Hacking @Zoogie did some new "unSAFE_MODE" Exploit for boot9strap Installation.

Alexander1970

XP not matters.
OP
Member
Joined
Nov 8, 2018
Messages
14,973
Trophies
3
Location
Austria
XP
2,495
Country
Austria
https://github.com/zoogie/unSAFE_MODE/releases

Zoogie delights us with a new 3DS exploit for the recovery mode of the 3DS, which also works on the current firmware! This shortens the installation process for boot9strap somewhat.

If the 3DS is to be updated via the recovery menu (SAFE_MODE) and an Internet connection cannot be established, the user is forwarded to the Internet settings in SAFE_MODE. If the proxy settings are edited here for a connection, the URL is not checked for length, which can be exploited with the help of prepared settings.

The system updater in SAFE_MODE is actually a fork of MSET (the system settings) of firmware 1.0. MSET also had this error in the past, but only up to firmware 3.0. Since Nintendo doesn't update SAFE_MODE often for some reason, this bug has never been fixed there. If that sounds familiar, safehax used a company launch bug that was fixed before, but never in SAFE_MODE.

To do this, of course, the Wi-Fi settings must be specially edited, which is possible, for example, using bannerbomb3. As is so often the case in the 3DS scene, the documentation is rather sparse and often consists only of a reference to 3ds.hacks.guide. Instructions are included; however, Seedminer must be run beforehand and movable.sed must be obtained. Alternatively, you can also use PicHaxx with a special Otherapp payload.

https://wiidatabase.de/unsafe_mode-v1-0-neuer-3ds-exploit-zur-installation-von-boot9strap/
(German Page).

Thank you very much @zoogie :bow:
 

Alexander1970

XP not matters.
OP
Member
Joined
Nov 8, 2018
Messages
14,973
Trophies
3
Location
Austria
XP
2,495
Country
Austria
https://github.com/zoogie/unSAFE_MODE

Intro
This is a new exploit for SAFE_MODE system updater. SAFE_MODE sysupdater is the recovery mode app that launches when L+R+Up+A are held while coldbooting the 3DS. It's normally used to internet update the 3DS from a corrupted state and hopefully repair any damaged system titles. Because it runs under SAFE_MODE firm, it's a very interesting (and safe) hax target ;)

Directions
Download the zip archive under the Release tab above and follow the instructions inside. You will need some sort of userland exploit to install a hacked wifi save. Details for two suitable exploits are included.
Works on firmwares:
old3ds 6.0 - latest

new3ds 8.1 - latest (all versions)

Exploit
When SAFE_MODE sysupdater launches, it will check all 3 wifi slots for a working access point to perform a sysupdate. If it can't find one, it will allow the user to access wifi connection settings to make changes. When Proxy Settings -> Detailed Setup is selected, the displayed proxy URL string is not adequately checked for length, and a stack smash is possible if the attacker had previously altered the location of the string's NULL terminator in the wifi slot data.

In order to prepare the necessary slot modification, userland execution is needed with either cfg:i or cfg:s available. For example, it's possible to attain the cfg:s service with a small modification to the "*hax" otherapp source, or running an mset entrypoint (i.e. bannerbomb3). Note that SAFE_MODE sysupdater is actually a fork of firmware 1.0's mset (System Settings). As a result, mset also had this same bug at one point, but it was fixed in firmware 3.0. The fix obviously was never backported to SAFE_MODE sysupdater due to the fact that SAFE_MODE titles are seldom updated for whatever reason.

FAQ
Q: Um, ... is this unsafe?
A: It's no more unsafe than any other full exploit chain in terms of user safety. The "unsafe" part is ribbing Nintendo for calling SAFE_MODE as such given, from their perspective, it's full of exploitable bugs (since they never backport fixes from NATIVE_FIRM). The name also refers to the exploit running un(der)SAFE_MODE firm, which is a unique (and nice) aspect of this version of safehax.

Q: One of my shoulder buttons is hosed, what can I do?
A: Some people report that blowing hot humid air into the buttons temporarily allows them to work, but that's just gross and unsanitary (I'd totally do it, but I'm a weirdo).
The best plan B is probably to just use ntrboot or seedminer.

Q: You mentioned safehax a couple of times, does unSAFE_MODE have that?
A: It's bundled in, yes. Usm.bin contains the safehax code (and several other stages). It will automatically install boot9strap to firm0/1 for permanent cfw.

Q: Is this fixable with a firmware update?
A: I think so. Nintendo has a weird track record ignoring my previous exploits, but they could fix this, and possibly do so without even touching SAFE_MODE titles (they prefer leaving SAFE_MODE untouched, as already mentioned). While the fix I'm thinking of is pretty straightforward, I'd rather not give any hints right now.
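The bug class described in the quoted "Exploit" section (a string whose terminator lives in attacker-controlled save data, read by code that trusts the terminator instead of the field size) can be shown in a few lines of C. The example below is added here and is not code from zoogie's repository or from the 3DS firmware; the slot size, the URL offset and the field length are made-up values, and the two sample records are constructed inline. The unchecked length function is the pattern the README describes; the validator and bounded copy are the fix a defender would expect before displaying the string.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wifi slot layout (assumed for this example, not the real format):
   a flat record of SLOT_SIZE bytes with a NUL-terminated proxy URL field inside it. */
#define SLOT_SIZE      128
#define PROXY_URL_OFF  32   /* offset of the URL field in the record */
#define PROXY_URL_MAX  64   /* bytes reserved for the URL, terminator included */

/* Pattern the README describes: the length of the displayed string is whatever
   strlen() finds, and the NUL it stops at is part of the save data. If the
   terminator was moved out of the field, the walk continues into the rest of
   the record (and a later fixed-size stack copy would overflow). */
size_t proxy_url_len_unchecked(const uint8_t *slot) {
    return strlen((const char *)slot + PROXY_URL_OFF);
}

/* Hardened check: the URL must terminate inside its own field. */
int proxy_url_is_valid(const uint8_t *slot) {
    return memchr(slot + PROXY_URL_OFF, '\0', PROXY_URL_MAX) != NULL;
}

/* Bounded copy into a display buffer; refuses records whose length cannot be
   trusted and records that would not fit. Returns the copied length or -1. */
int copy_proxy_url(const uint8_t *slot, char *out, size_t out_len) {
    if (!proxy_url_is_valid(slot)) return -1;
    size_t n = strlen((const char *)slot + PROXY_URL_OFF);
    if (n + 1 > out_len) return -1;
    memcpy(out, slot + PROXY_URL_OFF, n + 1);
    return (int)n;
}

/* Constructed sample record: a well-formed slot with a short URL. */
void make_benign_slot(uint8_t *slot) {
    memset(slot, 0, SLOT_SIZE);
    strcpy((char *)slot + PROXY_URL_OFF, "proxy.example.invalid:8080");
}

/* Constructed sample record: no terminator anywhere in the URL field; the
   first NUL is the last byte of the record. */
void make_tampered_slot(uint8_t *slot) {
    memset(slot, 'A', SLOT_SIZE);
    slot[SLOT_SIZE - 1] = '\0';
}

int main(void) {
    uint8_t benign[SLOT_SIZE], tampered[SLOT_SIZE];
    char display[PROXY_URL_MAX];
    make_benign_slot(benign);
    make_tampered_slot(tampered);
    printf("benign:   unchecked len %zu, valid=%d, copy=%d\n",
           proxy_url_len_unchecked(benign), proxy_url_is_valid(benign),
           copy_proxy_url(benign, display, sizeof display));
    printf("tampered: unchecked len %zu, valid=%d, copy=%d\n",
           proxy_url_len_unchecked(tampered), proxy_url_is_valid(tampered),
           copy_proxy_url(tampered, display, sizeof display));
    return 0;
}
```

The tampered record is exactly the case the README points at: strlen() reports 95 bytes for a 64-byte field, so any code that sizes a stack buffer by the field and copies by the terminator is broken. memchr() over the field bounds is the cheap check that the updater lacks; the same validation belongs wherever a persistent setting is read back before being displayed or copied.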
 

zoogie

playing around in the end of life
Developer
Joined
Nov 30, 2014
Messages
8,560
Trophies
2
XP
15,000
Country
Micronesia, Federated States of
Why must you inject the exploit into all 3 slots? Wouldn't it be better if you could select in the installer which slot you want to use?
It's explained in the repo but all 3 slots have to not connect for the wifi settings feature to appear (necessary for the sploit).
As to why all 3 slots have the full exploit payload instead of just changing the ssid, well it gives you the choice of selecting 1-3 to trigger the sploit and keeps the rop code small and simple.

In any event, it's easy to restore the slots. All you have to do is rerun the bb3 exploit once and all your old slot data is restored.
 
Last edited by zoogie,

Valery0p

Well-Known Member
Member
Joined
Jan 16, 2017
Messages
560
Trophies
0
XP
1,644
Country
Italy
And so, we have come full circle. A complete, no PC needed exploit chain :D
Thanks again zoogie! Just one question, can we launch another arm9 payload instead of the b9s installer?

(Now we'll finally know if Nintendo still cares about 3ds exploitation :P )
 

Valery0p

Well-Known Member
Member
Joined
Jan 16, 2017
Messages
560
Trophies
0
XP
1,644
Country
Italy
This is not completely correct. You need a pc to download the files from github.
But you need it only once, it may also be a mobile device, and you don't need to do extra steps with it (seedmining) to complete the process.
In practice it is a minor difference, but if the bruteforce movable website ever goes down in the future, people won't need a complicated setup or extra hardware to mod a 3DS.
Edit:
Also technically you don't even need an SD reader if you have a new 3ds since you can use the integrated samba server.
 
Last edited by Valery0p,

zoogie

playing around in the end of life
Developer
Joined
Nov 30, 2014
Messages
8,560
Trophies
2
XP
15,000
Country
Micronesia, Federated States of
And so, we have come full circle. A complete, no PC needed exploit chain :D
Thanks again zoogie! Just one question, can we launch another arm9 payload instead of the b9s installer?

(Now we'll finally know if Nintendo still cares about 3ds exploitation :P )
https://github.com/zoogie/unSAFE_MO...e9otherapp/usr2arm9ldr/arm9/source/main.c#L53
You could maybe just change the "usm.bin" path there to whatever your arm9 binary is and the last argument of fileread would probably need to be 0 (fileoffset). Then recompile of course (watch out for those pesky python2 scripts :D).

Framebuffer code might also need to be adjusted depending on what arm9 binary you're trying to load though.
 
Last edited by zoogie,

peteruk

Well-Known Member
Member
Joined
Jun 26, 2015
Messages
3,003
Trophies
2
XP
7,324
Country
United Kingdom
So about 3 weeks back I ordered a used but great condition New 3DS XL Hyrule edition from France

It came yesterday so I got to test out this new exploit. I was kind of nervous to begin with because I was so used to using froghax to do it, and kind of enjoyed it because it was all in Japanese and not knowing the language added anxiety, which was kind of fun.

Anyway long story short, the new exploit worked flawlessly and shaved off a fair bit of time from the older method

Massive thanks to Zoogie as ever
 
