11.3.0-36
The Old3DS+New3DS 11.3.0-36 system update was released on February 6, 2017. This Old3DS update was released for the following regions: USA, EUR, JPN, CHN, KOR, and TWN. This New3DS update was released for the following regions: USA, EUR, JPN, CHN, KOR, and TWN.
Security flaws fixed: yes.
Change-log
Official USA change-log:
- Further improvements to overall system stability and other minor adjustments have been made to enhance the user experience
System Titles
NATIVE_FIRM
Process9
Actual code changed in Process9 .text. Exactly 2 functions were updated, and 1 new function was added which is called by the first function(see below).
Process9 now sets a global flag via the new function when starting certain titles. The flag is set when programID-high matches 0x00040000 or 0x00040010, unless the uniqueID is 0xF802A for programID-high 0x00040000. The flag is set for programID-high 0x00040030(applets) when the uniqueID doesn't match any of the 6 Home Menu regions. The flag is not set if the programID-high isn't one of these 3. This is implemented in the PXIPM cmdhandler function in the code for PXIPM:RegisterProgram, in the code prior to actually calling the PXIPM:RegisterProgram function.
The flag-write function just writes hard-coded value 0x1 to the u8 flag.
The firmlaunch function panics when attempting to launch SAFE_FIRM(New3DS programID-low bitmask is masked out) if that flag has been set, to prevent safefirmhax.
The anti-downgrade title-listing in Process9 was also updated.
New3DS arm9loader
New3DS arm9loader wasn't updated.
ARM11 kernel
fasthax was fixed.
Exactly 4 functions were added(includes the func for SVC 0x59 and the actual func for it). Exactly 14 functions were updated, 13 if not including the kernel-flags-parser func which verifies the exheader kernel-version etc(which only had compiler(?)-related changes minus version constant).
Code addrs listed below are from the Old3DS kernel.
- A new SVC was implemented: 0x59. See here for the kernel implementation. This is used by the updated GSP-module.
- svcGetProcessInfo type19 was implemented, this is used by the updated GSP-module.
- Additional bound checks were added to timer-handling code (setting and/or incrementing a timer's value, etc.) and to the KTimerAndWDTManager second virtual function, so that a timer's value can never be set to either a negative value or the past (which is what fasthax needed to do).
- The two functions that either add a KTimeableInterruptEvent instance to the global queue of pending KTimeableInterruptEvent (see KTimerAndWDTManager), or remove one from it, now return a boolean indicating whether the interrupt event already is/was in the queue (if that is true, the function that adds the interrupt event will now update the timer registers in that case as well). This is especially used for the below fixes.
- When adding a timer to that queue, its reference count is incremented (if it wasn't already in the queue). It is only decremented when needed, after actually signaling the timer by the interrupt-handling code.
- L_fff20d28(Prev ver @ L_fff20b40): Added a call to L_fff1bb74() before calling L_fff1d514(), in two locations.
- L_fff2131c(Prev ver @ L_fff21124): Same changes as L_fff20d28.
- L_fff26348(Prev ver @ L_fff2631c): Same changes as L_fff20d28 except with four locations.
- L_fff28058(Prev ver @ L_fff27e28): Same changes as L_fff20d28 except with just one location.
- A virtual method was added to the definition of abstract class KTimeableInterruptEvent. Prior to (re)adding KTimer instances as interrupt events (and some other objects) to the queue, objects of the queue with this method returning
falseare removed from it. Its implementations are the following:
Modules
No FIRM ARM11 sysmodule was changed.
NS
Only two constants were actually changed: the minimal value required for the kernel's minor version number (now 0x35, ie. 11.3 NFIRM, it used to be 0x23, ie. 5.0 NFIRM), and the version number used for FS:InitializeWithSdkVersion.
GSP
GSP-module was updated for Old3DS+New3DS.
Exactly 4 functions were updated (11.3 N3DS addresses):
- L_102048, prev ver @ L_102048: Now writes 0 to LCD register 0x10202014 and ORs 0x1020200C with 0x10001.
- L_104CD0, prev ver @ L_104CD8: Code was added @ 0x104E6C(prev 0x104E78) for calling L_0x106C8C() when a certain field is non-zero.
- L_10B4F4, prev ver @ L_10B4A8: This is called by GSPGPU:AcquireRight. Code executed before successfully returning was moved into L_106058, this now calls that function before returning instead.
- L_10B7DC, prev ver @ L_L_10B800: This is GSPGPU:TryAcquireRight. Exact same changes as L_10B4F4.
Exactly 1 new function was added, L_106058:
- This function is just the code mentioned above that was moved into here, with some new code:
- val=0;
- svcGetProcessInfo with type19 is used with the handle from inr2.
- if(above_svc_succeeded){if((procinfo_outu32 & 0xF00) != 0x100)val=1;}//check for memregionid!=APPLICATION
- val is passed to the new SVC 0x59 as s8 r0.
- Lastly it will execute throw_fatalerr() on error.
Friends
Exact same change as usual: only the byte for fpdver in exefs codebin was updated(changed from 8 to 9).
Home Menu
Exactly 1 function was updated, this fixed bossbannerhax(the last exploit used by menuhax). Code was added to verify that the common and {region/language}-specific exbanner sections don't have a decompressed size >{max_size}, when that happens it jumps over the func-call for doing the actual decompression.
eShop system-application
In RomFS, the message/ localization files and "/cad/Download.arc.lz" were updated. Besides strings related to new localization messages, it appears the only new string in the exefs codebin is "integrated_account". Going by nearby strings this may be used with network requests.
diff --git a/v21506/US_English_tiger.msbt.lz.decom_wstrs b/v23552/US_English_tiger.msbt.lz.decom_wstrs index 3c3938f..2890b25 100644 --- a/v21506/US_English_tiger.msbt.lz.decom_wstrs +++ b/v23552/US_English_tiger.msbt.lz.decom_wstrs @@ -766,6 +766,11 @@ Continue Press to return to the HOME Menu. +A receipt will be sent to the e-mail +address registered to your Nintendo +Account. If a child account is being +used, the receipt will be sent to the +parent or guardian's e-mail address. Do you want to continue shopping? Please read the information on the upper screen. @@ -783,6 +788,9 @@ more information. You can view the code at any time by checking the receipt within Account Activity in the Settings / Other menu. +The code will also be sent to the +e-mail address registered to your +Nintendo Account. Transaction complete. Generated Code(s) A software update is available.
mint eShop applet
Seems to be about the same changes as eShop-app.
In the ExeFS codebin, besides message-related strings, multiple "integrated_account" strings were added + the following two strings: "privilege_infos" and "privilege_info".
The RomFS message/ files were updated.
diff --git a/v16384/US_English_mint.msbt.lz.decom_wstrs b/v18432/US_English_mint.msbt.lz.decom_wstrs index 78a6c56..e32142a 100644 --- a/v16384/US_English_mint.msbt.lz.decom_wstrs +++ b/v18432/US_English_mint.msbt.lz.decom_wstrs @@ -163,6 +163,15 @@ For details, refer to the receipt for this transaction via Account Activity in Nintendo eShop. Your download will commence shortly. +A code has been issued to you. +The code and information about its use +will be sent to the e-mail address +registered to your Nintendo Account. +If a child account is being used, the +receipt will be sent to the parent or +guardian's e-mail address. +Your download will be completed +shortly. Get All Downloading Software Software Download Complete @@ -212,6 +221,10 @@ For purchase details, please check Account Activity on Nintendo eShop. You can view your receipt at any time within Account Activity in the Settings / Other menu. +Your receipt will be sent to the email address +registered to your Nintendo Account. If a child +account is being used, the receipt will be sent +to the parent or guardian's email address. Added: Balance: Credit-Card Funding
See Also
System update report(s):