cubic ninja best hope for n3ds =<9.2 (kernel access)

Discussion in '3DS - Flashcards & Custom Firmwares' started by bsod, Feb 19, 2015.

  1. bsod
    OP

    bsod Member

    Newcomer
    12
    4
    Feb 19, 2015
    THIS IS NOT NINJHAX
    Some (all?) n3ds are shipping at 9.0, because of the new browser we cannot use it for ROP, but we can still use cubic ninja! "Oh this is a homebrew post, wrong forum." Nope, this is about using CN for kernel (privileged) code execution, complete control. This is not MSET, it works beyond 4.5 to my knowledge it was patched in 9.2.

I'm not going to say what others have said better http://yifan.lu/ <this man has worked with yellows8 or at least been in contact with him, and is a known vita hacker. Yifan Lu contacts sema on sema's writeup of ninjhax commenting on the GPU vulnerability (stage 2 of sema's writeup, also mentioned in Yifan's writeup); sema's reply is in relation to ninjhax and irrelevant for our exploit (except that cubic ninja hasn't been patched!) http://smealum.net/?p=517. We also learn a little from an Anon comment in response to sema: we learn that gateway uses stage 2 of the exploit but not sema's stage 3 or stage 4. Something quick to note is gateway uses the browser for ROP (stage 1), which is no longer an option on the n3ds. It's my guess the people at gateway are trying to find a new way to get ROP capability and that's why we haven't seen a n3ds model/update yet. BUT WE HAVE CUBIC NINJA!!

    If this is possible why hasn't sema done it already? Because sema does not want to give us kernel access. He is worried it will cause the spread of piracy, a noble stance but your homebrew is mainly emulators. I guess old ROMs are okay huh?

With Yifan's work and Ninjhax now being open source this should be done.
     


  2. Apache Thunder

    Apache Thunder I have cameras in your head!

    Member
    4,101
    4,024
    Oct 7, 2007
    United States
    Levelland, Texas
Gateway's current "Launcher" isn't set up to be launched from Cubic Ninja currently. The entry point isn't the same, so you'd have to build a new rop chain pretty much. Ninjhax's rop chain isn't set up to get kernel access in its current form, and if you did, the memory environment might not be the same, so Gateway's current payloads for other stages of the exploit might not work correctly or need retweaking.


Gateway will release their N3DS exploit by the time someone reverse engineers Ninjhax for kernel access. You're pretty much doing a full-on CFW at this point, and we all know what the track record for that is. The only reason the old 4.5 CFW even exists was due to a leak... :(
     
  3. luney

    luney GBAtemp Fan

    Member
    383
    87
    Aug 30, 2006
    United States
    Well hop to it! What are you waiting for? Sorry that was @ bsod and not you Apache, heh.
     
  4. VinsCool

    VinsCool Delusional

    Member
    GBAtemp Patron
    11,706
    27,742
    Jan 7, 2014
    Canada
    Another World
    In soon(tm) we trust :)
     
    2Hack, Margen67, SLiV3R and 1 other person like this.
  5. WulfyStylez

    WulfyStylez SALT/Bemani Princess

    Member
    1,149
    2,609
    Nov 3, 2013
    United States
    Like others have said, it's more than possible and it's already been done by some people. If you're actually capable of doing this though, gateway is completely useless. Counterproductive even.
     
    Margen67 likes this.
  6. Rokkubro

    Rokkubro GBAtemp Regular

    Member
    115
    141
    Apr 4, 2014
Technically it's possible to inject a modified version of Yifan's LoadCode (which is much easier to use than gateway's method) into the Thread 0 ROP of Ninjhax and use it to load the rest of the exploit now that you have userland.
    There are a couple of issues though, mainly that LoadCode is a Spider 4096 (old3ds 9.x) ROP chain, which means you'd have to port it to Skater (N3DS), which is difficult unless you know what you're doing (you might be able to work out the values by inspecting the code of Ninjhax). Also, the Gateway exploit loads some specific addresses into memory during the first stage (ROP) to be used by the second stage (ARM11). You'd need to load these addresses during your custom LoadCode AND you'd need to use memory locations that work for N3DS. In the first place though, you'd need to be able to change Smealum's Ninjhax code, and to do this you need (at the very least) the proprietary Blowfish key, which is somewhere within the code of Cubic Ninja (which is difficult to decrypt if you only have a N3DS). Additionally, the version of ctrulib Smealum lists as a dependency for Ninjhax doesn't work unless you manually add some functions yourself. On top of all this, once you actually DO get kernel access, you'll have to learn how to do everything yourself, as ctrulib and devkitarm only support userland code.

    Wow, I wrote a lot... Sort of became a rant in the end :P
    TL;DR - It's a #@%#ing pain to do and I've been working on it for over a week. Wait for Gateway, they'll probably be faster.
     
    Azel likes this.
  7. Kracken

    Kracken GBAtemp Regular

    Member
    257
    98
    Jan 12, 2015
    United States

The more people working on this the better. If people have the technical know-how and the ambition to help push things forward on N3DS, then I'd say go for it. Some of the best work in the various console scenes has been done by ambitious people who never received much financial compensation, if any. It's thanks to people like them that any scene even exists.
     
    Margen67 and SLiV3R like this.
  8. Rokkubro

    Rokkubro GBAtemp Regular

    Member
    115
    141
    Apr 4, 2014
    Thanks, I'm still working on it! I don't have much free time during the week, but this weekend I'll have time to work on it (almost) full time. Hopefully I'll have something to show off soon... Probably just the basic UVLoader from Spider3DS tools on N3DS
     
    Margen67 and Kracken like this.
  9. Kracken

    Kracken GBAtemp Regular

    Member
    257
    98
    Jan 12, 2015
    United States
    I have no idea what you are talking about, but thank you for doing it.
     
    Margen67 likes this.
  10. Rokkubro

    Rokkubro GBAtemp Regular

    Member
    115
    141
    Apr 4, 2014
    Oh, it's just the point at which I know I have userland code execution. More importantly though, it's the first point at which I'll be able to see that I've made any progress.
     
    Margen67 likes this.
  11. bsod
    OP

    bsod Member

    Newcomer
    12
    4
    Feb 19, 2015
This was actually my plan, but I first cast out a net to see who else may be doing the same thing. No need to start at page 1 if I can help someone in progress.

In my post I focused mainly on the n3ds; this is also a gateway-free solution for the old 3ds as well. The actual exploits would be slightly different: mem locations, spider/skater etc.

    Apache Thunder
I am aware this would not work "out-of-the-box"; I was merely referencing gateway and ninjhax as a proof of concept.
    Deathracelord
You make a VERY good point about a possible new memory configuration; I wasn't thinking about that at the time of the post. Perhaps it would be easier to first create the exploit for the old 3ds, then modify it for the n3ds? I was laid off recently and would like to offer any help I can to you; currently I have some free time.

I may begin work on the old 3ds first, since more is known about it. I have both a 9.2 old 3ds and a 9.0 n3ds.
     
    Margen67 likes this.
  12. gamesquest1

    gamesquest1 Nabnut

    Member
    14,119
    9,454
    Sep 23, 2013
And if this happened the price of cubic ninja would sky-rocket again... or everyone would buy sky3ds cards.
     
    satel likes this.
  13. bsod
    OP

    bsod Member

    Newcomer
    12
    4
    Feb 19, 2015
    Kernel by ways of Cubic Ninja will happen.
    I guess it HAS happened.
I will be working on this and others (Deathracelord). It seems like private efforts are completed and functioning. Gateway or CB, whichever is cheaper, I'd say. Does sky have privileged mode? From what I have gathered gateway>sky; I own neither.

    edit: every time I try to link deathracelord it links DeaTh instead :glare:
     
    Margen67 likes this.
  14. Slushie3DS

    Slushie3DS Cold Beverage Lover

    Member
    707
    294
    Jan 9, 2015
    United States
    Tfw spiderhax can have its offsets changed to work with SKATER, making this post useless.

     
  15. bsod
    OP

    bsod Member

    Newcomer
    12
    4
    Feb 19, 2015
    Then why hasn't it been done? Kernel mode has yet to be achieved publicly by use of cubic ninja. YOUR post was useless. Thanks.
     
    Margen67 likes this.
  16. Slushie3DS

    Slushie3DS Cold Beverage Lover

    Member
    707
    294
    Jan 9, 2015
    United States
It's already been confirmed as possible directly in Smea's Regionthree readme, which, again, uses spiderhax. No one has really cared to do it yet because a lot of REs are waiting until the N3DS is more matured.
     
  17. bsod
    OP

    bsod Member

    Newcomer
    12
    4
    Feb 19, 2015
I did not read Regionthree because I do not need region free; I will go read it after posting. What about the old 3ds then? The same exploit can be used on it, all the information is there, so why is there no kernel access for it? (No gateway, no sky, talking only cubic ninja.)
     
    Margen67 likes this.
  18. bsod
    OP

    bsod Member

    Newcomer
    12
    4
    Feb 19, 2015
Even if sema has it, he's not going to give it to us. He is against new game piracy.
     
  19. shinyquagsire23

    shinyquagsire23 SALT/Sm4sh Leak Guy

    Member
    1,962
    3,231
    Nov 18, 2012
    United States
    Las Vegas
    I was under the impression that skater was not vulnerable to the same overflow as spider. Is it just not being "overflown" enough by the current exploit?
     
  20. Slushie3DS

    Slushie3DS Cold Beverage Lover

    Member
    707
    294
    Jan 9, 2015
    United States
Spiderhax, otherwise known as WebKit exploiting, is possible without the game. It is used in Yifan Lu's spider3DStools to gain ARM11 kernel access, and I believe it was used in another exploit system to gain ARM9. It crashes the browser into a panic while injecting a binary. Yifan Lu is already working on a way to open the Homebrew Launcher's boot.3DSX via the browser in his exploit dubbed spiderninja, which you can see below, and which was only shown for a bit before being removed. In the Regionthree Readme, Smea states that the exploit will not work with SKATER, but the code is there, and he hinted that anyone can do it. I haven't looked much into SKATER, as I do not own an N3DS, but it's pretty safe to assume that it still uses WebKit, meaning it should still be possible with a bit of rewriting. You seem to be very dependent on a game, which ultimately is not something a long-term exploit should depend on.


    Why wouldn't it be? If SKATER is still relying on WebKit, which I am pretty sure it is, I don't see why it wouldn't work on it. Again, I'm just working off of what Smea hinted at in his Readme.
