Soundhax: a new primary 3DS entrypoint

Discussion in '3DS - Homebrew Development and Emulators' started by cheuble, Dec 28, 2016.

  1. cheuble
    OP

    cheuble Marieism™

    Member
    714
    1,342
    Feb 6, 2016
    France
    Somewhere
    The long awaited soundhax by nedwill is finally here!

    Soundhax is a new primary entrypoint discovered in the "Nintendo 3DS Sound" application, which loads the homebrew launcher via a .m4a file. The exploit was shown and explained during the 33c3 talk. It relies on a heap overflow in tag processing that leads to code execution when a specially-crafted m4a file is loaded by Nintendo 3DS Sound.

    Exploits are tested and are confirmed working on USA, EUR and JPN region, works on Old3DS/2DS and New 3DS, on the latest firmware. At the moment KOR, CHN and TWN systems aren't working yet.

    How to use?

    Download the .m4a file corresponding to your region and model from the official website. Generate an otherapp payload for your model/region/version, and put it at the root of your SD. It has to be renamed "otherapp.bin". Then, simply start the sound application, and load the m4a file. Please note that this doesn't have a 100% success rate, so it may take a few tries.


    Official Website
    Github
    Otherapp payload
     
    Last edited by xtheman, Dec 30, 2016 - Reason: Fixed otherapp payload link.
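    The OP describes the bug class (a heap overflow in tag processing, triggered by a length the file controls) but not the parser itself. The following is an added illustration, not code from the thread, from nedwill, or from the 3DS Sound application: a constructed, simplified tag format (4-byte big-endian payload length, 4-byte id, payload) parsed into a fixed-capacity record, with the unchecked copy pattern shown next to a checked parser that validates the declared length against both the remaining input and the record capacity. All names, the tag layout and the sample bytes are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, simplified tag format for this example (NOT the real Nintendo
 * 3DS Sound / m4a parser): each tag is [4-byte big-endian length][4-byte id]
 * [payload], where length counts payload bytes only. The payload is copied
 * into a fixed-capacity record, the kind of object that would sit on a heap. */
#define TAG_HEADER_LEN 8
#define TAG_PAYLOAD_MAX 16

typedef struct {
    char id[5];                       /* tag id, NUL-terminated */
    uint8_t payload[TAG_PAYLOAD_MAX]; /* fixed-capacity payload buffer */
    size_t payload_len;
} tag_record;

enum { TAG_OK = 0, TAG_ERR_SHORT = -1, TAG_ERR_TRUNCATED = -2, TAG_ERR_TOO_BIG = -3 };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Bug pattern: the length declared in the file is trusted for the copy into
 * a fixed record, so a tag declaring more than TAG_PAYLOAD_MAX bytes writes
 * past the record into whatever follows it. Shown only for contrast with the
 * checked parser below; nothing in this example calls it. */
void parse_tag_unchecked(const uint8_t *buf, tag_record *out) {
    uint32_t len = be32(buf);
    memcpy(out->id, buf + 4, 4);
    out->id[4] = '\0';
    memcpy(out->payload, buf + TAG_HEADER_LEN, len); /* no bound on len */
    out->payload_len = len;
}

/* Checked parser: the header must fit in the input, the declared payload must
 * fit in the remaining input, and the payload must fit in the record. */
int parse_tag_checked(const uint8_t *buf, size_t buf_len, tag_record *out) {
    if (buf_len < TAG_HEADER_LEN) return TAG_ERR_SHORT;
    uint32_t len = be32(buf);
    /* Subtract on the known-larger side so no len + header addition can wrap. */
    if (len > buf_len - TAG_HEADER_LEN) return TAG_ERR_TRUNCATED;
    if (len > TAG_PAYLOAD_MAX) return TAG_ERR_TOO_BIG;
    memcpy(out->id, buf + 4, 4);
    out->id[4] = '\0';
    memcpy(out->payload, buf + TAG_HEADER_LEN, len);
    out->payload_len = len;
    return TAG_OK;
}

/* Constructed sample: a well-formed 5-byte "name" tag. */
static const uint8_t good_tag[] = {
    0x00, 0x00, 0x00, 0x05, 'n', 'a', 'm', 'e', 'h', 'e', 'l', 'l', 'o'
};

/* Constructed sample: declares 64 payload bytes and really carries them, so
 * only the record-capacity check stands between the copy and an overflow. */
static uint8_t oversized_tag[TAG_HEADER_LEN + 64];
static void build_oversized(void) {
    memset(oversized_tag, 'A', sizeof oversized_tag);
    oversized_tag[0] = 0; oversized_tag[1] = 0; oversized_tag[2] = 0; oversized_tag[3] = 64;
    memcpy(oversized_tag + 4, "name", 4);
}

int demo_good(void) { tag_record r; return parse_tag_checked(good_tag, sizeof good_tag, &r); }
int demo_good_payload_is_hello(void) {
    tag_record r;
    if (parse_tag_checked(good_tag, sizeof good_tag, &r) != TAG_OK) return 0;
    return r.payload_len == 5 && memcmp(r.payload, "hello", 5) == 0;
}
int demo_oversized(void) {
    tag_record r;
    build_oversized();
    return parse_tag_checked(oversized_tag, sizeof oversized_tag, &r);
}
/* Constructed sample: declares 10 payload bytes but the input holds only 1. */
int demo_truncated(void) {
    tag_record r;
    const uint8_t t[] = { 0x00, 0x00, 0x00, 0x0a, 'n', 'a', 'm', 'e', 'x' };
    return parse_tag_checked(t, sizeof t, &r);
}

int main(void) {
    printf("good=%d oversized=%d truncated=%d\n",
           demo_good(), demo_oversized(), demo_truncated());
    return 0;
}
```

The two rejections are deliberately distinct: a declared length that exceeds the remaining input is a truncated or malformed file, while a declared length that exceeds the record capacity is exactly the condition the unchecked version would turn into an out-of-bounds write. Keeping the comparison on the input side as a subtraction rather than an addition avoids the integer wrap that would otherwise let a huge length pass the first check.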
  2. TheKingy34

    TheKingy34 what has happened?

    Member
    798
    2,602
    Feb 21, 2016
    United Kingdom
    England I guess
    It's time.
     
    Amani and smileyhead like this.
  3. NoNAND

    NoNAND GBAtemp Advanced Fan

    Member
    683
    156
    Aug 22, 2015
    Ireland
    Pikachu City
    PLEASE MAKE IT WORK ON EUR CONSOLE!
     
    smileyhead likes this.
  4. TheKingy34

    TheKingy34 what has happened?

    Member
    798
    2,602
    Feb 21, 2016
    United Kingdom
    England I guess
    It possibly will, it just hasn't been tested on an EUR console, and the exploit isn't ready atm.
     
    Last edited by TheKingy34, Dec 28, 2016
    The9thBit, smileyhead and NoNAND like this.
  5. xtheman

    xtheman GBAtemp Guru

    Member
    5,847
    5,279
    Jan 28, 2016
    United States
    Oh fuck yeah!
    (Downloads now)
     
  6. ImCarlosGG

    ImCarlosGG GBAtemp Fan

    Member
    352
    159
    Sep 21, 2015
    Spain
    Virtual World
    Last edited by ImCarlosGG, Dec 28, 2016
  7. TheKingy34

    TheKingy34 what has happened?

    Member
    798
    2,602
    Feb 21, 2016
    United Kingdom
    England I guess
    *JPN might possibly work, but it isn't tested.

    Also note that this doesn't boot into homebrew yet.
     
    Last edited by TheKingy34, Dec 28, 2016
  8. StarTrekVoyager

    StarTrekVoyager Soon™

    Member
    1,009
    1,100
    Jun 19, 2016
    France
    Paris
    Oh my gosh, so I've spent an additional €80 for an MHGen N3DSXL on 10.7 for nothing? -_-
     
  9. cheuble
    OP

    cheuble Marieism™

    Member
    714
    1,342
    Feb 6, 2016
    France
    Somewhere
    Check OP, it was edited. So I tried to run the file on my EUR console, but it just said "Unable to read"
     
  10. TheKingy34

    TheKingy34 what has happened?

    Member
    798
    2,602
    Feb 21, 2016
    United Kingdom
    England I guess
    So EUR doesn't work yet.
     
    Last edited by TheKingy34, Dec 28, 2016
  11. Erikku

    Erikku GBATemp's Official Cancer Treatment

    Member
    251
    220
    Jan 21, 2016
    United States
    The channel description
    Edit: Ninja'd

    also u beat me op, thx
     
    cheuble likes this.
  12. cheuble
    OP

    cheuble Marieism™

    Member
    714
    1,342
    Feb 6, 2016
    France
    Somewhere
    yet
     
  13. H1B1Esquire

    H1B1Esquire RxTools, the ultimate CFW machine.

    Member
    1,788
    1,364
    Nov 2, 2016
    United States
    Earth, bro-dude.
    Maybe this is why f-shop got dm©®'d. An influx of millions of bros trying to downgrade to get those titles, but bricking and trying to return the systems to Nintendo. Probably not, though.


    Really cool this isn't that other guy with bad MP3s.
     
    Erikku likes this.
  14. TheKingy34

    TheKingy34 what has happened?

    Member
    798
    2,602
    Feb 21, 2016
    United Kingdom
    England I guess
    Sorry, but this is your answer.
     
  15. ShinyMK

    ShinyMK known as @initPRAGMA

    Member
    1,507
    532
    Dec 29, 2015
    127.0.0.1
    -snip-
     
    Last edited by ShinyMK, Dec 28, 2016
  16. TheVinAnator

    TheVinAnator GBATemp's Greatest Vin

    Member
    3,605
    2,641
    Jan 10, 2016
    Canada
    NO COFFEI!
    So I've tested it on my A9LH USA 11.2 New 3DS XL. I put the sound file on the root of my SD along with the matching otherapp.bin. On my first try it crashed, on my second try I booted into homebrew! It works ^_^.

    Nah you would still need a second 3ds or a compatible DSiWare game that has been pulled.
     
    NoNAND likes this.
  17. NoNAND

    NoNAND GBAtemp Advanced Fan

    Member
    683
    156
    Aug 22, 2015
    Ireland
    Pikachu City
    Where can I download the needed files?
     
  18. cheuble
    OP

    cheuble Marieism™

    Member
    714
    1,342
    Feb 6, 2016
    France
    Somewhere
    A quick update: thanks to @TheVinAnator, I can confirm the exploit works on USA consoles!!! To do so, download the .m4a file from the repo and then put an "otherapp.bin" (generate them from there) at the root of your SD. The exploit doesn't have a 100% boot rate though, so it might take multiple tries.
    EDIT: :ph34r:'d
    2nd EDIT: It might work with JPN consoles too. Someone with a JPN one should try that.
     
    Last edited by cheuble, Dec 28, 2016
    TheVinAnator likes this.
  19. TheVinAnator

    TheVinAnator GBATemp's Greatest Vin

    Member
    3,605
    2,641
    Jan 10, 2016
    Canada
    NO COFFEI!
    Look above me :P
     
  20. Darkyose

    Darkyose Mysterious

    Member
    792
    1,542
    Jan 26, 2016
    United States
    Home Alone Somewhere.
    All we need is a way to downgrade now...