Rom modding on 9.9 ??

Discussion in '3DS - ROM Hacking, Translations and Utilities' started by puss2puss, Aug 12, 2015.

  1. puss2puss
    OP

    Hell-o gba tempers and temperesses!
    I have a small question that I think I already have the answer to, but I just want to make sure before downgrading my NAND...

    ...On N3DS 9.9, is there a way to mod game ROMs? Knowing that we can't install CIAs and cannot use a CFW, I still hope there's a way to use an FsLayered plugin or something similar..
    ..If I don't have any choice, I'll flash my NAND with my 9.2 backup..

    Thanks.
     
  2. Rusb

    Smea said on Twitter that he had an idea to do that for Ninjhax users (if I remember correctly), but nothing more than that.
     
    Margen67 likes this.
  3. The Real Jdbye

    I doubt that will be possible on 9.9 since it's just one step away from ROM loading :P
    It'd likely need a kernel exploit. It's possible with ARM11 kernel alone (NTR-CFW can do it and only has ARM11 kernel) and some people are speculating that Ninjhax 2.0 does in fact have ARM11 kernel access, but I'm not so sure I believe that.
     
  4. Rusb

    Ninjhax ARM11 kernel access... I think not, not by itself; it can be used as an entry point for other (unknown) exploits, but Smea being as anti-piracy as he is, I doubt he'll release that. And the game shouldn't have that level of privileges.
     
  5. The Real Jdbye

    It doesn't, but ninjhax uses a series of exploits to gain more permissions. Without that, even running basic homebrew wouldn't be possible. One of the exploits Ninjhax used was patched in 9.3 and it's uncertain what's being used in place of that in Ninjhax 2.0, but people more experienced with hacking than you or I seem relatively sure that Ninjhax 2.0 has ARM11 kernel access. Of course this isn't exposed to homebrew though :P
     
  6. Rusb

    For now I'll try to make the game crash and find how many bytes I can use to run code; if I find the thing Smea is using, it'll be easy to make a hello world. But only experimental, I don't know enough to do something more :\

    (Of course, maybe I can't achieve it xD)
     
  7. WateredFire19

    Wait for the Ninjhax 2.0 source code release.
     
    Jwiz33 likes this.
  8. puss2puss
    OP

    ARM11 on NH2: if that were the case, wouldn't we already have the ability to make a CFW for it? Or are people waiting for GW to update?
    ..Anyway, if I want to mod my games this week, I guess I definitely need to downgrade to 9.2 then, right?..
     
  9. The Real Jdbye

    Making the game crash is only the first step... from there you need to figure out how to make it do something useful (e.g. execute a carefully crafted ROP chain that exploits a specific part of the system to gain unsigned code execution), then you go from there and exploit other parts of the system to gain more permissions. That's pretty much how Ninjhax 1.0 works; check http://smealum.net/?p=517 for the details. I'm pretty sure he's intentionally leaving out some parts of the explanation, but it's fairly detailed.

    A proper CFW needs ARM9 kernel. And no one's RE'd Ninjhax 2.0 fully yet, nor is it open source, so we're not exactly sure how it works, or what would be needed to make use of the ARM11 kernel access.
     
  10. Rusb


    Can't you use the framebuffer address to write directly to it, only exploiting the game? :\ You know, override the return address and run the code on the stack; I did it with older versions of Adobe Reader and PoCs of known program bugs, but never tried it on the 3DS.
     
  11. The Real Jdbye

    Normal executable memory isn't writable by the game; that's why Ninjhax 1.0 exploits part of the system so it can mark accessible regions of memory as executable. This was the exploit that was patched in 9.3, and I don't know how Ninjhax 2.0 does it. Maybe the other way around, marking already executable memory regions as writable? :P
    The 3DS is a completely different beast than computers or most smartphones; everything is locked down at the CPU level.
     
  12. Rusb

    Okay :wacko::glare:
     
  13. Megalegacy98

    What about TDVS? Is that way different?
     
  14. Rusb

    TDVS is a savedata dumper/injector.
     
  15. Megalegacy98

    ...Yeah, now that I think of it they are wayyyyy different xD
     
  16. sat

    Not possible. Ever.
     
  17. puss2puss
    OP

    You don't know what you're talking about lol
     
  18. probablygay

    nvm
     
    Last edited by probablygay, Aug 23, 2015
  19. gamesquest1

    .......errrr, if you need to use tubehax to load the out-of-region CN, then you would still need internet access
     
  20. probablygay

    Oh, shit. I'm retarded. Pardon me.
     
    gamesquest1 likes this.