Thread Status:
Not open for further replies.
  1. tony_2018

    tony_2018 GBAtemp Psycho!
    Member

    Joined:
    Jan 3, 2014
    Messages:
    3,107
    Country:
    United States

    I really wish I knew coding instead of getting into SaaS storage...sorry dude.
     
    Margen67 likes this.
  2. Rokkubro

    OP Rokkubro GBAtemp Regular
    Member

    Joined:
    Apr 4, 2014
    Messages:
    115
    Country:
    Cool thanks, I'll keep you posted if anything comes up!
     
  3. WulfyStylez

    WulfyStylez SALT/Bemani Princess
    Member

    Joined:
    Nov 3, 2013
    Messages:
    1,149
    Country:
    United States


    Just a few things I noticed.
     
  4. Rokkubro

    OP Rokkubro GBAtemp Regular
    Member

    Joined:
    Apr 4, 2014
    Messages:
    115
    Country:
    I think I understand the method you refer to now.

    To do this, I need to exploit memchunkhax via gspwn using Gsp::GPU within ninjhax to write to axiwram, then I need to write to the FIRM area that arm9 boots from and trigger a soft reboot. I can find this method with the old 3ds's memory addresses in the gateway file, albeit with a slightly different second stage which runs from userland. I could deobfuscate the gateway launcher.dat, and translate using the excellent address mapping info on 3dbrew or just have some fun and do it from scratch.

    If I've made any mistakes anyone feel free to correct me, otherwise I'll see you all in a couple of weeks! (Nah, I'll post updates every couple of days or so, I promise...)
     
    Margen67 likes this.
  5. Apache Thunder

    Apache Thunder I have cameras in your head!
    Member

    Joined:
    Oct 7, 2007
    Messages:
    4,283
    Country:
    United States
    From what I understand, the exploit is timing based and you have to write to a certain address after the command to reboot Arm9 is sent, as it checks the code to make sure it's signed correctly and is in a memory address only it can see. Then it will reboot. But before it does, Arm11 changes the code in that region quickly before Arm9 has a chance to reboot. When Arm9 reboots, it reads it. That's from what I understand of it from reading yifan_lu's blog page on it. Just making sure you didn't forget about that. ;)
     
    Slushie3DS likes this.
  6. Rokkubro

    OP Rokkubro GBAtemp Regular
    Member

    Joined:
    Apr 4, 2014
    Messages:
    115
    Country:
    Thanks! I hadn't forgotten but I did forget to write it up :/. This relates to why I was saying earlier that this part of the exploit was fairly complicated compared to memchunkhax; because it has the setup. Anyway I need to get some sleep, I've been working on this for too long... I'll see you all tomorrow! I might share a few snippets...
     
    mercluke likes this.
  7. WulfyStylez

    WulfyStylez SALT/Bemani Princess
    Member

    Joined:
    Nov 3, 2013
    Messages:
    1,149
    Country:
    United States
    If you're not familiar with the 3DS, you'll need some background on how a lot of things work that aren't really covered by anybody's documentation. Try tearing apart yellows8's leaked 'cfw' and GW's pre-2.0 launcher and you'll learn loads about the platform. I say this assuming you haven't already done it, though.

    You mention doing firmlaunch-hax, but do you even know what that's used for? It's not in Yifan's documentation per se.
     
  8. Rokkubro

    OP Rokkubro GBAtemp Regular
    Member

    Joined:
    Apr 4, 2014
    Messages:
    115
    Country:
    Gateway stage 3 uses firmlaunchhax, and therefore it is in Yifanlu's documentation, see here.
     
  9. peter14ji

    peter14ji Member
    Newcomer

    Joined:
    Dec 28, 2014
    Messages:
    21
    Country:
    Switzerland
    I think a skater-based exploit would be helpful for those who can't afford to buy a copy of Cubic Ninja (which has a skyrocketed collector's price) or a Sky3DS. Please keep this on your to-do list. And Cell9 already has a code insert platform called NTR CFW working on 4.5. Just use his work if he agrees.
     
    Azel likes this.
  10. shinyquagsire23

    shinyquagsire23 SALT/Sm4sh Leak Guy
    Member

    Joined:
    Nov 18, 2012
    Messages:
    1,970
    Country:
    United States
    Eh, I made an attempt at getting ARM11 kernel from ninjhax. So far no go, it crashes with svc 0x8 (or rather, it never enters ARM11 kernel at all or seemingly never returns from the svc). Also tried it on my N3DS, it has a newer kernel version (22e0000) for which I don't know the patch offset for svcCreateThread. I'm guessing though that part of the issue with my 3DS is that it's on 4.5, it seems the ARM11 kernel loader that yifanlu has is based more on that version (although I at least got gspwn to write properly and I believe I got it to write the value to the kernel right). Not sure what it could be aside from maybe a stack issue or something, idk. Also, apparently something I did with gspwn makes it so I can take out my cartridge while my homebrew runs. Neat.
     
    Rokkubro and VinsCool like this.
  11. Rokkubro

    OP Rokkubro GBAtemp Regular
    Member

    Joined:
    Apr 4, 2014
    Messages:
    115
    Country:
    Hey, well if you managed to make it possible for the cartridge to be removed, RegionThree may be possible on the N3DS which is interesting... so many different things to look at now, I may have to go back to my original approach if it isn't possible to get Arm11 kernel from within ninjhax, and I was making progress too (or so I thought). :(
     
  12. shinyquagsire23

    shinyquagsire23 SALT/Sm4sh Leak Guy
    Member

    Joined:
    Nov 18, 2012
    Messages:
    1,970
    Country:
    United States
    Well I'm sure it's possible, gspwn works just fine under ninjhax. I probably just messed something up or my 3DS is just at a bad version to test it at. You could probably also fit it into the secondary exploit of ninjhax (after you scan the QR code initially) so that it would work from there to launch stuff. The problem as of now it seems is that you can't even launch applications from ninjhax, and even if I threw my code in the earlier stages of ninjhax it probably wouldn't work (but who knows?). The thing is though, I'm not sure what actually causes this to happen at all, it's quite odd.
     
  13. Rokkubro

    OP Rokkubro GBAtemp Regular
    Member

    Joined:
    Apr 4, 2014
    Messages:
    115
    Country:
    Yeah, originally it was my thought to load the exploit through the second stage of the ninjhax exploit, but when Yifan said this was possible I switched to doing this because obviously it's a lot faster and easier... Unsure of why you're having trouble though... Just having a quick look at it, it appears to be a quick and dirty port of the gateway exploit, have you tried cutting out the obfuscation? And would you mind terribly if I messed around with it? I'd prefer to try to use this method for as long as I can...
     
  14. shinyquagsire23

    shinyquagsire23 SALT/Sm4sh Leak Guy
    Member

    Joined:
    Nov 18, 2012
    Messages:
    1,970
    Country:
    United States
    Feel free to mess with it, all the testing the better. I take no credit at all for that port since it's just a port from yifanlu's stuff. I'm not terribly sure what the obfuscation is for tbh, it could be for something, but it could also not be for anything at all. If you're on 8.1 or above, I'd change the patch offset in the arm11 kernel method to what it is in yifanlu's code, maybe it'll work then. I had it set to the 4.1 value and it didn't work for me.
     
  15. marksteele

    marksteele GBAtemp Advanced Fan
    Member

    Joined:
    Jan 16, 2011
    Messages:
    823
    Country:
    Canada
    I can't really contribute here (as I only vaguely understand what you're attempting), but I do want to say that I think it's great that you're not only trying a new way to hack the N3DS but also making it public. Far too many people keep these kinds of things in private or small hidden collaborative groups (I get the reasons but...). Anyway, who knows, perhaps I'll start following this and learn a thing or 2 :P
     
  16. enarky

    enarky owls?
    Member

    Joined:
    Jul 31, 2003
    Messages:
    1,198
    Country:
    Afghanistan
    Prices are way down again. Currently goes for 25 EUR over here, amazon.com has it for 17 USD.
     
  17. Kracken

    Kracken GBAtemp Regular
    Member

    Joined:
    Jan 12, 2015
    Messages:
    257
    Country:
    United States
    JPN prices are a lot higher, plus shipping costs. I think many people are hoping this would be a way to play US/EU games on JPN N3DS. That was my hope, but at this point waiting for GW support is probably a better option as I already own a GW card.
     
  18. WulfyStylez

    WulfyStylez SALT/Bemani Princess
    Member

    Joined:
    Nov 3, 2013
    Messages:
    1,149
    Country:
    United States
    Yes, but what I was getting at was the fact that Gateway does more during/after the reboot that Yifan didn't cover, and you're going to want to be familiar with what it does if you want to do anything useful on 9.2 or run newer emunand versions.
     
  19. Rokkubro

    OP Rokkubro GBAtemp Regular
    Member

    Joined:
    Apr 4, 2014
    Messages:
    115
    Country:

    The patch offset for svcCreateThread is identical for old3ds and new3ds 8.0-9.2 as they have the same physical address mapping for AXIWRAM (0x1FF00000), you can see this on 3dbrew here. I made an extremely small edit to your code (just changed the final else to the correct patch address instead of printing unknown kversion, as I don't know the correct kversion for old3ds 9.0) and I've been able to remove the cubic ninja cartridge and get the weird crash you were talking about. I'll keep looking at it to see why it's occurring, but at the moment I'm as stumped as you are.

    Edit: By the way, does it just repeat 'deadead' for you, as if it keeps trying to verify it has kernel code execution? And I think the ability to remove the cartridge is useless, it appears to be a complete system crash...
    Edit2: And nope, it's not useless, I can get it to do things while the cartridge is out.
     
    flashh likes this.
  20. WulfyStylez

    WulfyStylez SALT/Bemani Princess
    Member

    Joined:
    Nov 3, 2013
    Messages:
    1,149
    Country:
    United States
    noooooooooooooonononononono. Just because the kernel is loaded to the same location in memory doesn't mean its offsets are the same. N3DS has its own NATIVE_FIRM because there's a bunch of new stuff the system has to do. Thus, every single specific patch offset for 9.x old 3DS will differ.
    You should be getting your offsets from N3DS NATIVE_FIRM, not conjecture. You can grab it from NUS and decrypt it with an exploitable old 3DS. It's like super duper critical that you familiarize yourself with the NATIVE_FIRM of the system and sw version you're trying to hack. If you plan on doing almost everything you mentioned wanting to do, you're going to need to map out quite a few things in Process9 in order to make patches.
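    Added example for the two points raised above (Apache Thunder's description of the check-then-reboot race, and WulfyStylez's advice to get familiar with NATIVE_FIRM itself). This is not code from the thread, from Gateway, or from Yifan's write-up. It parses a FIRM header as laid out on 3dbrew (section table at 0x40, four 0x30-byte entries of offset/physical address/size/copy method/SHA-256, RSA-2048 signature at 0x100), verifies the section hashes, and then contrasts two loader orderings over a buffer a second core can still write to: checking hashes in the shared buffer and copying afterwards, versus copying into private memory first and verifying the copy. The signature is not checked here, the entrypoints and physical addresses are placeholders, and the payloads and the "other core" callback are constructed for the demo.

```python
import hashlib
import struct

FIRM_MAGIC = b"FIRM"
HEADER_SIZE = 0x200        # header incl. the RSA-2048 signature at 0x100 (not checked here)
SECTION_HDR_OFF = 0x40
SECTION_HDR_SIZE = 0x30
NUM_SECTIONS = 4


def parse_firm_header(image):
    """Return (arm11_entry, arm9_entry, sections) following the FIRM layout on 3dbrew.
    Unused section slots (size 0) are skipped; a section pointing outside the image
    is rejected before anything is hashed or copied."""
    if len(image) < HEADER_SIZE or image[:4] != FIRM_MAGIC:
        raise ValueError("not a FIRM image")
    _prio, arm11_entry, arm9_entry = struct.unpack_from("<III", image, 4)
    sections = []
    for i in range(NUM_SECTIONS):
        base = SECTION_HDR_OFF + i * SECTION_HDR_SIZE
        offset, address, size, method = struct.unpack_from("<IIII", image, base)
        if size == 0:
            continue
        if offset < HEADER_SIZE or offset + size > len(image):
            raise ValueError(f"section {i} lies outside the image")
        sections.append({"offset": offset, "address": address, "size": size,
                         "method": method, "sha256": bytes(image[base + 0x10:base + 0x30])})
    return arm11_entry, arm9_entry, sections


def verify_sections(image):
    """Parse the header and check every section's SHA-256 against its header hash."""
    _, _, sections = parse_firm_header(image)
    for sec in sections:
        data = image[sec["offset"]:sec["offset"] + sec["size"]]
        if hashlib.sha256(data).digest() != sec["sha256"]:
            raise ValueError(f"hash mismatch for section at {sec['address']:#010x}")
    return sections


def build_firm(sections, arm11_entry=0, arm9_entry=0):
    """Assemble a FIRM image from (physical address, payload) pairs: sections laid out
    back to back after the header, copy method field set to 2, zeroed signature,
    placeholder entrypoints."""
    header = bytearray(HEADER_SIZE)
    header[:4] = FIRM_MAGIC
    struct.pack_into("<III", header, 4, 0, arm11_entry, arm9_entry)
    body = bytearray()
    for i, (address, payload) in enumerate(sections):
        base = SECTION_HDR_OFF + i * SECTION_HDR_SIZE
        struct.pack_into("<IIII", header, base, HEADER_SIZE + len(body), address, len(payload), 2)
        header[base + 0x10:base + 0x30] = hashlib.sha256(payload).digest()
        body += payload
    return bytearray(header + body)


def load_check_then_copy(shared, other_core):
    """Vulnerable order: hashes are checked against the shared buffer and the sections
    are then copied from that same buffer. `other_core` models what the second
    processor does in between; whatever it writes is loaded unchecked."""
    sections = verify_sections(shared)
    other_core(shared)
    return {s["address"]: bytes(shared[s["offset"]:s["offset"] + s["size"]]) for s in sections}


def load_copy_then_check(shared, other_core):
    """Hardened order: snapshot the image into memory the other core cannot reach,
    then verify and load from the snapshot only. A write that lands before the
    snapshot is caught by the hash check; one that lands after it is ignored."""
    private = bytes(shared)
    other_core(shared)
    sections = verify_sections(private)
    return {s["address"]: private[s["offset"]:s["offset"] + s["size"]] for s in sections}


# Constructed sample: a NOP sled as the "ARM11 section" and a branch-to-self loop as
# the "ARM9 section"; the physical addresses are illustrative only.
ARM11_ADDR, ARM9_ADDR = 0x1FF00000, 0x08006800
GOOD_ARM11 = b"\x00\xf0\x20\xe3" * 8    # e320f000: nop
GOOD_ARM9 = b"\xfe\xff\xff\xea" * 8     # eafffffe: b .
EVIL_ARM11 = b"\x41" * len(GOOD_ARM11)  # hypothetical attacker payload, same size


def swap_section0(buf):
    """Stand-in for the other core overwriting section 0 in place
    (build_firm puts section 0 directly after the header)."""
    buf[HEADER_SIZE:HEADER_SIZE + len(EVIL_ARM11)] = EVIL_ARM11


def demo():
    """Run both loader orderings against the same image and the same concurrent
    writer; return what each ends up loading at the ARM11 section address."""
    image = build_firm([(ARM11_ADDR, GOOD_ARM11), (ARM9_ADDR, GOOD_ARM9)])
    vulnerable = load_check_then_copy(bytearray(image), swap_section0)
    hardened = load_copy_then_check(bytearray(image), swap_section0)
    return vulnerable[ARM11_ADDR], hardened[ARM11_ADDR]


if __name__ == "__main__":
    v, h = demo()
    print("check-then-copy loaded attacker bytes:", v == EVIL_ARM11)
    print("copy-then-check loaded original bytes:", h == GOOD_ARM11)
```

    The point of the two loaders is the ordering, not the hash: the same `verify_sections` passes in both, but only the second one verifies the bytes it actually executes. Real FIRM loading also has to check the header signature and handle the copy method per section; both are left out so the ordering stays visible.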
     