Difference between revisions of "11.4.0-37"
Latest revision as of 11:45, 26 November 2023
The Old3DS+New3DS 11.4.0-37 system update was released on April 10, 2017. This Old3DS update was released for the following regions: USA, EUR, JPN, CHN, KOR, and TWN. This New3DS update was released for the following regions: USA, EUR, JPN, CHN, KOR, and TWN.
Security flaws fixed: yes.
Change-log
Official USA change-log:
- Further improvements to overall system stability and other minor adjustments have been made to enhance the user experience
System Titles
NATIVE_FIRM
Process9
Exactly two functions were changed.
The global boolean preventing SAFE_FIRM from being launched is now set in Process9's main() if CFG9_BOOTENV has bit0 set, that is to say, if it has been launched from a firmlaunch (this register is set to 1 just before a firmlaunch). The following code has also been added in the firmlaunch function itself, immediately after the code block where the boolean is checked:
if(!(CFG9_BOOTENV & 1) /* not a firmlaunch */ || (CFG9_BOOTENV & 6) /* firmlaunched from LGY_FIRM (if even possible at all) */) goto panic;
This is to properly fix safehax.
New3DS kernel9loader
New3DS kernel9loader wasn't updated.
ARM11 kernel
There are exactly three code changes:
- CFG11_WIFIUNK is now set to 0x10 in Kernel11's crt0
- A new SVC, svc 0x5A has been introduced, to enable or disable wifi
- The code handling svcArbitrateAddress with type = SIGNAL has been changed. It now counts the actual number of threads arbitrating on that address, and if it is non-zero, it executes the following hack:
if(coreId == 0 && currentThread->dynamicPriority >= 50) waitCycles(0x64E);
This supposedly works around the lag issue in some games, which was introduced in 11.3.0-36.
Modules
No FIRM ARM11 sysmodule was changed.
NWM-sysmodule
The CONFIG11_Registers are no longer directly mapped under userland for NWM-sysmodule. This prevents anything under NWM-module from modifying the GPUPROT register. This was used by both the *hax payload (prior to the v11.4 release) and udsploit (https://github.com/smealum/udsploit).
The codebin was updated.
The crt0-poke in PDN that NWM previously did:
0x1EC4010C |= 0x10
.. has been removed from NWM. This one has been moved into kernel bootup.
All accesses to 0x1EC40180 have been replaced by a new syscall, 0x5A.
This now includes code from old CTRSDK update(s). A new func was added for calling a func that was previously called directly via a vtable funcptr. The only other change was new heap code (and the code that uses it), for fixing the NWMUDS sharedmem vuln. This includes code which actually validates heap memchunkhdrs, with svcBreak being executed on failure.
A new string was added at 0x13E200: "used" (with 3 0xFF bytes afterwards); this is used by the new heap code. The wifi-fw was moved from .data to .rodata.
HTTP-sysmodule
There were exactly 3 changes in the HTTP-sysmodule codebin.
Two functions, the memalloc and memfree functions used with HTTP sharedmem, were updated to use the new function. The new function is for heap memchunkhdr validation. This additional code is the same new heap code as NWM-sysmodule. This fixed the vuln used by ctr-httpwn at the time of sysupdate release.
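The heap-header validation described for NWM-sysmodule and HTTP-sysmodule above, modelled as an added example (this is not the sysmodules' code): a small heap living in a region that a sharedmem client can also write, whose free path checks the chunk header before trusting it, with a counter standing in for svcBreak. The header layout (an 8-byte marker built from the page's "used" string plus three 0xFF bytes, a size field and a reserved word), HEAP_SIZE, CHUNK_ALIGN and the individual checks are assumptions; the page only states that chunk headers are validated, that the "used" string is consulted by the heap code, and that validation failure ends in svcBreak.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration, not NWM/HTTP sysmodule code. Header layout, heap
 * size and the checks are assumptions; the page states only that chunk
 * headers are validated, that a "used" marker (followed by three 0xFF
 * bytes) is used by the heap code, and that failure ends in svcBreak. */

#define HEAP_SIZE   0x1000
#define CHUNK_ALIGN 8

/* Assumed marker: the page's "used" string plus three 0xFF bytes; the
 * trailing NUL pads the marker to 8 bytes. */
static const uint8_t USED_MARKER[8] = { 'u', 's', 'e', 'd', 0xFF, 0xFF, 0xFF, 0x00 };

typedef struct {
    uint8_t  marker[8];   /* USED_MARKER while allocated, zeroed on free */
    uint32_t size;        /* payload bytes following the header */
    uint32_t reserved;    /* keeps the header at 16 bytes (assumed) */
} chunk_hdr;

typedef struct {
    uint8_t mem[HEAP_SIZE];  /* the region a sharedmem client can also write */
    size_t  used;            /* bump pointer */
    int     breaks;          /* times the svcBreak stand-in fired */
} heap;

/* Stand-in for svcBreak: the real sysmodule terminates the process. */
static void heap_break(heap *h) { h->breaks++; }

static void heap_init(heap *h) { memset(h, 0, sizeof *h); }

/* Bump allocator, enough to produce well-formed headers for the checks. */
static void *heap_alloc(heap *h, uint32_t size) {
    uint32_t rounded = (size + CHUNK_ALIGN - 1) & ~(uint32_t)(CHUNK_ALIGN - 1);
    if (rounded == 0 || h->used + sizeof(chunk_hdr) + rounded > HEAP_SIZE) return NULL;
    chunk_hdr *c = (chunk_hdr *)(h->mem + h->used);
    memcpy(c->marker, USED_MARKER, sizeof USED_MARKER);
    c->size = rounded;
    c->reserved = 0;
    h->used += sizeof(chunk_hdr) + rounded;
    return c + 1;
}

/* Validation modelled on the 11.4 change: every header field a sharedmem
 * writer could have altered is checked before the free path uses it. */
static bool chunk_valid(const heap *h, const void *p) {
    uintptr_t base = (uintptr_t)h->mem;
    uintptr_t addr = (uintptr_t)p;
    /* Pointer must lie inside the heap with a full header before it. */
    if (addr < base + sizeof(chunk_hdr) || addr >= base + HEAP_SIZE) return false;
    if ((addr - base) % CHUNK_ALIGN != 0) return false;
    const chunk_hdr *c = (const chunk_hdr *)p - 1;
    if (memcmp(c->marker, USED_MARKER, sizeof USED_MARKER) != 0) return false;
    if (c->size == 0 || c->size % CHUNK_ALIGN != 0) return false;
    /* The chunk must end inside the heap: rejects an inflated size. */
    if (c->size > HEAP_SIZE || (addr - base) + c->size > HEAP_SIZE) return false;
    return true;
}

/* validate=false models the pre-11.4 path that trusted the header.
 * Returns true if the chunk was released; false means the header was
 * rejected and the svcBreak stand-in fired. */
static bool heap_free(heap *h, void *p, bool validate) {
    if (validate && !chunk_valid(h, p)) { heap_break(h); return false; }
    chunk_hdr *c = (chunk_hdr *)p - 1;
    memset(c->marker, 0, sizeof c->marker);   /* mark the chunk free */
    return true;
}

/* Constructed scenario: a client inflates the size field of a live chunk
 * through shared memory, then the chunk is freed. Returns how many times
 * the svcBreak stand-in fired when the checked path handles it (1). */
static int corrupted_free_breaks(void) {
    heap h;
    heap_init(&h);
    void *p = heap_alloc(&h, 40);
    chunk_hdr *c = (chunk_hdr *)p - 1;
    c->size = 0xFFFFFFF0u;              /* constructed corruption */
    heap_free(&h, p, true);
    return h.breaks;
}
```

The marker check also rejects a second free of the same chunk, since the first free zeroes the marker; the bounds and alignment checks are what stop an inflated or relocated header from being used for out-of-heap writes during unlinking.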
Friends-sysmodule
As in past updates, the only change in this codebin was the fpdver (0x9->0xA).
NS-sysmodule
The only changes for NS were version values in the codebin.
Internet Browser
The web-browser was updated, only for New3DS. See the Internet Browser page for details.
Nintendo_3DS_Sound
soundhax was fixed; it appears other vulns were fixed too.
Exactly 8 functions were changed in the codebin.
L_1d3ba8
updated, prev ver @ L_1d3ba8.
Added only the following code:
if(len<2)return;
if(len>=0xfe)len=0xfe;
*lenstorage = len;

L_1d3d10
updated, prev ver @ L_1d3cfc.
When L_1ea0b8 returns non-zero, this now clears the 4 bytes at inr1.

L_1f32c4
updated, prev ver @ L_1f329c.
This now writes u32 val0 to inr0+0x34 immediately after the nop instruction.

L_275754
updated, prev ver @ L_27572c.
This now executes the following each time L_1ea0b8 returns non-zero: sp20 = 0;

L_275ed4
updated, prev ver @ L_275e94.
Added the following code after the branch for "if(*(inr1+8)==0)":
if(len>0xfe){len=0xfe;<jump over the code which checks len0>}
Identical changes were added at 0x276054, except with len val 0x82.
Likewise at 0x276138, except with len val 0x76.

L_280000
updated, prev ver @ L_27ff90.
This was added at 0x280444: if(len>0xfe)len=0xfe;
Minor(?) other changes.

L_280c74
updated, prev ver @ L_280b60.
This now writes u32 val0 to inr0+0x34 immediately after the nop instruction.

L_281ab0
updated, prev ver @ L_281998.
Added the following: if(len>=0xfe)len=0xfe;
This was added at 0x281b94:
if(somelen>=0xfe)
{
    len=0xfe;
}
else
{
    len=somelen;
}
*r4 = val;
Then len is used for a string data-copy (ASCII/UTF16), unless it's UTF16 and len is <=0.
SNOTE_AP
This was updated with vuln fixes similar to the sound-app.
LT_1004d6
updated, prev ver @ LT_1004d6.
Added a func call for LT_1017c8 at 0x100508.

LT_1017c8
new func.
Only called by LT_1004d6.
return LT_10250c(0x405, 5, 0x5109d503);

LT_103368
updated, prev ver @ LT_1032f8.
The first func call was removed; it's now located in LT_1017c8.

LT_11ea6c
updated, prev ver @ LT_11ea60.
Added the following: if(len>0xfe)*lenptr = 0xfe;

LT_11f210
updated, prev ver @ LT_11f1fc.
The following was added at 0x11f49c: if(len>0xfe)len=0xfe;
Before executing "return ~0x63;" this now calls LT_12f542.
Minor other changes.

LT_11f84c
updated, prev ver @ LT_11f828.
This now clears inr0+0x34 after calling L_14cabc.

LT_11f9ac
updated, prev ver @ LT_11f984.
Added the following: if(len>0xfe)*lenptr=0xfe;
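The length clamps listed for the sound app and SNOTE_AP above all follow one pattern: a caller-supplied length is limited to 0xfe before it drives a string copy into a fixed buffer. The following is an added example of that pattern, not code from either app. NAME_BUF, the ascii_field layout with its spill[] area, and the treatment of the UTF-16 length as a count of code units are assumptions chosen so that the effect of the clamp is observable; the 0xfe limit, the "len<2" rejection and the "UTF16 and len<=0 skips the copy" rule are taken from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration, not the sound app's or SNOTE_AP's code. The page
 * shows only the clamp (len limited to 0xfe before a string copy); the
 * NAME_BUF size, the spill area and the field layout are assumptions
 * chosen so the clamp's effect is visible. */

#define NAME_MAX 0xfe             /* clamp value from the page */
#define NAME_BUF (NAME_MAX + 1)   /* assumed: room for a terminator */

typedef struct {
    char    ascii[NAME_BUF];
    uint8_t spill[0x100];   /* stand-in for whatever follows the buffer */
} ascii_field;

/* Pre-fix behaviour the page implies: the caller-supplied length drives
 * the copy. The copy starts at the field's first byte so that an
 * oversized len lands in spill[] rather than outside the object (kept
 * within sizeof *f so the demonstration stays well-defined). */
static bool copy_name_unchecked(ascii_field *f, const char *src, uint32_t len) {
    if (len > sizeof *f) return false;
    memcpy((unsigned char *)f, src, len);
    return true;
}

/* Post-fix behaviour, mirroring the added checks: lengths under 2 are
 * rejected, anything >= 0xfe is clamped, then the copy runs. Returns the
 * number of bytes stored. */
static uint32_t copy_name_ascii(ascii_field *f, const char *src, uint32_t len) {
    if (len < 2) return 0;                   /* if(len<2)return; */
    if (len >= NAME_MAX) len = NAME_MAX;     /* if(len>=0xfe)len=0xfe; */
    memcpy(f->ascii, src, len);
    f->ascii[len] = '\0';
    return len;
}

/* UTF-16 variant: per the page, the copy is skipped when len <= 0.
 * len is in code units (assumption). Returns code units stored. */
static uint32_t copy_name_utf16(uint16_t dst[NAME_BUF], const uint16_t *src, int32_t len) {
    if (len <= 0) return 0;
    if (len >= NAME_MAX) len = NAME_MAX;
    memcpy(dst, src, (size_t)len * sizeof(uint16_t));
    dst[len] = 0;
    return (uint32_t)len;
}

/* True if any byte past the ascii buffer was written. */
static bool spilled(const ascii_field *f) {
    for (size_t i = 0; i < sizeof f->spill; i++)
        if (f->spill[i] != 0) return true;
    return false;
}
```

With a constructed 0x150-byte input, copy_name_unchecked writes past the buffer into spill[], while copy_name_ascii stores exactly 0xfe bytes plus a terminator and leaves spill[] untouched; the UTF-16 path clamps the same way and ignores non-positive lengths.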
New 2DS XL Version
On June 15, 2017 a new version of 11.4.0-37E was released pre-installed with the AU/NZ debut of the New 2DS XL model of the 3DS family. There are 13 updated titles over the base NUS version included with this new model, apparently to ensure compatibility with the New 2DS XL's unique 3D-less hardware configuration. A list of changed titles can be found at https://gist.github.com/ihaveamac/bffc8694ac209207c8db86a98f6c4238.
MCU sysmodule
Differences between v8192 and v9216 (New2DSXL):
- The SDK crt0 and functions seem to have been updated
- The MCU firmware has been moved into .rodata
- Other minor changes (?)
The MCU firmware itself was updated, see below.
MCU firmware
With u16 *g_model = (u16 *)0x000ff908;, the functions that were actually changed are:
- 00000189: adds if(*g_model == 2DS) *g_model = N2DSXL; in the function that converts model numbers to their XL versions. However, the function hardcodes N3DS even on N2DSXL.
- *(u8 *)0xffe3a |= (model == N3DS || model == N3DSXL) ? 8 : 0; becomes *(u8 *)0xffe3a |= (model == N3DS || model == N3DSXL || model == N2DSXL) ? 8 : 0;
- 00002be5 (previously 00002be1), with the added lines marked "+":
u8 *v = (u8 *)0xffe3b;
if(g_model == N3DS || g_model == N3DSXL)
{
    v[0] = 0x54;
    v[1] = 0x44;
}
+else if(g_model == N2DSXL)
+{
+    v[0] = 0x4e;
+    v[1] = 0x3f;
+}
else
{
    v[0] = 0x4b;
    v[1] = 0x3d;
}
Reminder: The MCU is similar to the rl78-g13 model; to reconstruct the MCU firmware, copy 0x1000 bytes after "jhl" twice, and 0x1000 bytes thereafter.
See Also
System update report(s):
- https://yls8.mtheall.com/ninupdates/reports.php?date=04-10-17_08-00-38&sys=ctr
- https://yls8.mtheall.com/ninupdates/reports.php?date=04-10-17_08-00-47&sys=ktr