Ideas for an offline webkit exploit

Discussion in '3DS - Homebrew Development and Emulators' started by fürdielulz, Jul 24, 2015.

  1. fürdielulz

    fürdielulz Newbie

    Jul 24, 2015
    Hello all.

    First of all, excuse me if this is the wrong section for this thread. Feel free to move it accordingly.

    I am fairly new to the 3DS scene (bought a 2DS like two weeks ago), but I've already gone through most of the concepts and managed to mess around with my unit.

    The thing is, my 2DS came with version 8.1.0 preinstalled, so the only known exploit I could use was the webkit exploit. Everyone is well aware of the "must have an internet connection" limitation, and some may also know that there are several Android apps to set up a hotspot with the payloads hosted there.

    Still, this feels like it's not enough. Thus, I have two ideas for possible offline exploitation of the webkit vulnerability:
    1. Check if the Internet Browser mounts the SD card, and if it does, browse to the payloads directly in the SD card. This fairly trivial, so I guess someone else must have checked before. If not, what would I need to check if the Internet Browser app mounts the SD card? Extract the NAND, decrypt it, then reverse-engineer the binaries? Any pointers for this last step?
    2. Modify the content of certain apps that use HTML and flash it back to sysNAND. I've seen (at the 3dbrew wiki) that title 0004001B00018102 includes some HTML files for the Miiverse offline mode starting from 7.0.0-13. In principle, if these are rendered using a vulnerable version of webkit (apparently in 0004001B00018202), it would be possible to modify them and then trigger the exploit by going to the Miiverse offline mode. Again, has anyone tried this before, or is anyone aware of any hash/signature checks performed on these HTML files before they are rendered?
    Thanks for reading!
  2. Vappy

    Vappy GBAtemp Advanced Maniac

    May 23, 2012
    I've no idea if either of those ideas could play out or not, but it might be worth you looking into downgrading MSET (the System Settings app). This allows you to exploit the console via the DS Profile Settings, no internet connection needed, and probably far less effort than trying to figure out a way to trigger the webkit bug without internet. :P
  3. tranxuanthang

    tranxuanthang GBAtemp Regular

    Jul 6, 2015
    Why dont u downgrade ur mset to 6.x so u can use ds profile exploit
  4. fürdielulz

    fürdielulz Newbie

    Jul 24, 2015
    Oh, wow. I didn't know such a thing was possible on the 2DS. That's much simpler... Still, out of curiosity it would be fun to explore the other two alternatives.
  5. NicEXE

    NicEXE GBAtemp Fan

    Dec 6, 2009
    You can try and see if file://... works but I am 99% that its disabled. Why would you have it on a handheld console anyway?
  6. froggestspirit

    froggestspirit D/P/Pt Demix Guy

    Jul 28, 2011
    United States
    That will break signatures, and will not load the modified app.
  7. MRJPGames

    MRJPGames Pretty great guy

    Aug 17, 2013
    The Netherlands
    Neither will work without modifying the internet app and if you can do that you already have a sysnand thats permahacked.