Smealum's Ninjhax Writeup

Discussion in '3DS - Homebrew Development and Emulators' started by Psi-hate, Jan 11, 2015.

  1. Psi-hate (OP)
    Smealum recently released his writeup for Ninjhax on his Twitter, so I thought it would possibly help or intrigue some people as to how it works. Here's his tweet with a link to his blog post:

    Smealum: "you asked for it : here's a full technical writeup of ninjhax's inner workings http://smealum.net/?p=517 ; handle with care"

     
    SLiV3R and MarkDarkness like this.
  2. DarkFlare69
    Now can someone make a new ninjhax with kernel access and all RAM?
     
  3. Psi-hate (OP)
    I can hardly think so, considering that it uses a lot of constricted data to even boot up usermode access. Who knows, though. It'd probably have to use another exploit or another way entirely to run that.
     
  4. berichan
    Apologies for my severe lack of 3DS knowledge, and if this makes no sense at all, but smea mentions that

    > The ro system module has access to a number of high-privilege system calls which, among other things, allow it to give regions of memory executable status within its own virtual memory space as well as other processes

    and has access to 0x70. Using the same exploit, would it be possible to create a custom CRO to syscall 0x7B for creating RAM dumps?

    Again, sorry for my limited 3DS knowledge, baby steps :)
     
    Psi-hate likes this.
  5. StapleButter
    Syscall 0x7B isn't easily usable on the ARM11.

    You need to pass it a kernel virtual address while you're typically in user mode, and you need to write your code in a memory region that will be writable in user mode and executable in kernel mode.
     
  6. A Burnt Taco
    I'm in love!
     
  7. filfat
    You really think he wouldn't have done it already if the exploit used in ninjhax allowed you to?
    It's a little bit like saying "now we have the ingredients for a pizza, so let's make pie!"
     
    Arithmatics and Psi-hate like this.
  8. Slushie3DS
    While I was reading, I was hopeful that there would be a way to use the GPU DMA hack to load a minimal homebrew setup through a WebKit exploit, but Smea stated that spider/SKATER's .text is out of range. Hopefully, other people are seeing further than I am.
     
  9. smealum
    You could just do spiderhax => rohax => full code exec under spider.
     
    pelago likes this.
  10. PhoenixWrightX
  11. gudenau
    Just need to find the NAND I/O patches GW uses, then patch the sig checks like in GW, and have a nice CFW!
     
  12. Slushie3DS
    Whoa, I wasn't expecting a reply from you. Doing this would give us the same possibilities as Ninjhax, and would cut out the need for a cartridge, no?
     
  13. smealum
    Spider has access to way less RAM, and it would require an internet connection every time you want to run homebrew, so it would be somewhat impractical.
     
    SLiV3R likes this.
  14. Slushie3DS
    Hmm, I may take a crack at it just for the novelty. It could be used for other things, possibly. Text editors and other trivial stuff.

    So, if spider is out of the equation, can you think of any other way?

    Edit: Also, you're getting thoroughly trashed by some casuals.
     
  15. smealum
    Well, one nice thing about spider is that it's an applet, so it can run concurrently with an application.

    What you could do is essentially the reverse of what ninjhax does, i.e. take over an app from spider rather than take over spider from an app. For instance, have the user run Mii Plaza or whatever, then return to the menu and run spiderhax.

    Of course this makes the booting process more cumbersome, but it would work.
     
    SLiV3R likes this.
  16. Slushie3DS
    My only concern is the POWER. People bend over backwards for the ability to run 3rd party apps. They paid 40 USD+ for a terrible game just to do that, so I'm sure they wouldn't mind a bit of work to get their prize.
     
  17. gudenau
    So, Pokéhax?
     
  18. Slushie3DS
    Wait, smealum, on the OFF chance that we are somehow able to obtain kernel access, would that mean we could somehow use a WebKit exploit to execute code to install a boot.cia from your SDHC? Example: putting the .cia on your SDHC, going to a webpage, and clicking a button activator to start the process, so we could install the homebrew launcher directly to our 3DS home menu.
     
  19. gudenau
    We need the keys before we could do that. (Not the ones we have)
     
  20. Slushie3DS
    (image)
     
    hackotedelaplaqu and sj33 like this.