3DS System Flaws: Difference between revisions

Line 1:

Exploits are used to execute unofficial code (homebrew) on the Nintendo 3DS. This page is a list of known 3DS-mode exploits.

==List of 3DS exploits==

==List of public 3DS exploits==

~~==Current Efforts==~~

~~There are people working on finding exploits and documenting the 3DS. Here's a list of some current efforts being made to make homebrew on the 3DS possible:~~

* See [[Ninjhax|here]] regarding Ninjhax.

Line 25:

Line 21:

==Tips and info==

The 3DS uses the XN feature of the ~~ARM~~ processor, ~~and~~ only ~~apps that have the necessary permissions in their headers can set memory~~ to ~~be executable~~. ~~This means that although a~~ usable ~~buffer overflow~~ exploit would still be useful, it ~~would not go the entire way towards allowing code to be run in an easy or practical fashion (like an actual homebrew launcher)~~. ~~For that, an~~ exploit ~~in the~~ system ~~is required. A buffer overflow exploit does~~, ~~however, provide enough wiggle room through the use of return-oriented programming to potentially trigger a system exploit~~.

The 3DS uses the XN feature of the ARM11 processor. There's no official way from applications to enable executable permission for memory containing arbitrary unsigned code(there's a [[SVC]] for this, but only [[RO_Services|RO-module]] has access to it). An usable userland exploit would still be useful: you could only do return-oriented-programming with it initially. From ROP one could then exploit system flaw(s), see below.

SD card [[extdata]] and SD savegames can be attacked, for consoles where the console-unique [[Nand/private/movable.sed|movable.sed]] was dumped.

SD card [[extdata]] and SD savegames can be attacked, for consoles where the console-unique [[Nand/private/movable.sed|movable.sed]] was dumped(accessing SD data is far easier by running code on the target 3DS however).

Note that the publicly-available <v5.0 total-control exploits are [[FIRM|Process9]] exploits, not "kernel exploits".

@@ Line 1: / Line 1: @@
 Exploits are used to execute unofficial code (homebrew) on the Nintendo 3DS. This page is a list of known 3DS-mode exploits.
-==List of 3DS exploits==
+==List of public 3DS exploits==
-==Current Efforts==
-There are people working on finding exploits and documenting the 3DS. Here's a list of some current efforts being made to make homebrew on the 3DS possible:
 * See [[Ninjhax|here]] regarding Ninjhax.
@@ Line 25: / Line 21: @@
 ==Tips and info==
-The 3DS uses the XN feature of the ARM processor, and only apps that have the necessary permissions in their headers can set memory to be executable. This means that although a usable buffer overflow exploit would still be useful, it would not go the entire way towards allowing code to be run in an easy or practical fashion (like an actual homebrew launcher). For that, an exploit in the system is required. A buffer overflow exploit does, however, provide enough wiggle room through the use of return-oriented programming to potentially trigger a system exploit.
+The 3DS uses the XN feature of the ARM11 processor. There's no official way from applications to enable executable permission for memory containing arbitrary unsigned code(there's a [[SVC]] for this, but only [[RO_Services|RO-module]] has access to it). An usable userland exploit would still be useful: you could only do return-oriented-programming with it initially. From ROP one could then exploit system flaw(s), see below.
-SD card [[extdata]] and SD savegames can be attacked, for consoles where the console-unique [[Nand/private/movable.sed|movable.sed]] was dumped.
+SD card [[extdata]] and SD savegames can be attacked, for consoles where the console-unique [[Nand/private/movable.sed|movable.sed]] was dumped(accessing SD data is far easier by running code on the target 3DS however).
 Note that the publicly-available <v5.0 total-control exploits are [[FIRM|Process9]] exploits, not "kernel exploits".