Homebrew Exploits
==Payload==
{| class="wikitable" border="1"
|-
!  Works on latest fw
!  Name
!  Description
!  Supported firmwares
|-
| style="background: lightgreen" | Yes
| [https://smealum.github.io/3ds/ *hax payload]
| Booted by all of the below non-sysmodule exploits. '''No longer needed as of [https://github.com/AuroraWright/Luma3DS/releases/tag/v8.0 Luma 8.0]'''
| From '''9.0.0-7''' up to '''11.9.0-42'''.
|}
 
For the rest of this page, "Supported firmwares" refers to the exploit ''itself'', not whether *hax payload supports it.
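The "Supported firmwares" cells below all use the same notation: a system version written as major.minor.micro-NUP (for example '''11.9.0-42'''), with '''X''' standing for any update number, and occasionally a trailing "for X up to and including N" that caps the upper bound. The following is an added example, written for this page and not taken from any of the listed projects, that parses that notation and reports which listed exploits cover a given console version. It assumes that versions compare lexicographically by those four numbers, that an X in the micro or NUP position matches any value, and that the queried console version is always fully specified; the sample rows are copied from the tables on this page and are not the complete list.

```python
"""Parse 3DS system-version strings and the "Supported firmwares" ranges
used in the exploit tables on this page.

Assumptions (not stated on the page, see lead-in): versions compare as
(major, minor, micro, NUP); "X" in the micro or NUP position is a wildcard
that matches any value; "for X up to and including N" caps the upper bound.
"""
import re

# "11.9.0-42", "11.9.X", "9.0.0-X" -> four groups; micro and NUP may be X or absent
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+|X))?(?:-(\d+|X))?$")
# Same shape, used to pull version tokens out of a free-text range cell
_TOKEN_RE = re.compile(r"\d+\.\d+(?:\.(?:\d+|X))?(?:-(?:\d+|X))?")
# Trailing qualifier that caps the wildcard of the upper bound
_CAP_RE = re.compile(r"for\s+X\s+up to and including\s+(\d+)")


def parse_version(text):
    """Return (major, minor, micro, nup); wildcard or absent parts are None."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad version string: {text!r}")
    return tuple(None if p in (None, "X") else int(p) for p in m.groups())


def parse_range(cell):
    """Parse a table cell "From A up to and including B[, for X up to and
    including N]" into (low, high).  Wiki bold markup (''') is ignored."""
    plain = cell.replace("'''", "")
    tokens = _TOKEN_RE.findall(plain)
    if len(tokens) < 2:
        raise ValueError(f"could not find two versions in {cell!r}")
    low, high = parse_version(tokens[0]), parse_version(tokens[1])
    cap = _CAP_RE.search(plain)
    if cap and high[3] is None:
        # "for X up to and including 39" turns 11.9.0-X into 11.9.0-39
        high = high[:3] + (int(cap.group(1)),)
    return low, high


def _fill(version, value):
    """Replace wildcard parts so the tuple can be compared."""
    return tuple(value if p is None else p for p in version)


def in_range(console_version, low, high):
    """True if console_version lies in the inclusive range [low, high].
    A wildcard in the lower bound is treated as 0, in the upper bound as
    "anything", so 9.0.0-X covers 9.0.0-7 and 11.9.X covers 11.9.0-42."""
    v = parse_version(console_version)
    if None in v:
        raise ValueError("console version must be fully specified, e.g. 11.9.0-42")
    return _fill(low, 0) <= v <= _fill(high, 10**9)


def usable_exploits(console_version, table):
    """Names of table rows whose supported range covers console_version."""
    return [name for name, cell in table if in_range(console_version, *parse_range(cell))]


# Constructed sample: a few (name, "Supported firmwares" cell) pairs copied
# from the tables on this page.  Not the full list.
SAMPLE_TABLE = [
    ("Ninjhax 1.1b", "From '''4.0.0-7''' up to and including '''9.2.0-20'''."),
    ("Ninjhax 2.x", "From '''9.0.0-7''' up to and including '''11.9.X'''."),
    ("soundhax", "From '''9.0.0-13''' up to and including '''11.3.0-36'''."),
    ("oot3dhax", "From '''9.0.0-X''' up to and including '''11.9.0-X''', "
                 "for '''X''' up to and including 39."),
]

if __name__ == "__main__":
    for ver in ("8.1.0-0", "9.2.0-20", "11.9.0-42"):
        print(ver, "->", usable_exploits(ver, SAMPLE_TABLE))
```

Note how the cap matters: on '''11.9.0-42''' oot3dhax is excluded because its cell caps X at 39, while Ninjhax 2.x is included because '''11.9.X''' leaves both micro and NUP open.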
 
==Standalone Homebrew Launcher Exploits==
The following homebrew exploits can be executed on a previously un-exploited system. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''.
 
{| class="wikitable" border="1"
|-
!  Works on latest fw
!  Name
!  Supported firmwares
!  Requirements
!  Author
!  Install
|-
| style="background: salmon" | No
| [[ninjhax|Ninjhax 1.1b]]
| From '''4.0.0-7''' up to and including '''9.2.0-20'''.
| A cartridge or eShop version (JPN-only) of "Cubic Ninja".
| smea
| [http://smealum.net/ninjhax/ Install]
|-
| style="background: lightgreen" | Yes
| [[ninjhax|Ninjhax 2.x]]
| From '''9.0.0-7''' up to and including '''11.9.X'''.
| A cartridge or eShop version (JPN-only, not available anymore for purchase) of "Cubic Ninja".
| smea
| [https://smealum.github.io/ninjhax2/ Install]
|-
| style="background: lightgreen" | Yes
| [http://plutooo.github.io/freakyhax/ freakyhax]
| From '''9.0.0-7''' up to and including '''11.9.X'''.
| A cartridge or eShop version (USA/EUR/JPN, not available anymore for purchase) of "Freakyforms Deluxe".
| plutoo
| [http://plutooo.github.io/freakyhax/ Install]
|-
| style="background: salmon" | No
| [http://plutooo.github.io/smilehax/ smilehax]
| From '''9.0.0-7''' up to and including '''11.0.0-33'''
| SmileBASIC (JPN all versions up to 3.32 excluded, USA 3.31 only)
| plutoo
| [http://plutooo.github.io/smilehax/ Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/zoogie/smilehax-IIe smilehax IIe]
| From '''9.0.0-7''' up to and including '''11.13.0-45'''
| SmileBASIC (JPN version 3.3.2 via app downgrade, USA/EUR 3.6.0, aka latest app version)
| zoogie
| [https://github.com/zoogie/smilehax-IIe/releases/latest Install]
|-
| style="background: salmon" | No
| [http://mrnbayoh.github.io/basicsploit/ BASICSploit]
| From '''9.0.0-7''' up to and including '''11.0.0-33'''
| SmileBASIC (USA all versions)
| MrNbaYoh
| [http://mrnbayoh.github.io/basicsploit/ Install]
|-
| style="background: lightgreen" | Yes
| [[smashbroshax|smashbroshax]] (beaconhax)
| (New 3DS only) From '''9.0.0-X''' up to and including '''11.9.0-37'''.
| Super Smash Bros 3DS (full-game) and a way to broadcast raw wifi beacons. The demo (prior to the updated November 2015 [https://github.com/yellows8/3ds_smashbroshax version]) isn't usable with the *hax payloads. Game-version v1.1.3 fixed the vuln used with this, see the repo for a workaround for that.
| [[User:Yellows8|Yellows8]]
| [https://github.com/yellows8/3ds_smashbroshax Install]
|-
| style="background: salmon" | No
| [[browserhax]]
| From '''9.0.0-2''' to '''11.0.0-33'''
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].
| A USA, EUR, JPN, or KOR system.
| [[User:Yellows8|Yellows8]]
| [http://yls8.mtheall.com/3dsbrowserhax.php Install]
|-
| style="background: salmon" | No
| [https://github.com/svanheulen/genhax genhax]
| (New 3DS only) From '''9.9.0-X''' up to and including '''11.2.0-X'''.
| A gamecard or eShop-install of Monster Hunter X (JPN only), and the DLC encryption key (see installer instructions). '''Note: the secondary exploit still works, see below.'''
| svanheulen
| [https://github.com/svanheulen/genhax_installer Install]
|-
| style="background: salmon" | No
| [https://github.com/nedwill/soundhax soundhax]
| From '''9.0.0-13''' up to and including '''11.3.0-36'''.
| A USA, EUR, JPN or KOR system.
| nedwill
| [http://soundhax.com Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/MrNbaYoh/doodlebomb doodlebomb]
| From '''9.0.0-X'''(?) up to and including '''11.6.0-X'''.
| An eShop-install of Swapdoodle (version 1.1.1 or lower). Version 1.1.2, released 2017-04-26, blocks outdated app versions from sending or receiving messages.
| MrNbaYoh
| [https://mrnbayoh.github.io/doodlebomb/ Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/MrNbaYoh/rpwng2 RPwnG 2]
| From '''11.7.0-X'''(?) up to and including '''11.9.0-X'''.
| A digital copy of RPG Maker Player (free) ver. 1.1.4 on EUR, ver. 1.1.2 on USA. A 3DS on firmware 11.7.
| MrNbaYoh
| [https://mrnbayoh.github.io/rpwng2/ Install]
|-
| style="background: darkorange" | Only if installed before August 28, 2017
| [https://twitter.com/MrNbaYoh/status/899394739543437313 RPwnG]
| From '''9.0.0-X'''(?) up to and including '''11.9.0-X'''.
| A digital copy of RPG Maker Player (free), ver. 1.1.4 on EUR or ver. 1.1.2 on USA/JPN. As of August 28, 2017, the published exploit code is removed immediately after publishing, so new installs are no longer possible.
| MrNbaYoh
| [https://mrnbayoh.github.io/rpwng/ Install]
|-
| style="background: salmon" | No
| [https://github.com/MrNbaYoh/notehax notehax]
|  From '''9.9.0-X''' up to and including '''11.5.0-X'''.
| A digital copy of Flipnote Studio 3D on ver 1.3.1 (JPN) and ver 1.0.0 for EUR/USA (not the latest)
| MrNbaYoh
| [https://mrnbayoh.github.io/notehax/ Install]
|-
| style="background: darkorange" | Only if you already purchased Blockfactory before it was removed from the eShop
| [https://github.com/Stary2001/haxfactory haxfactory]
| From '''9.0.0-X'''(?) up to and including '''11.9.0-X'''.
| A digital copy of "Blockfactory" (USA/EUR)
| Stary2001
| [https://github.com/Stary2001/haxfactory Install]
|}
 
==Secondary Exploits==
Installing these exploits requires a previously exploited system. Once installed, they can be used on their own. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''.
 
{| class="wikitable" border="1"
!  Works on latest fw
!  Name
!  Supported firmwares
!  Requirements
!  Author
!  Install
|-
| style="background: salmon" | No
| [[ironhax]]
| From '''9.5.0-X''' up to and including '''10.3.0-X''', for '''X''' up to and including 28.
| A copy of "Ironfall: Invasion" downloaded from eShop before August 11th, 2015. Note the updated version that was released on October 13th, 2015 is not supported.
| smea
| [http://smealum.github.io/3ds/ Install]
|-
| style="background: lightgreen" | Yes
| [http://vegaroxas.github.io/ steelhax]
| From '''9.0.0-X''' up to and including '''11.9.0-X'''
| A copy of Steel Diver: Sub Wars
| Vegaroxas
| [https://github.com/VegaRoXas/vegaroxas.github.io/raw/master/files/steelhax-installer.zip Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/yellows8/oot3dhax oot3dhax]
| From '''9.0.0-X''' up to and including '''11.9.0-X''', for '''X''' up to and including 39.
| A gamecard or eShop-install of Legend of Zelda: Ocarina of Time 3D. Besides using the installer app, writing raw saveimages with a save dongle for example is another option. Before compression was introduced in the 2016-7-18 release, the size of the *hax payload meant the exploit can't co-exist with regular saves on a physical version of the game.
| Yellows8 / smea et al.
| See [https://smealum.github.io/3ds/ here].
|-
| style="background: salmon" | No
| [[menuhax]]
| JPN/USA/EUR: From '''9.0.0-X''' up to and including '''11.2.0-X'''.
KOR: From '''9.6.0-X''' up to and including '''11.2.0-X'''.
| JPN/USA/EUR: Having created [[Home_Menu#Home_Menu_Theme_SD_ExtData|theme extdata]] through opening the official theme selector at least once.
| [[User:Yellows8|Yellows8]]
| [https://github.com/yellows8/3ds_homemenuhax/releases Download]
|-
| style="background: lightgreen" | Yes
| [https://github.com/shinyquagsire23/supermysterychunkhax supermysterychunkhax]
| From '''9.9.0-X''' (USA/JPN) / '''10.2.0-X''' (EUR) up to '''11.9.0-X'''.
| A gamecard or eShop-install of Pokémon Super Mystery Dungeon.
| Shiny Quagsire / SALT team
| [https://smd.salthax.org/ Install].
|-
| style="background: salmon" | No
| [https://github.com/shinyquagsire23/v_hax (v*)hax]
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 33.
Note that '''9.0.0-X''' is only required for the Homebrew Launcher - the game itself only requires '''2.1.0-X''' for primitive userland code execution.
| A copy of VVVVVV downloaded after March 2012 (v1). v1.1 patches out the overflow vulnerability used by (v*)hax.
| Shiny Quagsire / SALT team
| [https://vvvvvv.salthax.org/ Install].
|-
| style="background: lightgreen" | Yes
| [https://github.com/Dazzozo/humblehax humblehax]
| From '''9.0.0-X''' (USA/EUR) up to and including '''11.9.0-X'''.
| An eShop-install of Citizens of Earth (either v1 or v2), featured in the Humble "Friends of Nintendo" Bundle.
| Dazzozo / SALT team
| [https://citizens.salthax.org/ Install].
|-
| style="background: salmon" | No
| [http://mrnbayoh.github.io/basehaxx/ basehaxx]
| From '''9.0.0-X''' up to and including '''11.1.0-X'''.
| A gamecard or eShop-install of Pokémon Omega Ruby / Alpha Sapphire v1 or v1.4 with the ability to have a secret base.
| MrNbaYoh
| [http://mrnbayoh.github.io/basehaxx/ install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/yellows8/stickerhax stickerhax]
| From '''9.0.0-X''' up to and including '''11.6.0-X'''.
| A gamecard or eShop-install of Paper Mario: Sticker Star.
| [[User:Yellows8|Yellows8]]
| [https://github.com/yellows8/stickerhax Here]
|-
| style="background: lightgreen" | Yes
| [https://github.com/svanheulen/genhax genhax]
| (New 3DS only) From '''9.9.0-X'''(JPN) or '''10.3.0-X'''(EUR/USA) up to and including '''11.3.0-X'''.
| A gamecard or eShop-install of Monster Hunter Generations or Monster Hunter X (without the game updates installed), and an internet connection during installation.
| svanheulen
| [https://github.com/svanheulen/genhax_installer Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/MrNbaYoh/painthax painthax]
| From '''9.0.0-X''' up to and including '''11.6.0-X'''.
| An eShop-install of Pixel Paint.
| MrNbaYoh
| [https://github.com/MrNbaYoh/painthax/releases/latest install]
|-
| style="background: salmon" | No
| [https://github.com/yellows8/ctpkpwn ctpkpwn_tfh]
| From '''9.9.0-X''' up to and including '''11.3.0-X'''.
| A gamecard or eShop-install of "The Legend of Zelda: Tri Force Heroes", and an Internet connection during installation. Unless you have CFW, ctr-httpwn >= v1.2 (with the included bosshaxx) on a compatible system version is also required; installing via ctr-httpwn is not possible on >= 11.4. Note that the exploit itself was not fixed.
| [[User:Yellows8|Yellows8]]
| [https://github.com/yellows8/ctpkpwn/releases Install]
|-
| style="background: salmon" | No
| [https://github.com/MrNbaYoh/doodlebomb doodlebomb]
| From '''9.0.0-X'''(?) up to and including '''11.4.0-X'''.
| An eShop-install of Swapdoodle.
| MrNbaYoh
| [https://mrnbayoh.github.io/doodlebomb/ Install]
|-
| style="background: darkorange" | Only if installed before August 28, 2017
| [https://github.com/ChampionLeake/RPwnG3 RPwnG3]
| From '''9.0.0-X'''(?) up to and including '''11.12.0-X'''.
| A Digital/Physical copy of "RPGMaker Fes Player/RPGMaker Fes" (USA/JPN 1.1.2 or lower ; EUR 1.1.4 or lower).
| [[User:ChampionLeake|ChampionLeake]]
| [https://github.com/ChampionLeake/RPwnG3/releases Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/luigoalma/nitpic3d nitpic3d]
| From '''9.6.0-X'''(?) up to and including '''11.13.0-X'''.
| A digital or physical copy of Picross 3D: Round 2
| Luigoalma and Kartik
| [https://github.com/luigoalma/nitpic3d Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/PabloMK7/kartdlphax kartdlphax]
| All system versions work.
| A digital or physical copy of Mario Kart 7, of the same region on both consoles
| PabloMK7
| [https://3ds.hacks.guide/installing-boot9strap-(kartdlphax) Install]
|}


==Exploits without Homebrew Launcher==
 
<u>'''Warning:'''</u> The following exploits can run code, but are missing a 3DSX launcher. They cannot launch any homebrew in the 3DSX format, but could still prove useful by chaining to exploits with higher privileges.
 
{| class="wikitable" border="1"
|-
!  Works on latest fw
!  Name
!  Supported firmwares
!  Requirements
!  Author
!  Install
|-
| style="background: lightgreen" | Yes
| [https://github.com/zoogie/MSET9 MSET9]
| From '''3.0.0''' to '''latest'''.
| Works on all consoles. CHN consoles need an SD card with preinstalled titles, or the console's movable.sed, to generate a valid SD title database.
| zoogie
| [https://github.com/zoogie/MSET9 Install]
|-
| style="background: salmon" | No
| [https://safecerthax.rocks safecerthax] (Safe Mode System Updater)
| (Old3DS (2DS) (XL)) From '''1.0.0''' to '''11.14.0'''
 
(New3DS (New2DS) (XL)) '''NOT SUPPORTED'''
|An O3DS or O2DS that can be booted into [[Recovery_Mode|Recovery Mode]] (hold L+R+Up+A at startup) & an internet connection.
|[[User:Nba_Yoh|MrNbaYoh]]
|[https://safecerthax.rocks/user-guide/ Install]
|-
| style="background: lightgreen" | Yes (partially)
| [[bannerbomb3]] (System Settings)
| (USA / EUR / JPN) '''11.5.0''' to '''11.16.0'''
 
(KOR / TWN) '''(11.4.0)''' '''11.5.0''' to '''latest'''
 
An exploit that uses a buffer overflow in a TWL export banner's title strings to gain ROP execution.
|A USA, EUR, JPN, KOR, or TWN system with its movable.sed keyY extracted.
|[[User:zoogie|zoogie]]
|[[bannerbomb3|Install]]
|-
| style="background: salmon" | No
| [[browserhax]] (Without the loader in the 3ds_browserhax_common repo)
| (Old3DS) From '''5.0.0-2''' to '''11.0.0-33''' (Pre-v5.0 is supported for some versions if you manually modify the source)
 
(New3DS) From '''9.0.0-20''' to '''11.0.0-33'''
 
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].
| A USA, EUR, or JPN system.
| [[User:Yellows8|Yellows8]]
| [[browserhax|Install]]
|-
| style="background: salmon" | No
| Ninjhax (with specialized payloads)
| Up to '''9.2.0-20'''?
|
| smea + independent developers
| N/A
|}
 
==Previous Exploits==
<u>'''Warning:'''</u> These exploits '''do not work'''. They are exploits which no longer function at all, regardless of software or firmware revision.
{| class="wikitable" border="1"
!  Works on latest fw
! Name
! Supported firmwares
! Requirements
! Author
! Install
|-
| style="background: salmon" | No
| [[tubehax|Tubehax]]
| None. '''Was''': From '''9.0.0-X''' up to and including '''10.1.0-X''', for '''X''' up to and including 27.
| The YouTube application and an Internet connection. As of October 15, 2015, this is no longer usable due to an update being released which fixes the vuln used by tubehax + app update being forced (see [[YouTube|here]]).
| smea
| [http://smealum.github.io/3ds/ Install]
|}
==Other Homebrew Loaders==
The [https://github.com/yellows8/hblauncher_loader hblauncher_loader] title can be used when running under modded-FIRM which allows running unsigned titles, to boot the *hax payloads.

[https://github.com/AuroraWright/Luma3DS Luma3DS], apart from providing signature patches for the installation and use of custom titles, includes the "Rosalina" system module, which among its features allows cleanly loading 3DSX applications as a native process with full ARM11 system permissions, by replacing an installed title's ExeFS and ExHeader at load time. It is currently the only option for running 3DSX applications on 11.4+ O3DSes; additionally, the *hax 2.x payload is incompatible with Rosalina, and therefore so are homebrew applications that require its target-title system.
==Sysmodule Exploits==
This section is for system-module exploits, which can be run from the *hax payloads.
{| class="wikitable" border="1"
! Works on latest fw
! Name
! Supported firmwares
! Requirements
! Author
|-
| style="background: salmon" | No, still usable pre-v11.4.
| [https://github.com/yellows8/ctr-httpwn/releases ctr-httpwn]
| From '''9.6.0-X''' up to and including '''11.3.0-X'''. This includes bosshaxx.
| None
| [[User:Yellows8|Yellows8]]
|}
==WebKit vuln testing==
See [https://github.com/yellows8/3ds_browserhax_common/issues/28 here].