Hacking Question regarding DS profile exploit

Chaldron (OP)
I heard that the DS profile exploit is still available in 6.x - it just doesn't grant kernel access. Is this true? Just wondering.

Thanks!
 

Drenn

According to smealum's blog, the ds profile exploit was never fixed as of 6.3. It's not much use without the kernel exploit, which was patched.

Edit:
It’s interesting that such a vulnerability even exists in mset; apparently, such an approach had been attempted on the DSi and it was not vulnerable to it. Additionally, the crash had been documented on 3Dbrew for a while, and yet somehow the vulnerability is still open to this day (on 6.3. Of course, user mode stack smashes can be achieved through other vectors...)
 

Drenn

Are you saying that it has been blocked? If not, I don't understand what we're disagreeing about. The ds profile exploit will still come in handy if another 2nd-stage exploit is ever found in 6.3.
 

yifan_lu

Yes, the DS profile exploit still works on 6.3. In theory, it could allow for homebrew on 6.3 provided that homebrews are compiled into ROP lists. Also, if another kernel exploit is found, it'll allow 6.3 to run your pirated games (versus if Nintendo patches the DS profile exploit in 6.4+, then even a new kernel exploit would be useless until another Usermode exploit is found. You need both to run unsigned code).
 

how_do_i_do_that

Yes, the DS profile exploit still works on 6.3. In theory, it could allow for homebrew on 6.3 provided that homebrews are compiled into ROP lists. Also, if another kernel exploit is found, it'll allow 6.3 to run your pirated games (versus if Nintendo patches the DS profile exploit in 6.4+, then even a new kernel exploit would be useless until another Usermode exploit is found. You need both to run unsigned code).

There is no need to theorycraft whether this exploit is still usable or not when there is a real-world example of this exploit in the form of the Gateway flashcart and clones; it is the same exploit used by Smea to run his version of emuNAND. These all have the same limitations of the exploit: it is effectively dead on a 3DS firmware of 5.0 or higher at this time.

You're confusing "exploit still exists" with "exploit still works"; these are 2 different things.
 

megazig

The exploit still works. You can use it with a ROP chain, as yifanlu says. It still exists and works. You're confusing working/existing and usable for morons. The latter is not exactly what a hacking section should be focused on.
 

Drenn

OP knows that there is no usable exploit for 5.0+ systems. The question is whether the ds profile exploit can still be used in case a new kernel exploit is discovered in 6.3. I'll believe that the answer to that question is "yes" unless you have some source saying otherwise.
 

how_do_i_do_that

The exploit still works. You can use it with a ROP chain, as yifanlu says. It still exists and works. You're confusing working/existing and usable for morons. The latter is not exactly what a hacking section should be focused on.

OP knows that there is no usable exploit for 5.0+ systems. The question is whether the ds profile exploit can still be used in case a new kernel exploit is discovered in 6.3. I'll believe that the answer to that question is "yes" unless you have some source saying otherwise.

I see you two are going to make me wait for 6.4 or higher to come out to vindicate who knows what to be correct. Incidentally that would also give an absolute answer to the op's question on that matter.
 

RenegadeKid

Yes, the DS profile exploit still works on 6.3. In theory, it could allow for homebrew on 6.3 provided that homebrews are compiled into ROP lists. Also, if another kernel exploit is found, it'll allow 6.3 to run your pirated games (versus if Nintendo patches the DS profile exploit in 6.4+, then even a new kernel exploit would be useless until another Usermode exploit is found. You need both to run unsigned code).

Thank you for your useful explanations:)

Yifan Lu is a genius in the hacking scene. He would deserve more respect and gratitude.
 

snikerz

There is no need to theorycraft whether this exploit is still usable or not when there is a real-world example of this exploit in the form of the Gateway flashcart and clones; it is the same exploit used by Smea to run his version of emuNAND. These all have the same limitations of the exploit: it is effectively dead on a 3DS firmware of 5.0 or higher at this time.

You're confusing "exploit still exists" with "exploit still works"; these are 2 different things.

Maybe you should look up who you are arguing with.
 

McHaggis

There is no need to theorycraft whether this exploit is still usable or not when there is a real-world example of this exploit in the form of the Gateway flashcart and clones; it is the same exploit used by Smea to run his version of emuNAND. These all have the same limitations of the exploit: it is effectively dead on a 3DS firmware of 5.0 or higher at this time.
You're confusing matters. The "exploit" to which you're referring, used by smea and Gateway, is actually made to exploit more than one vulnerability. Exploiting the first vulnerability gets you access to the user mode, where a second-stage vulnerability is exploited to allow "kernel mode" access. The latter is required for all the patches to the system that smea's "CFW" and Gateway's "Gateway mode" make. The former (user mode) vulnerability still exists in the latest firmware and it is entirely usable. That's all the OP wanted to know.

tl;dr the vulnerability in question isn't "effectively dead". More like it's dormant until it becomes useful again.
 

smealum

Just FYI: I haven't actually tried exploiting the DS profile vuln on 6.3 or looked into it at all. All I know is the crash still happens, but it's entirely possible that it happens differently and isn't exploitable, afaik. I should have reflected that in my article, sorry about that.
Nevertheless, McHaggis has the right idea.
 

Chaldron (OP)
Okay, thanks for all the replies! I understand it better now.

So if a kernel exploit is found, it might be possible to use the DS NVRAM exploit as "gateway" (no pun intended) to get to the kernel access, correct?

Thanks again.
 

profi200

The mset haxx vuln exists, even in 6.3, but no ARM9 vuln exists.

I have not tried to do something with mset haxx on >4.5, because I don't have useful ROP gadgets. And yes, mset haxx works a bit differently after the 5.X update, but it has not been fixed or updated since 5.X.
 
