Merry Christmas - Have some RAM Dumping!

Discussion in '3DS - Homebrew Development and Emulators' started by fierce waffle, Dec 25, 2013.

  1. Bug_Checker_

    Bug_Checker_ GBAtemp Advanced Fan

    Member
    5
    Jun 10, 2006
    United States
    A lot of the dev wikis (dsibrew/wiibrew/wiiubrew/3dbrew) get account creation bots spamming links for people looking to influence seo.
    Usually, because they haven't updated their software.

    There was a time when spamming was so bad that innocent people got caught up in friendly fire.

  2. fierce waffle
    OP

    fierce waffle GBAtemp Regular

    Member
    2
    Sep 15, 2012
    United States
  3. Lyrra

    Lyrra Member

    Newcomer
    1
    Dec 19, 2013
    United States
    Awesome, keep up the good work!
     
  4. mathieulh

    mathieulh GBAtemp Fan

    Member
    5
    Feb 28, 2008
    France

    Not to kill the mood or anything but you just need to compile an ARM9 payload to use along the rsa_verify request exploit.
    The exploit has now been public for several days here https://github.com/naehrwert/p3ds/blob/master/3dsploit.py
    and addresses such as the ones for fopen, fwrite... can be bruteforced rather easily.
    There should be about 20ish people that can run an ARM9 payload hanging around the #3dsdev channel right now.

    All in all, I'd say your initial ram dumper (using ROPs) was a lot more impressive than this, as running an ARM9 payload was just a matter of following each ROP in the chain from the gateway Launcher.dat file once you had a valid ram dump.

    What I find astonishing is the amount of people who do not know how the bug technically works, they know from the launcher.dat that they need to use specific ROP gadgets in a specific sequence to trigger the exploit, they know what some/most of the ROP gadgets do, they know where to paste their payload, but they don't know much beyond that, they don't know that the bug is actually tied to a huge rsa_verify request for which the length isn't checked, they don't know that the payload written by gateway's ROP chain at 0x080C3EE0 is copied somewhere in the 0x20000000 area by the kernel and what triggers it to jump to the code later on.

    I just find it sad that so many people just reuse what's written by the Gateway engineers, only caring about the end result and not knowing how it actually works in the first place, even though it's very interesting from an educational standpoint.

    Ok, that was just my 2 cents xD
     
  5. Kane49

    Kane49 GBAtemp Fan

    Member
    3
    Nov 4, 2013
    Gambia, The
    While the exploit is obviously a piece of genius and I can appreciate what it took to discover / utilize it, it is still only a piece of the puzzle and its one that has already been solved.

    Personally I'm grateful for every layer of abstraction that allows me not to care about the internals as much; that doesn't mean they are any less important. For example, I like coding in C but I hate asm with a fiery passion ^^
     
  6. aliak11

    aliak11 Pokemon Master

    Member
    7
    Dec 5, 2010
    United States
    Florida
    Same here, I understand C/C++, but am having a hard time trying to figure out asm.
     
  7. Kane49

    Kane49 GBAtemp Fan

    Member
    3
    Nov 4, 2013
    Gambia, The
    I mean x86 asm though, arm asm is a lot more fun
     
  8. tyons

    tyons GBAtemp Advanced Fan

    Member
    3
    Jul 11, 2012
    Italy
    now make a cheat codes feature *.*
     
  9. mr. fancypants

    mr. fancypants that´s ´Sir´ for you!

    Member
    2
    Jul 16, 2013
    Netherlands
    right here, right now
    great and what do you want to do with it?
     
  10. xyzmanas

    xyzmanas GBAtemp Regular

    Member
    2
    Jun 7, 2013
    Could you please point towards more stuff which explains the working of this exploit in detail relating to code injection.
     
  11. minexew

    minexew ayy lmao

    Member
    3
    Mar 16, 2013
    It's no secret that the x86 ISA is an abomination. ARM or AVR on the other hand is a joy even when it gets down to counting cycles :)
     
  12. xyzmanas

    xyzmanas GBAtemp Regular

    Member
    2
    Jun 7, 2013
    Is ARM asm much different from the 8086 MP asm I did in college? I mean, except for the number and size of registers, are the commands the same?
     
  13. liquidsolidyetboth

    liquidsolidyetboth Advanced Member

    Newcomer
    1
    Dec 6, 2013
    United States
    Los Angeles
    good job man!!
     
  14. FAST6191

    FAST6191 Techromancer

    pip Reporter
    23
    Nov 21, 2005
    United Kingdom
    I have not dropped down as low as 8086 (where real mode and protected mode appear is where I came in there, with the GBA and DS it was basically all Real mode though but that changed a bit for the 3ds it seems) and I am hesitant to blindly assume the Z80 stuff is similar enough without checking. However reading through the instructions and memory handling (and allowing for the extras the GBA/DS and presumably 3ds BIOS/coprocessing capabilities will afford) you are not going to be out of your depth like if you were thrown into the deep end with modern X64 and told to play with SIMD and all the nice multimedia stuff.

    The GBA and DS have no divide (though the coprocessor has it), no floating point either. The GBA and DS stuff has THUMB mode but that is not so hard to wrap your head around (16 bit instructions but with 32 bit registers). Likewise memory handling is usually done by DMA (which is usually quite civil and without too many odd quirks) and dedicated instructions (you can not mov to or from an address or anything, only limited immediates* and registers). Likewise the amount of registers is enough that instructions become generic, unlike some of the SNES stuff where they would have mov equivalents for each (all three of them if you count the accumulator) of the general registers. The ARM stuff is also a great fan of shifting.

    *you need to fit the immediate and the command into the instruction. Your assembler will probably have pseudo instructions to sort this (ROP might be a different matter of course) and you can do things like movn to inverse the value of your immediate or referenced register.

    Have a read of http://www.coranac.com/tonc/text/asm.htm , http://quirkygba.blogspot.com/2008/12/things-you-never-wanted-to-know-about.html http://drunkencoders.com/files/2013/03/unequivocal-answer.html and http://nocash.emubase.de/gbatek.htm
    If you want to get a bit more general http://www.heyrick.co.uk/assembler/ and http://www.heyrick.co.uk/armwiki/Main_Page

    The ARM manuals are also free and worth a look.

    Speaking to people and scanning around http://www.3dbrew.org/wiki/Main_Page it seems the 3ds gained a few more features and now more closely resembles a system developed this century (which is to say it has a kernel and the idea of userland) but that will probably be nothing too hard to work with/around.
     
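A worked illustration of the limited-immediate point FAST6191 makes above (and of the x86-vs-ARM difference xyzmanas asked about), added here and not code from the thread: an ARM data-processing immediate is an 8-bit value rotated right by an even amount, so an assembler first tries MOV, then MVN of the inverted constant, and otherwise falls back to a literal-pool load (the `ldr rX, =value` pseudo instruction). Function names are my own.

```python
# Added example: how an ARM (ARMv4/v5, the GBA/DS/3DS ARM cores) assembler
# fits a 32-bit constant into the 12-bit immediate field of MOV/MVN.
# The field holds imm8 (8 bits) and rotate_imm (4 bits); the constant is
# imm8 rotated right by 2 * rotate_imm. Constants that do not fit need MVN
# of the bitwise inverse, or a literal pool load.

MASK32 = 0xFFFFFFFF

def rotate_right(value, rot):
    value &= MASK32
    return ((value >> rot) | (value << (32 - rot))) & MASK32

def encode_arm_imm(value):
    """Return (imm8, rotate) with value == imm8 ROR rotate, else None.
    The smallest rotation is tried first, like a real assembler."""
    value &= MASK32
    for rot in range(0, 32, 2):
        # Rotating LEFT by rot undoes the ROR; if what remains fits in
        # 8 bits this rotation works.
        candidate = ((value << rot) | (value >> (32 - rot))) & MASK32
        if candidate <= 0xFF:
            return candidate, rot
    return None

def choose_mov(value):
    """Pick the instruction an assembler would emit for 'mov rd, #value':
    ("mov", imm8, rot), ("mvn", imm8, rot) or ("ldr", None, None)."""
    value &= MASK32
    enc = encode_arm_imm(value)
    if enc is not None:
        return ("mov", enc[0], enc[1])
    enc = encode_arm_imm(~value)          # MVN loads the inverse, so try ~value
    if enc is not None:
        return ("mvn", enc[0], enc[1])
    return ("ldr", None, None)            # needs a literal pool entry

def assemble_mov(rd, value):
    """Encode 'mov rd, #value' (cond=AL) as a 32-bit ARM word, using MVN
    when only the inverse fits; None when a literal load is required."""
    mnemonic, imm8, rot = choose_mov(value)
    if mnemonic == "ldr":
        return None
    # cond=0xE | I=1 | opcode (MOV=0xD, MVN=0xF) << 21 | Rd << 12 | rotate_imm << 8 | imm8
    opcode = 0xD if mnemonic == "mov" else 0xF
    return (0xE << 28) | (1 << 25) | (opcode << 21) | ((rd & 0xF) << 12) | ((rot // 2) << 8) | imm8
```

Running `assemble_mov(0, 0xFF000000)` gives the familiar `E3A004FF` word for `mov r0, #0xff000000`, while `0x101` cannot be expressed either way and returns None.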
  15. minexew

    minexew ayy lmao

    Member
    3
    Mar 16, 2013
    Great summary. Only thing (maybe obvious) I'd like to add is that there is still quite the gap between coding with devkitPro in C++ vs. building a ROP chain from assembly gadgets. Which is why I'm glad that we have an ARM9 loader now. The possibility of 3DS homebrew has never been so real.
    Also +1 for mentioning Noca$h GBAtek, it's pretty much the dream of every hardware hacker coming true. I read noca$h docs before sleep for the pure enjoyment, they're just wonderful :lol:
     
  16. WatchGintama

    WatchGintama GBAtemp Maniac

    Member
    5
    Feb 22, 2009
    United States
    I installed this and now I get an error when running DS flashcart or DS games. Any way to fix?
     
  17. Snailface

    Snailface My frothing demand for 3ds homebrew is increasing

    Member
    10
    Sep 20, 2010
    Engine Room with Cyan, watching him learn.
  18. WatchGintama

    WatchGintama GBAtemp Maniac

    Member
    5
    Feb 22, 2009
    United States
  19. samljer

    samljer GBAtemp Regular

    Member
    2
    Oct 4, 2012
    Canada
    I hope something comes of this, I'd love to finally put Gateway3DS to rest; don't trust those guys.
    A real rom loader would be sweet.
     
  20. gamesquest1

    gamesquest1 Nabnut

    Moderator
    21
    Sep 23, 2013
    yeah.....gateway is pure fake, doesn't work at all..........:huh:
     