Hello all.
First of all, excuse me if this is the wrong section for this thread. Feel free to move it accordingly.
I am fairly new to the 3DS scene (bought a 2DS like two weeks ago), but I've already gone through most of the concepts and managed to mess around with my unit.
The thing is, my 2DS came with version 8.1.0 preinstalled, so the only known exploit I could use was the webkit exploit. Everyone is well aware of the "must have an internet connection" limitation, and some may also know that there are several Android apps to set up a hotspot with the payloads hosted there.
Still, this feels like it's not enough. Thus, I have two ideas for possible offline exploitation of the webkit vulnerability:
- Check if the Internet Browser mounts the SD card, and if it does, browse to the payloads directly in the SD card. This is fairly trivial, so I guess someone else must have checked before. If not, what would I need to check if the Internet Browser app mounts the SD card? Extract the NAND, decrypt it, then reverse-engineer the binaries? Any pointers for this last step?
- Modify the content of certain apps that use HTML and flash it back to sysNAND. I've seen (at the 3dbrew wiki) that title 0004001B00018102 includes some HTML files for the Miiverse offline mode starting from 7.0.0-13. In principle, if these are rendered using a vulnerable version of webkit (apparently in 0004001B00018202), it would be possible to modify them and then trigger the exploit by going to the Miiverse offline mode. Again, has anyone tried this before, or is anyone aware of any hash/signature checks performed on these HTML files before they are rendered?