Homebrew Python Tools for 3DS

[Rinnux]

Sorry if this has already been posted. But someone named naehrwert has released some python tools. I don't know what it does but I thought I should post a thread about it

https://github.com/naehrwert/p3ds

 

[Felipe_9595]

I might actually get a 3ds witha gateway just for this lol

 

[Snailface]

I mentioned this in the Fierce Waffle ram dump thread. He is working with naehrwert to get an open homebrew solution going on the 3ds by reversing the GW launcher.dat and gaining code execution. They each have their own separate repos for their projects although naehrwert is the author of these scripts.

The python scripts serve two purposes. One generates a Ram Dumping launcher.dat not unlike Fierce Waffle's. The second, 3dsploit, also generates a launcher.dat but this one loads a 'PAYLOAD' string* of ARM11 assembly presumably to do 'fun things' with 3ds. I'm not sure if this is in kernel mode or not, maybe someone could clarify that or any other lie I've might have told in this post.

*its empty, presumably for the user to fill in their own 133t haxx

 

[Kane49]

a

 

[Deleted User]

Anyone can give me some pointers ?

0x51234514
0x11123456
0x81451243

 

[Kane49]

0x51234514
0x11123456
0x81451243

_@
http://pastebin.com/F07f3haU
http://pastebin.com/zMASMCMV
http://pastebin.com/sKRerzid

 

[Kane49]

http://pastebin.com/kxBdNayC

not mine.

 

[aliak11]

How do I compile the python file into the Lancher.dat file?

 

[Snailface]

How do I compile the python file into the Lancher.dat file?

Find these lines at the end of the script and remove the #'s to uncomment them.

#f = open("Launcher.dat", "wb")
#f.write(rop)
#f.close()

Then run the script to generate the launcher.dat

 

[aliak11]

Find these lines at the end of the script and remove the #'s to uncomment them.

#f = open("Launcher.dat", "wb")
#f.write(rop)
#f.close()

Then run the script to generate the launcher.dat

Thank you.

 

[aliak11]

After I add ARM code it will not compile, can someone help?

 

[Kane49]

After I add ARM code it will not compile, can someone help?

Uhm what do you consider arm code ?
As i understand it you need to compile the code and encode the bytecode in pythons format

 

[aliak11]

Uhm what do you consider arm code ?
As i understand it you need to compile the code and encode the bytecode in pythons format

What programs do I use for that?

 

[kalimero]

Can someone explain these addresses?

ramdump.py

r.call(0x1B82AC, [0x279000, Ref("fname"), 6], 5)
r.call(0x1B3B54, [0x279000, 0x279020, 0x100000, 0x300000], 9)

3dsploit.py

r.pop_r4(0x279020)
r.i32(0x1C1958)
r.i32(0x44444444)
r.call_lr(0x10C2AC, [0x279024])

 

[deoFusion]

What programs do I use for that?

If you have to ask all these trivial questions, it's not really intended towards you. You should stop before you brick your console.

 

[aliak11]

If you have to ask all these trivial questions, it's not really intended towards you. You should stop before you brick your console.

I am trying to learn.

 

[deoFusion]

Can someone explain these addresses?

ramdump.py

r.call(0x1B82AC, [0x279000, Ref("fname"), 6], 5)
r.call(0x1B3B54, [0x279000, 0x279020, 0x100000, 0x300000], 9)

3dsploit.py

r.pop_r4(0x279020)
r.i32(0x1C1958)
r.i32(0x44444444)
r.call_lr(0x10C2AC, [0x279024])

Can someone explain these addresses?

ramdump.py

r.call(0x1B82AC, [0x279000, Ref("fname"), 6], 5)
r.call(0x1B3B54, [0x279000, 0x279020, 0x100000, 0x300000], 9)

3dsploit.py

r.pop_r4(0x279020)
r.i32(0x1C1958)
r.i32(0x44444444)
r.call_lr(0x10C2AC, [0x279024])

http://gbatemp.net/threads/merry-christmas-have-some-ram-dumping.359697/page-11#post-4871942
http://pastebin.com/6CGwGKyh

 

[Kane49]

Can someone explain these addresses?

ramdump.py

r.call(0x1B82AC, [0x279000, Ref("fname"), 6], 5)
r.call(0x1B3B54, [0x279000, 0x279020, 0x100000, 0x300000], 9)

3dsploit.py

r.pop_r4(0x279020)
r.i32(0x1C1958)
r.i32(0x44444444)
r.call_lr(0x10C2AC, [0x279024])

#0x279000 is a handle

Apparently its not

http://gbatemp.net/threads/merry-christmas-have-some-ram-dumping.359697/page-11#post-4871942
http://pastebin.com/6CGwGKyh

Thanks for the pastie

 

[Bond697]

#0x279000 is a handle

no it's not. they're C++ classes. it's a _thiscall. it's this->

if you were doing this in C++, you wouldn't even see it being passed around.

 

[Kane49]

no it's not. they're C++ classes. it's a _thiscall. it's this->

if you were doing this in C++, you wouldn't even see it being passed around.

Thanks alot