Hacking GO Exploit

bytor

Well-Known Member
Member
Joined
Mar 5, 2008
Messages
299
Trophies
0
XP
267
Country
I don't have a Scooby Doo what any of this means lol

If it's a browser exploit isn't this going to be easily patchable by Nintendo by updating the browser in a future firmware update..? So we could all be stuck on 9.4 forever..?
 

Vappy

Well-Known Member
Member
Joined
May 23, 2012
Messages
1,508
Trophies
2
XP
2,613
Country
So it should be possible to launch all the old Launcher.dat homebrew that existed for MSET exploit with it then?
If they were pure ROP, sure, but most of them weren't. They also made use of the chained Process9 exploit present on 4.5.
Wintermute ported mset to 6.x, so if a homebrew will work with that on 6.x, it's a safe bet you'll be able to make it work with this webkit exploit too.
 

Arras

Well-Known Member
Member
Joined
Sep 14, 2010
Messages
6,318
Trophies
2
XP
5,426
Country
Netherlands
I don't have a Scooby Doo what any of this means lol

If it's a browser exploit isn't this going to be easily patchable by Nintendo by updating the browser in a future firmware update..? So we could all be stuck on 9.4 forever..?

It's already limited to 9.2.
 

PewnyPL

Well-Known Member
Member
Joined
Feb 2, 2014
Messages
771
Trophies
1
XP
2,193
Country
Poland
If they were pure ROP, sure, but most of them weren't. They also made use of the chained Process9 exploit present on 4.5.
Wintermute ported mset to 6.x, so if a homebrew will work with that on 6.x, it's a safe bet you'll be able to make it work with this webkit exploit too.
Hmmm, so in other words current ROP chain doesn't give the ARM 9 exec, it's the Launcher.dat that contains the final exploit, unlike the old chain. Gotcha then.
 

ernilos

Well-Known Member
OP
Member
Joined
Aug 28, 2013
Messages
145
Trophies
0
Location
CAT
XP
280
Country
United States
If they were pure ROP, sure, but most of them weren't. They also made use of the chained Process9 exploit present on 4.5.
Wintermute ported mset to 6.x, so if a homebrew will work with that on 6.x, it's a safe bet you'll be able to make it work with this webkit exploit too.
Not really. Launcher.dat might have had big changes in the way it exploits the console to get kernel execution; if I remember right, rewriting the exception vtable was already fixed, so it might use another exploit to get code execution on that range of firmware.
The browser is just one entry point, it isn't an exploit...
 

Kylecito

eats warnings for breakfast
Member
Joined
May 6, 2009
Messages
356
Trophies
0
XP
874
Country
Cote d'Ivoire
Is it possible to crawl the domain to see if they have a test version for n3DS? If they work in different timezones they must have something up online for testing.
 

Zidapi

Well-Known Member
Member
Joined
Dec 1, 2002
Messages
3,112
Trophies
3
Age
42
XP
2,681
Country
Is it possible to crawl the domain to see if they have a test version for n3ds? If they work on different timezones they must have something up online for testing
No. Because the n3DS doesn't use the same entry point (the browser) to launch the loader.

I think others have said that you are prompted to update your system when you launch the web browser on the n3DS.

It's believed the New 3DS will use the Mii Maker entry point that SonyUSA showed off in her n3DS setup guide last week.

It'd been mentioned prior to that, by piratesephiroth and a few other people, but it kind of went unnoticed or just forgotten about because no one knew who MathewE was, or how to get in contact with him. And it's almost certain he won't be publicly releasing his work either way. :P
Actually it's suggested above that he may be involved with the PS3 scene, if this is the case there may be hope for a release after all.
A well-known PS3 hacker. Matthew CFW and so on, if I remember right.
 

ken28

Well-Known Member
Member
Joined
Oct 21, 2010
Messages
1,181
Trophies
1
XP
1,693
Country
Germany
No. Because the n3DS doesn't use the same entry point (the browser) to launch the loader.

I think others have said that you are prompted to update your system when you launch the web browser on the n3DS.

It's believed the New 3DS will use the Mii Maker entry point that SonyUSA showed off in her n3DS setup guide last week.


Actually it's suggested above that he may be involved with the PS3 scene, if this is the case there may be hope for a release after all.
I am not sure on that one, I may as well just be confusing the name.
 

dela

Well-Known Member
Newcomer
Joined
Dec 6, 2014
Messages
78
Trophies
0
Location
Cagliari
XP
142
Country
Italy
MathewE has updated the pastebin

http://pastebin.com/yv4pmJtm

CFW - 9.2.0-20, EmuNAND > 9.4.0-21
Swebug v124

keyX: 0x01 0x39 0x72 0xAE 0x6D 0xDD 0x49 0x31 0x32 0x95 0xEE 0xF5 0xCE 0x21 0xDE 0xB6
keyY: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

0x0000:CTR1: 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0x01 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
CTR-: 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF

0x0010CODE
Gateway Card Patch
Roms from sdmc
Unsigned roms
High level access roms
Write to ram
AR-like codes (experimental)
Decryption (cmd1 file filetype keyslot)
NCCH patch
0-key acception
no key acception (boost arm9)
Loading unsigned NATIVE_FIRM from sdmc ("Native.bin")

revision 21 http://www.filedropper.com/execute
 

williamcesar2

Well-Known Member
Member
Joined
Jun 21, 2013
Messages
669
Trophies
0
Age
36
Location
New York City
XP
459
Country
United States
It looks like the "GO Exploit" is the Swebug exploit that the enigmatic MathewE documented on this pastebin in early December, as it mentions the 0x200 bytes in the notes.

The Swebug 3DS bug
Code:
Bug found: 12/6/14 9:24 PM
Posted: 12/8/14 12:36 AM
Updated: 12/8/2014 7:32 PM
 
Bug tested on:
-New 3DS 9.2.0-20J
-2DS 9.0.0-20E
-3DS 4.5.0-4U
--EmuNAND 9.2.0-20U
-3DS 5.0.0-11E
-3DS 6.3.0-12J
-3DS 9.1.0-20J
-3DS XL 9.0.0-20U
--EmuNAND 9.2.0-20U
-3DS XL 9.2.0-20U
-Dev 3DS (2)
-New 3DS 9.0.0-20E
-New 3DS 9.3.0-21J
 
Bug worked:
-New 3DS 9.2.0-20J
-New 3DS 9.0.0-20E
-New 3DS 9.3.0-21J
 
Bug location:
Internet Browser
Repeating CTR Savegame
 
"boot.12.8.14.zip" MD5: CE CE F5 8B 99 47 C5 61 DA 52 44 D3 72 3D 85 39
"revision.12.8.14.zip" MD5: 23 CE 1B 24 4E 56 E7 0C 9D A8 17 31 F4 5F 24 00
 
Contents:
"webkit_root.zip" webkit bug
"savetest_multi.zip" pre-written savegame bug (AQNx) (ACVx)
"savecreate_root.zip" savegame bug
"extdata_root.zip" savegame bug for extdata
"hellow_world.khb" test homebrew

The notes
Code:
savegame bug:
rop:
set 0x00 as start instead of 0x2000
0x00000100
0x00000010
0x00004120
0x00000200
0x0000FF20
0x01111110
0x00001210
0x00000100
0x0023A010
0x0023A010
0x00000100
0x0000FF20
0x0023A010
0x0B1BCE90
0x0000FF20
0x0000FF20
0x0023A010
0x0000A1B0
0x0000A1B0
0x0000A1B0
0x0000A1B0
0x0000A1B0
0x0000A1B0
0x00000100
0x0023A010
0x0023A010
0x0023A010
0x00000100
0x00000100
0x0B1BCE90
0x00000100
0x0A121730
0x0000FCF0
0x0000FCF0
0x0000FCF0
0x0A121730
0x0A121730
0x0A121730
0x00000100
0x00004120
0x00004120
0x00004120
0x00004120
jump to internetBrowser
 
webkit bug:
localhost.***/savegame/gameID/1112/bug.html
FF FF FF FF 01 22 00 20
byte 4
FF^0x1
0xF(G)/FF 01/(02)
(0x0102 02 01)



yeah, I think GW team bought this exploit from him
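The pastebin quoted above publishes MD5 checksums for the two zip archives as space-separated upper-case byte values. Here is an added example (not from the thread or from MathewE's pastebin) of how a practitioner would check a downloaded archive against a hash published in that format, with the two published hash strings taken from the post and the file contents constructed inline. MD5 is not collision resistant, so a match only tells you the download was not corrupted or silently swapped in transit; it says nothing about who produced the file.

```python
import hashlib
import hmac
import re

# Hash lines copied from the pastebin quoted in the thread (page values).
PUBLISHED = {
    "boot.12.8.14.zip": "CE CE F5 8B 99 47 C5 61 DA 52 44 D3 72 3D 85 39",
    "revision.12.8.14.zip": "23 CE 1B 24 4E 56 E7 0C 9D A8 17 31 F4 5F 24 00",
}


def parse_spaced_hex(text):
    """Normalise 'CE CE F5 ...' into a lowercase 32-character hex digest.

    Whitespace is dropped; anything that is not exactly 16 hex bytes is
    rejected so a truncated or mistyped line cannot silently "match".
    """
    cleaned = re.sub(r"\s+", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{32}", cleaned):
        raise ValueError("not a 16-byte MD5 hex string: %r" % text)
    return cleaned


def format_spaced_hex(digest_hex):
    """Inverse of parse_spaced_hex: 'cecef5...' -> 'CE CE F5 ...'."""
    digest_hex = digest_hex.lower()
    return " ".join(digest_hex[i:i + 2].upper() for i in range(0, 32, 2))


def md5_hex(data):
    """MD5 of an in-memory byte string as a lowercase hex digest."""
    return hashlib.md5(data).hexdigest()


def verify_download(name, data, published=PUBLISHED):
    """Return (matches, actual_hex) for file `name` with contents `data`.

    hmac.compare_digest is used so the comparison does not leak where the
    two strings first differ; harmless here, but it is the habit to keep.
    """
    expected = parse_spaced_hex(published[name])
    actual = md5_hex(data)
    return hmac.compare_digest(expected, actual), actual


if __name__ == "__main__":
    # Constructed stand-in for a downloaded archive; it will not match the
    # published hash, which is exactly what a tampered or wrong file looks like.
    sample = b"constructed placeholder bytes, not the real boot.12.8.14.zip"
    ok, actual = verify_download("boot.12.8.14.zip", sample)
    print("boot.12.8.14.zip:", "OK" if ok else "MISMATCH", format_spaced_hex(actual))
```

Run it against the real files by reading them with `open(path, "rb").read()` in place of the constructed `sample`; a mismatch means do not unpack the archive, and a match still leaves you with only the pastebin's word for what is inside.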
 

Maximilious

Whistles a familiar tune
Member
Joined
Nov 21, 2014
Messages
2,571
Trophies
1
XP
1,855
Country
United States
Sorry, missed EmuNAND from my post!


You're running this exploit before you're even in emunand on your SysNAND 9.2 system. Once you're in emunand there is no need to run this exploit again, so no worry about being stuck on a particular firmware in emunand.
 

Kakkoii

Old fart
Member
Joined
Sep 14, 2007
Messages
631
Trophies
0
XP
586
Country
Canada
MathewE has updated the pastebin

http://pastebin.com/yv4pmJtm
CFW - 9.2.0-20, EmuNAND > 9.4.0-21
Swebug v124

keyX: 0x01 0x39 0x72 0xAE 0x6D 0xDD 0x49 0x31 0x32 0x95 0xEE 0xF5 0xCE 0x21 0xDE 0xB6
keyY: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

0x0000:CTR1: 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0x01 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
CTR-: 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF

0x0010CODE
Gateway Card Patch
Roms from sdmc
Unsigned roms
High level access roms
Write to ram
AR-like codes (experimental)
Decryption (cmd1 file filetype keyslot)
NCCH patch
0-key acception
no key acception (boost arm9)
Loading unsigned NATIVE_FIRM from sdmc ("Native.bin")

revision 21 http://www.filedropper.com/execute

This would be fucking amazing if it's actually a 9.2 cfw... bump for visibility. Hopefully someone more knowledgeable can take a look at this.
 
