10.6.0-31: Difference between revisions

Line 20:

Old and New 3DS Internet Browser were updated. Both browserhax_fright_tx3g (New 3DS) and spider28hax (old 3DS) were fixed.

===Socket ~~module~~===

===Socket sysmodule===

Minus changes from an older CTRSDK version(CTRSDK version seems to be the latest now), only one actual SOC-specific function(L_11154c) was updated. The previous version did: <write u8 0x0 to ptr and increase ptr by 1>. The current version removed this so that L_11f9f0() is called with ptr, without writing data to ptr+0/changing ptr.

===IR sysmodule===

Exactly two functions were changed. Originally the two functions for reading I2C-IR registers TXLVL and RXLVL just used i2c_ReadRegister8 then returned the output u8. Now each function reads the register, then returns the output value if it's <=0x40. Otherwise, the register is read again. If the output value is <=0x40, the output value is returned, otherwise 0x0 is returned.

With the original IR hardware the value returned by these registers are always 0x0..0x40 according to the datasheet.

In theory with modified/custom IR hardware it might(?) be possible to trigger a stack-smash with this, enough to overwrite the saved-LR. In theory it might be possible to start full ROP from this(what to do after getting ROP in this context is another matter however).

===JPN-only titles===

@@ Line 20: / Line 20: @@
 Old and New 3DS Internet Browser were updated. Both browserhax_fright_tx3g (New 3DS) and spider28hax (old 3DS) were fixed.
-===Socket module===
+===Socket sysmodule===
 Minus changes from an older CTRSDK version(CTRSDK version seems to be the latest now), only one actual SOC-specific function(L_11154c) was updated. The previous version did: <write u8 0x0 to ptr and increase ptr by 1>. The current version removed this so that L_11f9f0() is called with ptr, without writing data to ptr+0/changing ptr.
+===IR sysmodule===
+Exactly two functions were changed. Originally the two functions for reading I2C-IR registers TXLVL and RXLVL just used i2c_ReadRegister8 then returned the output u8. Now each function reads the register, then returns the output value if it's <=0x40. Otherwise, the register is read again. If the output value is <=0x40, the output value is returned, otherwise 0x0 is returned.
+With the original IR hardware the value returned by these registers are always 0x0..0x40 according to the datasheet.
+In theory with modified/custom IR hardware it might(?) be possible to trigger a stack-smash with this, enough to overwrite the saved-LR. In theory it might be possible to start full ROP from this(what to do after getting ROP in this context is another matter however).
 ===JPN-only titles===