Toggle sidebar

Hacking [WIP] open source Kernel access on 3DS

  • Thread starter Thread starter aliak11
  • Start date Start date
  • Views Views 232,751
  • Replies Replies 1,003
  • Likes Likes 42
Status
Not open for further replies.
powersaver said:
An informative, concise, 100% correct answer that is 100% directly related to my question(s) is the goal and unfortunately, many in replies (not naming names) this is not what occurs.

I think people are saying in 9.6.x ARM11 user is ok, but is that true? I didn't think so and I thought the quotes I provided prove that, if they don't please explain so, how, and why?
Click to expand...

I answered you 4 posts ago.
You quoted 5.0.0 (and we know that we can execute code in upper firmwares) and it was the ARM9 code execution flaws that were fixed.
Yes, I'm sure that we can execute code in 9.6 userland, because gspwn is not fixed, so we can get out of ROP.
 
  • Like
Reactions: Margen67
motezazer said:
They could fix OOT and CN flaws by a forced game update included in the firmware.
Click to expand...


Of course they can be fixed, but they're not a simple first-party fix like MSET. They clearly have shown that they're not willing to do anything about it yet.
 
  • Like
Reactions: Margen67
Again, isn't Hashtastrophe mistaken? Also, are both Oishikatta and motezazer incorrect and are they both obfuscating and confusing the original question(s)? Full transcript below for your convenience and quotes from wiki too. Oishikatta and motezazer need not reply.

Doesn't CN/ninjahaxx/haxx use 'rohax', which doesn't work on 9.6.x? If so, then I don't see how Hashtastrophe can be correct. Additionally I don't understand how motezazer answered my question.

Hashtastrophe said:
You said entry point, not a chain of exploits resulting in full system access. CN and OoT both can be used to execute your own code in ARM11 userland, even on 9.6 so I'd say they work.

Also that link you requested: http://3dbrew.org/wiki/3DS_Userland_Flaws
Click to expand...
powersaver said:
I think Hashtastrophe is completely mistaken, however can anyone chime in if is Hashtastrophe correct?

"ninjhax is an exploit by smea for the game Cubic Ninja. It was released on November 20th, 2014. It can be used on all 3DS firmware versions from 4.0 up to and including 9.2.0-20. It was partially patched in 9.3.0-X (only system flaws used by ninjhax were fixed, the game haxx itself was not affected). From http://3dbrew.org/wiki/Ninjhax
Click to expand...
Hashtastrophe said:
Uh, you just quoted the part that proves me right. Look under the "Fixed in Version" column on the userland flaws page, see where it says "none"?
You can use CN (and OoT) as a way to get userland ARM11 access. gspwn is still not fixed so you can use that instead of being stuck with ROP.
Click to expand...
Oishikatta said:
Hashtastrophe is not mistaken at all. There is no longer public kernel-mode code execution in the current 3DS firmware, there is ROP and user-mode.
Click to expand...
motezazer said:
You quote 5.0 update, which fixed an ARM9 code execution flaw.
Click to expand...
Oishikatta said:
Can you accept that you're wrong and not respond like I'm an idiot? Read the links. Why do you act like this in every thread.
Click to expand...
motezazer said:
I answered you 4 posts ago.
You quoted 5.0.0 (and we know that we can execute code in upper firmwares) and it was the ARM9 code execution flaws that were fixed.
Yes, I'm sure that we can execute code in 9.6 userland, because gspwn is not fixed, so we can get out of ROP.
Click to expand...
 
powersaver said:
Again, isn't Hashtastrophe mistaken? Also, are both Oishikatta and motezazer incorrect and are they both obfuscating and confusing the original question(s)? Full transcript below for your convenience and quotes from wiki too. Oishikatta and motezazer need not reply.

Doesn't CN/ninjahaxx/haxx use 'rohax', which doesn't work on 9.6.x? If so, then I don't see how Hashtastrophe can be correct. Additionally I don't understand how motezazer answered my question.
Click to expand...


rohax is used after gspwn to gain additional privileges for ninjhax.

Go back and read the thread.

http://gbatemp.net/threads/wip-open-source-kernel-access-on-3ds.383534/page-43
http://gbatemp.net/threads/wip-open-source-kernel-access-on-3ds.383534/page-44
http://gbatemp.net/threads/wip-open-source-kernel-access-on-3ds.383534/page-45

You can have arm11 user. Obviously can't run ninjahax, nobody ever said you could. ROP via CN and ninjhax are completely separate things, why can't you understand that. It's a very simple concept.
 
  • Like
Reactions: Margen67
powersaver said:
Again, isn't Hashtastrophe mistaken? Also, are both Oishikatta and motezazer incorrect and are they both obfuscating and confusing the original question(s)? Full transcript below for your convenience and quotes from wiki too. Oishikatta and motezazer need not reply.

Doesn't CN/ninjahaxx/haxx use 'rohax', which doesn't work on 9.6.x? If so, then I don't see how Hashtastrophe can be correct. Additionally I don't understand how motezazer answered my question.
Click to expand...
Again, CN and OoT's ability to use ROP are not fixed. gspwn is not fixed. This gives us actual code execution under ARM11 userland.
rohax was fixed and so was memchunkhax. Both of these are used after the initial ROP and gspwn.

Also not sure why you quoted from that 5.0.0-11 page. It proves nothing as Ninjhax (and OotThax) was released around 9.0 so it clearly works after 5.0.

That being said, I'm done arguing. You're not correct and other people and practically every page linked proves that.
 
The last pages have been nothing but non-sense mostly.
I still hold my vote up for locking this thread until the OP/Devs ask for it to be opened again.

This could keep going for months until they come back from what they are working on currently.
 
  • Like
Reactions: Margen67, Zidapi, VinsCool and 3 others
powersaver said:
Again, isn't Hashtastrophe mistaken? Also, are both Oishikatta and motezazer incorrect and are they both obfuscating and confusing the original question(s)? Full transcript below for your convenience and quotes from wiki too. Oishikatta and motezazer need not reply.

Doesn't CN/ninjahaxx/haxx use 'rohax', which doesn't work on 9.6.x? If so, then I don't see how Hashtastrophe can be correct. Additionally I don't understand how motezazer answered my question.
Click to expand...
It was the "You quote 5.0 update, which fixed an ARM9 code execution flaw."
Your wiki quote was from the 5.0.0 update, which fixed an ARM9 code execution flaw. It's why they said "however the code execution haxx used by this was fixed."
It was the ARM9 code execution flaws that were fixed.
The ARM9 ones.
We can still have (unprivileged) userland in 9.6
But we can't mark pages as executable (since rohax was fixed), which limit homebrew capablilities.
So, to conclude, we have a good entrypoint if we found deeper system flaws. Not more.
 
Holy freaking crap guys, seriously.
Stop it with that.

You guys sound like kindergarden guys trying to be always above the other with your argument.
I seriously hope this thread gets locked until there is something interesting or the devs finally come back.
 
  • Like
Reactions: Margen67
ShadowOne333 said:
The last pages have been nothing but non-sense mostly.
I still hold my vote up for locking this thread until the OP/Devs ask for it to be opened again.

This could keep going for months until they come back from what they are working on currently.
Click to expand...


The thing is we have 3 separate projects released already now that all give open-source kernel access.

ARM11:

https://gbatemp.net/threads/wip-libkhax-stable-arm11-kernel-access.386648/
https://github.com/shinyquagsire23/bootstrap

ARM9:

https://github.com/patois/Brahma
https://github.com/shinyquagsire23/bootstrap/tree/arm9-kernel


There really isn't any reason for this thread to be open.
 
  • Like
Reactions: Margen67 and ShadowOne333
Oishikatta said:
The thing is we have 3 separate projects released already now that all give open-source kernel access.

ARM11:

https://gbatemp.net/threads/wip-libkhax-stable-arm11-kernel-access.386648/
https://github.com/shinyquagsire23/bootstrap

ARM9:

https://github.com/patois/Brahma
https://github.com/shinyquagsire23/bootstrap/tree/arm9-kernel


There really isn't any reason for this thread to be open.
Click to expand...
And I agree.
I already asked for this thread to be locked, let's hope it does since there is already other threads that are indeed being maintained.
 
Oishikatta said:
The thing is we have 3 separate projects released already now that all give open-source kernel access.

ARM11:

https://gbatemp.net/threads/wip-libkhax-stable-arm11-kernel-access.386648/
https://github.com/shinyquagsire23/bootstrap

ARM9:

https://github.com/patois/Brahma
https://github.com/shinyquagsire23/bootstrap/tree/arm9-kernel


There really isn't any reason for this thread to be open.
Click to expand...

For what it's worth, yifan_lu had libspiderhax which had the ARM11 kernel which I based mine off of, and Brahma was based on the bootstrap code I had developed on top of yifan_lu's code which I ported to ninjhax. But in any case, unless there's actually progress with OSKA we don't know about, there's not a whole lot of reason for this thread to be alive still.
 
  • Like
Reactions: Margen67, Oishikatta and Hashtastrophe
Hey all, here's some clarification. Ninjhax starts out by using a bug in the QR code reading/save reading to gain ROP. This means they can execute through a premade stack to accomplish some stuff. To run actual code, gspwn is used through ROP. This copies a payload from the end of the save payload to executable memory. Since ROP gives us stack access, we can then just branch to it.
Those two exploits (an entrypoint giving ROP, and gspwn to get actual code running) comprise an ARM11 userspace hack. Ninjhax additionally uses rohax to gain control of the ro module, giving access to memory mapping syscalls. That's particularly important for loading homebrew apps, as they'll need their own memory mapped and won't always fit in Cubic Ninja's premapped section sizes and such. The ro module is then also tweaked to add a bunch of extra service calls ("the HB service").
Ninjhax also uses gspwn and ROP to take over the browser and gain its permissions.

Beyond that, you need to get arm9 kernel access. On 4.5, this was actually done from userland. You could just register with srv:pm and give yourself access to all services. From there, an overflow in the PXI command for VerifyRsaSha256 was used to get code exec in ARM9.
On versions 7.0 and above, this isn't possible. Instead, we use a combination of exploits. memchunkhax lets you corrupt kernel memory and ultimately execute your own code in a kernel context. From there, you do firmlaunch-hax by modifying the arm11-side reset handling code and triggering a reset. Proper implementation of that will cause ARM9 to start executing your code.

So, to be as clear as possible, versions things were patched on:
Entrypoints:
mset: 7.0 (can be downgraded and re-enabled, as we and roxas have done)
spider: 9.5.0-23 (can be downgraded too, but currently exploitable consoles already have an exploitable version so w/e)
Ocarina of Time: never
Cubic Ninja: never

Exploits:
srv:pm registration: 7.0
VerifyRsaSha256 overflow: 5.0
--
gspwn: never (kinda difficult to patch without breaking compatability or ruining performance)
rohax: 9.3 (but this is only needed for homebrew)
memchunkhax: 9.3
firmlaunch-hax: 9.5


The gist of all this is: an ARM11 kernel exploit will support systems up to 9.4, and an ARM9 exploit on top of that will allow for any firmware. (An exploit in a PXI function that one of the entrypoints has access to would remove the need for the ARM11 kernel exploit, but finding one is highly unlikely.)
 
  • Like
Reactions: overlord00, lPolarisl, Margen67 and 9 others
WulfyStylez said:
Hey all, here's some clarification. Ninjhax starts out by using a bug in the QR code reading/save reading to gain ROP. This means they can execute through a premade stack to accomplish some stuff. To run actual code, gspwn is used through ROP. This copies a payload from the end of the save payload to executable memory. Since ROP gives us stack access, we can then just branch to it.
Those two exploits (an entrypoint giving ROP, and gspwn to get actual code running) comprise an ARM11 userspace hack. Ninjhax additionally uses rohax to gain control of the ro module, giving access to memory mapping syscalls. That's particularly important for loading homebrew apps, as they'll need their own memory mapped and won't always fit in Cubic Ninja's premapped section sizes and such. The ro module is then also tweaked to add a bunch of extra service calls ("the HB service").
Ninjhax also uses gspwn and ROP to take over the browser and gain its permissions.

Beyond that, you need to get arm9 kernel access. On 4.5, this was actually done from userland. You could just register with srv:pm and give yourself access to all services. From there, an overflow in the PXI command for VerifyRsaSha256 was used to get code exec in ARM9.
On versions 7.0 and above, this isn't possible. Instead, we use a combination of exploits. memchunkhax lets you corrupt kernel memory and ultimately execute your own code in a kernel context. From there, you do firmlaunch-hax by modifying the arm11-side reset handling code and triggering a reset. Proper implementation of that will cause ARM9 to start executing your code.

So, to be as clear as possible, versions things were patched on:
Entrypoints:
mset: 7.0 (can be downgraded and re-enabled, as we and roxas have done)
spider: 9.5.0-23 (can be downgraded too, but currently exploitable consoles already have an exploitable version so w/e)
Ocarina of Time: never
Cubic Ninja: never

Exploits:
srv:pm registration: 7.0
VerifyRsaSha256 overflow: 5.0
--
gspwn: never (kinda difficult to patch without breaking compatability or ruining performance)
rohax: 9.3 (but this is only needed for homebrew)
memchunkhax: 9.3
firmlaunch-hax: 9.5


The gist of all this is: an ARM11 kernel exploit will support systems up to 9.4, and an ARM9 exploit on top of that will allow for any firmware. (An exploit in a PXI function that one of the entrypoints has access to would remove the need for the ARM11 kernel exploit, but finding one is highly unlikely.)
Click to expand...

And even if one pxi service is exploitable, you have to gain access to certain service, which is not possible at this moment.
 
WulfyStylez said:
Hey all, here's some clarification. Ninjhax starts out by using a bug in the QR code reading/save reading to gain ROP. This means they can execute through a premade stack to accomplish some stuff. To run actual code, gspwn is used through ROP ... Those two exploits (an entrypoint giving ROP, and gspwn to get actual code running) comprise an ARM11 userspace hack.
Click to expand...

So, if gspawn and Ninjahax are all that's needed to gain ARM11 user-space, could you theoretically still run very simple homebrew on the latest firmwares?

By the way, your post is by far the most understandable explanation of this that I've seen; thank you!
 
  • Like
Reactions: Margen67
Wowfunhappy said:
So, if gspawn and Ninjahax are all that's needed to gain ARM11 user-space, could you theoretically still run very simple homebrew on the latest firmwares?
Click to expand...

Yup, but you'll be limited in services and syscalls to whatever the entrypoint you used had. You also won't be able to remap memory, so your code would have to fit within the sections of a given entrypoint. You'd have to link it accordingly, too. It's not ideal at all.
 
  • Like
Reactions: lPolarisl, Margen67, VinsCool and 1 other person
powersaver said:
Again, isn't Hashtastrophe mistaken? Also, are both Oishikatta and motezazer incorrect and are they both obfuscating and confusing the original question(s)? Full transcript below for your convenience and quotes from wiki too. Oishikatta and motezazer need not reply.

Doesn't CN/ninjahaxx/haxx use 'rohax', which doesn't work on 9.6.x? If so, then I don't see how Hashtastrophe can be correct. Additionally I don't understand how motezazer answered my question.
Click to expand...
Surely at this point you were just trolling. What were you planning to do, just keep quoting posts and ignoring answers until you got one that proved you right? Well that's not going to happen, because you're wrong.

It seems now that you've got three of the most talented developers in the 3DS scene chiming in to explain in detail exactly why you're wrong well... Well, suddenly you have nothing to say.

I'd also like to throw my support behind the motion to have this thread locked.
 
  • Like
Reactions: Margen67
Status
Not open for further replies.

Site & Scene News

Go to forum More news

Popular threads in this forum

Why did the price of 3ds shoot up ?

Hacking Homebrew Project  BlazerTube - a YouTube 3DS revival using the REAL app!

Problems getting Homebrew to appear outside of the Homebrew Launcher (homebrew won't appear on the HOME menu)

Homebrew app Emulator  [Release] 3DS-CLI - Run a real RISC-V Linux environment on the Nintendo 3DS

Website for finding alternative games for 3DS

Gaming  any good rpgs on 3ds?

Hardware  2 Broken 3DSes, need help

Hacking  Modding Reassurance