Difference between revisions of "11.4.0-37"

From 3dbrew
Line 29: Line 29:
 
===[[NWM_Services|NWM-sysmodule]]===
 
===[[NWM_Services|NWM-sysmodule]]===
 
The [[CONFIG11_Registers]] are no longer directly mapped under userland for NWM-sysmodule.
 
The [[CONFIG11_Registers]] are no longer directly mapped under userland for NWM-sysmodule.
This prevents anything under NWM-module from modifying the GPUPROT register.
+
This prevents anything under NWM-module from modifying the GPUPROT register. This was used by both *hax payload(prior to v11.4 release) and [https://github.com/smealum/udsploit udsploit].
  
 
The codebin was updated.
 
The codebin was updated.
Line 38: Line 38:
 
.. has been removed from NWM. This one has been moved into kernel bootup.
 
.. has been removed from NWM. This one has been moved into kernel bootup.
  
Accesses to 0x1EC40180 have been replaced by a new syscall, [[SVC|0x5A]].
+
All accesses to 0x1EC40180 have been replaced by a new syscall, [[SVC|0x5A]].
  
A new string was added at 0x13E200: "used"(with 3 0xFF bytes afterwards). The wifi-fw was moved from .data to .rodata.
+
This now includes code from old CTRSDK update(s). The only other changes was new heap code, for fixing the NWMUDS sharedmem [[3DS_System_Flaws|vuln]]. This includes code which actually validates heap memchunkhdrs, with svcBreak being executed on failure.
 +
 
 +
A new string was added at 0x13E200: "used"(with 3 0xFF bytes afterwards), this is used by the new heap code. The wifi-fw was moved from .data to .rodata.
  
 
===[[Internet Browser]]===
 
===[[Internet Browser]]===

Revision as of 17:28, 11 April 2017

The Old3DS+New3DS 11.4.0-37 system update was released on April 10, 2017. This Old3DS update was released for the following regions: USA, EUR, JPN, CHN, KOR, and TWN. This New3DS update was released for the following regions: USA, EUR, JPN, CHN, KOR, and TWN.

Security flaws fixed: yes.

Change-log

Official USA change-log:

  • Further improvements to overall system stability and other minor adjustments have been made to enhance the user experience

System Titles

NATIVE_FIRM

Process9

The global boolean preventing SAFE_FIRM from being launched is now set in Process9's crt0 if CFG9_BOOTENV has bit0 set, that is to say, if it has been launched from a firmlaunch (this register is set to 1 just before a firmlaunch). The following code has also been added in the firmlaunch function itself:

 if(!(CFG9_BOOTENV & 1) /* not a firmlaunch */ || (CFG9_BOOTENV & 6) /* firmlaunched from LGY_FIRM (if even possible at all) */) goto panic;

This is to fix safehax.

New3DS kernel9loader

New3DS kernel9loader wasn't updated.

ARM11 kernel

There are at least three changes (and likely only these three):

  • CFG11_WIFIUNK is now set to 0x10 in Kernel11's crt0
  • A new SVC, svc 0x5A, has been introduced to enable or disable wifi
  • The code handling svcArbitrateAddress with type = SIGNAL has been changed. It now counts the actual number of threads arbitrating on that address and, if that count is non-zero, executes the following hack: if(coreId == 0 && currentThread->dynamicPriority >= 50) waitCycles(0x64E). This supposedly works around the lag issue in some games that was introduced in 11.3.0-36.

Modules

No FIRM ARM11 sysmodule was changed.

NWM-sysmodule

The CONFIG11_Registers are no longer directly mapped under userland for NWM-sysmodule. This prevents anything under NWM-module from modifying the GPUPROT register. This was used by both the *hax payload (prior to the v11.4 release) and udsploit.

The codebin was updated.

The crt0-poke in PDN that NWM previously did:

 0x1EC4010C |= 0x10

.. has been removed from NWM. This one has been moved into kernel bootup.

All accesses to 0x1EC40180 have been replaced by a new syscall, 0x5A.

This now includes code from old CTRSDK update(s). The only other change was new heap code, for fixing the NWMUDS sharedmem vuln. This includes code which actually validates heap memchunkhdrs, with svcBreak being executed on failure.

A new string was added at 0x13E200: "used" (with 3 0xFF bytes afterwards); this is used by the new heap code. The wifi-fw was moved from .data to .rodata.
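
The kind of chunk-header check described above, as an added example that is not NWM's or the CTRSDK's code. The header layout, the tag value and every name below are hypothetical; returning 0 stands in for the point where the page says svcBreak is executed.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical chunk header for illustration; NOT the CTRSDK layout. */
typedef struct {
    uint32_t tag;   /* constructed marker value */
    uint32_t size;  /* payload bytes following the header */
    uint32_t prev;  /* offset of the previous header, NO_CHUNK at the head */
    uint32_t next;  /* offset of the next header, NO_CHUNK at the tail */
} chunk_hdr;

#define CHUNK_TAG 0x43484B31u  /* "CHK1", constructed */
#define NO_CHUNK  0xFFFFFFFFu

/* Copy a header out of the heap only if it lies fully inside it. Copying once
 * also avoids re-reading memory that could change between two checks. */
static int read_hdr(const uint8_t *heap, uint32_t heap_len, uint32_t off, chunk_hdr *out) {
    if (off % 4 || heap_len < sizeof *out || off > heap_len - sizeof *out) return 0;
    memcpy(out, heap + off, sizeof *out);
    return 1;
}

/* Returns 1 if the header at `off` is consistent, 0 if the caller must stop
 * using the heap (the module described on the page breaks at that point). */
int chunk_is_valid(const uint8_t *heap, uint32_t heap_len, uint32_t off) {
    chunk_hdr h, n, p;
    if (!read_hdr(heap, heap_len, off, &h) || h.tag != CHUNK_TAG) return 0;
    /* Payload must fit behind the header without wrapping. */
    if (h.size == 0 || h.size > heap_len - off - sizeof h) return 0;
    /* Neighbours must be in bounds and must link back to this chunk. */
    if (h.next != NO_CHUNK && (!read_hdr(heap, heap_len, h.next, &n) || n.prev != off)) return 0;
    if (h.prev != NO_CHUNK && (!read_hdr(heap, heap_len, h.prev, &p) || p.next != off)) return 0;
    return 1;
}

/* Constructed sample: two linked chunks in a 64-byte heap; `corrupt` picks a tampered field. */
int demo(int corrupt) {
    uint8_t heap[64] = {0};
    chunk_hdr a = { CHUNK_TAG, 16, NO_CHUNK, 32 };
    chunk_hdr b = { CHUNK_TAG, 16, 0, NO_CHUNK };
    if (corrupt == 1) a.next = 0x1000;       /* forward link outside the heap */
    if (corrupt == 2) a.size = 0xFFFFFFF0u;  /* size larger than the heap */
    if (corrupt == 3) b.prev = 16;           /* back link does not match */
    memcpy(heap, &a, sizeof a);
    memcpy(heap + 32, &b, sizeof b);
    return chunk_is_valid(heap, sizeof heap, 0) && chunk_is_valid(heap, sizeof heap, 32);
}
```

Each check runs before the header is used for any pointer arithmetic, so a tampered field stops the operation instead of steering a write.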

Internet Browser

The web-browser was updated, only for New3DS. See here for details.

See Also

System update report(s):