Question regarding DS profile exploit

Discussion in '3DS - Flashcards & Custom Firmwares' started by Chaldron, Dec 9, 2013.

  1. Chaldron
    OP

    Chaldron GBATemp's Official Attorney

    Member
    434
    238
    Mar 29, 2013
    United States
    `Murica
    I heard that the DS profile exploit is still available in 6.x - it just doesn't grant kernel access. Is this true? Just wondering.

    Thanks!
     
  2. how_do_i_do_that

    how_do_i_do_that Blue Wizard is about to die.

    Member
    4,952
    270
    May 16, 2008
    Antarctica
    No, it is not in 6.X; it was fixed in 5.0. Somebody lied to you.
     
  3. Chaldron
    OP

    Chaldron GBATemp's Official Attorney

    Member
    434
    238
    Mar 29, 2013
    United States
    `Murica

    Really? Just to confirm, the DS NVRAM exploit was patched in 5.0, not the kernel access because of that?

    Thanks.
     
  4. Drenn

    Drenn GBAtemp Advanced Fan

    Member
    573
    497
    Feb 22, 2013
    Canada
    According to smealum's blog, the ds profile exploit was never fixed as of 6.3. It's not much use without the kernel exploit, which was patched.

    Edit:
     
  5. how_do_i_do_that

    how_do_i_do_that Blue Wizard is about to die.

    Member
    4,952
    270
    May 16, 2008
    Antarctica
    Not being able to use the exploit is the same as it being technically closed. Not explaining how an exploit is technically blocked gives non-technical people the wrong impression, which is what Smea has done there.
     
  6. Drenn

    Drenn GBAtemp Advanced Fan

    Member
    573
    497
    Feb 22, 2013
    Canada
    Are you saying that it has been blocked? If not, I don't understand what we're disagreeing about. The ds profile exploit will still come in handy if another 2nd-stage exploit is ever found in 6.3.
     
  7. how_do_i_do_that

    how_do_i_do_that Blue Wizard is about to die.

    Member
    4,952
    270
    May 16, 2008
    Antarctica
    It is partially blocked, making it no longer exploitable 100% of the time.

    In real-world terms for non-technical people, a partial block is the same as a fully blocked exploit, because if a hacker is not attempting to make it a reliable exploit again, it is effectively dead.
     
  8. RenegadeKid

    RenegadeKid GBAtemp Fan

    Member
    447
    138
    Aug 11, 2013
    France
    Yeah, so they have to find another exploit to hack the 3DS on 6.3 or on higher firmware.
     
  9. yifan_lu

    yifan_lu @yifanlu

    Member
    663
    1,387
    Apr 28, 2007
    United States
    Yes, the DS profile exploit still works on 6.3. In theory, it could allow for homebrew on 6.3 provided that homebrews are compiled into ROP lists. Also, if another kernel exploit is found, it'll allow 6.3 to run your pirated games (versus if Nintendo patches the DS profile exploit in 6.4+, then even a new kernel exploit would be useless until another user-mode exploit is found. You need both to run unsigned code).
     
  10. how_do_i_do_that

    how_do_i_do_that Blue Wizard is about to die.

    Member
    4,952
    270
    May 16, 2008
    Antarctica
    There is no need to theorycraft whether this exploit is still usable or not when there is a real-world example of this exploit in the form of the Gateway flashcart and clones; it is the same exploit used by Smea to run his version of emuNAND. These all have the same limitations of the exploit: it is effectively dead on a 3DS firmware of 5.0 or higher at this time.

    You're confusing "exploit still exists" with "exploit still works"; these are 2 different things.
     
  11. megazig

    megazig SU

    Member
    467
    93
    Oct 25, 2008
    United States
    The exploit still works. You can use it with a ROP chain as yifanlu says. It still exists and works. You're confusing working/existing and usable for morons. The latter is not exactly what a hacking section should be focused on.
     
    tHciNc likes this.
  12. Drenn

    Drenn GBAtemp Advanced Fan

    Member
    573
    497
    Feb 22, 2013
    Canada
    OP knows that there is no usable exploit for 5.0+ systems. The question is whether the ds profile exploit can still be used in case a new kernel exploit is discovered in 6.3. I'll believe that the answer to that question is "yes" unless you have some source saying otherwise.
     
  13. how_do_i_do_that

    how_do_i_do_that Blue Wizard is about to die.

    Member
    4,952
    270
    May 16, 2008
    Antarctica
    I see you two are going to make me wait for 6.4 or higher to come out to vindicate who knows what to be correct. Incidentally, that would also give an absolute answer to the OP's question on that matter.
     
  14. RenegadeKid

    RenegadeKid GBAtemp Fan

    Member
    447
    138
    Aug 11, 2013
    France
    Thank you for your useful explanations :)

    Yifan Lu is a genius in the hacking scene. He would deserve more respect and gratitude.
     
    megazig and cearp like this.
  15. snikerz

    snikerz GBAtemp Advanced Fan

    Member
    502
    59
    Nov 30, 2008
    Lesotho
    Maybe you should look up who you are arguing with.
     
    megazig and cearp like this.
  16. cearp

    cearp the ticket master

    Member
    7,555
    4,819
    May 26, 2008
    Tuvalu
    Makes me remember ChickHEN for PSP; had to run that like 40 times until it worked... ha
     
    Arras likes this.
  17. McHaggis

    McHaggis Fackin' Troller

    Member
    1,725
    941
    Oct 24, 2008
    You're confusing matters. The "exploit" to which you're referring, used by smea and Gateway, is actually made to exploit more than one vulnerability. Exploiting the first vulnerability gets you access to the user mode, where a second-stage vulnerability is exploited to allow "kernel mode" access. The latter is required for all the patches to the system that smea's "CFW" and Gateway's "Gateway mode" make. The former (user mode) vulnerability still exists in the latest firmware and it is entirely usable. That's all the OP wanted to know.

    tl;dr the vulnerability in question isn't "effectively dead". More like it's dormant until it becomes useful again.
     
    Snailface and cearp like this.
  18. smealum

    smealum growing up sucks.

    Member
    635
    2,035
    May 1, 2006
    United States
    SF
    Just FYI: I haven't actually tried exploiting the DS profile vuln on 6.3 or looked into it at all. All I know is the crash still happens, but it's entirely possible that it happens differently and isn't exploitable, AFAIK. I should have reflected that in my article; sorry about that.
    Nevertheless, McHaggis has the right idea.
     
    Schizoanalysis, Dartz150 and cearp like this.
  19. Chaldron
    OP

    Chaldron GBATemp's Official Attorney

    Member
    434
    238
    Mar 29, 2013
    United States
    `Murica
    Okay, thanks for all the replies! I understand it better now.

    So if a kernel exploit is found, it might be possible to use the DS NVRAM exploit as "gateway" (no pun intended) to get to the kernel access, correct?

    Thanks again.
     
  20. profi200

    profi200 Banned

    Banned
    330
    216
    Sep 3, 2011
    Gambia, The
    The mset haxx vuln exists, even in 6.3, but no ARM9 vuln exists.

    Have not tried to do something with mset haxx >4.5, because I don't have useful ROP gadgets. And yes, mset haxx works a bit differently after the 5.X update, but it is not fixed or updated since 5.X.