Ninjhax (3dbrew wiki page, revision by Yario, 2016-07-11; https://www.3dbrew.org/w/index.php?title=Ninjhax&diff=17668)
<div>ninjhax is an exploit by smea for the game Cubic Ninja. It was released on November 20th, 2014. It can be used on all 3DS firmware versions from 4.0 up to and including 9.2.0-20. It was partially patched in [[9.3.0-21|9.3.0-X]]: only the system flaws used by ninjhax were fixed; the exploit in the game itself was not affected.

ninjhax 2 was released on 18 July 2015, and works on any system version from 9.0.0-X up to and including 11.0.0-33.

When triggered, it boots a [[3DSX_Format | 3dsx-file]] called "boot.3dsx" from the root of the SD card. This file is usually the [[Homebrew Launcher]], which in turn can be used to launch other games/apps from the (micro)SD card. The 3dsx file is not signed or otherwise verified, so whoever can write to that path on the SD card decides what code runs. The launched application runs with user privileges on the ARM11 CPU, restricted to the services and system calls listed below. On system versions up to 9.2.0-20, one of the publicly known [[3DS System Flaws]] can be chained to gain ARM11 kernel privileges or to take control of the ARM9 CPU. More recent system versions are limited to ARM11 userland homebrew until new exploits are disclosed.
<br />
==Installation==

Visit [http://smealum.net/ninjhax/ here] for instructions on how to install Ninjhax, and [http://smealum.github.io/ninjhax2/ here] for instructions on how to install Ninjhax 2.
<br />
==Service access==

ninjhax gives developers access to a number of services. Because homebrew runs inside the exploited game's process, the accessible services are those in that process's service access control list. These include:

* ac:u
* APT:U
* boss:U
* cam:u
* cecd:u
* cfg:u
* dlp:FKCL
* dlp:SRVR
* dsp::DSP
* frd:u
* fs:USER
* gsp::Gpu
* hid:USER
* http:C
* ir:u
* mic:u
* ndm:u
* <nowiki>news:u</nowiki>
* nwm::UDS
* ptm:u
* pxi:dev
* soc:U
* ssl:C
* y2r:u

Additionally, Old 3DS models (3DS, 3DS XL and 2DS) are given access to the following:

* csnd:SND

In contrast, New 3DS models (New 3DS, New 3DS XL) get access to:

* am:app
* ir:rst
* l2b2:u
* l2b:u
* mvd:STD
* nim:aoc
* y2r2:u

The normal service used for accessing the [[Circle Pad Pro]] is not accessible: [[IR_Services|ir:USER]].
<br />
==System Call Access==

The following [[SVC|system calls]] are usable by homebrew running under ninjhax:

Allowed system calls: 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10
0x11, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19
0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21
0x22, 0x23, 0x24, 0x25, 0x27, 0x28, 0x29, 0x2A
0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32
0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C
0x3D

Note the gaps: 0x12 (Run), 0x26 (SignalAndWait), 0x33 (OpenProcess) and 0x34 (OpenThread) are absent, and nothing above 0x3D is permitted, which excludes the debug, process-memory and backdoor SVCs. The kernel enforces this list per process, so this whitelist is what keeps ninjhax homebrew in ARM11 userland until it is chained with a system flaw.
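As an added example (not code from this page or from ninjhax itself), the list above can be packed into the shape the 3DS kernel consumes it in and then queried. It assumes the extended-header kernel-capability encoding for the SVC access control list: one 32-bit descriptor per group of 24 SVCs, top five bits 11110, bits 24-26 the group index, bits 0-23 a mask with bit i set when SVC (24*group + i) is allowed. The function names and the constructed descriptor set are this example's own.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SVC numbers allowed under ninjhax, transcribed from the list above. */
static const uint8_t ninjhax_svcs[] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
    0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10,
    0x11, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
    0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21,
    0x22, 0x23, 0x24, 0x25, 0x27, 0x28, 0x29, 0x2A,
    0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32,
    0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
    0x3D,
};

/*
 * Assumed exheader encoding of the SVC access control list: descriptor
 * type prefix 11110 in bits 31-27, group index in bits 24-26, and a
 * 24-bit allow mask in bits 0-23 (bit i <=> SVC 24*group + i).
 */
#define SVC_ACL_PREFIX    0xF0000000u
#define SVC_ACL_TYPEMASK  0xF8000000u
#define SVC_ACL_GROUPS    8u
#define SVC_ACL_PER_GROUP 24u

/* Encode a list of allowed SVC numbers into the eight group descriptors. */
void svc_acl_build(const uint8_t *svcs, size_t n, uint32_t out[SVC_ACL_GROUPS])
{
    for (uint32_t g = 0; g < SVC_ACL_GROUPS; g++)
        out[g] = SVC_ACL_PREFIX | (g << 24);       /* empty mask = deny all */
    for (size_t i = 0; i < n; i++) {
        uint32_t g = svcs[i] / SVC_ACL_PER_GROUP;
        uint32_t b = svcs[i] % SVC_ACL_PER_GROUP;
        if (g < SVC_ACL_GROUPS)
            out[g] |= 1u << b;
    }
}

/* Decode: does this descriptor set permit SVC number `svc`? Default deny. */
int svc_acl_allows(const uint32_t *desc, size_t ndesc, unsigned svc)
{
    if (svc >= SVC_ACL_GROUPS * SVC_ACL_PER_GROUP)
        return 0;
    for (size_t i = 0; i < ndesc; i++) {
        if ((desc[i] & SVC_ACL_TYPEMASK) != SVC_ACL_PREFIX)
            continue;                               /* not an SVC ACL descriptor */
        if (((desc[i] >> 24) & 7u) != svc / SVC_ACL_PER_GROUP)
            continue;                               /* covers a different group */
        return (int)((desc[i] >> (svc % SVC_ACL_PER_GROUP)) & 1u);
    }
    return 0;                                       /* no descriptor covers it */
}

/* The ninjhax list, encoded once on first use. */
static const uint32_t *ninjhax_acl(void)
{
    static uint32_t acl[SVC_ACL_GROUPS];
    static int built;
    if (!built) {
        svc_acl_build(ninjhax_svcs, sizeof ninjhax_svcs, acl);
        built = 1;
    }
    return acl;
}

uint32_t ninjhax_descriptor(unsigned group)
{
    return group < SVC_ACL_GROUPS ? ninjhax_acl()[group] : 0;
}

int ninjhax_svc_allowed(unsigned svc)
{
    return svc_acl_allows(ninjhax_acl(), SVC_ACL_GROUPS, svc);
}

int main(void)
{
    for (unsigned g = 0; g < 3; g++)
        printf("descriptor[%u] = 0x%08" PRIX32 "\n", g, ninjhax_descriptor(g));
    printf("denied below 0x3E:");
    for (unsigned s = 0; s < 0x3E; s++)
        if (!ninjhax_svc_allowed(s))
            printf(" 0x%02X", s);
    printf("\n");
    return 0;
}
```

The encoder defaults every group to an empty mask, so an SVC that the list never mentions (0x12, 0x26, 0x33, 0x34, everything from 0x3E upward) decodes as denied; the decoder likewise denies anything no descriptor covers rather than falling through to allow.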
<br />
==Limitations==

At the moment, ninjhax only allows homebrew to access 64MB of RAM, including on the New 3DS. This may change in the future.

While sound works on the New 3DS for homebrew running via ninjhax 2.0, at the time of the exploit's original release there was no good way to use the DSP from homebrew, so sound output is not possible on the New 3DS using the old version. At the moment there is also no known way of running code on the New 3DS's extra CPU cores under ninjhax, though it is possible to use 80% of the system core's time via [[APT:SetApplicationCpuTimeLimit]], rather than the 30% available on the Old 3DS.
<br />
==Capabilities==
* All SD and NAND [[extdata]] is accessible via the main extdata [[FS:OpenArchive|archive]] (R/W). Note that the [[FS:OpenArchive|ExtSaveData-for-BOSS]] archive is not accessible.</div>

Homebrew Exploits (3dbrew wiki page, revision by Yario, 2016-07-11, edit summary "/* Standalone Homebrew Launcher Exploits */"; https://www.3dbrew.org/w/index.php?title=Homebrew_Exploits&diff=17667)

<div>==Standalone Homebrew Launcher Exploits==
The following homebrew exploits can be executed on a previously un-exploited system.

{| class="wikitable" border="1"
|-
! Works on latest fw
! Name
! Supported firmwares
! Requirements
! Author
! Install
|-
| style="background: salmon" | No
| [[ninjhax|Ninjhax 1.1b]]
| From '''4.0.0-7''' up to and including '''9.2.0-20'''.
| A cartridge or eShop version (JPN-only) of "Cubic Ninja".
| smea
| [http://smealum.net/ninjhax/ Install]
|-
| style="background: lightgreen" | Yes
| [[ninjhax|Ninjhax 2.x]]
| From '''9.0.0-7''' up to and including '''11.0.0-33'''.
| A cartridge or eShop version (JPN-only) of "Cubic Ninja".
| smea
| [https://smealum.github.io/ninjhax2/ Install]
|-
| style="background: lightgreen" | Yes
| [http://plutooo.github.io/freakyhax/ freakyhax]
| From '''9.0.0-7''' up to and including '''11.0.0-33'''.
| A cartridge or eShop version (USA/EUR/JAP) of "Freakyforms Deluxe".
| plutoo
| [http://plutooo.github.io/freakyhax/ Install]
|-
| style="background: lightgreen" | Yes
| [[smashbroshax|smashbroshax]] (beaconhax)
| (New 3DS only) From '''9.0.0-X''' up to and including '''11.0.0-33'''.
| Super Smash Bros 3DS (full game) and a way to broadcast raw wifi beacons. The demo (prior to the updated November 2015 [https://github.com/yellows8/3ds_smashbroshax version]) isn't usable with the *hax payloads. Game version v1.1.3 fixed the vulnerability used here; see the repo for a workaround.
| [[User:Yellows8|Yellows8]]
| [https://github.com/yellows8/3ds_smashbroshax Install]
|-
| style="background: salmon" | No
| [[browserhax]]
| (Old 3DS) From '''9.0.0-16''' to '''9.5.0-22''', '''9.5.0-23''' to '''9.8.0-25''', '''9.9.0-26''' to '''10.1.0-27''', '''10.2.0-28''' to '''10.5.0-30'''

(New 3DS) From '''9.0.0-20''' to '''9.2.0-20''', '''9.3.0-21''' to '''9.5.0-23''', '''9.6.0-24''' to '''9.8.0-25''', '''9.9.0-26''' to '''10.1.0-27''', '''10.2.0-28''' to '''10.5.0-30'''

Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].
| A USA, EUR, or JPN system.
| [[User:Yellows8|Yellows8]]
| [http://yls8.mtheall.com/3dsbrowserhax.php Install]
|-
| style="background: lightgreen" | Yes
| [http://mrnbayoh.github.io/basicsploit/ BASICSploit]
| From '''9.0.0''' up to and including '''11.0.0'''
| SmileBASIC (USA only; JPN to be supported soon) downloaded from the eShop. The vulnerability is not yet fixed as of v3.3.1.
| MrNbaYoh
| [http://mrnbayoh.github.io/basicsploit/ Install]
|}

Note that ninjhax 1.x is still not obsolete. Although ninjhax 2.x runs on 9.3+, that was made possible (among other things) by giving up the memory remapping exploit used in ninjhax 1.x (rohax). Things like JIT engines for emulators, which need memory that is both writable and executable, can therefore only be supported on ninjhax 1.x. Furthermore, ninjhax 2.x does not run on system versions below 9.0.0-X, while ninjhax 1.x does.
<br />
==Secondary Exploits==
These exploits require a previously exploited system to install. After installation, they can be used on their own.

{| class="wikitable" border="1"
! Works on latest fw
! Name
! Supported firmwares
! Requirements
! Author
! Install
|-
| style="background: salmon" | No
| [[ironhax]]
| From '''9.5.0-X''' up to and including '''10.3.0-X''', for '''X''' up to and including 28.
| A copy of "Ironfall: Invasion" downloaded from the eShop before August 11th, 2015. Note that the updated version released on October 13th, 2015 is not supported.
| smea
| [http://smealum.github.io/3ds/ Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/yellows8/oot3dhax oot3dhax]
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 32.
| A gamecard or eShop install of Legend of Zelda: Ocarina of Time 3D. Besides using the installer app, writing raw save images with a save dongle, for example, is another option. Because the *hax payload takes up the free space, the only save slot that can exist in the *gamecard* savedata is the oot3dhax save slot.
| Yellows8 / smea et al.
| See [https://smealum.github.io/3ds/ here].
|-
| style="background: salmon" | No
| [[menuhax]]
| From '''9.0.0-X''' up to and including '''10.5.0-X''', for '''X''' up to and including 30.
|
| [[User:Yellows8|Yellows8]]
| [https://github.com/yellows8/3ds_homemenuhax/releases Download]
|-
| style="background: lightgreen" | Yes
| [https://github.com/shinyquagsire23/supermysterychunkhax supermysterychunkhax]
| From '''9.9.0-X''' (USA/JPN) / '''10.2.0-X''' (EUR) up to and including '''11.0.0-X''', for '''X''' up to and including 33.
| A gamecard or eShop install of Pokémon Super Mystery Dungeon.
| Shiny Quagsire / SALT team
| [https://smd.salthax.org/ Install].
|-
| style="background: lightgreen" | Yes
| [https://github.com/shinyquagsire23/v_hax (v*)hax]
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 33.
Note that '''9.0.0-X''' is only required for the Homebrew Launcher; the game itself only requires '''2.1.0-X''' for primitive userland code execution.
| A copy of VVVVVV downloaded after March 2012 (v1)
| Shiny Quagsire / SALT team
| [https://vvvvvv.salthax.org/ Install].
|-
| style="background: lightgreen" | Yes
| [https://github.com/Dazzozo/humblehax humblehax]
| From '''9.0.0-X''' (USA/EUR) up to and including '''11.0.0-X''', for '''X''' up to and including 33.
| An eShop install of Citizens of Earth, featured in the Humble "Friends of Nintendo" Bundle.
| Dazzozo / SALT team
| [https://citizens.salthax.org/ Install].
|-
| style="background: lightgreen" | Yes
| [http://mrnbayoh.github.io/basehaxx/ basehaxx]
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 33.
| A gamecard or eShop install of Pokémon Omega Ruby / Alpha Sapphire.
| MrNbaYoh
| [http://mrnbayoh.github.io/basehaxx/ Install]
|}
<br />
==Exploits without Homebrew Launcher (Not recommended)==

<u>'''Warning:'''</u> The following exploits can run code, but are missing a 3DSX launcher. They cannot launch any homebrew in the 3DSX format.

{| class="wikitable" border="1"
|-
! Works on latest fw
! Name
! Supported firmwares
! Requirements
! Author
! Install
|-
| style="background: salmon" | No
| [[browserhax]] (without the loader in the 3ds_browserhax_common repo)
| (Old3DS) From '''2.1.0-4''' to '''3.0.0-6''', '''4.0.0-7''' to '''4.5.0-10''', '''5.0.0-11''' to '''7.0.0-13''', '''7.1.0-16''' to '''9.5.0-22''', '''9.5.0-23''' to '''9.8.0-25''', '''9.9.0-26''' to '''10.1.0-27''', '''10.2.0-28''' to '''10.5.0-30'''

(New3DS) From '''9.0.0-20''' to '''9.2.0-20''', '''9.3.0-21''' to '''9.5.0-23''', '''9.6.0-24''' to '''9.8.0-25''', '''9.9.0-26''' to '''10.1.0-27''', '''10.2.0-28''' to '''10.5.0-30'''

Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].
| A USA, EUR, or JPN system.
| [[User:Yellows8|Yellows8]]
| [[browserhax|Install]]
|}
<br />
==Previous Exploits==
<u>'''Warning:'''</u> These exploits '''do not work'''. They no longer function at all, regardless of software or firmware revision.
{| class="wikitable" border="1"
! Works on latest fw
! Name
! Supported firmwares
! Requirements
! Author
! Install
|-
| style="background: salmon" | No
| [[tubehax|Tubehax]]
| None. '''Was''': From '''9.0.0-X''' up to and including '''10.1.0-X''', for '''X''' up to and including 27.
| The YouTube application and an Internet connection. As of October 15, 2015 this is no longer usable: an update was released that fixes the vulnerability used by tubehax, and the app update is forced (see [[YouTube|here]]).
| smea
| [http://smealum.github.io/3ds/ Install]
|}
<br />
==Other Homebrew Loaders==
The [https://github.com/yellows8/hblauncher_loader hblauncher_loader] title can be used to boot the *hax payloads when running under a modded FIRM which allows running unsigned titles.

==Sysmodule Exploits==
This section is for system-module exploits, which can be run from the *hax payloads.

{| class="wikitable" border="1"
! Works on latest fw
! Name
! Supported firmwares
! Requirements
! Author
|-
| Yes, though that is not its intended default use.
| [https://github.com/yellows8/ctr-httpwn/releases ctr-httpwn]
| From '''9.6.0-X''' up to and including '''11.0.0-X'''.
| None
| [[User:Yellows8|Yellows8]]
|}

==WebKit vuln testing==
See [https://github.com/yellows8/3ds_browserhax_common/issues/28 here].</div>