https://www.3dbrew.org/w/api.php?action=feedcontributions&user=Simon66&feedformat=atom3dbrew - User contributions [en]2024-03-28T14:28:43ZUser contributionsMediaWiki 1.35.8https://www.3dbrew.org/w/index.php?title=Homebrew_Exploits&diff=18530Homebrew Exploits2016-11-02T15:47:07Z<p>Simon66: /* Secondary Exploits */</p>
<hr />
<div>==Payload==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Description<br />
! Supported firmwares<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://smealum.github.io/3ds/ *hax payload]<br />
| Booted by all of the below non-sysmodule exploits.<br />
| From '''9.0.0-7''' up to and including '''11.2.0-35'''.<br />
|}<br />
<br />
For the rest of this page, "Supported firmwares" refers to the exploit ''itself'', not whether *hax payload supports it.<br />
<br />
==Standalone Homebrew Launcher Exploits==<br />
The following homebrew exploits can be executed on a previously un-exploited system. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[ninjhax|Ninjhax 1.1b]]<br />
| From '''4.0.0-7''' up to and including '''9.2.0-20'''.<br />
| A cartridge or eShop version (JPN-only) of "Cubic Ninja".<br />
| smea<br />
| [http://smealum.net/ninjhax/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [[ninjhax|Ninjhax 2.x]]<br />
| From '''9.0.0-7''' up to and including '''11.2.0-35'''.<br />
| A cartridge or eShop version (JPN-only, not available anymore for purchase) of "Cubic Ninja".<br />
| smea<br />
| [https://smealum.github.io/ninjhax2/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://plutooo.github.io/freakyhax/ freakyhax]<br />
| From '''9.0.0-7''' up to and including '''11.2.0-35'''.<br />
| A cartridge or eShop version (USA/EUR/JAP, not available anymore for purchase) of "Freakyform Deluxe".<br />
| plutoo<br />
| [http://plutooo.github.io/freakyhax/ Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [http://plutooo.github.io/smilehax/ smilehax]<br />
| From '''9.0.0-7''' up to and including '''11.0.0-33'''<br />
| SmileBASIC (JPN all versions up to 3.32 excluded, USA 3.31 only)<br />
| plutoo<br />
| [http://plutooo.github.io/smilehax/ Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [http://mrnbayoh.github.io/basicsploit/ BASICSploit]<br />
| From '''9.0.0-7''' up to and including '''11.0.0-33'''<br />
| SmileBASIC (USA all versions)<br />
| MrNbaYoh<br />
| [http://mrnbayoh.github.io/basicsploit/ Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [[smashbroshax|smashbroshax]] (beaconhax)<br />
| (New 3DS only) From '''9.0.0-X''' up to and including '''11.2.0-35'''.<br />
| Super Smash Bros 3DS (full-game) and a way to broadcast raw wifi beacons. The demo (prior to the updated November 2015 [https://github.com/yellows8/3ds_smashbroshax version]) isn't usable with the *hax payloads. Game-version v1.1.3 fixed the vuln used with this, see the repo for a workaround for that.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/3ds_smashbroshax Install]<br />
|-<br />
| style="background: salmon" | No<br />
| [[browserhax]]<br />
| From '''9.0.0-2''' to '''11.0.0-33'''<br />
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].<br />
| A USA, EUR, JPN, or KOR system.<br />
| [[User:Yellows8|Yellows8]]<br />
| [http://yls8.mtheall.com/3dsbrowserhax.php Install]<br />
|}<br />
<br />
Note that ninjhax 1.x is still not obsolete. Even though ninjhax 2.x can be run on 9.3+, this was made possible (amongst other things) by sacrificing the memory remapping exploit used in ninjhax 1.x (rohax). Therefore, things like JIT engines for emulators can only be supported on ninjhax 1.x. Furthermore, ninjhax 2.x does not run on system versions below 9.0.0-X, while ninjhax 1.x does.<br />
<br />
==Secondary Exploits==<br />
Installation of these exploits requires a previously exploited system to install. After installation, they can be used on their own. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''.<br />
<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[ironhax]]<br />
| From '''9.5.0-X''' up to and including '''10.3.0-X''', for '''X''' up to and including 28.<br />
| A copy of "Ironfall: Invasion" downloaded from eShop before August 11th, 2015. Note the updated version that was released on October 13th, 2015 is not supported.<br />
| smea<br />
| [http://smealum.github.io/3ds/ Install]<br />
|-<br />
| style="background: salmon" | No, exploit update required.<br />
| [http://vegaroxas.github.io/ steelhax]<br />
| From '''9.0.0-X''' up to and including '''11.1.0-X''', for '''X''' up to and including 34.<br />
| A copy of Steel Diver: Sub wars<br />
| Vegaroxas<br />
| [https://github.com/VegaRoXas/vegaroxas.github.io/raw/master/files/steelhax-installer.zip Install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/yellows8/oot3dhax oot3dhax]<br />
| From '''9.0.0-X''' up to and including '''11.2.0-X''', for '''X''' up to and including 35.<br />
| A gamecard or eShop-install of Legend of Zelda: Ocarina of Time 3D. Besides using the installer app, writing raw saveimages with a save dongle for example is another option. Before compression was introduced in the 2016-7-18 release, the size of the *hax payload meant the exploit can't coexist with regular saves on a physical version of the game.<br />
| Yellows8 / smea et al.<br />
| See [https://smealum.github.io/3ds/ here].<br />
|-<br />
| style="background: salmon" | No<br />
| [[menuhax]]<br />
| JPN/USA/EUR: From '''9.0.0-X''' up to and including '''11.0.0-X'''.<br />
KOR: From '''9.6.0-X''' up to and including '''11.0.0-X'''.<br />
| JPN/USA/EUR: Having created [[Home_Menu#Home_Menu_Theme_SD_ExtData|theme extdata]] through opening the official theme selector at least once.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/3ds_homemenuhax/releases Download]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/shinyquagsire23/supermysterychunkhax supermysterychunkhax]<br />
| From '''9.9.0-X''' (USA/JPN) / '''10.2.0-X''' (EUR) up to and including '''11.1.0-X''', for '''X''' up to and including 34.<br />
| A gamecard or eShop-install of Pokémon Super Mystery Dungeon.<br />
| Shiny Quagsire / SALT team<br />
| [https://smd.salthax.org/ Install].<br />
|-<br />
| style="background: salmon" | No<br />
| [https://github.com/shinyquagsire23/v_hax (v*)hax]<br />
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
Note that '''9.0.0-X''' is only required for the Homebrew Launcher - the game itself only requires '''2.1.0-X''' for primitive userland code execution.<br />
| A copy of VVVVVV downloaded after March 2012 (v1). v1.1 patches out the overflow vulnerability used by (v*)hax.<br />
| Shiny Quagsire / SALT team<br />
| [https://vvvvvv.salthax.org/ Install].<br />
|-<br />
| style="background: salmon" | No, exploit update required.<br />
| [https://github.com/Dazzozo/humblehax humblehax]<br />
| From '''9.0.0-X''' (USA/EUR) up to and including '''11.0.0-X''', for '''X''' up to and including 33.<br />
| An eShop-install of Citizens of Earth (either v1 or v2), featured in the Humble "Friends of Nintendo" Bundle.<br />
| Dazzozo / SALT team<br />
| [https://citizens.salthax.org/ Install].<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [http://mrnbayoh.github.io/basehaxx/ basehaxx]<br />
| From '''9.0.0-X''' up to and including '''11.1.0-X''', for '''X''' up to and including 34.<br />
| A gamecard or eShop-install of Pokémon Omega Ruby / Alpha Sapphire.<br />
| MrNbaYoh<br />
| [http://mrnbayoh.github.io/basehaxx/ install]<br />
|-<br />
| style="background: lightgreen" | Yes<br />
| [https://github.com/yellows8/stickerhax stickerhax]<br />
| From '''9.0.0-X''' up to and including '''11.2.0-X'''(not including installation).<br />
| A gamecard or eShop-install of Paper Mario: Sticker Star.<br />
| [[User:Yellows8|Yellows8]]<br />
| [https://github.com/yellows8/stickerhax Here]<br />
|}<br />
<br />
==Exploits without Homebrew Launcher (Not recommended)==<br />
<br />
<u>'''Warning:'''</u> The following exploits can run code, but are missing a 3DSX launcher. They cannot launch any homebrew in the 3DSX format.<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[browserhax]] (Without the loader in the 3ds_browserhax_common repo)<br />
| (Old3DS) From '''5.0.0-2''' to '''11.0.0-33''' (Pre-v5.0 is supported for some versions if you manually modify the source)<br />
<br />
(New3DS) From '''9.0.0-20''' to '''11.0.0-33'''<br />
<br />
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].<br />
| An USA, EUR, or JPN system.<br />
| [[User:Yellows8|Yellows8]]<br />
| [[browserhax|Install]]<br />
|-<br />
| style="background: salmon" | No<br />
| Ninjhax (with specialized payloads)<br />
| Up to '''9.2.0-20'''?<br />
| <br />
| smea + independent developers<br />
| N/A<br />
|}<br />
<br />
==Previous Exploits==<br />
<u>'''Warning:'''</u> These exploits '''do not work'''. They are exploits which no longer function at all, regardless of software or firmware revision.<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
! Install<br />
|-<br />
| style="background: salmon" | No<br />
| [[tubehax|Tubehax]]<br />
| None. '''Was''': From '''9.0.0-X''' up to and including '''10.1.0-X''', for '''X''' up to and including 27.<br />
| The YouTube application and an Internet connection. As of October 15, 2015, this is no longer usable due to an update being released which fixes the vuln used by tubehax + app update being forced (see [[YouTube|here]]).<br />
| smea<br />
| [http://smealum.github.io/3ds/ Install]<br />
|}<br />
<br />
==Other Homebrew Loaders==<br />
The [https://github.com/yellows8/hblauncher_loader hblauncher_loader] title can be used when running under modded-FIRM which allows running unsigned titles, to boot the *hax payloads.<br />
<br />
==Sysmodule Exploits==<br />
This section is for system-module exploits, which can be run from the *hax payloads.<br />
<br />
{| class="wikitable" border="1"<br />
! Works on latest fw<br />
! Name<br />
! Supported firmwares<br />
! Requirements<br />
! Author<br />
|-<br />
| style="background: lightgreen" | Yes, that's not the intended default use however.<br />
| [https://github.com/yellows8/ctr-httpwn/releases ctr-httpwn]<br />
| From '''9.6.0-X''' up to and including '''11.2.0-X'''.<br />
| None<br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
==WebKit vuln testing==<br />
See [https://github.com/yellows8/3ds_browserhax_common/issues/28 here].</div>Simon66https://www.3dbrew.org/w/index.php?title=Pyramids_(3DSWare)/Pyramids_icon_list&diff=18512Pyramids (3DSWare)/Pyramids icon list2016-10-31T05:00:11Z<p>Simon66: Created page with "== Overview == This page details game asset bytes is used in both Pyramids and Pyramids 2. TODO: Include Pyramids 2 game asset bytes == Data bytes =..."</p>
<hr />
<div>== Overview ==<br />
<br />
This page details game asset bytes is used in both [[Pyramids_(3DSWare)| Pyramids]] and Pyramids 2.<br />
<br />
TODO: Include Pyramids 2 game asset bytes<br />
<br />
== Data bytes ==<br />
{| class="wikitable"<br />
|Asset Name<br />
!|[[Pyramids_(3DSWare)|Pyramids]]<br />
!|Pyramids 2<br />
|-<br />
!|Blank<br />
|0x00<br />
|??<br />
|-<br />
!|Sand<br />
|0x01<br />
|??<br />
|-<br />
!|Bullet<br />
|0x02<br />
|??<br />
|-<br />
!|Bullet covered with sand<br />
|0x02<br />
|??<br />
|-<br />
!|Spike Ball<br />
|0x04<br />
|??<br />
|-<br />
!|Block (Plain)<br />
|0x05<br />
|??<br />
|-<br />
!|Block (Bird)<br />
|0x06<br />
|??<br />
|-<br />
!|Block (4-blocks)<br />
|0x07<br />
|??<br />
|-<br />
!|Block (Tools)<br />
|0x08<br />
|??<br />
|-<br />
!|Amulet<br />
|0x09<br />
|??<br />
|-<br />
!|Snake<br />
|0x0A<br />
|??<br />
|-<br />
!|Skull (Horizontal)<br />
|0x0B<br />
|??<br />
|-<br />
!|Skull (Vertical)<br />
|0x0C<br />
|??<br />
|-<br />
!|Fire<br />
|0x0D<br />
|??<br />
|-<br />
!|Dog (Facing Up)<br />
|0x0E<br />
|??<br />
|-<br />
!|Dog (Facing Left)<br />
|0x0F<br />
|??<br />
|-<br />
!|Dog (Facing Right)<br />
|0x10<br />
|??<br />
|-<br />
!|Dog (Facing Down)<br />
|0x11<br />
|??<br />
|-<br />
!|Player<br />
|0x12<br />
|??<br />
|-<br />
!|Exit Door<br />
|0x13<br />
|??<br />
|-<br />
!|Fly<br />
|0x14<br />
|??<br />
|-<br />
!|Fly covered with sand<br />
|0x15<br />
|??<br />
|-<br />
!|Hourglass<br />
|0x16<br />
|??<br />
|-<br />
!|Hourglass covered with sand<br />
|0x17<br />
|??<br />
|-<br />
!|Rockdoor<br />
|0x18<br />
|??<br />
|-<br />
!|Coins (Collectible)<br />
|0x19<br />
|??<br />
|-<br />
!|Coins covered with sand (Collectible)<br />
|0x1A<br />
|??<br />
|-<br />
!|Chalice (Collectible)<br />
|0x1B<br />
|??<br />
|-<br />
!|Chalice covered with sand (Collectible)<br />
|0x1C<br />
|??<br />
|-<br />
!|Bug Chain (Collectible)<br />
|0x1D<br />
|??<br />
|-<br />
!|Bug Chain covered with sand<br />
|0x1E<br />
|??<br />
|-<br />
!|Pyramid Chain (Collectible)<br />
|0x1F<br />
|??<br />
|-<br />
!|Pyramid Chain covered with sand (Collectible)<br />
|0x20<br />
|??<br />
|-<br />
!|Wings (Collectible)<br />
|0x21<br />
|??<br />
|-<br />
!|Wings covered with sand (Collectible)<br />
|0x22<br />
|??<br />
|-<br />
!|Big block top-left (Plain)<br />
|0x23<br />
|??<br />
|-<br />
!|Big Block top-right (Plain)<br />
|0x24<br />
|??<br />
|-<br />
!|Big Block bottom-left (Plain)<br />
|0x25<br />
|??<br />
|-<br />
!|Big Block bottom-right (Plain)<br />
|0x26<br />
|??<br />
|-<br />
!|Big Block top-left (Cat-head)<br />
|0x27<br />
|??<br />
|-<br />
!|Big Block top-right (Cat-head)<br />
|0x28<br />
|??<br />
|-<br />
!|Big Block bottom-left (Cat-head)<br />
|0x29<br />
|??<br />
|-<br />
!|Big Block bottom-right (Cat-head)<br />
|0x2A<br />
|??<br />
|-<br />
!|Big Block top-left (Two figures)<br />
|0x2B<br />
|??<br />
|-<br />
!|Big Block top-right (Two figures)<br />
|0x2C<br />
|??<br />
|-<br />
!|Big Block bottom-left (Two figures)<br />
|0x2D<br />
|??<br />
|-<br />
!|Big Block bottom-right (Two figures)<br />
|0x2E<br />
|??<br />
|-<br />
!|TNT<br />
|0x2F<br />
|??<br />
|-<br />
!|TNT Detonator<br />
|0x30<br />
|??<br />
|-<br />
!|Spikes<br />
|0x31<br />
|??<br />
|-<br />
!|Pillar top<br />
|0x32<br />
|??<br />
|-<br />
!|Pillar<br />
|0x33<br />
|??<br />
|}</div>Simon66https://www.3dbrew.org/w/index.php?title=Pyramids_(3DSWare)&diff=18509Pyramids (3DSWare)2016-10-31T04:25:20Z<p>Simon66: Created page with "== Overview == A valid QR code contains 170 bytes of data and it's LZ-10 compressed. The only byte that can cause a crash is at offset 0x01 (As stated bellow) == QR Image ==..."</p>
<hr />
<div>== Overview ==<br />
A valid QR code contains 170 bytes of data and it's LZ-10 compressed. The only byte that can cause a crash is at offset 0x01 (As stated bellow)<br />
<br />
== QR Image ==<br />
https://s13.postimg.org/f2lqhhaon/img.png<br />
<br />
== RAW Decompressed Data ==<br />
<br />
<pre><br />
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F<br />
00000000 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
00000080 00 00 12 00 00 09 13 00 00 00 00 00 00 00 00 00 ................<br />
00000090 00 00 05 05 05 05 05 05 05 05 05 05 05 05 05 05 ................<br />
000000A0 05 05 1E 00 00 00 C9 73 A8 1A ......És¨.<br />
</pre><br />
<br />
== Raw Decompressed Data Explained ==<br />
{| class="wikitable"<br />
|'''Address'''<br />
|'''Length'''<br />
|'''Meaning'''<br />
|-<br />
|0x00<br />
|1 byte<br />
|Must be 0x01 or the game will not accept the level.<br />
|-<br />
|0x01<br />
|1 byte<br />
|This byte selects the level background. Valid bytes ranges from 0x00 to 0x04. Anything over 0x04 will cause a null exception and crash.<br />
|-<br />
|0x02<br />
|160 bytes<br />
|This section contains specific [[pyramids icon list | data bytes]] that makes up the level (16x10 grid thus 160 bytes).<br />
|-<br />
|0xA2<br />
|4 bytes<br />
|This represents the time required to complete the level. Its stored as Little Endian Unsigned Int<br />
|-<br />
|0xA6<br />
|4 bytes<br />
|This is a [http://www.scadacore.com/field-applications/programming-calculators/online-checksum-calculator/ Reversed CRC32] of the combined bytes from address 0x00 to 0xA5<br />
|}<br />
<br />
== Reason for not being exploitable ==<br />
<br />
The only byte that causes a crash is located at address 0x01 (Level background byte). The crash results in a null ptr exception which is not exploitable.</div>Simon66https://www.3dbrew.org/w/index.php?title=3DS_Userland_Flaws&diff=185063DS Userland Flaws2016-10-31T02:23:46Z<p>Simon66: /* Useless crashes / applications which were fuzzed */</p>
<hr />
<div>This page lists vulnerabilities / exploits for 3DS applications and applets. Exploiting these initially results in ROP, from that ROP one can then for example try exploiting [[3DS_System_Flaws|system]] flaw(s).<br />
<br />
=Non-system applications=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Application name<br />
! Summary<br />
! Description<br />
! Fixed in app/system version<br />
! Last app/system version this flaw was checked for<br />
! Timeframe info related to this was added to wiki<br />
! Timeframe this vuln was discovered<br />
! Vuln discovered by<br />
|-<br />
| Cubic Ninja<br />
| Map-data stack smash<br />
| See [[Ninjhax|here]] regarding Ninjhax.<br />
| None<br />
| App: Initial version. System: [[10.4.0-29]].<br />
| Ninjhax release<br />
| July 2014<br />
| [[User:smea|smea]]<br />
|-<br />
| The Legend of Zelda: Ocarina of Time 3D<br />
| UTF-16 name string buffer overflow via unchecked u8 length field<br />
| The u8 at offset 0x2C in the savefile is the character-length of the UTF-16 string at offset 0x1C. When copying this string, it's essentially a memory-copy with lenval*2, not a string-copy. This can be used to trigger buffer overflows at various locations depending on the string length.<br />
* When value is >=0x6E it crashes when saving the saveslot, this causes a stack-smash however it normally crashes before it returns from the function which had the stack-frame overwritten.<br />
* With value >=0x9A, it crashes via stack-smash in-game once any dialogs are opened(touching buttons on the touch-screen can trigger it too).<br />
* Length value>=0xCD causes a crash while loading the saveslot, via a heap buffer overflow. This buf-overflow overwrites a heap memchunk following the allocated buffer. When the first 16-bits overwriting that heap memchunk is not the memchunk magic-number(0x7373), the mem-alloc code will just return a NULL ptr which later results in a crash. When the magic-number is valid, the mem-alloc code will continue to attempt to parse the memchunk, which may crash depending on the data which overwrote the memchunk. This heap code is separate from the CTRSDK heap code. Exploiting this doesn't seem to be possible: since the heap code actually verifies that the magic-number for the next/prev memchunk ptrs are correct(unlike CTRSDK), it's not possible to change those ptrs to useful arbitrary addresses outside of savedata(like with triggering a write to a c++ object ptr which later is used with a vtable func-call, this is what one would do with CTRSDK heap here).<br />
<br />
On March 11, 2015, an exploit using this vuln was released, that one was intended for warez/etc. The following exploit wasn't released before then mainly because doing so would (presumably) result in the vuln being fixed. The following old exploit was released on March 14, 2015: [https://github.com/yellows8/oot3dhax].<br />
| None<br />
| App: Initial version. System: [[10.6.0-31]].<br />
| March 11, 2015<br />
| Around October 22, 2012<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| Super Smash Bros 3DS<br />
| Buffer overflow in local-multiplayer beacon handling.<br />
| See [[smashbroshax|here]].<br />
| App: v1.1.3<br />
| See [[smashbroshax|here]]. System: [[10.3.0-28]].<br />
| Time of exploit release.<br />
| See [[smashbroshax|here]].<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| Pokemon Super Mystery Dungeon<br />
| Heap overflow within linear memory via unchecked save file length<br />
| Pokemon Super Mystery Dungeon uses zlib compression for most of its save files, possibly due to the save files being larger than it's predecessor, Gates to Infinity. When a save file is being prepared to be loaded and read from, only a 0x32000 large buffer is allocated for file reading, and a 0x3e800-large buffer for decompression is also allocated before the file is read. However, the game does not limit the size of the file read to this allocation bound, allowing for the file to overflow into the linear memory heap and into the next allocation. Since Pokemon Super Mystery Dungeon stores allocation memchunks directly before the allocation, overwriting the next memchunk with a corrupted one allows for arbitrary writes of linear heap pointers when the next buffer is allocated or arbitrary writes of any pointer within writable memory when the corrupted buffer is freed.<br />
| None<br />
| [[10.7.0-32]].<br />
| Time of exploit release.<br />
| April 14, 2016<br />
| [[User:Shinyquagsire23|Shiny Quagsire]]<br />
|-<br />
| VVVVVV<br />
| Buffer overflow in XML save file array parsing<br />
| VVVVVV utilizes several XML files (renamed with a .vvv extension) to store level save data, stats and settings. Within these XML files are several tags containing an array of data which, when parsed, is not properly checked to be of proper length for the tag being parsed from. This allows for an overflow of 16-bit array values from the location where the array is parsed. With unlock.vvv, XML data is parsed to the stack, and with level saves the heap. This allows for the pointer where the level save worldmap tag array should be parsed into to be overwritten with a stack address, allowing for ROP from within the XML array parsing function on the next level load.<br />
| None<br />
| [[10.7.0-32]].<br />
| Time of exploit release.<br />
| April 25, 2016<br />
| [[User:Shinyquagsire23|Shiny Quagsire]]<br />
|-<br />
| Citizens of Earth<br />
| Save file read stack smash<br />
| Citizens of Earth also uses "XML" files for saves, which are actually entirely binary data (not XML at all) with no checksums. These files are read from the filesystem on to a fixed size stack buffer which leads to an incredibly trivial stack smash. When using the autosave slot for this, the save is parsed when the user selects "continue". When using one of the dedicated save slots (1-3), the save is parsed shortly after the company splash screens fade. Note that the save is read quite high (descending) on the stack - when exploiting this, one would likely need to move SP due to almost instantly overflowing the physical stack.<br />
| None<br />
| [[10.7.0-32]].<br />
| Time of exploit release.<br />
| May 5, 2016<br />
| [[User:Dazzozo|Dazzozo]]<br />
|-<br />
| SmileBASIC 3.x<br />
| Poor parameter validation on "BGSCREEN" command<br />
| The SmileBASIC "BGSCREEN" command's second parameter is not properly validated as being within range. As a result, one can set the screen size to an absurdly large value. This means that the "BGGET" and "BGPUT" commands can then be used on out-of-range values to read and write a significant chunk of the interpreter's address space.<br />
With a series of carefully-designed BGPUT commands, one can build a ROP chain and cause it to be executed.<br />
| App: 3.3.2.<br />
| System: [[11.0.0-33]].<br />
| July 20, 2016<br />
| Around June 26, 2016<br />
| slackerSnail, 12Me12, incvoid<br />
Exploited by MrNbaYoh and [[User:Plutooo|plutoo]].<br />
|}<br />
<br />
==Useless crashes / applications which were fuzzed==<br />
* Pushmo (3DSWare), QR codes: level name is properly limited to 16 characters, game doesn't crash with a longer name. The only possible crashes are triggered by out-of-bounds array index values, these crashes are not exploitable due to the index value being 8bit.<br />
<br />
* [[Pyramids (3DSWare)]], QR codes: no strings. Only crashes are from out-of-bounds values (like background ID) and are not exploitable.<br />
<br />
* [[Pyramids 2 (3DSWare)]], QR codes: no strings. Only crashes are from out-of-bounds values (like background ID) and are not exploitable.<br />
<br />
* [https://github.com/yellows8/mm3d_re The Legend of Zelda: Majora's Mask 3D]<br />
<br />
* "The Legend of Zelda: A Link Between Worlds" and "The Legend of Zelda: Tri Force Heroes": these games don't crash at all when the entire save-file(minus constant header data) is overwritten with /dev/random output / 0xFF-bytes. All of the CRC32s were updated for this of course.<br />
<br />
* Pokemon Mystery Dungeon: Gates to Infinity has the same unchecked file bounds as Pokemon Super Mystery Dungeon, however since save compression was introduced in Pokemon Super Mystery Dungeon, it only allocates one buffer within the application heap instead of several within the linear heap, resulting in nothing to corrupt or overwrite even if the file's length is extended past it's allocation.<br />
<br />
* "Kid Icarus: Uprising": Overwriting the entire savedata results in various crashes, nothing useful.<br />
<br />
* Savedata/extdata for "Super Smash Bros 3DS": Overwriting the various files stored under savedata/extdata results in useless crashes.<br />
<br />
* "StarFox 64 3D": Doesn't crash at all with the entire savedata overwritten.<br />
<br />
* "Frogger 3D": Overwriting a savefile with random-data results in *nothing* crashing.<br />
<br />
* "Mutant Mudds": Overwriting the savefile with random data results in a crash<br />
<br />
* "Animal Crossing: New Leaf": Creating a QR code from random data results in a valid QR code and a random design. In some very rare cases(which aren't always reproducible?) a crash/etc may occur, but this isn't known to be useful.<br />
<br />
==Crashes needing investigation==<br />
* Disney Infinity crashes when all savedata overwritten with /dev/urandom. No checksums. 0xFF bytes don't cause a crash.<br />
<br />
* Football Up Online / Soccer Up Online and Football Up 3D / Soccer Up 3D crash when teamname(UTF-16) length = 0x48 AND 0x20 null bytes are removed after just the name or if teamname length is way longer than 0x48.<br />
<br />
=System applications=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Fixed in version<br />
! Last version this flaw was checked for<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| 3DS [[System Settings]] DS profile string stack-smash<br />
| Too long or corrupted strings (01Ah 2 Nickname length in characters 050h 2 Message length in characters) in the NVRAM DS user settings (System Settings->Other Settings->Profile->Nintendo DS Profile) cause it to crash in 3DS-mode due to a stack-smash. The DSi is not vulnerable to this, DSi launcher(menu) and DSi System Settings will reset the NVRAM user-settings if the length field values are too long(same result as when the CRCs are invalid). TWL_FIRM also resets the NVRAM user-settings when the string-length(s) are too long.<br />
| [[7.0.0-13]]<br />
| [[7.0.0-13]]<br />
| 2012<br />
| [[User:Ichfly|Ichfly]]<br />
|}<br />
<br />
=System applets=<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Fixed in version<br />
! Last version this flaw was checked for<br />
! Introduced with version<br />
! Timeframe info related to this was added to wiki<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| Webkit/web-browser bugs<br />
| spider has had at least three different code-execution exploits. Majority of them are use-after-free issues. See also [[browserhax|here]].<br />
|<br />
|<br />
| <br />
| 2013?<br />
|<br />
| A lot of people.<br />
|-<br />
| Old3DS/New3DS [[Internet_Browser|Browser-version-check]] bypass<br />
| When the browser-version-check code runs where the savedata for it was never initialized(such as when the user used the "Initialize savedata" option), it will use base_timestamp=0 instead of the timestamp loaded from savedata. This is then used with "if(cur_timestamp - base_timestamp >= <24h timestamp>){Run browser-version-check HTTPS request code}".<br />
Hence, if the savedata was just initialized, and if the system datetime is set to before January 2, 2000, the browser-version-check will be skipped. This includes January 1, 2000, 00:00, because that's the epoch(timestamp value 0x0) used with this timestamp.<br />
<br />
See [http://yls8.mtheall.com/3dsbrowserhax.php here] for bypass usage instructions.<br />
<br />
This was fixed with [[10.7.0-32|10.7.0-32]], see [[Internet_Browser|here]] for details.<br />
| [[10.7.0-32|10.7.0-32]]<br />
| <br />
| [[9.9.0-26|9.9.0-26]]<br />
| February 25, 2016<br />
| November 2, 2015 (Exactly one week after the browser version pages were initially updated server-side)<br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
==Home Menu==<br />
{| class="wikitable" border="1"<br />
|-<br />
! Summary<br />
! Description<br />
! Fixed in version<br />
! Last version this flaw was checked for<br />
! Introduced with version<br />
! Timeframe info related to this was added to wiki<br />
! Timeframe this was discovered<br />
! Discovered by<br />
|-<br />
| sdiconhax<br />
| This is basically the same as nandiconhax, the vulnerable SD/NAND functions are ''identical'' minus the file-buffer offsets. Exploitation is different due to different heap-buffer location though. Unlike nandiconhax, the icon buffer for SD is located in linearmem(with recent Home Menu versions at least). This is used by [[menuhax]].<br />
| [[11.1.0-34|11.1.0-X]]<br />
| <br />
| [[4.0.0-7|4.0.0-X]]<br />
| July 27, 2016<br />
| October 23, 2015<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| [[System_SaveData|NAND-savedata]] Launcher.dat icons (nandiconhax)<br />
| The homemenu code processing the titleid list @ launcherdat+8 copies those titleIDs to another buffer, where the offset relative to that buffer is calculated using the corresponding s8/s16 entries. Those two values are not range checked at all. Hence, one can use this to write u64(s) with arbitrary values to before/after this allocated output buffer. See [[Home_Menu|here]] regarding Launcher.dat structure.<br />
<br />
This can be exploited(with Launcher.dat loading at startup at least) by using a s16 for the icon entry with value 0xFFEC(-20)(and perhaps more icons with similar s16 values to write multiple u64s). The result is that the u64 value is written to outbuf-0xA0, which overwrites object+0(vtable) and object+4(doesn't matter here) for an object that gets used a bit after the vulnerable function triggers. The low 32bits of the u64 can then be set to the address of controlled memory(either outbuf in regular heap or the entire launcherdat buffer in linearmem), for use as a fake vtable in order to get control of PC. From there one can begin ROP via vtable funcptrs to do a stack-pivot(r4=objectaddr at the time the above object gets used).<br />
<br />
Originally this vuln could only be triggered via Launcher.dat at Home Menu startup, right after Launcher.dat gets loaded + memory gets allocated, once the file-format version code is finished running. Starting with v9.6 this can be triggered when loading layouts from SD extdata as well. The vuln itself triggers before the layout data is written to Launcher.dat, but it doesn't seem to be possible to overwrite anything which actually gets used before the function which writes Launcher.dat into the layout gets called.<br />
<br />
Home Menu has some sort of fail-safe system(or at least on v9.7) when Home Menu crashes due to Launcher.dat(this also applies for other things with Home Menu): after crashing once, Home Menu resets Launcher.dat to a state where it no longer crashes anymore. However, note that any exploits using this which hang/etc without crashing will still brick the system. '''Hence, attempting anything with this on physnand without hw-nand-access isn't really recommended.'''<br />
| [[11.1.0-34|11.1.0-X]]<br />
| <br />
| [[4.0.0-7|4.0.0-X]]<br />
| <br />
| May 14, 2015<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| Theme-data decompression buffer overflow ([[menuhax|themehax]])<br />
| The only func-call size parameter used by the theme decompression function is one for the compressed size, none for the decompressed size. The decompressed-size value from the LZ header is used by this function to check when to stop decompressing, but this function itself has nothing to verify the decompressed_size with. The code calling this function does not check or even use the decompressed size from the header either.<br />
<br />
This function is separate from the rest of the Home Menu code: the function used for decompressing themes is *only* used for decompressing themes, nothing else. There's a separate decompression function in Home Menu used for decompressing everything else.<br />
<br />
That other decompression function in Home Menu handles decompression size properly(decompressed size check for max buffer size is done by code calling the other function, not in the function itself). Unlike the other function, the theme function supports multiple LZ algorithms, but the one which actually gets used in official themes is the same one supported by the other function anyway.<br />
<br />
See also [[menuhax|here]].<br />
<br />
With [[10.2.0-28|10.2.0-X]] Home Menu, the only code change was that the following was added right after theme-load and before actual decompression: "if(<get_lzheader_decompressed_size>(compressed_buf) > 0x150000)<exit>;". This fixed the vuln.<br />
| [[10.2.0-28|10.2.0-X]]<br />
| [[10.2.0-28|10.2.0-X]]<br />
| <Old3DS/New3DS version which added initial theme support><br />
| <br />
| December 22, 2014<br />
| [[User:Yellows8|Yellows8]], [[User:Myria|Myria]] independently (~spring 2015)<br />
|-<br />
| Shuffle body-data buffer overflow ([[menuhax|shufflehax]])<br />
| See [[menuhax|here]].<br />
| [[10.6.0-31|10.6.0-X]]<br />
| [[10.6.0-31|10.6.0-X]]<br />
| [[9.3.0-21|9.3.0-X]]<br />
| <br />
| January 3, 2015<br />
| [[User:Yellows8|Yellows8]]<br />
|-<br />
| Extdata file-data loading buffer overflow<br />
| The extdata file-reading code allocates a fixed-size heap buffer for the expected filesize, then reads the filedata into this buffer using the actual FS filesize. Before v5.0 the filesize used here wasn't validated, hence if the filesize is larger than alloc_size a buffer overflow would occur. ''After'' doing the file-read it does validate that the actual_readsize matches the alloc_size, but at this point the buffer overflow has already occurred.<br />
<br />
This affected at least the following: SaveData.dat and Cache.dat.<br />
<br />
This can be triggered with SaveData.dat by installing a <v4.0 Home Menu version, with Home Menu extdata from >=v4.0 still on SD. When this is done with v2.0 Home Menu, a kernelpanic occurs when processing an AM command(it appears a buffer ptr which is then passed to a command was overwritten with 0x0 - of course other SaveData.dat filesizes may result in different behaviour).<br />
| [[5.0.0-11|5.0.0-X]]<br />
| <br />
| [[2.0.0-2|2.0.0-X]]<br />
| June 9, 2016<br />
| June 9, 2016<br />
| [[User:Yellows8|Yellows8]]<br />
|}<br />
<br />
The icon data arrays used with {sd/nand}iconhax were added to SaveData.dat/Launcher.dat with [[4.0.0-7|4.0.0-X]], hence the vulnerable functions were added with that same version.<br />
<br />
With <=v4.0 the SaveData.dat buffer is located in the regular heap. It's unknown when exactly it was moved to linearmem, which is where it's located with recent versions. It's located in linearmem for KOR >=v9.6 for example.<br />
<br />
The SaveData.dat/Launcher.dat icon vulns were fixed by doing various unsigned >=60/>=360 checks on the loaded values. When these checks fail, it just skips over handling this icon entry. Hence, the original value can't be negative / out-of-bounds any more.<br />
<br />
==Useless crashes==<br />
Old3DS system web-browser:<br />
* 2^32 characters long string(''finally'' fixed with v10.6): this is similar to the vulnerability fixed [http://git.chromium.org/gitweb/?p=external/Webkit.git;a=commitdiff;h=ec471f16fbd1f879cb631f9b022fd16acd75f4d4 here], concat-large-strings-crash2.html triggers a crash which is about the same as the one triggered by a 2^32 string. Most of the time this vulnerability will cause a memory page permissions fault, since the WebKit code attempts to copy the string text data to the output buffer located in read-only [[CRO0|CRO]] heap memory. The only difference between a crash triggered by a 2^32 string and the concat-large-strings-crash2.html crash is at the former copies the string data using the original string length(like 1 text character for "x", 4 for "xxxx") while the latter attempts to copy >12MB. In some ''very'' rare cases a thread separate from the string data-copy thread will crash, this might be exploitable. However, this is mostly useless since it rarely crashes this way.<br />
<br />
* Trying to directly load a page via the browser "URL" option with [https://github.com/yellows8/3ds_browserhax_common webkitdebug] setup, causes a crash to trigger in oss.cro due to an use-after-free being caught with webkitdebug. This is presumably some sort of realloc() issue in the libcurl version used by the <={v10.2-v10.3} browser. This happens with *every* *single* *page* one tries to load via the "URL" option, but not when loading links on the current page, hence this is probably useless. A different use-after-free with realloc triggers with loading any page at all regardless of method too(libcurl probably).<br />
<br />
* This WebKit build has ''a lot'' of crash-trigger bugs that only happen with [https://github.com/yellows8/3ds_browserhax_common webkitdebug] completely setup(addr accesses near 0x0), with ''just'' trying to load any page at all.</div>Simon66