[Questions] Technical details of scene status

Discussion in '3DS - Homebrew Development and Emulators' started by Urbanshadow, Feb 18, 2016.

  1. Urbanshadow
    OP

    Urbanshadow GBAtemp Maniac

    Hi all,
    I'm in the process of documenting what is/was going on in the 3DS scene for a little presentation for security enthusiasts at my university, and I have some questions I am not able to answer from 3dbrew, so any help is appreciated.

    Maybe I'll have more questions along the way. You don't have to be too precise in your answers; if you feel I could find the info by searching, a little hint will suffice and I'll do the research.

    Questions:

    Pending:

    Figured out:
    1) In the first steps of the scene, was MSET 4.X the only place to go, or was there some kind of user-mode execution then?
    There was no homebrew scene at the time, but devs were already working hard on useful-looking vulnerabilities.

    2) Was MSET 4.X a discovery of GW team?
    Nope, it's not! The discovery belongs to a user called Ichifly in 2012, a long year before GW came.

    3) What came first: MSET 6.X or HBL?

    MSET 6.X as an exploit came first, but it was not so useful. More complete support for it was written after HBL, with rxtools and half the initial homebrew scene.

    4) Was the first version supported by HBL also the first version with available WebKit payloads?
    HBL was designed for Cubic Ninja. *hax came afterwards.

    5) Is the ARM11 code execution in *hax handled just by gspwn, or did it use another exploit in the past?
    6) In the 9.0 to 9.2 versions, what is the exploit enabling ARM9 code execution, and how does Brahma fit into this?

    Brahma is in fact a privilege-escalation exploit to easily execute a valid ARM9 payload on the 3DS system. It looks like it is widely used on 9.0/9.2 as the main method to gain full ARM9 access (if I'm not mistaken, CFWs, D9 and ET9 work this way; I even think Gateway does something along these lines, but not with Brahma).

    With gspwn's help, rohax helps to achieve firmlaunchhax. Both are used in (at least) the original Brahma code. This grants ARM9 code execution. I got this part figured out, then. I guess the answer to 5 is also quite obvious now. gspwn is still alive in 10.5 and it will be around for good.

    Approximate Scene Timeline:
    Code:
    Q2 2011 - Release of O3DS
       2012 - Discovery of MSET exploit
    Q3 2013 - Release of MSET 4.X and Gateway
    Q3 2013 - Update 6.1 rolls in
    Q4 2013 - Release of 2DS
    Q4 2013 - Update 7.0 released (MSET exploit fixed)
    Q4 2014 - 9.0 Update released
    Q4 2014 - The homebrew launcher appears! (It uses gspwn and rohax!)
    Q4 2014 - 9.3 Update released (rohax is fixed)
    Q1 2015? - MSET 6.X release for Rxtools
    Q2 2015 - 9.5 Update released (firmlaunchhax is fixed)
    Q2 2015 - Release of N3DS/N3DSXL
    Q2 2015 - Ninty secretly rolls browser update nag support with 9.9
    Q3 2015 - themehax/menuhax, browserhax releases!
    Q3 2015 - Ninty browser update nag detonates with 10.1
    Q4 2015 - Update 10.3 rolls in
    Q4 2015 - 32c3 Talk. Memchunkhax2, ntrcardhax and arm9loaderhax are revealed.
    Q1 2016 - The great downgrade happening. Hundreds of systems going to 9.2 and getting bricked thanks to memchunkhax2.
    Q1 2016 - Updates 10.4 and 10.5 roll in a week apart. Memchunkhax2 is fixed on 10.4 ( :( )
    Q1 2016 - The entire secret sector of N3DS is leaked and decrypted, along with the 0x11 keyslot. N3DS users can go to the latest emunand! (Some devs have gone into the 1.X land and grabbed nice things)
    Q1 2016 - A known vulnerability is exploited to allow a FIRM replacement in updates 10.4 and 10.5 to recover memchunkhax2, but it requires a hardmod.
    Q1 2016 - People are downgrading to very low versions (2.1.0) to grab the OTP register from their systems, allowing them to use arm9loaderhax!
    Q1 2016 - Update 10.6 rolls in and it's still vulnerable to the FIRM replacement downgrade! Menuhax and Browserhax have (temporarily?) died :'(.
    Last edited by Urbanshadow, Mar 4, 2016
  2. Urbanshadow
    OP

    Urbanshadow GBAtemp Maniac

    Thanks to the kind mod for moving this to its appropriate forum!

    Update:
    OK, so I found partial info on 6, but it's incomplete. Brahma is in fact a privilege-escalation exploit to easily execute a valid ARM9 payload on the 3DS system. It looks like it is widely used on 9.0/9.2 as the main method to gain full ARM9 access (if I'm not mistaken, CFWs, D9 and ET9 work this way; I even think Gateway does something along these lines, but not with Brahma).

    As the Brahma documentation states, it's based on two known (defined as "commercial", wat) exploits in the system. It does not say which two exploits, but we don't have ARM9 execution above 9.2, so it must have been fixed at least on 9.3.X. I have not found any exploit on 3dbrew matching this, but I have some suspects. Then again, the Brahma docs explain how a firm_reboot() call must be made for the ARM9 payload to run.

    So as far as I can understand, what fuels the scene on 9.2 is:
    - A first-stage hax capable of starting a ROP chain (WebKit exploits, for the keks).
    - gspwn or another exploit enabling ARM11 user code execution.
    - A homebrew for ARM11 userland with the Brahma code compiled in.
    - A valid ARM9 Brahma payload.

    Somehow Brahma does not work above 9.2, and I can't find exactly which exploit was fixed, and how it was fixed, to achieve that. After this, people are going full memchunkhax2 (which I understand well enough) to expose am:u and downgrade to recover the Brahma exploit.

    Before this, geez, I'm not really sure. Yeah, I mean, MSET and everything. And it's documented on 3dbrew, but I'm not there yet.
    Last edited by Urbanshadow, Feb 18, 2016
  3. Games&Stuff

    Games&Stuff GBAtemp Advanced Fan

    Wow... I think you're one of the first one here asking some interesting/good questions and not: HOW DO I GET CFW ON 10.5 PLEEZ I WUN FREE GAMZZ
  4. GalladeGuy

    GalladeGuy Freeze Kirby :3

    I believe it is Rohax.
  5. Urbanshadow
    OP

    Urbanshadow GBAtemp Maniac

    That's one of my suspects indeed. But the Brahma documentation refers to two exploits. I will continue delving into 3dbrew.

    The memory mapping syscalls are really useful, but that doesn't grant you magical ARM9 access.

    Update: Here it was! With gspwn's help, rohax helps to achieve firmlaunchhax. Both are used in (at least) the original Brahma code. This grants ARM9 code execution. I got this part figured out, then. I guess the answer to 5 is also quite obvious now. gspwn is still alive in 10.5 and it will be around for good.

    firmlaunchhax is fixed on 9.5, but it is unreachable on 9.4 and 9.3 because rohax was fixed in 9.3.
    I wonder now if a later memchunkhax2 could have helped reach firmlaunchhax on 9.4...
    Last edited by Urbanshadow, Feb 18, 2016
  6. Urbanshadow
    OP

    Urbanshadow GBAtemp Maniac

    Oh, I found partial info on 2:

    Pretty straightforward. And as it turns out, not Gateway's fault. It was fixed on 7.X.

    So HBL definitely came before MSET 6.X for rxtools (I thought it was the other way around!). HBL was first supported by ninjhax, as smea did it that way.
    Last edited by Urbanshadow, Feb 21, 2016
  7. atkfromabove

    atkfromabove GBAtemp Fan

    I really like this thread. Thanks for the great information!
  8. shinyquagsire23

    shinyquagsire23 SALT/Sm4sh Leak Guy

    If you're documenting history, yifanlu published the first public implementation of Memchunkhax, which I ported to ninjhax as bootstrap, which then forked to Brahma and bootstrap-arm9. Libkhax was another implementation designed to patch the system and exit cleanly, allowing kernel for homebrew. Might be worth mentioning the OSKA/KARL deal as well which happened before Pasta and the subsequent modified RxTools which added signature removals.
    Last edited by shinyquagsire23, Feb 19, 2016
  9. Urbanshadow
    OP

    Urbanshadow GBAtemp Maniac

    I wasn't going that deep because I only have about an hour to say everything, but it's nice having you around here :)
    I will go search for everything you said, but I don't know how much of it would end up in the final talk.

    It's all out there, seriously. It's only hidden or scattered.
  10. Roboman

    Roboman GBAtemp Fan

    Brahma references two exploits because the ARM9 exploit requires ARM11 kernel to execute. The first exploit elevates it to ARM11 kernel, then the second gives ARM9.
    Memchunkhax was fixed in 9.3, but the ARM9 exploit wasn't fixed until 9.5.
    That's why 9.3 ARM9 isn't around.
    (Although with memchunkhax2 it's doable again.)
  11. Mrrraou

    Mrrraou GBAtemp Advanced Maniac

    rohax isn't an ARM9 exploit. In 5.0 to 9.2, it's firmlaunchhax, which needs to be done as Kernel11.
  12. GalladeGuy

    GalladeGuy Freeze Kirby :3

    Wait, then what's Rohax?
  13. Mrrraou

    Mrrraou GBAtemp Advanced Maniac

    It's an exploit in a service which allows you to take it over, to be able to access more RAM.
  14. GalladeGuy

    GalladeGuy Freeze Kirby :3

    Ahh, I see. Thanks for clearing that up!
  15. Quantumcat

    Quantumcat Dead and alive

    Thanks for providing this history, it is useful. However, there are a lot of members of this forum who live in the southern hemisphere. Where I live, Summer is December-February and Winter is June-August. So it makes it really confusing to follow your timeline. Fixed for inclusivity:

  16. Mrrraou

    Mrrraou GBAtemp Advanced Maniac

    By the way, for the "timeline":
    It's not the 0x11 keyslot, but the whole decrypted N3DS secret sector that leaked. And the devs went into the 1.0 land, not 2.1, since they had Cubic Ninja.
    IIRC, 10.4 occurred before the leaked secret sector.
    Firm replacement wasn't found; it was a known vulnerability.
  17. The Real Jdbye

    The Real Jdbye Always Remember 30/07/08

    MSET 6.X existed for a long time before HBL, but it was not very useful because we had no ARM9/ARM11 kernel exploit for 5.0+ at the time, so it was only useful for simple homebrew, and there was not much of a homebrew ecosystem at the time.
  18. Urbanshadow
    OP

    Urbanshadow GBAtemp Maniac

    Ugh, that's entirely on me. Give me a second, I'll change it to quarter notation.

    Oh, so the later one was its implementation in rxtools. Do you happen to know approximately when in the timeline it appeared?

    Yup, but the vulnerability itself consists of running a different system titles version with a lower minor version of a FIRM, doesn't it? This makes it possible to recover mch2 and run it on 10.4 and 10.5 system titles, thus allowing a downgrade from there. (I mean, the phrase needs rewording, but it's not entirely wrong, is it?)

    EDIT: Merged the info into the OP, just for clarification. Your contributions are very helpful!
    Last edited by Urbanshadow, Feb 21, 2016
  19. Mrrraou

    Mrrraou GBAtemp Advanced Maniac

    No, it's because only the revision (<KERNEL_VERSIONMAJOR>.<KERNEL_VERSIONMINOR>-<KERNEL_VERSIONREVISION>) has changed since 9.6, and the titles are just saying which major version and which minor version they want, so it allows downgrading to a 9.6 FIRM and lower.
    Last edited by Mrrraou, Feb 21, 2016
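As an added illustration of the partial version pin Mrrraou describes above, and not code from this thread, from 3dbrew, or from any 3DS firmware or homebrew project, here is a toy Python model: a title states only the kernel major.minor it needs, so every FIRM whose kernel differs from the installed one only in revision still satisfies the check, and that is exactly the set of versions a NAND rewrite can roll the system back to. Everything in the block (the `KernelVersion` type, the `FIRMS` table and its version numbers, and the `accepts_*` / `downgrade_window` function names) is constructed for the example; the numbers are not real 3DS kernel versions.

```python
"""
Toy model of a version check that pins only a prefix of the version.
Constructed for illustration; NOT 3DS firmware code. The FIRM labels,
kernel version numbers and function names are all made up.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True, order=True)
class KernelVersion:
    """<MAJOR>.<MINOR>-<REVISION>; `order=True` compares field by field."""
    major: int
    minor: int
    revision: int

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}-{self.revision}"


# Constructed table: system version -> kernel version carried by its FIRM.
# Chosen so that only the revision changes from "9.6" onward, mirroring the
# situation described in the thread; the numbers themselves are invented.
FIRMS: Dict[str, KernelVersion] = {
    "9.0": KernelVersion(2, 46, 0),
    "9.3": KernelVersion(2, 47, 0),
    "9.5": KernelVersion(2, 48, 0),
    "9.6": KernelVersion(2, 50, 0),
    "10.0": KernelVersion(2, 50, 1),
    "10.4": KernelVersion(2, 50, 5),
    "10.5": KernelVersion(2, 50, 6),
    "10.6": KernelVersion(2, 50, 7),
}

Check = Callable[[KernelVersion, KernelVersion], bool]


def accepts_major_minor(required: KernelVersion, firm: KernelVersion) -> bool:
    """Weak check: the title only says which major.minor it wants, so any
    revision of that kernel line (older or newer) satisfies it."""
    return (firm.major, firm.minor) >= (required.major, required.minor)


def accepts_full_version(required: KernelVersion, firm: KernelVersion) -> bool:
    """Strict check: the title pins the whole major.minor-revision triple."""
    return firm >= required


def downgrade_window(required: KernelVersion, check: Check,
                     firms: Dict[str, KernelVersion] = FIRMS) -> List[str]:
    """Labels of the FIRMs the given check still accepts for a title built
    against `required`: the versions a direct NAND rewrite could install
    without that title refusing to start."""
    return [label for label, kv in firms.items() if check(required, kv)]


def oldest_reachable(required: KernelVersion, check: Check,
                     firms: Dict[str, KernelVersion] = FIRMS) -> Optional[str]:
    """The lowest FIRM (by kernel version) inside the downgrade window."""
    window = downgrade_window(required, check, firms)
    return min(window, key=lambda label: firms[label]) if window else None


if __name__ == "__main__":
    installed = FIRMS["10.5"]  # pretend the system titles were built for 10.5
    for name, check in (("major.minor only", accepts_major_minor),
                        ("full triple", accepts_full_version)):
        print(f"{name:17} -> window {downgrade_window(installed, check)}, "
              f"oldest {oldest_reachable(installed, check)}")
```

The point generalizes beyond the 3DS: a rollback check is only as fine-grained as the narrowest version field it actually compares, and a check performed in software by the very image being replaced cannot stop someone who can write the storage directly, which is why robust anti-rollback relies on a monotonic counter kept in hardware rather than on version strings alone.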