From Smea's devblog:
"Stage 3 : getting access to more services and SDMC by taking over spider/SKATER (aka spiderto/SKATERto)
Description : the 3DS runs a fully multitasking OS which is able to execute applets simultaneously to the main application. These applets include the home menu and the web browser (aka spider on the 3DS, and SKATER on the New 3DS). It is possible to launch such an applet from any usermode app through APT commands.
Problem : while system applets such as spider usually keep their .text in the 0×26800000+ region, they use a heap to store information, including stacks for secondary threads. This heap is below the cutoff for FCRAM GPU DMA access. This allows us to takeover that thread using GPU DMA and some neat timing tricks. From there we can takeover spider’s main thread, and use that to run the next stage, all through ROP. From there, we use NS:SendParameter to give Cubic Ninja spider’s ro and fs session handles.
Limitations : this only gives us ROP execution under spider/SKATER, not actual code execution."
@
x65943:
@
JuanMena:
