3dbrew

Homebrew Exploits: Difference between revisions

← Older edit
100pcrack (talk | contribs)
11 edits
No edit summary
No edit summary
 
(294 intermediate revisions by 59 users not shown)
Line 1: Line 1:
==Self-Exploitable==
==Payload==
The following homebrew exploits can be executed on a previously un-exploited system.
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
!  Works on latest fw
!  Name
!  Description
!  Supported firmwares
|-
| style="background: lightgreen" | Yes
| [https://smealum.github.io/3ds/ *hax payload]
| Booted by all of the below non-sysmodule exploits. '''No longer needed as of [https://github.com/AuroraWright/Luma3DS/releases/tag/v8.0 Luma 8.0]'''
| From '''9.0.0-7''' up to '''11.9.0-42'''.
|}
For the rest of this page, "Supported firmwares" refers to the exploit ''itself'', not whether *hax payload supports it.
==Standalone Homebrew Launcher Exploits==
The following homebrew exploits can be executed on a previously un-exploited system. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''.
{| class="wikitable" border="1"
|-
!  Works on latest fw
!  Name
!  Name
!  Supported firmwares
!  Supported firmwares
Line 9: Line 27:
!  Install
!  Install
|-
|-
| style="background: salmon" | No
| [[ninjhax|Ninjhax 1.1b]]
| [[ninjhax|Ninjhax 1.1b]]
| From '''4.0.0-X''' up to and including '''9.2.0-X''', for '''X''' is between 7 and 20.  
| From '''4.0.0-7''' up to and including '''9.2.0-20'''.
| A cartridge or eShop version (JPN-only) of "Cubic Ninja".
| A cartridge or eShop version (JPN-only) of "Cubic Ninja".
| smea
| smea
| [http://smealum.net/ninjhax/ Install]
| [http://smealum.net/ninjhax/ Install]
|-
|-
| [[ninjhax|Ninjhax 2.1]]
| style="background: lightgreen" | Yes
| From '''9.0.0-X''' up to and including '''10.1.0-X''', for '''X''' up to and including 27.  
| [[ninjhax|Ninjhax 2.x]]
| A cartridge or eShop version (JPN-only) of "Cubic Ninja".
| From '''9.0.0-7''' up to and including '''11.9.X'''.
|  A cartridge or eShop version (JPN-only, not available anymore for purchase) of "Cubic Ninja".
| smea
| [https://smealum.github.io/ninjhax2/ Install]
|-
| style="background: lightgreen" | Yes
| [http://plutooo.github.io/freakyhax/ freakyhax]
| From '''9.0.0-7''' up to and including '''11.9.X'''.
|  A cartridge or eShop version (USA/EUR/JPN, not available anymore for purchase) of "Freakyform Deluxe".
| plutoo
| [http://plutooo.github.io/freakyhax/ Install]
|-
| style="background: salmon" | No
| [http://plutooo.github.io/smilehax/ smilehax]
| From '''9.0.0-7''' up to and including '''11.0.0-33'''
| SmileBASIC (JPN all versions up to 3.32 excluded, USA 3.31 only)
| plutoo
| [http://plutooo.github.io/smilehax/ Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/zoogie/smilehax-IIe smilehax IIe]
| From '''9.0.0-7''' up to and including '''11.13.0-45'''
| SmileBASIC (JPN version 3.3.2 via app downgrade, USA/EUR 3.6.0, aka latest app version)
| zoogie
| [https://github.com/zoogie/smilehax-IIe/releases/latest Install]
|-
| style="background: salmon" | No
| [http://mrnbayoh.github.io/basicsploit/ BASICSploit]
| From '''9.0.0-7''' up to and including '''11.0.0-33'''
| SmileBASIC (USA all versions)
| MrNbaYoh
| [http://mrnbayoh.github.io/basicsploit/ Install]
|-
| style="background: lightgreen" | Yes
| [[smashbroshax|smashbroshax]] (beaconhax)
| (New 3DS only) From '''9.0.0-X''' up to and including '''11.9.0-37'''.
| Super Smash Bros 3DS (full-game) and a way to broadcast raw wifi beacons. The demo (prior to the updated November 2015 [https://github.com/yellows8/3ds_smashbroshax version]) isn't usable with the *hax payloads. Game-version v1.1.3 fixed the vuln used with this, see the repo for a workaround for that.
| [[User:Yellows8|Yellows8]]
| [https://github.com/yellows8/3ds_smashbroshax Install]
|-
| style="background: salmon" | No
| [[browserhax]]
| From '''9.0.0-2''' to '''11.0.0-33'''
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].
| A USA, EUR, JPN, or KOR system.
| [[User:Yellows8|Yellows8]]
| [http://yls8.mtheall.com/3dsbrowserhax.php Install]
|-
| style="background: salmon" | No
| [https://github.com/svanheulen/genhax genhax]
| (New 3DS only) From '''9.9.0-X''' up to and including '''11.2.0-X'''.
| A gamecard or eShop-install of Monster Hunter X (JPN only), and the DLC encryption key (see installer instructions). '''Note: the secondary exploit still works, see bellow'''
| svanheulen
| [https://github.com/svanheulen/genhax_installer Install]
|-
| style="background: salmon" | No
| [https://github.com/nedwill/soundhax soundhax]
| From '''9.0.0-13''' up to and including '''11.3.0-36'''.
| A USA, EUR, JPN or KOR system.
| nedwill
| [http://soundhax.com Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/MrNbaYoh/doodlebomb doodlebomb]
| From '''9.0.0-X'''(?) up to and including '''11.6.0-X'''.
| An eShop-install of Swapdoodle (version 1.1.1 or lower). As of 2017-4-26, version 1.1.2 was released, blocking outdated app version from sending or receiving messages.
| MrNbaYoh
| [https://mrnbayoh.github.io/doodlebomb/ Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/MrNbaYoh/rpwng2 RPwnG 2]
| From '''11.7.0-X'''(?) up to and including '''11.9.0-X'''.
| A digital copy of RPG Maker Player (free) ver. 1.1.4 on EUR, ver. 1.1.2 on USA. A 3DS on firmware 11.7.
| MrNbaYoh
| [https://mrnbayoh.github.io/rpwng2/ Install]
|-
| style="background: darkorange" | Only if installed before August 28, 2017
| [https://twitter.com/MrNbaYoh/status/899394739543437313 RPwnG]
| From '''9.0.0-X'''(?) up to and including '''11.9.0-X'''.
| An  digital copy of RPG Maker Player (free) ver. 1.1.4 on EUR, ver. 1.1.2 on USA/JPN is required. As of August 28, 2017 the code is instantly removed after publishing.
| MrNbaYoh
| [https://mrnbayoh.github.io/rpwng/ Install]
|-
| style="background: salmon" | No
| [https://github.com/MrNbaYoh/notehax notehax]
|  From '''9.9.0-X''' up to and including '''11.5.0-X'''.
| A digital copy of Flipnote Studio 3D on ver 1.3.1 (JPN) and ver 1.0.0 for EUR/USA (not the latest)
| MrNbaYoh
| [https://mrnbayoh.github.io/notehax/ Install]
|-
| style="background: darkorange" | Only if you already purchased Blockfactory before it was removed from the eShop
| [https://github.com/Stary2001/haxfactory haxfactory]
| From '''9.0.0-X'''(?) up to and including '''11.9.0-X'''.
| A digital copy of "Blockfactory" (USA/EUR)
| Stary2001
| [https://github.com/Stary2001/haxfactory Install]
|}
 
==Secondary Exploits==
Installation of these exploits requires a previously exploited system to install. After installation, they can be used on their own. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''.
 
{| class="wikitable" border="1"
!  Works on latest fw
!  Name
!  Supported firmwares
!  Requirements
!  Author
!  Install
|-
| style="background: salmon" | No
| [[ironhax]]
| From '''9.5.0-X''' up to and including '''10.3.0-X''', for '''X''' up to and including 28.
| A copy of "Ironfall: Invasion" downloaded from eShop before August 11th, 2015. Note the updated version that was released on October 13th, 2015 is not supported.
| smea
| smea
| [http://smealum.github.io/ninjhax2/ Install]
| [http://smealum.github.io/3ds/ Install]
|-
| style="background: lightgreen" | Yes
| [http://vegaroxas.github.io/ steelhax]
| From '''9.0.0-X''' up to and including '''11.9.0-X'''
| A copy of Steel Diver: Sub Wars
| Vegaroxas
| [https://github.com/VegaRoXas/vegaroxas.github.io/raw/master/files/steelhax-installer.zip Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/yellows8/oot3dhax oot3dhax]
| From '''9.0.0-X''' up to and including '''11.9.0-X''', for '''X''' up to and including 39.
| A gamecard or eShop-install of Legend of Zelda: Ocarina of Time 3D. Besides using the installer app, writing raw saveimages with a save dongle for example is another option. Before compression was introduced in the 2016-7-18 release, the size of the *hax payload meant the exploit can't co-exist with regular saves on a physical version of the game.
| Yellows8 / smea et al.
| See [https://smealum.github.io/3ds/ here].
|-
| style="background: salmon" | No
| [[menuhax]]
| JPN/USA/EUR: From '''9.0.0-X''' up to and including '''11.2.0-X'''.
KOR: From '''9.6.0-X''' up to and including '''11.2.0-X'''.
| JPN/USA/EUR: Having created [[Home_Menu#Home_Menu_Theme_SD_ExtData|theme extdata]] through opening the official theme selector at least once.
| [[User:Yellows8|Yellows8]]
| [https://github.com/yellows8/3ds_homemenuhax/releases Download]
|-
| style="background: lightgreen" | Yes
| [https://github.com/shinyquagsire23/supermysterychunkhax supermysterychunkhax]
| From '''9.9.0-X''' (USA/JPN) / '''10.2.0-X''' (EUR) up to '''11.9.0-X'''.
| A gamecard or eShop-install of Pokémon Super Mystery Dungeon.
| Shiny Quagsire / SALT team
| [https://smd.salthax.org/ Install].
|-
| style="background: salmon" | No
| [https://github.com/shinyquagsire23/v_hax (v*)hax]
| From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 33.
Note that '''9.0.0-X''' is only required for the Homebrew Launcher - the game itself only requires '''2.1.0-X''' for primitive userland code execution.
| A copy of VVVVVV downloaded after March 2012 (v1). v1.1 patches out the overflow vulnerability used by (v*)hax.
| Shiny Quagsire / SALT team
| [https://vvvvvv.salthax.org/ Install].
|-
| style="background: lightgreen" | Yes
| [https://github.com/Dazzozo/humblehax humblehax]
| From '''9.0.0-X''' (USA/EUR) up to and including '''11.9.0-X'''.
| An eShop-install of Citizens of Earth (either v1 or v2), featured in the Humble "Friends of Nintendo" Bundle.
| Dazzozo / SALT team
| [https://citizens.salthax.org/ Install].
|-
| style="background: salmon" | No
| [http://mrnbayoh.github.io/basehaxx/ basehaxx]
| From '''9.0.0-X''' up to and including '''11.1.0-X'''.
| A gamecard or eShop-install of Pokémon Omega Ruby / Alpha Sapphire v1 or v1.4 with the ability to have a secret base.
| MrNbaYoh
| [http://mrnbayoh.github.io/basehaxx/ install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/yellows8/stickerhax stickerhax]
| From '''9.0.0-X''' up to and including '''11.6.0-X'''.
| A gamecard or eShop-install of Paper Mario: Sticker Star.
| [[User:Yellows8|Yellows8]]
| [https://github.com/yellows8/stickerhax Here]
|-
| style="background: lightgreen" | Yes
| [https://github.com/svanheulen/genhax genhax]
| (New 3DS only) From '''9.9.0-X'''(JPN) or '''10.3.0-X'''(EUR/USA) up to and including '''11.3.0-X'''.
| A gamecard or eShop-install of Monster Hunter Generations or Monster Hunter X (without the game updates installed), and an internet connection during installation.
| svanheulen
| [https://github.com/svanheulen/genhax_installer Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/MrNbaYoh/painthax painthax]
| From '''9.0.0-X''' up to and including '''11.6.0-X'''.
| An eShop-install of Pixel Paint.
| MrNbaYoh
| [https://github.com/MrNbaYoh/painthax/releases/latest install]
|-
| style="background: salmon" | No
| [https://github.com/yellows8/ctpkpwn ctpkpwn_tfh]
| From '''9.9.0-X''' up to and including '''11.3.0-X'''.
| A gamecard or eShop-install of "The Legend of Zelda: Tri Force Heroes", and an Internet connection during installation. Unless you have "CFW", ctr-httpwn >=v1.2 with the included bosshaxx on a compatible system-version is also required. If installing via ctr-httpwn, you can't do so on >=v11.4. Note that the exploit itself was not fixed.
| [[User:Yellows8|Yellows8]]
| [https://github.com/yellows8/ctpkpwn/releases Install]
|-
| style="background: salmon" | No
| [https://github.com/MrNbaYoh/doodlebomb doodlebomb]
| From '''9.0.0-X'''(?) up to and including '''11.4.0-X'''.
| An eShop-install of Swapdoodle.
| MrNbaYoh
| [https://mrnbayoh.github.io/doodlebomb/ Install]
|-
| style="background: darkorange" | Only if installed before August 28, 2017
| [https://github.com/ChampionLeake/RPwnG3 RPwnG3]
| From '''9.0.0-X'''(?) up to and including '''11.12.0-X'''.
| A Digital/Physical copy of "RPGMaker Fes Player/RPGMaker Fes" (USA/JPN 1.1.2 or lower ; EUR 1.1.4 or lower).
| [[User:ChampionLeake|ChampionLeake]]
| [https://github.com/ChampionLeake/RPwnG3/releases Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/luigoalma/nitpic3d nitpic3d]
| From '''9.6.0-X'''(?) up to and including '''11.13.0-X'''.
| A digital or physical of Picross 3D: Round 2
| Luigoalma and Kartik
| [https://github.com/luigoalma/nitpic3d Install]
|-
| style="background: lightgreen" | Yes
| [https://github.com/PabloMK7/kartdlphax kartdlphax]
| All system versions work.
| A digital or physical of Mario Kart 7 for the same region as both consoles
| PabloMK7
| [https://3ds.hacks.guide/installing-boot9strap-(kartdlphax) Install]
|}
 
==Exploits without Homebrew Launcher==
 
<u>'''Warning:'''</u> The following exploits can run code, but are missing a 3DSX launcher. They cannot launch any homebrew in the 3DSX format, but could still prove useful by chaining to exploits with higher privileges.
 
{| class="wikitable" border="1"
|-
!  Works on latest fw
!  Name
!  Supported firmwares
!  Requirements
!  Author
!  Install
|-
| style="background: lightgreen" | yes
| [https://github.com/zoogie/MSET9 MSET9]
| From '''3.0.0''' to '''latest'''.
| Works on all consoles, but for CHN consoles, will need SD card with preinstalled titles or movable.sed for generating valid SD title database.
| zoogie
|[https://github.com/zoogie/MSET9 Install]
|-
| style="background: salmon" | No
| [https://safecerthax.rocks safecerthax] (Safe Mode System Updater)
| (Old3DS (2DS) (XL)) From '''1.0.0''' to '''11.14.0'''
 
(New3DS (New2DS) (XL)) '''NOT SUPPORTED'''
|An O3DS or O2DS that can be booted into [[Recovery_Mode|Recovery Mode]] (hold L+R+Up+A at startup) & an internet connection.
|[[User:Nba_Yoh|MrNbaYoh]]
|[https://safecerthax.rocks/user-guide/ Install]
|-
| style="background: lightgreen" | Yes (partially)
| [[bannerbomb3]] (System Settings)
| (USA / EUR / JPN) '''11.5.0''' to '''11.16.0'''
 
(KOR / TWN) '''(11.4.0)''' '''11.5.0''' to '''latest'''
 
An exploit that uses a buffer overflow in a TWL export banner's title strings to gain rop execution.
|A USA, EUR, JPN, KOR, or TWN system with its movable.sed keyY extracted.
|[[User:zoogie|zoogie]]
|[[bannerbomb3|Install]]
|-
| style="background: salmon" | No
| [[browserhax]] (Without the loader in the 3ds_browserhax_common repo)
| (Old3DS) From '''5.0.0-2''' to '''11.0.0-33''' (Pre-v5.0 is supported for some versions if you manually modify the source)
 
(New3DS) From '''9.0.0-20''' to '''11.0.0-33'''
 
Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]].
| An USA, EUR, or JPN system.
| [[User:Yellows8|Yellows8]]
| [[browserhax|Install]]
|-
| style="background: salmon" | No
| Ninjhax (with specialized payloads)
| Up to '''9.2.0-20'''?
|
| smea + independent developers
| N/A
|}
 
==Previous Exploits==
<u>'''Warning:'''</u> These exploits '''do not work'''. They are exploits which no longer function at all, regardless of software or firmware revision.
{| class="wikitable" border="1"
!  Works on latest fw
! Name
! Supported firmwares
! Requirements
! Author
! Install
|-
|-
| style="background: salmon" | No
| [[tubehax|Tubehax]]
| [[tubehax|Tubehax]]
| From '''9.0.0-X''' up to and including '''10.1.0-X''', for '''X''' up to and including 27.
| None. '''Was''': From '''9.0.0-X''' up to and including '''10.1.0-X''', for '''X''' up to and including 27.
| The YouTube application and an internet connection.
| The YouTube application and an Internet connection. As of October 15, 2015, this is no longer usable due to an update being released which fixes the vuln used by tubehax + app update being forced (see [[YouTube|here]]).
| smea
| smea
| [http://smealum.github.io/3ds/ Install]
| [http://smealum.github.io/3ds/ Install]
|}
==Other Homebrew Loaders==
The [https://github.com/yellows8/hblauncher_loader hblauncher_loader] title can be used when running under modded-FIRM which allows running unsigned titles, to boot the *hax payloads.
[https://github.com/AuroraWright/Luma3DS Luma3DS], apart from providing signature patches for the installation and use of custom titles, includes the "Rosalina" system module, which among its features allows cleanly loading 3dsx applications as a native process with full ARM11 system permissions, by replacing an installed title's ExeFS and ExHeader during load time. It is currently the only option for running 3dsx applications on 11.4+ O3DSes; additionally, the *hax 2.x payload is incompatible with Rosalina and therefore so are homebrew applications requiring its target title system.
==Sysmodule Exploits==
This section is for system-module exploits, which can be run from the *hax payloads.
{| class="wikitable" border="1"
! Works on latest fw
! Name
! Supported firmwares
! Requirements
! Author
|-
|-
| [[smashbroshax|smashbroshax]] (beaconhax)
| style="background: salmon" | No, still usable pre-v11.4.
| From '''9.0.0-X''' up to and including '''10.1.0-X''', for '''X''' up to and including 27.
| [https://github.com/yellows8/ctr-httpwn/releases ctr-httpwn]
| Super Smash Bros 3DS (full-game or demo) and a way to broadcast raw wifi beacons. Currently the hb-launcher payload can only be properly booted on New3DS with this, see the repo for details on that.
| From '''9.6.0-X''' up to and including '''11.3.0-X'''. This includes bosshaxx.
| None
| [[User:Yellows8|Yellows8]]
| [[User:Yellows8|Yellows8]]
| [https://github.com/yellows8/3ds_smashbroshax]
|-
| amiibohax
| From '''9.0.0-X''' up to and including '''9.9.X-X''', for '''X''' up to and including 27.
| Super Smash Bros 3DS, Animal Crossing: Happy Home Designer, Pokken Tournament, Hyrule Warriors and other games. and a way to read amiibos.
| 100pcrack
| Actually private
|}
|}


Note that ninjhax 1.x is still not obsolete. Even though ninjhax 2.x can be run on 9.3+, this was made possible (amongst other things) by sacrificing the memory remapping exploit used in ninjhax 1.x (rohax). Therefore, things like JIT engines for emulators can only be supported on ninjhax 1.x. Furthermore, ninjhax 2.x does not run on system versions below 9.0.0-X, while ninjhax 1.x does.
==WebKit vuln testing==
See [https://github.com/yellows8/3ds_browserhax_common/issues/28 here].
Retrieved from "https://www.3dbrew.org/wiki/Homebrew_Exploits"