The Old3DS+New3DS 10.4.0-29 system update was released on January 18, 2016. This Old3DS update was released for the following regions: USA, EUR, JPN, CHN, KOR, and TWN. This New3DS update was released for the following regions: USA, EUR, JPN, CHN, and KOR.

Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.

Old3DS/New3DS browserhax and menuhax were not fixed (the Old3DS browser wasn't even updated).

Change-log

Official USA change-log:

  • Further improvements to overall system stability and other minor adjustments have been made to enhance the user experience

System Titles

NATIVE_FIRM

memchunkhax2 was fixed by reading the MemoryBlockHeader next pointer before it is mapped to userland. Only one function was changed in arm11kernel.

The only updated FIRM sysmodules were fs and loader. For fs, the only change is a version field in .code that is used together with a debug NOP instruction.

loader

The loader process .text was previously 0x331C bytes; it is now 0x36F0 bytes.

All code changes:

  • Some code using svcGetSystemTick was added. This is used by L_14002670.
  • L_140022b8 (L_14002234 in the previous loader version): This is the function which calls L_140025f0. Code was added between the code which loads the memregion value from the exheader and the function call for mapping it (L_140025f0). This new code determines what to pass for the L_140025f0 insp4 flag. By default the value passed for that flag is 0.
    • When the process memregion is APPLICATION, the programID is for a CTR title, and the uniqueid matches the eShop system application (all regions including CHN), the flag is set to 1.
    • When the process memregion is SYSTEM, the flag is set to 1 when the reslimit_category is not LIB_APPLET.
  • L_140025f0 (L_140024e4 in the previous loader version) now calls another function (L_14002670) instead of svcControlMemory directly for mapping the codebin memory. The insp4 flag from the L_140025f0 input is passed to L_14002670 as sp0.
  • L_14002670: New function used for mapping the codebin. When the insp0 flag is zero, this does the normal memory mapping; otherwise a special memory-mapping codepath is used. This codepath still uses the same memregion specified in the exheader.

The special memory-mapping codepath maps the codebin with svcControlMemory in up to 8 chunks, each with a random size, and the chunks are allocated in a random order. Since the allocation order is random, the order of the .text chunks in physmem is random too. When the total size of the randomized page counts is less than the required amount, an 8th chunk is used to pad the total to the exact required size. It appears the total combined size passed to svcControlMemory is always exactly the size required for the codebin.

Regarding chunk size calculation:

  • s32 maxval = (codebin_totalrequiredpages - pagepos) >> 4;
  • maxval is clamped to 15 if it is >= 15.
  • pagecount = L_14001730(maxval);
  • pagecount = (pagecount + 1) << 4;
  • chunksize = pagecount << 12;

This is an attempt at randomizing the physmem layout of .text, in response to gspwn.
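The chunk-size calculation above as an added C model; this is not code from the loader itself. It assumes L_14001730 returns a value in [0, maxval) (stubbed here with a placeholder LCG, since the real function's range and entropy source are not described on this page) and that fewer than 16 remaining pages are left to the pad chunk; the random allocation order is not modelled.

```c
#include <stdint.h>

#define MAX_CHUNKS 8
#define PAGE_SIZE  0x1000u

/* Stand-in for loader's L_14001730. Assumption: it returns a value in
 * [0, maxval); a tiny LCG keeps this model deterministic. */
static uint32_t rand_stub(uint32_t *state, uint32_t maxval)
{
    *state = *state * 1103515245u + 12345u;
    return maxval ? (*state >> 16) % maxval : 0;
}

/* Plan the chunk sizes (in pages) the special codepath would use for a
 * codebin of total_pages pages: up to 7 randomized chunks, then an 8th
 * chunk padding to the exact required size. Returns the chunk count. */
int plan_codebin_chunks(uint32_t total_pages, uint32_t seed,
                        uint32_t chunks[MAX_CHUNKS])
{
    uint32_t state = seed, pagepos = 0;
    int n = 0;

    while (n < MAX_CHUNKS - 1 && pagepos < total_pages) {
        int32_t maxval = (int32_t)((total_pages - pagepos) >> 4);
        if (maxval >= 15)
            maxval = 15;
        if (maxval == 0)  /* < 16 pages left: leave them to the pad chunk (assumption) */
            break;
        uint32_t pagecount = rand_stub(&state, (uint32_t)maxval);
        pagecount = (pagecount + 1) << 4;  /* 16..240 pages, never past the end */
        chunks[n++] = pagecount;
        pagepos += pagecount;
    }
    if (pagepos < total_pages)  /* pad chunk: bring the total to the exact size */
        chunks[n++] = total_pages - pagepos;
    return n;
}

/* Total pages covered by a plan; must always equal the required size. */
uint32_t chunks_total_pages(const uint32_t *chunks, int n)
{
    uint32_t sum = 0;
    for (int i = 0; i < n; i++)
        sum += chunks[i];
    return sum;
}
```

Calling plan_codebin_chunks(0x100000 / PAGE_SIZE, seed, chunks) for a 1 MiB codebin and printing chunks[i] * PAGE_SIZE shows one sampled layout; different seeds give different chunk sizes but the same total.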

NS

NS added a new APT command, used by Home Menu, which checks whether IronFall is on the latest version before launching it; if an exploitable version is installed and the function is called to launch IronFall, the system will reboot. This check is done again before launching the title, throwing an error if it fails.

Home Menu

The code changes for Home Menu appear to be just title/AM-related and GUI changes.

Code was implemented for using the APT:IsTitleAllowed command mentioned above: when it returns 0 while you try to launch an application, Home Menu displays a message using the following text from the new message strings:

You need to update this 
software before you can
launch it.

See Also

System update report(s):