The 3DS Internet Browser was added in the June 2011 Update for JPN/EUR/USA.
From the Internet Browser help section: In compliance with the LGPL, the source code of the OSS is available via the Nintendo website. This source code can be downloaded here: [1] [2]
The 3DS Internet Browser is Netfront Browser NX v1.0 based on WebKit engine.
On O3DS the exheader name of this title is "SPIDER"; on N3DS, "SKATER". The only difference between the ExeFS .code for each region of the Old3DS/New3DS browser, is byte values for the title uniqueID/region.
A "dummy" browser (which replaces the actual browser) is being included with cartdrige games shipping with system updates starting with 9.9.0-X. In addition, versions of the real browser since 9.9.0-26X attempt to check-in with a Nintendo server to determine if the existing browser version is out of date.
New 3DS Internet Browser
New3DS has a separate browser title, with the exheader name "SKATER". Unlike the Old3DS browser, the New3DS browser has videos+HTML5 support.
This browser also has a filter enabled by default in the JPN version. Disabling it requires paying money with a credit-card, for purchasing web-browser DLC. During startup the browser does various HTTPS comms. When visting an URL, the browser sends a plaintext HTTP POST here: [3]. The raw POST data begins with "ARS/2.0\r\n\x00", the rest appears to be encrypted. The server reply content also has this ARS header + encrypted data. This appears to use a fixed xorpad, likely from a fixed encryption CTR/IV. The server content responses for allowed sites, and blocked sites, are fixed. When the server returns that the site is blocked, the browser goes to this page: [4](the Referrer header value is set to the same URL it's actually requesting).
The WebKit source was updated since the Old3DS browser. The New3DS browser uses the following services: mvd:STD and ir:rst(DLC-related services are used too but those aren't New3DS specific). Video decoding is done with mvd:STD. Audio decoding/playback is done with a browser-specific DSP binary. The Old3DS browser used CSND for audio playback, the New3DS browser doesn't have access to that at all since it uses DSP instead.
Video / libstagefright
The browser manual includes licenses for Android and PacketVideo. The browser uses libstagefright from Android. Just like WebKit, the browser appears to use a very old version of libstagefright with security/other changes back-ported(for example, the v10.7 browser libstagefright codebase seems to be older than this). This codebase is missing certain chunk-parsing code for 3GP.
HTTP for libstagefright is internally handled with HTTPC, with a similar(?) set of RootCAs as for browser-version-check.
User-Agent and Browser Versions
Normal user-agent format: Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/<WebKit version> (KHTML, like Gecko) NX/<Netfront version> Mobile NintendoBrowser/<Mobile NintendoBrowser version>.<region>
<region> can be one of the following: "JP", "US", or "EU".
Mobile User-Agent is always Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25
.
Mobile NintendoBrowser version(displayed in browser settings) | Normal UA | CDN Title-version | Network-only system-update version | Notes |
---|---|---|---|---|
1.0.9934 | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.8 Mobile NintendoBrowser/1.0.9934.<region> | v10 | 9.0.0-20 | Initial version. |
1.1.9996 | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.10 Mobile NintendoBrowser/1.1.9996.<region> | v1027 | 9.3.0-21 | See below regarding OSS changes. |
1.2.10085 | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.13 Mobile NintendoBrowser/1.2.10085.<region> | v2051 | 9.6.0-24 | See below. |
None | None | v3075 | v9.9 CUP | v9.9 CUP dummy web-browser, see below. |
1.3.10126 | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.15 Mobile NintendoBrowser/1.3.10126.<region> | v3077 | 9.9.0-26 | See below. |
1.4.10138 | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.17 Mobile NintendoBrowser/1.4.10138.<region> | v4096 | 10.2.0-28 | See below. |
1.5.10143 | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.5.10143.<region> | v5121 | 10.4.0-29 | See below. |
1.6.10147 | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.6.10147.<region> | v6144 | 10.6.0-31 | See below. |
None | None | v7168 | v10.7 CUP | v10.7 CUP dummy web-browser, see below. |
1.7.10150 | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.7.10150.<region> | v7184 | 10.7.0-32 | See below. |
1.8.10156 | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.20 Mobile NintendoBrowser/1.8.10156.<region> | v8192 | 11.1.0-34 | See below. |
? | ? | v9232 | 11.4.0-37 | See below. |
Note that the latest Old3DS browser WebKit version at the time the initial New3DS browser was released, was the following: 532.8.
The first version of the KOR New3DS browser was v9.6(which was when the New3DS KOR titles were originally added). Each version of the KOR browser has the same NintendoBrowser version as the other regions. The KOR browser has been only updated when the browser for the other regions were updated, hence the title-versions are the same as well. The KOR browser ExeFS .code is different from the other regions(more than just region-related IDs etc).
OSS 9.0 and 9.3 diff
The following is a diff of the OSS archives from here, for v9.0 and v9.3.
Files NewNintendo3DS_OpenSources9.0.0-/WKC/WebCore/platform/network/WKC/ResourceHandleManagerWKC.cpp and NewNintendo3DS_OpenSources9.3.0-/WKC/WebCore/platform/network/WKC/ResourceHandleManagerWKC.cpp differ Files NewNintendo3DS_OpenSources9.0.0-/WKC/WebKit/WKC/webkit/WKCVersion.h and NewNintendo3DS_OpenSources9.3.0-/WKC/WebKit/WKC/webkit/WKCVersion.h differ
WKC_CUSTOMER_RELEASE_VERSION was changed from "0.5.8" to "0.5.10".
The following code was added to ResourceHandleManager::doRedirect(): curl_easy_setopt(d->m_handle, CURLOPT_SHARE, 0);
v9.6
WebKit/OSS code was actually updated. ExeFS .code was updated. The following files in RomFS were updated:
- "/banner/CN/Skater.icn" and "/banner/KR/Skater.icn".
- "/browser/rootca.pem"
- "/build/buildinfo.dat"
- "/cairo.cro.lex" and "/.crr/static.crr"
- "/lyt/Button/ButtonSelectHSearch.arc"
- "/lyt/Kbd/Swkbd.arc"
- "lyt/Kbd.arc"
- "skater.msbt" under all of the "/message/<region>_<language>/" directories.
- "/oss.cro.lex", "/peer.cro.lex", "/static.crs", and "/webkit.cro.lex".
The following was added to RomFS:
- "/favicon/naver.dat"
- A "KO" directory under "/iwnn".
v9.9
ExeFS:/.code was updated.
The only RomFS changes is file-updating, all of the following files were updated:
/browser/rootca.pem /build/buildinfo.dat /cairo.cro.lex /.crr/static.crr /message/CN_Simp_Chinese/skater.msbt /message/EU_Dutch/skater.msbt /message/EU_English/skater.msbt /message/EU_French/skater.msbt /message/EU_German/skater.msbt /message/EU_Italian/skater.msbt /message/EU_Portuguese/skater.msbt /message/EU_Russian/skater.msbt /message/EU_Spanish/skater.msbt /message/JP_Japanese/skater.msbt /message/KR_Hangeul/skater.msbt /message/TW_English/skater.msbt /message/TW_Trad_Chinese/skater.msbt /message/US_English/skater.msbt /message/US_French/skater.msbt /message/US_Portuguese/skater.msbt /message/US_Spanish/skater.msbt /oss.cro.lex /peer.cro.lex /static.crs /webkit.cro.lex
See here for a diff of the OSS(WebKitLibraries/ is not included due to the massive cairo library diff). An exploitable security vuln(which was already known in the context of 3DS webkit) was fixed. Yellows8' private(at the time of writing) exploit for it is based on the PoC from here(see the pastebin for the actual pastebin author).
v10.2
The libstagefright build in the main SKATER codebin was updated to a version which fixed libstagefright vuln(s): the vuln used in browserhax_fright at the time of sysupdate release was fixed. The *only* code changed in the main codebin, was code related to libstagefright.
The only RomFS changes is file-updating, all of the following files were updated(see the forced-sysupdate section regarding what changed in the message files):
/browser/rootca.pem /build/buildinfo.dat /.crr/static.crr /message/CN_Simp_Chinese/skater.msbt /message/EU_Dutch/skater.msbt /message/EU_English/skater.msbt /message/EU_French/skater.msbt /message/EU_German/skater.msbt /message/EU_Italian/skater.msbt /message/EU_Portuguese/skater.msbt /message/EU_Russian/skater.msbt /message/EU_Spanish/skater.msbt /message/JP_Japanese/skater.msbt /message/KR_Hangeul/skater.msbt /message/TW_English/skater.msbt /message/TW_Trad_Chinese/skater.msbt /message/US_English/skater.msbt /message/US_French/skater.msbt /message/US_Portuguese/skater.msbt /message/US_Spanish/skater.msbt /oss.cro.lex /static.crs /webkit.cro.lex
OSS diff:
diff --git a/NewNintendo3DS_OpenSources9.9.0-/WKC/WebKit/WKC/webkit/WKCVersion.h b/NewNintendo3DS_OpenSources10.2.0-/WKC/WebKit/WKC/webkit/WKCVersion.h index 4543297..0860336 100644 --- a/NewNintendo3DS_OpenSources9.9.0-/WKC/WebKit/WKC/webkit/WKCVersion.h +++ b/NewNintendo3DS_OpenSources10.2.0-/WKC/WebKit/WKC/webkit/WKCVersion.h @@ -29,7 +29,7 @@ #define WKC_VERSION_CHECK(major, minor, micro) \ (((major)*10000) + ((minor)*100) + (micro)) >= ((WKC_VERSION_MAJOR*10000) + (WKC_VERSION_MINOR*100) + (WKC_VERSION_MICRO)) -#define WKC_CUSTOMER_RELEASE_VERSION "0.5.15" +#define WKC_CUSTOMER_RELEASE_VERSION "0.5.17" #define WKC_WEBKIT_VERSION "536.30" diff --git a/NewNintendo3DS_OpenSources9.9.0-/webkit/WebCore/ChangeLog b/NewNintendo3DS_OpenSources10.2.0-/webkit/WebCore/ChangeLog index a5abb35..cf5a9fa 100644 --- a/NewNintendo3DS_OpenSources9.9.0-/webkit/WebCore/ChangeLog +++ b/NewNintendo3DS_OpenSources10.2.0-/webkit/WebCore/ChangeLog @@ -1,3 +1,12 @@ +2013-11-05 Ryosuke Niwa <rniwa@webkit.org> + + Use-after-free in SliderThumbElement::dragFrom + https://bugs.webkit.org/show_bug.cgi?id=123873 + + Reviewed by Andreas Kling. + + Merge https://chromium.googlesource.com/chromium/blink/+/04a23bfca2d04101a1828d36ff36c29f3a24f34b + 2015-02-06 Maciej Stachowiak <mjs@apple.com> REGRESSION(r179706): Caused memory corruption on some tests (Requested by _ap_ on #webkit). @@ -879,7 +888,7 @@ * rendering/RenderLineBoxList.cpp: (WebCore::RenderLineBoxList::dirtyLinesFromChangedChild): -2014-01-21 László Langó <llango.u-szeged@partner.samsung.com> +2014-01-21 Laszlo Lango <llango.u-szeged@partner.samsung.com> Assertion failure in Range::nodeWillBeRemoved https://bugs.webkit.org/show_bug.cgi?id=121694 @@ -1879,7 +1888,7 @@ 2012-09-14 Simon Fraser <simon.fraser@apple.com> - REGRESSION: transition doesnât always override transition-property + REGRESSION: transition doesnft always override transition-property https://bugs.webkit.org/show_bug.cgi?id=96658 Reviewed by Dean Jackson. @@ -3691,8 +3700,8 @@ glyph with font data for the primary font, presumably to meet the SVG spec requirement: "If the references to alternate glyphs do not result in successful identification of alternate glyphs to use, then the - character(s) that are inside of the 窶åltGlyph窶?element are rendered as - if the 窶åltGlyph窶?element were a 窶?span窶?element instead." + character(s) that are inside of the âaltGlyphâ?element are rendered as + if the âaltGlyphâ?element were a â?spanâ?element instead." If the alt glyph is not then found we are in the case from the spec and indeed we should use the primary font. However, we end up replacing the GlyphPage diff --git a/NewNintendo3DS_OpenSources9.9.0-/webkit/WebCore/html/RangeInputType.cpp b/NewNintendo3DS_OpenSources10.2.0-/webkit/WebCore/html/RangeInputType.cpp index 484adec..d7e9e8d 100644 --- a/NewNintendo3DS_OpenSources9.9.0-/webkit/WebCore/html/RangeInputType.cpp +++ b/NewNintendo3DS_OpenSources10.2.0-/webkit/WebCore/html/RangeInputType.cpp @@ -164,7 +164,7 @@ void RangeInputType::handleMouseDownEvent(MouseEvent* event) ASSERT(element()->hasShadowRoot()); if (targetNode != element() && !targetNode->isDescendantOf(element()->shadowTree()->oldestShadowRoot())) return; - SliderThumbElement* thumb = sliderThumbElementOf(element()); + RefPtr<SliderThumbElement> thumb = sliderThumbElementOf(element()); if (targetNode == thumb) return; thumb->dragFrom(event->absoluteLocation());
v10.4
The ExeFS codebin was updated, the only change was that the following code was updated in the actual NupCheck HTTPS request function:
- Previous version: sprintf(out, "https://cbvc.cdn.nintendo.net/SNAKE/2/%s", region);
- Current version: sprintf(out, "https://cbvc.cdn.nintendo.net/SNAKE/%d/%s", 3, region);
libpng was updated from version 1.5.21 to 1.5.24.
The following RomFS files were updated(see the forced-sysupdate section regarding what changed in the message files):
/browser/rootca.pem /build/buildinfo.dat /cairo.cro.lex /.crr/static.crr /message/CN_Simp_Chinese/skater.msbt /message/EU_Dutch/skater.msbt /message/EU_English/skater.msbt /message/EU_French/skater.msbt /message/EU_German/skater.msbt /message/EU_Italian/skater.msbt /message/EU_Portuguese/skater.msbt /message/EU_Russian/skater.msbt /message/EU_Spanish/skater.msbt /message/JP_Japanese/skater.msbt /message/KR_Hangeul/skater.msbt /message/TW_English/skater.msbt /message/TW_Trad_Chinese/skater.msbt /message/US_English/skater.msbt /message/US_French/skater.msbt /message/US_Portuguese/skater.msbt /message/US_Spanish/skater.msbt /oss.cro.lex differ /peer.cro.lex differ /static.crs differ /webkit.cro.lex differ
v10.6
The ExeFS codebin was updated.
browserhax_fright_tx3g was fixed. The code handling tx3g now matches the latest libstagefright git.
Hence the below RomFS listing, no OSS was updated at all(besides libstagefright mentioned above).
The following RomFS files were updated:
/build/buildinfo.dat /static.crs
v10.7
Basically the same changes as Old3DS v10.7, except with the usual buildinfo.dat update in RomFS. The below date is 6 days after the browser-version-check bypass was publicly disclosed.
cat v7184/00000025_romfs/build/buildinfo.dat 10150 applet 2016-03-02 18:25
v11.1
The ExeFS codebin was updated. The following files in RomFS were updated:
/build/buildinfo.dat /.crr/static.crr /oss.cro.lex /static.crs /webkit.cro.lex
cat v8192/00000026_romfs/build/buildinfo.dat 10156 applet 2016-08-26 19:47
Minus the 4 functions that changed due to compiler optimization, only 1 function was actually updated. This is LT_1a4004, previous version at LT_1a4004: libstagefright status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth)
Additional code was added which doesn't seem to be from upstream git, right before the cprt code block: "if((*offset + chunk_size) - data_offset < 0)fail"
This fixed skater31hax + any other mp4 haxx which requires using a negative 64bit chunk_size value.
The filepath base used in the assert strings were changed from "d:\Jenkins\workspace\MPSkaterBuild\MVPlayer\Skater\Base\Android\frameworks\base\media\libstagefright\" to "d:\jenkins\workspace\MPSkaterBuild-Git\Base\Android\frameworks\base\media\libstagefright\".
v11.4
The only changes in RomFS was for "/build/buildinfo.dat" and "/static.crs", hence no OSS in CRO(s) were updated.
The main codebin was updated.
cat v9232/00000027_romfs/build/buildinfo.dat 10160 applet 2017-03-08 19:44
New3DS Browser Specifications
English version:
- "Browser engine: NetFront® Browser NX v3.0"
- "User agent: Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML and like Gecko) NX/3.0.*.*.* Mobile NintendoBrowser/1.0.**** JP
- ** Version information is stated.
- *** When using the “Mobile version request” function, it differs from the above-mentioned character string"
- "Supported protocols: HTTP1.0/HTTP1.1/SSL3.0/TLS1.0/TLS1.1/TLS1.2"
- "Web standard: HTML4.01 / HTML5 / XHTML1.1 / Fullscreen API / Gamepad API / SVG / WebSocket / Video Subtitle / WOFF / Web Messaging / Server-Sent / Web Storage (partial) / XMLHttpRequest / Canvas element / Video / DOM Levels 1-3 / ECMAScript / CSS1 / CSS2.1 / CSS3 (partial)"
- "Image format: bmp / gif / ico / jpeg / png / svg (There are, however, possibilities that some images won't display.)"
- "Image preview: mpo / jpeg (There are, however, possibilities that some images won't display.)"
- "Video format: MP4, M3U8 + TS (HTTPLiveStreaming) (There are, however, some videos that may not be played.)"
- "Video codec: H.264 - MPEG-4 AVC Video (max 854x480 at level 3.2, 3D compatible) (There are, however, some videos that can not be played.)"
- "Audio codec: AAC - ISO / IEC 14496-3 MPEG-4AAC, MP3 (There are, however, some videos that can not be played.)"
- "Format for uploading 3D videos: .mkv (In order to be played, videos must be converted to the appropriate format within the site you are uploading to. In some cases, the video will not play even if converted.)"
- "Plug-ins: Plug-ins such as Adobe Flash are not supported"
- "Active Rating System filtering: provided by Digital Arts, Inc.. Access to web content can be limited based on its category information, restricting access to web content that may result inappropriate."
- "Websites can be requested to provide the mobile version (However, if the web page does not have a mobile version, it won't change the way it's displayed.)"
MJPEG + .avi is also supported.
Notes
- The html "color" <input> type is not supported.
Old3DS browser
Old3DS Browser Specifications
- "Browser engine: NetFront® Browser"
- "User agent: Mozilla/5.0 (Nintendo 3DS; region; ; en) Version/1.7498.US"
- "Supported protocols: HTTP1.0/HTTP1.1/SSLv3/TLS1.0"
- "Web standard: HTML 4.01/XHTML 1.1/CSS 1/CSS 2.1/CSS 3 (partial functionality)/DOM Levels 1-3/ECMAScript/XMLHttpRequest/Canvas Element (partial functionality)"
- "Image format: MPO / GIF / JPEG / PNG / BMP / ICO (some images cannot be displayed)"
- "Plug-ins: Plug-ins such as Adobe Flash are not supported"
Old3DS browser doesn't support events "focusin" and "focusout"
User-Agent and Browser Versions
User-agent format: Mozilla/5.0 (Nintendo 3DS; U; ; <lang>) Version/<version>.<region>
.
<lang> is "en", "fr", etc. <region> is "US", "EU", etc. See below for <version>.
Browser version | CDN Title-version | Network-only system-update version | Notes |
---|---|---|---|
1.7412 | v6 | 2.0.0-2 | This was the initial version. |
1.7455 | v1024 | 2.1.0-4 | ExeFS .code was updated, both of the CROs(webkit/OSS) were updated too. |
1.7498 | v2050 | 4.0.0-7 | ExeFS .code was updated, both of the CROs(webkit/OSS) were updated too. The manual CFA was updated as well. |
1.7538 | v0 | 4.2.0-9 | First version of the KOR browser. The CROs are different from the USA/EUR/JPN 4.0.0-7 browser. |
1.7552 | v3075 | 5.0.0-11 | ExeFS .code and icon were updated, both of the CROs(webkit/OSS) were updated too. The manual CFA was updated as well. |
1.7552 | v3088 | 7.0.0-13 | The main NCCH wasn't updated at all(same TMD contentID/content-hash as the previous version), only the manual CFA for this title was updated. |
1.7567 | v4096 | 7.1.0-16 | The CXI .code was updated, some data in the RomFS was updated(none of the CROs such as webkit.cro were updated). The manual CFA was updated too. |
1.7585 | v5121 | 9.5.0-23 | The CXI .code was updated, and the manual CFA was updated. RomFS changes:
A vuln used in a public(at the time of this sysupdate) webkit exploit for spider was fixed, which also fixed the removewinframe exploit from here. |
None | v6147 | v9.9 CUP | v9.9 CUP dummy web-browser, see below. |
1.7610 | v6149 | 9.9.0-26 | See below. |
1.7616 | v7168 | 10.2.0-28 | See below. |
1.7622 | v8192 | 10.6.0-31 | See below. |
None | v9216 | v10.7 CUP | v10.7 CUP dummy web-browser, see below. |
1.7625 | v9232 | 10.7.0-32 | See below. |
1.7630 | v10240 | 11.1.0-34 | See below. |
Heap
The USA/EUR/JPN + KOR browser allocates the 0x08000000 heap with size 0x01A97000. The size used by the CHN and TWN browser is 0x01997000, exactly 0x100000-bytes smaller.
Old3DS v9.9
ExeFS:/.code was updated.
The only changes in RomFS were file-updating, the following files were updated:
/browser/rootca.pem /cro/oss.cro /cro/static.crs /cro/webkit.cro /.crr/static.crr /message/CN_Simp_Chinese/spider.msbt /message/EU_Dutch/spider.msbt /message/EU_English/spider.msbt /message/EU_French/spider.msbt /message/EU_German/spider.msbt /message/EU_Italian/spider.msbt /message/EU_Portuguese/spider.msbt /message/EU_Russian/spider.msbt /message/EU_Spanish/spider.msbt /message/JP_Japanese/spider.msbt /message/KR_Hangeul/spider.msbt /message/TW_English/spider.msbt /message/TW_Trad_Chinese/spider.msbt /message/US_English/spider.msbt /message/US_French/spider.msbt /message/US_Portuguese/spider.msbt /message/US_Spanish/spider.msbt
OSS diff for v9.5 and v9.9, without the .dox changes:
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.5.0(23J_23U_23E_19K_18T_3C)/WKC/WebKit/WKC/webkit/WKCVersion.h b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/WKC/WebKit/WKC/webkit/WKCVersion.h index be5ff09..55a7274 100644 --- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.5.0(23J_23U_23E_19K_18T_3C)/WKC/WebKit/WKC/webkit/WKCVersion.h +++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/WKC/WebKit/WKC/webkit/WKCVersion.h @@ -29,7 +29,7 @@ #define WKC_VERSION_CHECK(major, minor, micro) \ (((major)*10000) + ((minor)*100) + (micro)) >= ((WKC_VERSION_MAJOR*10000) + (WKC_VERSION_MINOR*100) + (WKC_VERSION_MICRO)) -#define WKC_CUSTOMER_RELEASE_VERSION "1.8.14" +#define WKC_CUSTOMER_RELEASE_VERSION "1.8.16" #define WKC_WEBKIT_VERSION "532.7" diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.5.0(23J_23U_23E_19K_18T_3C)/webkit/WebCore/rendering/RenderBox.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/webkit/WebCore/rendering/RenderBox.cpp index da4127e..d03403e 100644 --- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.5.0(23J_23U_23E_19K_18T_3C)/webkit/WebCore/rendering/RenderBox.cpp +++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/webkit/WebCore/rendering/RenderBox.cpp @@ -305,23 +305,23 @@ int RenderBox::scrollHeight() const int RenderBox::scrollLeft() const { - return hasOverflowClip() ? layer()->scrollXOffset() : 0; + return layer() && hasOverflowClip() ? layer()->scrollXOffset() : 0; } int RenderBox::scrollTop() const { - return hasOverflowClip() ? layer()->scrollYOffset() : 0; + return layer() && hasOverflowClip() ? layer()->scrollYOffset() : 0; } void RenderBox::setScrollLeft(int newLeft) { - if (hasOverflowClip()) + if (hasOverflowClip() && layer()) layer()->scrollToXOffset(newLeft); } void RenderBox::setScrollTop(int newTop) { - if (hasOverflowClip()) + if (hasOverflowClip() && layer()) layer()->scrollToYOffset(newTop); }
Old3DS v10.2
The slider vuln from here was fixed in the Old3DS browser.
The main codebin .text only increased by 0x10-bytes.
The only changes in RomFS was that the following files were updated:
/cro/oss.cro /cro/static.crs /cro/webkit.cro /.crr/static.crr
OSS diff:
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/WKC/WebKit/WKC/webkit/WKCVersion.h b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebKit/WKC/webkit/WKCVersion.h index 55a7274..fc153c4 100644 --- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/WKC/WebKit/WKC/webkit/WKCVersion.h +++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebKit/WKC/webkit/WKCVersion.h @@ -29,7 +29,7 @@ #define WKC_VERSION_CHECK(major, minor, micro) \ (((major)*10000) + ((minor)*100) + (micro)) >= ((WKC_VERSION_MAJOR*10000) + (WKC_VERSION_MINOR*100) + (WKC_VERSION_MICRO)) -#define WKC_CUSTOMER_RELEASE_VERSION "1.8.16" +#define WKC_CUSTOMER_RELEASE_VERSION "1.8.17" #define WKC_WEBKIT_VERSION "532.7" diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/webkit/WebCore/rendering/RenderSlider.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/WebCore/rendering/RenderSlider.cpp index b2f5cef..1dd3dbd 100644 --- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/webkit/WebCore/rendering/RenderSlider.cpp +++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/WebCore/rendering/RenderSlider.cpp @@ -221,6 +221,7 @@ RenderSlider::~RenderSlider() { if (m_thumb) m_thumb->detach(); + m_thumb = 0; } int RenderSlider::baselinePosition(bool, bool) const @@ -493,7 +494,8 @@ void RenderSlider::forwardEvent(Event* event) } } - m_thumb->defaultEventHandler(event); + if (m_thumb) + m_thumb->defaultEventHandler(event); } bool RenderSlider::inDragMode() const
Old3DS v10.6
spider28hax was fixed. The "2^32 characters long string" vuln described here was finally fixed.
A lot of WebKit issues/vulns were fixed, see here for the changes.
libpng was updated from version 1.4.12 to 1.4.19. zlib was updated from 1.2.7 to 1.2.8.
The .text size increased by 0x478-bytes.
The only changes in RomFS was that the following files were updated:
/cro/oss.cro /cro/static.crs /cro/webkit.cro /.crr/static.crr /manual/Manual.bcma
Old3DS v10.7
Nothing changed except some words for version-values in .text being updated(RomFS wasn't changed), code for browser-version-check was updated.
Old3DS v11.1
Nothing changed in the ExeFS codebin besides the usual version values. The following files in RomFS were updated:
/cro/oss.cro /cro/webkit.cro /.crr/static.crr
Forced system-update
The Old3DS/New3DS Internet Browser updated with 9.9.0-26 added the following message strings:
In order to use the Internet browser, a system update is required. To perform a system update, select System Update from Other Settings in System Settings.
The Internet browser cannot be used at this time. Please check your network environment or try again later.
For whatever reason, the above message strings were removed with New3DS-browser v10.2, then re-added with v10.4. This does not apply to the Old3DS browser. Whenever v10.2 New3DS browser tries to use these message-strings for displaying a browser-update-related message, it will crash due to an assert failing since the message-strings are missing. Hence, if/when the v10.2 update-check page is ever updated where the browser tries to display a message for it, or when accessing that page fails, the browser will automatically crash.
This wasn't enforced(web-browser displaying the above message when the installed browser isn't the latest version) until October 26, 2015.
This message only triggers when attempting to load a web-page. This is only handled the first time the browser accesses a web-page, during this browser session.
The browser codebins starting with v9.9 now contain the following URL strings:
- Old3DS: "https://cbvc.cdn.nintendo.net/CTR/1/<region>"
- New3DS: "https://cbvc.cdn.nintendo.net/SNAKE/1/<region>"
The <region> string is one of the following:
- "JPN"
- "USA"
- "EUR"
- "KOR"
Starting with the browser from 10.2.0-28, the "1" in the above URLs were changed to "2". With the New3DS browser from 10.4.0-29, it's now "3".
As of October 26, 2015, the "1" URLs return the browser-version for v9.9(decimal number as a string without any "."), while the "2" URLs returns 0.
if(internal_browserver > server_browserver) { <safe> } else { <update message> }
Hence, internal_browserver == server_browserver will trigger the sysupdate message, which appears to be the normal way to indicate that the current browser is outdated(see above).
There is a cache for this in savedata. The request is only done when at least 24-hours have passed since the last time the request was done(see the below savedata section).
It is still possible to guard against this update by blocking the previous URLs using a proxy. It is not possible to remove the update message by entering the Recovery Mode.
Page request
For this request, all root-CAs bundled with the browser are trusted, in addition to two of the SSL module builtin Nintendo root-CAs.
The browser(with New3DS at least) does the following with HTTPC for requesting the above page:
- Initializes the HTTP context and uses HTTPC:InitializeConnectionSession + HTTPC:SetProxyDefault.
- Uses HTTPC command 0x250080 twice with cmd[1]=contexthandle: first time cmd[2]=0x3, second time cmd[2]=0x6.
- Then HTTPC:AddTrustedRootCA is used 48 times to setup 48 trusted root CAs. This appears to be every cert in the browser "romfs:/browser/rootca.pem" file converted to DER, in the same order from there(in other words, every single root CA the browser trusts by default for normal web-browsing).
- Then HTTPC:BeginRequest is used.
- Then HTTPC:ReceiveDataTimeout is used, the recv-size seems to be fixed to 0x20.
- Then HTTPC:GetResponseStatusCodeTimeout is used.
- Then HTTPC:GetDownloadSizeState is used.
- Then the HTTP context is closed.
Raw request data(New3DS USA v10.2 browser):
000000: 47 45 54 20 2f 53 4e 41 4b 45 2f 32 2f 55 53 41 GET /SNAKE/2/USA 000010: 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a HTTP/1.1..Host: 000020: 20 63 62 76 63 2e 63 64 6e 2e 6e 69 6e 74 65 6e cbvc.cdn.ninten 000030: 64 6f 2e 6e 65 74 0d 0a 0d 0a do.net....
v10.7
The only actual code change with Old3DS/New3DS browser v10.7 was that the code which calculates the diff_timestamp was moved to immediately after the block which initializes <state_timestamp> when <state_timestamp> is all-zero. This fixed the browser-version-check bypass.
v9.9+/v10.7+ dummy web-browser
Gamecards v9.9 and above include, with their sysupdate, a dummy Old3DS/New3DS web-browser. The *only* thing this title does is display the same message listed in the above forced-update section. The message files in RomFS *only* contain that message string above. There are no "http" strings in the main codebin, and RO isn't used either(no CRO data in RomFS at all). Both browsers are internally called "dummySpider".
Hence, if you update your system below v9.8 with any v9.9 or above gamecard, the system web-browser will be rendered *completely* useless until you install a system-update from CDN(no network requests involved here).
Gamecards v10.7 and above include an updated dummy web-browser, where the only difference is the title version.
Savedata
New3DS
On newer SKATER versions, it appears *all* NAND savedata is stored under the 0x000200BB savedata.
0x000200BB savedata
This only contains "t.bin" with filesize 0xadf80, the format is below.
The timestamp format used here is the number of milliseconds since January 1, 2000(local-time).
When using the "Initialize savedata" option in the browser, that deletes this savedata file/image then exits the browser. This file is then re-created when the browser gets started again.
Offset | Size | Description |
---|---|---|
0x68 | 0x4? | This counter is incremented each time the savedata is written. |
0x70 | 0x8 | Timestamp for when the savedata was last written. |
0x94 | 0x15? | This is all-zeros on non-JPN systems. On JPN systems where the browser filter is disabled, this is a string in the following format: "4110-%016llX". |
0xD8 | 0x8 | s64 timestamp, can be either a normal positive timestamp or a relative negative one. Used with the forced-update described above. When an update is detected this timestamp is negative, otherwise this is a normal positive timestamp(it's unknown how exactly this timestamp is checked). When positive, this seems to be the last time the forced-update HTTPS request was done where no update was needed. |
APT Parameters
The URL to load can optionally be loaded from char[] string paramblk+0. This is used when scanning URL QR-codes in Home Menu / etc.
Errors
"Failed to load part of this page": This can be caused by failing to load "/favicon.ico". For example, this can be caused by loading a plain HTTP page, with plain-http favicon redirecting to HTTPS. If cert-verify then fails with favicon in this case, this error would then trigger.
Other details
- It scored 90/100 on Acid3 test
- Images from the Internet can be saved to the SD Card and viewed using the Nintendo 3DS Camera application.
- Images saved to an SD Card or to the Nintendo 3DS system memory can be uploaded to blogs or other sites that allow the uploading of photos using :
<input type="file" />
- HTML5Test.com say that Drag and drop is supported but it's not (code on WebKit is ready, but it's not implemented on interface of browser)
Tips
Detect User Agent
To detect if the user agent is Nintendo 3DS Browser :
<script type="text/javascript"> if (navigator.userAgent.indexOf('Nintendo 3DS') == -1) { //If the UserAgent is not "Nintendo 3DS" location.replace('http://www.3dbrew.org'); //Redirect to an other page } </script>
- You can check navigator.platform=="Nintendo 3DS" as well.
Scrolling
Scrolling can be altered by modifying document.body.scrollTop and document.body.scrollLeft. However, there are drawbacks related to working with these properties:
- Both properties return 0 when accessed
- Setting one property resets the other property's scroll position
In order to set both at the same time (without either resetting to 0), use window.scrollTo.
Events
Key Events
The following buttons trigger the onkeydown, onkeypress and onkeyup events:
Code | Button |
---|---|
13 | A |
37 | Left |
38 | Up |
39 | Right |
40 | Down |
The events cannot have their default action cancelled. Other buttons do not trigger key events.
Touch/Mouse Events
onmousedown, onmouseup & onclick are all triggered by the browser. However, the onmousedown event doesn't trigger until you lift the stylus or you've held it on the screen for ~2 seconds—which is when text selection mode is activated—making it pretty much the same as onmouseup. The events cannot have their default action cancelled.
The onmousemove and common touch/gesture events are not supported.
Screen Resolution
The up screen resolution is 400×240. However, the viewable area in the browser is only 400×220.
The touch screen resolution is 320×240. However, the viewable area in the browser is only 320×212.
You can have a page span both screens. However, the browser will behave as if the bottom screen is the only active screen and the top screen is scrolled off. This is important when computing CSS coordinates. Items positioned from "bottom" will be positioned based on 220px and not the full 432px of both screens.
Using Both Screens
Generally the easiest way to accomplish the correct layout is to create HTML elements that "contain" the top and bottom screens. Here's an example:
<!DOCTYPE html> <html> <head> <meta name="viewport" content="width=400"> <style> body{margin:0px;} #topscreen{width:400px;height:220px;overflow:hidden;} #bottomscreen{width:320px;height:212px;overflow:hidden;margin:0 auto;} </style> </head> <body> <div id="topscreen">Top Screen</div> <div id="bottomscreen">Bottom Screen</div> </body> </html>
This scheme allows the page to be easily manipulated through JavaScript. In order to have the window snap to the correct position, use the following JavaScript code:
window.setInterval(function () { window.scrollTo(40, 220); }, 50);
This automatically resets the position if the user accidentally scrolls the page.
Example Sites
- Nintendo 3DS Bookmarks - This is the first bookmark pre-installed in the browser.
- jFox (Short URL: http://bit.ly/iB7FqW)
- Ditto3D (Short URL: http://bit.ly/oVreWA)