Hacking the latest firmware of 3DS - ARM9 Hack

Discussion in '3DS - Tutorials' started by 173210, Aug 1, 2015.

Aug 1, 2015
  1. 173210
    OP

    Member 173210 GBAtemp Regular

    Joined:
    Jan 22, 2014
    Messages:
    245
    Location:
    Japan
    Country:
    Japan
    Notice
You may know that I do NOT intend to promote piracy. I believe the PSP hacking scene was so successful because fewer people regarded piracy as their goal.

    What is ARM9
The 3DS has two CPUs, and they have different architectures. I'll call them by the names of their architectures: ARM9 and ARM11.
    The main reason why it has two CPUs is compatibility; ARM9 is compatible with the DS while ARM11 is used to improve performance. However, the design also improves security by letting ARM9 play the security-related role.

    Vulnerability on ARM9
ARM9 has all permissions on the 3DS and it can do most things. For example, ARM9 can make ARM11 execute arbitrary code. This means ARM9 is always the target for hacking.

    Practice
ARM9 has several interfaces and you'll hack it through them. The largest part is PXI.

    PXI
PXI is the interface for Process9, a process running on ARM9. Process9 has services which execute commands sent by ARM11. 3dbrew.org has the list of those services.
    http://3dbrew.org/wiki/PXI_Services/

    The protocol is also explained on the site.
    http://3dbrew.org/wiki/PXI_Registers/

    The site also has descriptions for commands, but they are incomplete.
    http://www.3dbrew.org/wiki/Services_API/

As you can see, it doesn't have so many commands. That's the advantage of the design. You must hack those commands, which are the most secure part.
    But it doesn't mean the 3DS can't be hacked. It depends on who does it.

    Debugging
Unfortunately, we don't have a debugger working "well". The largest reason is that few people have tried to make one. But I don't recommend making a new debugger. As I said, the system is divided into ARM9 and ARM11, and ARM9 plays only the security-related role. It's nearly impossible to communicate with a PC via Wi-Fi or IR.
    However, you don't have to give up. I developed an exception handler for ARM9 in rxTools which displays exceptions on the screen. I recommend using this.

    rxTools
It hooks SWI on ARM11 because it needs ARM11 to handle the LCD. So something must call SVC on ARM11. Anyway, "something" will always call SVC even if you don't.

When an exception occurs, the handler sets the address of the framebuffer to the top of VRAM (0x18000000) and writes the exception information to VRAM. You can change the color of the background by clearing VRAM before the exception occurs, because the rest is left as it is. Otherwise it shows garbage from VRAM.

    2015-07-31-exception.jpg
You can see what the "garbage" is. Next, I'll explain the information shown on the display.

    Type
    The document by ARM is good for this.
    http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ihi0014q/I84795.html

    If you have "Data Abort" with a writing instruction, it may be exploitable.
    If you have "Prefetch Abort", it may be exploitable.
If you have "Data Abort" with a reading instruction, disassemble and study it well. If you can't figure it out, try to input some valid value, or ask someone skillful.

    Registers
    ARM provides documentation.
    http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0337h/Chdedegj.html

If you got LR control, you are likely able to exploit it. The final goal is to control PC (and execute your own code).
     
    Last edited by 173210, Aug 1, 2015 - Reason: Fix URLs
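The Type section above distinguishes a Prefetch Abort from a Data Abort, and a Data Abort on a reading instruction from one on a writing instruction. The following is an added example of my own, not rxTools code, showing how an ARM9 (ARMv5TE) exception handler can make that distinction from what it sees at entry: the vector that fired, the banked LR and the SPSR. It recovers the faulting PC with the standard ARM LR offsets and decodes the ARM-state instruction word to tell a load from a store. The instruction words and addresses in the sample are constructed; Thumb-state decoding is not implemented and is reported as unknown.

```c
/* Added example (not rxTools code): classify an ARM9 (ARMv5TE) exception the
 * way the post's Type section does, from the handler's view at entry.
 * ARM state only; Thumb-state data aborts are reported as unknown. */
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

#define VEC_UNDEF 0x04u   /* undefined instruction vector */
#define VEC_PABT  0x0Cu   /* prefetch abort vector */
#define VEC_DABT  0x10u   /* data abort vector */
#define CPSR_T    (1u << 5)

typedef enum {
    EXC_UNKNOWN = 0, EXC_UNDEFINED, EXC_PREFETCH_ABORT,
    EXC_DATA_ABORT_READ, EXC_DATA_ABORT_WRITE
} exc_type;

typedef struct {
    uint32_t vector;  /* which exception vector fired */
    uint32_t lr;      /* LR banked in abort/undef mode at entry */
    uint32_t spsr;    /* CPSR of the interrupted code */
} exc_entry;

/* ARM ARM: LR_abt = faulting insn + 8 for a Data Abort, + 4 for a Prefetch
 * Abort; LR_und = the next instruction (+4 in ARM state, +2 in Thumb). */
uint32_t faulting_pc(const exc_entry *e)
{
    switch (e->vector) {
    case VEC_DABT:  return e->lr - 8;
    case VEC_PABT:  return e->lr - 4;
    case VEC_UNDEF: return (e->spsr & CPSR_T) ? e->lr - 2 : e->lr - 4;
    default:        return e->lr;
    }
}

/* 1 = the ARM-state instruction loads from memory, 0 = it stores,
 * -1 = not a memory access (or not decoded here). */
int arm_insn_is_load(uint32_t insn)
{
    uint32_t op = (insn >> 25) & 7;   /* bits 27:25 select the class */
    int l = (insn >> 20) & 1;         /* L bit: 1 = load, 0 = store */

    if (op == 2 || op == 3) return l;          /* LDR/STR word or byte */
    if (op == 4)            return l;          /* LDM/STM */
    if (op == 6)            return l;          /* LDC/STC */
    if (op == 0 && (insn & 0x90) == 0x90) {    /* bit 7 and bit 4 set */
        uint32_t sh = (insn >> 5) & 3;
        if (sh == 0)                           /* SWP or a multiply */
            return ((insn >> 23) & 0x1F) == 2 ? 0 : -1;  /* SWP writes */
        if (sh == 1) return l;                 /* LDRH / STRH */
        if (sh == 2) return 1;                 /* LDRSB, or LDRD (both load) */
        return l;                              /* LDRSH / STRD */
    }
    return -1;
}

/* insn is the word at faulting_pc(e); a real handler reads it from memory,
 * the sample below passes constructed values instead. */
exc_type classify(const exc_entry *e, uint32_t insn)
{
    if (e->vector == VEC_UNDEF) return EXC_UNDEFINED;
    if (e->vector == VEC_PABT)  return EXC_PREFETCH_ABORT;
    if (e->vector != VEC_DABT)  return EXC_UNKNOWN;
    if (e->spsr & CPSR_T)       return EXC_UNKNOWN;   /* Thumb not decoded */
    switch (arm_insn_is_load(insn)) {
    case 1:  return EXC_DATA_ABORT_READ;
    case 0:  return EXC_DATA_ABORT_WRITE;
    default: return EXC_UNKNOWN;
    }
}

const char *exc_name(exc_type t)
{
    static const char *names[] = { "Unknown", "Undefined Instruction",
        "Prefetch Abort", "Data Abort (read)", "Data Abort (write)" };
    return names[t];
}

int main(void)
{
    /* constructed samples: STR r0,[r1] and LDR r0,[r1] faulting at 0x08000100 */
    exc_entry dabt = { VEC_DABT, 0x08000108u, 0x1Fu };
    exc_entry pabt = { VEC_PABT, 0x08000104u, 0x1Fu };
    printf("%s at %08" PRIX32 "\n", exc_name(classify(&dabt, 0xE5810000u)), faulting_pc(&dabt));
    printf("%s at %08" PRIX32 "\n", exc_name(classify(&dabt, 0xE5910000u)), faulting_pc(&dabt));
    printf("%s at %08" PRIX32 "\n", exc_name(classify(&pabt, 0)), faulting_pc(&pabt));
    return 0;
}
```

In a real handler the report string would be rendered into the framebuffer at 0x18000000 as the post describes; here it just goes to stdout so the decoding logic can be checked on a PC.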


  2. zoogie

    Member zoogie simple pimp tool

    Joined:
    Nov 30, 2014
    Messages:
    5,531
    Country:
    United States
    Nice work.
Is this debugger you made built into the main rxTools branch?
     
    Alkéryn likes this.
  3. 173210
    OP

    Member 173210 GBAtemp Regular

    Joined:
    Jan 22, 2014
    Messages:
    245
    Location:
    Japan
    Country:
    Japan
    Not yet, but I think it will be included soon.
     
    Margen67 and zoogie like this.
  4. Xenon Hacks

    Member Xenon Hacks GBAtemp Guru

    Joined:
    Nov 13, 2014
    Messages:
    7,005
    Country:
    United States
    I love you bro <3
     
    Margen67 likes this.
  5. DarkFlare69

    Member DarkFlare69 GBAtemp Psycho!

    Joined:
    Dec 8, 2014
    Messages:
    4,467
    Location:
    Ohio
    Country:
    United States
    Is this serious?
     
  6. zoogie

    Member zoogie simple pimp tool

    Joined:
    Nov 30, 2014
    Messages:
    5,531
    Country:
    United States
    He's not announcing an exploit, he's just discussing how to approach developing a new arm9 exploit.
    Developer stuff.
     
    Margen67 likes this.
  7. DarkFlare69

    Member DarkFlare69 GBAtemp Psycho!

    Joined:
    Dec 8, 2014
    Messages:
    4,467
    Location:
    Ohio
    Country:
    United States
My bad, I clicked on the EoF and it redirected me to this forum. It looked legit but I was wondering why it was in the EoF. Then I saw it was in the proper forum.
     
  8. motezazer

    Member motezazer GBAtemp Maniac

    Joined:
    Feb 6, 2015
    Messages:
    1,214
    Country:
    France
    The problem is that, without an ARM11 kernel exploit, we can't send arbitrary PXI commands to ARM9...
    And yellows8 said ARM11 kernel was now pretty airtight. Hacking new firmwares that way is terribly difficult, I warn you.
     
  9. 173210
    OP

    Member 173210 GBAtemp Regular

    Joined:
    Jan 22, 2014
    Messages:
    245
    Location:
    Japan
    Country:
    Japan
    I don't know what yellows8 said, but unless they enable ASLR, it can't be tighter than PSP.
    And, in my assumption, ninjhax2 may have ARM11 kernel exploit. But it's just an assumption.
     
    Margen67 likes this.
  10. Bug_Checker_

    Member Bug_Checker_ GBAtemp Advanced Fan

    Joined:
    Jun 10, 2006
    Messages:
    925
    Country:
    United States
    Can you edit out the trailing '/' on the PXI/ 3Dbrew links? (otherwise they link to invalid pages)
     
  11. motezazer

    Member motezazer GBAtemp Maniac

    Joined:
    Feb 6, 2015
    Messages:
    1,214
    Country:
    France
    ninjhax2 doesn't have access to any services. It doesn't have a kernel exploit.

    Anyway, ASLR isn't needed to make a secure kernel.
1) We don't have that many interfaces with the kernel (except for syscalls). The kernel doesn't do a lot and the services are filtering.
    2) Syscalls were secured from buffer overflows in 5.0
    3) SlabHeap was secured in 8.0
    4) Memory chunks were secured in 9.3

    There isn't really a lot of things left for attacking.
     
    Arcanuskun likes this.
  12. gudenaurock

    Member gudenaurock Never a unique idea

    Joined:
    Jul 7, 2010
    Messages:
    3,095
    Location:
    /dev/random
    Country:
    United States
    So, did you get ARM11 from ARM9?
     
  13. 173210
    OP

    Member 173210 GBAtemp Regular

    Joined:
    Jan 22, 2014
    Messages:
    245
    Location:
    Japan
    Country:
    Japan
  14. Ryu Kenshin

    Member Ryu Kenshin GBAtemp Regular

    Joined:
    Jul 15, 2015
    Messages:
    186
    Country:
    Vietnam
How about JTAG or a modchip? I think if the software-based hack is blocked, we can switch to hardware-based :D
     
    Margen67 and Attila13 like this.
  15. Selim873

    Member Selim873 Nunnayobeesnes

    Joined:
    Jul 31, 2010
    Messages:
    1,133
    Location:
    Chillin' with Bob Ross
    Country:
    United States
    Most people spent their money on Cubic Ninja, I don't think they'll want to spend even more. :P
     
  16. Intronaut

    Member Intronaut An star maker

    Joined:
    Nov 18, 2014
    Messages:
    726
    Country:
    Chile
I don't know if it's technically possible, but maybe we can hack newer firmwares by trying to get control of the AM service and downgrade (or something like it) to 9.2 with legit CIAs.

    Yeah, but we have to get access to AM service first :cry:
     
  17. motezazer

    Member motezazer GBAtemp Maniac

    Joined:
    Feb 6, 2015
    Messages:
    1,214
    Country:
    France
    And how do you install a downgraded NATIVE_FIRM?

    — Posts automatically merged - Please don't double post! —

Hint: JTAG is disabled on the New 3DS!
    And modchips are very difficult, because:
    - you can't mod ARM9 RAM or ARM11 kernel RAM
    - FCRAM is difficult to mod, and a tech would have to spend hours to do that. Not consumer-friendly.
     
  18. WateredFire19

    Banned WateredFire19 Banned

    Joined:
    Aug 23, 2014
    Messages:
    643
    Country:
    United States
I think gaining access to the AM service should be the priority. Because 4.0 - 9.2 has the most hacks, it would be easier to create one for 9.3+ to go to lower firmwares than to recreate all the 4.0 - 9.2 stuff for 9.3+.
     
  19. motezazer

    Member motezazer GBAtemp Maniac

    Joined:
    Feb 6, 2015
    Messages:
    1,214
    Country:
    France
    Only NIM has access to AM:NET
     
  20. WateredFire19

    Banned WateredFire19 Banned

    Joined:
    Aug 23, 2014
    Messages:
    643
    Country:
    United States
I know that, but if we find an exploit that lets us access the AM service, then getting FBI to work will be easier than going right to unsigned CIAs. I think unsigned CIAs should never be what we are aiming for in 9.3 and up. Getting a way to install legit CIAs would be better and would allow downgrading.
     
