3DS Userland Flaws: Difference between revisions

Luigoalma (talk | contribs)
No edit summary
Riley (talk | contribs)
Non-system applications: might as well finally document this CGB trl vuln. may the 3DS VC escape become reality someday.
 
(4 intermediate revisions by 4 users not shown)
Line 225: Line 225:
| August 24, 2020
| [[User: Luigoalma|Luigoalma]] and [[User: Kartik|Kartik]]
|-
| Me and My Pets 3D
| String buffer overflow
| The game stores some strings in the savegame. Using a large enough string, one can overwrite addresses on the stack and form a ROP chain.
| None
| App: Initial Version
| June 24, 2022
| June 12, 2022
| [[User: Kartik|Kartik]]
|-
| trl CGB emulator (GBC Virtual Console)
| HDMA heap buffer overflow
| trl's CGB emulation implements general-purpose (normal mode) HDMA as a single memcpy and fails to correctly bounds check the provided pointers and length. (hblank mode HDMA does perform proper bounds checks after each 0x10-byte memcpy.)
In addition, each region of emulated memory (ROM, SRAM, VRAM, WRAM, OAM, MMIO+HRAM) is allocated separately from the CTR-SDK heap.
Thus an HDMA transfer that runs past the end of VRAM (VRAM bank 1 must be selected) overflows into the neighbouring heap allocation. The largest possible copy is 0x800 bytes to a destination 0x10 bytes before the end of VRAM.
This is hard to exploit. The heap buffers get freed when choosing to close the game from the Home Menu, with the Home Menu holding the GPU. It may be possible to make calls to APT in ROP in this state to get the Home Menu to release the GPU.
To exploit this, SM83 code execution inside the emulator would need to be obtained. This could be done by human-viable or remote (emulated link-cable) code execution exploits (for example Pokémon Yellow (non-JP)/Gold/Silver/Crystal); by crafting SRAM (where the game itself has a savegame exploit); or by crafting an emulator save-state (for games where save-states are enabled).
DMG (mono Game Boy) games are not exploitable; the bug is in CGB-specific functionality which is disabled for mono Game Boy games (determined by the ROM header).
| None
| trl as included in Pokémon Crystal VC
| January 2024
| ~2017
| [[User:Riley|Riley]]
|}
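As an added example (hypothetical C written for this page, not trl's actual code), the unchecked general-purpose HDMA copy described in the trl row above is shown next to a bounds-checked form, using the row's worst case (a 0x800-byte copy to 0x10 bytes before the end of VRAM) as the self-check input. The 0x2000-byte VRAM bank size and 0x10-byte HDMA block granularity are CGB facts; the struct layout and function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the CGB HDMA path; constructed for this example, not trl's code. */
#define VRAM_BANK_SIZE 0x2000u   /* one CGB VRAM bank */
#define HDMA_BLOCK     0x10u     /* HDMA moves 0x10-byte blocks */
#define HDMA_MAX_LEN   0x800u    /* HDMA5 length field: at most 128 blocks */

typedef struct {
    uint8_t  vram[2][VRAM_BANK_SIZE];  /* in the real emulator each region is its own heap buffer */
    unsigned vram_bank;                /* 0 or 1, selected via VBK */
} Cgb;

/* Bytes a transfer would write past the end of the selected VRAM bank (0 if it fits). */
size_t hdma_overflow_bytes(uint16_t dst_off, size_t len) {
    size_t end = (size_t)dst_off + len;
    return end > VRAM_BANK_SIZE ? end - VRAM_BANK_SIZE : 0;
}

/* Shape of the bug described on the page: a single memcpy with no destination bound check. */
void hdma_general_unchecked(Cgb *g, const uint8_t *src, uint16_t dst_off, size_t len) {
    memcpy(&g->vram[g->vram_bank][dst_off], src, len);  /* can spill into the neighbouring heap buffer */
}

/* Hardened form: validate length, source and destination before copying anything. */
bool hdma_general_checked(Cgb *g, const uint8_t *src, size_t src_size,
                          uint16_t dst_off, size_t len) {
    if (len == 0 || len > HDMA_MAX_LEN || (len % HDMA_BLOCK) != 0) return false;
    if (g->vram_bank > 1 || len > src_size) return false;      /* bad bank or source too small */
    if (hdma_overflow_bytes(dst_off, len) != 0) return false;  /* destination runs past the bank */
    memcpy(&g->vram[g->vram_bank][dst_off], src, len);
    return true;
}

/* Self-check on constructed input: the page's worst case (dst 0x1FF0, len 0x800) must be refused. */
int hdma_selfcheck(void) {
    static Cgb g;
    static uint8_t src[HDMA_MAX_LEN];
    int ok = 0;
    memset(&g, 0, sizeof g);
    memset(src, 0xAA, sizeof src);
    g.vram_bank = 1;
    ok += !hdma_general_checked(&g, src, sizeof src, 0x1FF0, 0x800);  /* 0x7F0-byte spill refused */
    ok += hdma_general_checked(&g, src, sizeof src, 0x1FF0, 0x10);    /* final block fits */
    ok += hdma_general_checked(&g, src, sizeof src, 0x1000, 0x800);   /* in-bounds block copy */
    ok += (g.vram[1][0x1FF0] == 0xAA && g.vram[0][0x1FF0] == 0);      /* only bank 1 written */
    return ok;  /* 4 when every check passes */
}
```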


Line 335: Line 362:


Interesting note: A line feed wchar (00 0A) at any point in the string before the crash offset will prevent the crash from occurring.
| None
| [[11.17.0-50]]
| [[11.13.0-45]]
| Dec. 2018
Line 357: Line 384:
| June/July 2016
| [[User:nedwill|nedwill]]
|-
| [[EShop]]
| When creating an audio decoder object for the moflex movie player, if the audio codec is PCM16, the application uses an uninitialized value as a pointer. One can spray the heap to get control of that pointer and achieve ROP.
| None
| [[11.14.0-46]]
| 2020
| [[User:Nba_Yoh|MrNbaYoh]]
|}


Line 426: Line 460:
!  Timeframe this was discovered
!  Discovered by
|-
| u8 brightness setting OOB index (menuhax67)
| Config block 0x50001 contains a u8 brightness setting that indexes a table of u32 addresses; it can be set to an out-of-bounds index (it's normally 1-5). Within config block 0x50009 there exists a single controllable u32 that's located within the u8's range. With these set properly, one can eventually redirect a function pointer to an address of their choice. This is triggered after the Home Menu quick launch tab is activated. POC [https://github.com/zoogie/menuhax67 here].
| None
| [[11.13.0-45]]
|
| October 4, 2020
| September, 2020
| Zoogie
|-
| bossbannerhax