[INFO] SNShax, what it is and how it works

Discussion in '3DS - Homebrew Development and Emulators' started by dark_samus3, Dec 28, 2015.

  1. dark_samus3 (OP), GBAtemp Addict
    In the recent talk by Smea, Derrek and Plutoo we learned about a new hack called SNShax.

    News
    User JustPingo is testing this exploit. He needs N3DS users with a hardmod to help with testing; he may already have his tester(s), so don't be disappointed if he does, as that just means it should be out soon.

    Tl;dr
    SNS means Safe Nintendo Shell, and the hax possible with it can be used to downgrade from 9.3-10.1 down to 9.2. It is currently only possible on a New 3DS, though Smea has said it may be possible on an Old 3DS with a workaround. It was patched in system version 10.2.

    Vuln
    SNShax is a small oversight by Nintendo. Usually the NS service (possibly meaning Nintendo Shell, though that is speculation) is in an area inaccessible to the GPU, meaning gspwn isn't useful for getting at it. However, the New 3DS safe-mode version of NS can be launched and, since the original NS service is still in use, it has to be allocated in an area accessible by gspwn (provided the memory is set up properly). Access can then be gained, with ROP, to the services it uses (am:u and others), which in turn can be used to downgrade. It is not possible on the O3DS (yet), as the Safe Nintendo Shell version the O3DS uses is prevented from launching while the standard version is still running. This wouldn't be a problem if NS weren't required to start any version of itself.

    Uses
    As stated above, it is possible to use this to downgrade any system title, in turn allowing full system version downgrades. This makes it possible to downgrade to any system version we have legit CIAs for.

    Q&A
    Q: I have an O3DS on 10.1, should I wait for a workaround?
    A: That is up to you; however, memchunkhax 2 will probably be out before this and will be able to access am:u and downgrade your system.

    Q: I'm on a system version below 10.1, do I have to update?
    A: No, this will work on system versions 9.3-10.1 (and maybe lower versions than that).

    Q: I'm on system version 10.2/10.3, am I screwed?
    A: No! Memchunkhax 2 works from 9.3-10.3! Just don't update beyond that or you'll be back in the same boat.
     
    Last edited by dark_samus3, Dec 30, 2015


  2. MassExplosion213
  3. TheZoroark007, MK7 CT creator
    Great. Just updated my New 3DS yesterday from 10.1 to 10.3...
     
  4. dark_samus3 (OP), GBAtemp Addict
    Don't worry, memchunkhax 2.0 will be out soon which works on 10.3 :)
     
  5. TheZoroark007, MK7 CT creator
    But can I downgrade with memchunkhax2?
     
  6. The Real Jdbye, Always Remember 30/07/08
    But from what I know ARM11 kernel isn't enough to allow downgrading.

    Where did you hear that it was patched in 10.2? I don't think that was mentioned in the stream, in fact they said "downgrading for all"
     
  7. dark_samus3 (OP), GBAtemp Addict
    Better, you don't need to downgrade, CFW launching directly from 10.3 :)


    In the memchunkhax 2.0 thread it was shown that Smea said on IRC that it was patched in 10.2
     
  8. MassExplosion213
    ARM11 kernel is enough to downgrade. Uninstall the old title and install the new one.
     
  9. The Real Jdbye, Always Remember 30/07/08
    Pretty sure CFW requires ARM9 kernel as well. ARM11 kernel isn't really enough to do most of the nice things.
     
  10. Vappy, GBAtemp Advanced Maniac
    lol misread again
     
    Last edited by Vappy, Dec 28, 2015 - Reason: whoops
  11. dark_samus3 (OP), GBAtemp Addict
    Watch the talk, you'll see arm9 stuff was mentioned too :)


    Yeah I meant the SNShax stuff was mentioned being patched in that thread :)
     
  12. The Real Jdbye, Always Remember 30/07/08
    I know, but using a custom DS cartridge that they will never manufacture. We'd have to wait for some Chinese company to figure it out and mass produce them and charge $70 a piece. It'll be the Gateway all over again.
    Come to think of it, you might be right about that. I seem to recall someone saying ARM11 kernel would not be enough to gain access to am:u which we need, but since it's located within memory accessible by the ARM11 (and runs on the ARM11) it shouldn't really be an issue. I'm not knowledgeable enough to say for sure though.
     
  13. dark_samus3 (OP), GBAtemp Addict
    Actually there was more than just that, from what I gathered we can craft firm0 and 1 images that allow really really early arm9 access and possible cold booting :)


    Also, ARM11 has access to am:u... All ARM9 does is check the signatures and the version you're installing, which is easily bypassed by uninstalling the previous title.
     
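Added example (editor's, not code from this thread, from Nintendo, or from any 3DS homebrew project): a small C model of the install-time version check that posts 8 and 13 describe, where the only thing compared against is the version currently installed, beside a hardened form that keeps an anti-rollback floor which uninstalling does not clear. The title table, every function name and the sample title ID are hypothetical and assumed for illustration only; this does not model the real AM service or the ARM9 code, just the logic flaw being discussed.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical model of an installed-title table and of the install-time version
 * check the thread attributes to the ARM9 side. All names are this example's own;
 * none of this is Nintendo's code or the real AM service API. */

#define MAX_TITLES 8

typedef struct {
    uint64_t title_id;   /* 0 marks an unused slot */
    uint16_t version;    /* installed version, meaningful only while installed */
    uint16_t max_seen;   /* highest version ever installed (hardened check only) */
    bool     installed;
} title_slot_t;

typedef struct { title_slot_t slots[MAX_TITLES]; } title_db_t;

/* Slot index holding title_id, or -1. */
static int find_slot(const title_db_t *db, uint64_t title_id)
{
    for (int i = 0; i < MAX_TITLES; i++)
        if (db->slots[i].title_id == title_id) return i;
    return -1;
}

/* Slot for title_id, allocating an unused one if needed; -1 when full. */
static int alloc_slot(title_db_t *db, uint64_t title_id)
{
    int i = find_slot(db, title_id);
    if (i >= 0) return i;
    for (i = 0; i < MAX_TITLES; i++)
        if (db->slots[i].title_id == 0) { db->slots[i].title_id = title_id; return i; }
    return -1;
}

/* Weak check: "not lower than what is installed right now". Once nothing is
 * installed there is nothing to compare against, so any version goes in. */
bool install_weak(title_db_t *db, uint64_t title_id, uint16_t version)
{
    int i = alloc_slot(db, title_id);
    if (i < 0) return false;
    if (db->slots[i].installed && version < db->slots[i].version)
        return false;                              /* downgrade refused */
    db->slots[i].version = version;
    db->slots[i].installed = true;
    return true;
}

/* Hardened check: compare against a floor recording the highest version ever
 * installed, which uninstalling never clears (a software stand-in for a
 * monotonic anti-rollback counter). */
bool install_hardened(title_db_t *db, uint64_t title_id, uint16_t version)
{
    int i = alloc_slot(db, title_id);
    if (i < 0) return false;
    if (version < db->slots[i].max_seen)
        return false;                              /* rollback refused, installed or not */
    db->slots[i].version = version;
    db->slots[i].installed = true;
    if (version > db->slots[i].max_seen) db->slots[i].max_seen = version;
    return true;
}

/* Marks a title as not installed; the slot and its max_seen are kept on purpose. */
bool uninstall_title(title_db_t *db, uint64_t title_id)
{
    int i = find_slot(db, title_id);
    if (i < 0 || !db->slots[i].installed) return false;
    db->slots[i].installed = false;
    return true;
}

#define SAMPLE_TITLE 0x0004000000ABCDEFULL   /* constructed ID, not a real 3DS title */

/* Replays "uninstall, then install an older version" against the weak check.
 * True when the direct downgrade is refused but the replay is accepted. */
bool weak_check_bypassed(void)
{
    title_db_t db = {0};
    install_weak(&db, SAMPLE_TITLE, 10);
    bool direct = install_weak(&db, SAMPLE_TITLE, 9);   /* refused: 9 < 10 */
    uninstall_title(&db, SAMPLE_TITLE);
    bool replay = install_weak(&db, SAMPLE_TITLE, 9);   /* accepted: nothing installed */
    return !direct && replay;
}

/* Same sequence against the hardened check. True when both downgrade attempts
 * are refused while reinstalling the current version still works. */
bool hardened_check_holds(void)
{
    title_db_t db = {0};
    install_hardened(&db, SAMPLE_TITLE, 10);
    bool direct = install_hardened(&db, SAMPLE_TITLE, 9);
    uninstall_title(&db, SAMPLE_TITLE);
    bool replay = install_hardened(&db, SAMPLE_TITLE, 9);   /* refused: floor is 10 */
    bool same   = install_hardened(&db, SAMPLE_TITLE, 10);  /* accepted */
    return !direct && !replay && same;
}
```

The point of the second variant is that a downgrade check which only looks at the currently installed entry is vacuous the moment that entry is removed; a floor that lives outside the install table (in real hardware, a monotonic counter or fuse the installer cannot reset) is what actually stops the uninstall-then-install replay.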
  14. Exavold, GBAtemp Advanced Fan
    I already have a 9.2 but holy shit that's one hell of a hack.
     
  15. TR_mahmutpek, GBAtemp Advanced Fan
    Does this thread mean we can CFW a New 3DS on firmware 10.1 and 9.3?
     
  16. Exavold, GBAtemp Advanced Fan
    Not directly but yes.
     
  17. TR_mahmutpek, GBAtemp Advanced Fan
    When can we downgrade the 3DS? Also, thank you for your reply.
     
  18. dark_samus3 (OP), GBAtemp Addict
    When things are released to exploit the two new vulns that were just released today :)
     
  19. Exavold, GBAtemp Advanced Fan
    When SFN is released, smea will probably provide a download link with instructions.
     
  20. dark_samus3 (OP), GBAtemp Addict
    Ehh, I HIGHLY doubt Smea will be supporting it (though I may be wrong)
     