhax on 11.0/11.1.

    If you remember back in 11.0, Nintendo added an anti downgrade patch. When installing a title, the 3ds would check against a hardcoded version list stored in process9, and if the version was too low, it would fail. However, this method was imperfect, and is vulnerable to a type of race condition known as a TOCTTOU, or Time Of Check To Time Of Use. A TOCTTOU is an exploit where the data is changed after the validity of the data is checked, but before the data is used. In short, the way the process should work is:

    Application manager is asked to install newer version -> Version is checked against the process9 minimum version list -> Version is higher than minimum version -> Install

    or

    Application manager is asked to install older version -> Version is checked against the process9 minimum version list -> Version is lower than minimum version -> Abort

    The way it can end up working though is:

    Application manager is asked to install newer version -> Version is checked against the process9 minimum version list -> Version is higher than the minimum version -> Data is swapped out with older title -> Install older title

    This would basically allow us to downgrade NATIVE_FIRM to 10.4 (kind of like a hardmod downgrade) using software only and no secondary 3ds and no DSiWare.

    The reason I'm saying we only downgrade NATIVE_FIRM is because of the nature of the exploit. Although it would be perfectly possible to downgrade the entire system, the race condition would need to work for every single title you install, and due to the inherently unreliable nature of race conditions, it would be easier to downgrade NFIRM only and then downgrade normally.

    As far as I know, no code has been written for this yet.

    What happened in 11.2 was Nintendo prevented this race by doing a second version check. This effectively prevents the race.

    Note that even if this comes through for 11.0/11.1, we still won't be able to downgrade without an arm11 kernel exploit. An arm11 kernel exploit, however, was patched on 11.2. This kernel exploit, known as slowhax, has been implemented and gets arm11 kernel access (albeit after 20 minutes of waiting). It's possible now that it's been patched the author of the exploit will release it.
     
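    The check-then-use window described in the post above, as a constructed C model (added here, not code from the post or from any 3DS project): the vulnerable path checks a shared buffer and then installs from that same buffer, while the hardened path checks and installs one private copy. The version encoding (11.1 -> 11100), the minimum-version constant and the swap hook are assumptions for the simulation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for one entry of the process9 minimum version list. */
#define MIN_ALLOWED_VERSION 11000u   /* "11.0" in the assumed encoding */

typedef struct { uint32_t version; char name[24]; } title_t;

/* Hook run between check and use; it stands in for the concurrent write the
 * race depends on. NULL means nothing interferes. */
typedef void (*race_hook_t)(title_t *shared);

/* Vulnerable pattern: check the shared buffer, then install from the same
 * shared buffer. Returns the installed version, or 0 when aborted. */
uint32_t install_vulnerable(title_t *shared, race_hook_t hook) {
    if (shared->version < MIN_ALLOWED_VERSION) return 0;  /* time of check */
    if (hook) hook(shared);                               /* race window   */
    return shared->version;                               /* time of use   */
}

/* Hardened pattern: snapshot once, check the snapshot, install the snapshot.
 * What is checked is what is used, so the window closes. (The post says 11.2
 * instead added a second version check; this is the stricter variant.) */
uint32_t install_hardened(title_t *shared, race_hook_t hook) {
    title_t local;
    memcpy(&local, shared, sizeof local);
    if (local.version < MIN_ALLOWED_VERSION) return 0;
    if (hook) hook(shared);          /* the swap now misses the checked copy */
    return local.version;
}

/* Simulated interference: the buffer is replaced by an older title. */
static void swap_in_older_title(title_t *shared) {
    shared->version = 10400u;        /* "10.4" in the assumed encoding */
    strcpy(shared->name, "NATIVE_FIRM (old)");
}

/* Run one install path with the swap happening inside the window. */
uint32_t race_demo(uint32_t (*install)(title_t *, race_hook_t)) {
    title_t t = { 11100u, "NATIVE_FIRM (new)" };
    return install(&t, swap_in_older_title);
}

/* Run one install path with no interference at all. */
uint32_t direct_demo(uint32_t (*install)(title_t *, race_hook_t), uint32_t v) {
    title_t t = { v, "NATIVE_FIRM" };
    return install(&t, NULL);
}

int main(void) {
    printf("vulnerable installs %u, hardened installs %u\n",
           race_demo(install_vulnerable), race_demo(install_hardened));
    return 0;
}
```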
  6. KiiWii

    KiiWii GBAtemp Psycho!

    Member
    3,867
    1,387
    Nov 17, 2008
    United Kingdom
    Lol 20 min "slowhax".
     
  7. astronautlevel

    astronautlevel Finding a reason, waiting for a miracle

    Member
    4,044
    5,083
    Jan 26, 2016
    United States
    That Nightly Site™
    Basically the way slowhax works is it spawns a ton of new processes.

    The way Nintendo does "permissions" for services is that anything with a PID lower than the number of system modules gets full service access. Slowhax keeps creating new processes until the PID overflows to 0 (pid is stored unsigned), and then that process has full service access. Nintendo patched this by making the kernel panic if a userland process tries to make a new process with a PID of 0.
     
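    The PID wraparound described above, as a constructed C model (added here, not code from the post or from any 3DS project): an unsigned PID counter, a "low PID means full service access" rule, a vulnerable allocator that simply wraps, and a hardened allocator that refuses the spawn that would land on PID 0. The 8-bit PID width and the module count are assumptions chosen so the wrap is quick to reach; the post gives neither.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_SYSTEM_MODULES 8u      /* assumed; system modules occupy PIDs 0..7 */
typedef uint8_t model_pid_t;       /* assumed narrow width so the wrap is visible */

typedef struct { model_pid_t next_pid; } kernel_t;

/* Boot state: system modules already hold the low PIDs, userland starts after. */
kernel_t boot_kernel(void) { kernel_t k = { NUM_SYSTEM_MODULES }; return k; }

/* The permission rule from the post: PIDs below the module count get full
 * service access, with no check of what actually owns that PID. */
bool has_full_service_access(model_pid_t pid) { return pid < NUM_SYSTEM_MODULES; }

/* Vulnerable allocator: the unsigned counter wraps silently to 0. */
model_pid_t spawn_vulnerable(kernel_t *k) { return k->next_pid++; }

/* Hardened allocator, modelled on the described 11.2 fix: a userland spawn that
 * would receive PID 0 is refused (the real fix panics; here we return false).
 * Because a wrap always reaches 0 first, this also blocks PIDs 1..7 later. */
bool spawn_hardened(kernel_t *k, model_pid_t *out) {
    if (k->next_pid == 0) return false;
    *out = k->next_pid++;
    return true;
}

/* Spawn until the counter wraps; return the PID of the spawn after the wrap. */
model_pid_t wrap_demo_vulnerable(void) {
    kernel_t k = boot_kernel();
    unsigned spawns = 256u - NUM_SYSTEM_MODULES;   /* brings next_pid to 0 */
    for (unsigned i = 0; i < spawns; i++) spawn_vulnerable(&k);
    return spawn_vulnerable(&k);
}

/* Same sequence with the hardened allocator; true only if every spawn passed. */
bool wrap_demo_hardened(void) {
    kernel_t k = boot_kernel();
    model_pid_t p;
    unsigned spawns = 256u - NUM_SYSTEM_MODULES + 1u;
    for (unsigned i = 0; i < spawns; i++) if (!spawn_hardened(&k, &p)) return false;
    return true;
}

int main(void) {
    model_pid_t p = wrap_demo_vulnerable();
    printf("wrapped PID %u, full access: %d\n", p, has_full_service_access(p));
    printf("hardened spawn past the wrap allowed: %d\n", wrap_demo_hardened());
    return 0;
}
```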
  8. Mikemk

    Mikemk GBAtemp Advanced Maniac

    Member
    1,570
    563
    Mar 26, 2015
    United States
    I also like the name.
     
  9. Autz

    Autz GBAtemp Advanced Fan

    Member
    565
    264
    Feb 18, 2016
    Venezuela
    Just another normal day of a Temp user.
     
    XxShalevElimelechxX likes this.
  10. gamesquest1

    gamesquest1 Nabnut

    Member
    GBAtemp Patron
    14,150
    9,502
    Sep 23, 2013
    I like the name :/ seems bizarre they would patch exploits and still leave that stupid DSi downgrade method open....like wtf nintendo, up the FIRM version or pull the games, they have now patched an exploit that was unnecessary because they are stupid and allow the dsidowngrade method to continue to work for like 6 updates
     
    peteruk likes this.
  11. C0mm4nd_

    C0mm4nd_ Aspirant Wii U homebrew dev :P

    Member
    697
    338
    Oct 9, 2016
    Italy
    I'm on 11.1.0-34 :) Is there a way to launch a game that needs a firm update (DNS changing?)
     
  12. scorpiotaisho

    scorpiotaisho Harmoknight

    Newcomer
    56
    18
    Mar 25, 2013
    Cote d'Ivoire
    I don't think I follow. They patched it because of the flaws, not because of being a private exploit...
     
    Quantumcat and astronautlevel like this.
  13. Ar5chK3ks

    Ar5chK3ks GBAtemp Regular

    Member
    132
    14
    Mar 14, 2016
    Gambia, The
  14. gamesquest1

    gamesquest1 Nabnut

    Member
    GBAtemp Patron
    14,150
    9,502
    Sep 23, 2013
    don't try to point out that if this was released months ago then it would have been patched way before now anyway, and there was no point releasing something to be patched while there were perfectly usable alternatives, and that nobody has been stopped from downgrading by keeping this exploit back.....i mean.....come on what would people have to moan about then :creep:
     
  15. C0mm4nd_

    C0mm4nd_ Aspirant Wii U homebrew dev :P

    Member
    697
    338
    Oct 9, 2016
    Italy
  16. gamesquest1

    gamesquest1 Nabnut

    Member
    GBAtemp Patron
    14,150
    9,502
    Sep 23, 2013
    what game would need an update to 11.2, it was only released a couple of days ago, it's probably just a title update; afaik httpwn allows you to access the eshop to grab the update without updating your FW
     
  17. RustInPeace

    RustInPeace Samurai Cop

    Member
    3,117
    2,498
    Oct 13, 2014
    United States
    Yeah man.
     
  18. C0mm4nd_

    C0mm4nd_ Aspirant Wii U homebrew dev :P

    Member
    697
    338
    Oct 9, 2016
    Italy
    A title that isn't released (Moon :P)
     
  19. astronautlevel

    astronautlevel Finding a reason, waiting for a miracle

    Member
    4,044
    5,083
    Jan 26, 2016
    United States
    That Nightly Site™
    There is no private exploit; no code has been written for the exploit. The only thing that exists is a bug and it hasn't been exploited yet.

    Also, @gamesquest1 is exactly right. Even if there was a working exploit written it would make more sense to hold it back until DSiWare downgrading was patched.
     
    peteruk and Quantumcat like this.
  20. el_gonz87

    el_gonz87 GBAtemp Advanced Maniac

    Member
    1,559
    929
    Aug 24, 2016
    United States
    I don't have a dog in the fight since both my N3DS have A9LH, but if this new bug has been patched in 11.2, what's the point of holding it back until DSiWare downgrading gets patched (if ever by Nintendo, their 2DS margin is prob skyrocketing off of it LOL)?

    It would seem to me that if/when the dsiwarehax gets patched this new exploit will be useless on that FW, I could be wrong but it seems that was my understanding.

    Any who, thx for the info, hopefully more bugs keep popping up!
     
    astronautlevel likes this.