3dbrew

Changes

3DS System Flaws (edit)

Revision as of 07:05, 3 November 2014

545 bytes added ,  07:05, 3 November 2014
no edit summary
Line 2: Line 2:     
==List of 3DS exploits==
 
==List of 3DS exploits==
 +
 +
==Current Efforts==
 +
There are people working on finding exploits and documenting the 3DS. Here's a list of some current efforts being made to make homebrew on the 3DS possible:
 +
 +
* Smealum has a working exploit up to newest system version and has shown what seems to be viable proof that this is real. He says that he will be releasing the exploit when he believes all of the bundled software (HBC and others) are relatively bug free. In other words NO ETA.
 +
 +
==Stale / Rejected Efforts==
 +
* Neimod has been working on a RAM dumping setup for a little while now. He's desoldered the 3DS's RAM chip and hooked it and the RAM pinouts on the 3DS's PCB up to a custom RAM dumping setup. Recent photos show that the setup is working quite well, with the 3DS successfully booting up. Pictures of neimod's work can be found on [http://www.flickr.com/photos/neimod/ his Flickr stream].
 +
 +
    * Neimod's flickr stream is now private and his work is considered stale
 +
 +
* Govanify has released CFW and CIA installers along with some other interesting stuff (and illegal stuff) most of which were created by others and stolen
 +
 +
== Fixed vulnerabilities ==
 +
* The following was fixed with [[7.0.0-13]], see here for [[7.0.0-13|details]]. Too long or corrupted strings (01Ah  2  Nickname length in characters    050h  2  Message length in characters) in the NVRAM DS user settings cause (System Settings->Other Settings->Profile->Nintendo DS Profile) to crash in 3DS-mode due to a stack-smash. The DSi is not vulnerable to this, DSi launcher(menu) and DSi System Settings will reset the NVRAM user-settings if the length field values are too long(same result as when the CRCs are invalid).
    
==Failed attempts==
 
==Failed attempts==
Line 9: Line 24:  
* Pyramids (3DSWare), QR codes: no strings. Only crashes are from out-of-bounds values (like background ID) and are not exploitable.
 
* Pyramids (3DSWare), QR codes: no strings. Only crashes are from out-of-bounds values (like background ID) and are not exploitable.
 
* 3DS browser, 2^32 characters long string: this is similar to the vuln fixed [http://git.chromium.org/gitweb/?p=external/Webkit.git;a=commitdiff;h=ec471f16fbd1f879cb631f9b022fd16acd75f4d4 here], concat-large-strings-crash2.html triggers a crash which is about the same as the one triggered by a 2^32 string. Most of the time this vuln will cause a memory page permissions fault, since the webkit code attempts to copy the string text data to the output buffer located in read-only [[CRO0|CRO]] heap memory. The only difference between a crash triggered by a 2^32 string and the concat-large-strings-crash2.html crash is that the former copies the string data using the original string length(like 1 text character for "x", 4 for "xxxx") while the latter attempts to copy >12MB. In some ''very'' rare cases a thread separate from the string data-copy thread will crash, this might be exploitable however this is useless since it rarely crashes this way.
 
* 3DS browser, 2^32 characters long string: this is similar to the vuln fixed [http://git.chromium.org/gitweb/?p=external/Webkit.git;a=commitdiff;h=ec471f16fbd1f879cb631f9b022fd16acd75f4d4 here], concat-large-strings-crash2.html triggers a crash which is about the same as the one triggered by a 2^32 string. Most of the time this vuln will cause a memory page permissions fault, since the webkit code attempts to copy the string text data to the output buffer located in read-only [[CRO0|CRO]] heap memory. The only difference between a crash triggered by a 2^32 string and the concat-large-strings-crash2.html crash is that the former copies the string data using the original string length(like 1 text character for "x", 4 for "xxxx") while the latter attempts to copy >12MB. In some ''very'' rare cases a thread separate from the string data-copy thread will crash, this might be exploitable however this is useless since it rarely crashes this way.
  −
==Current efforts==
  −
There are people working on finding exploits and documenting the 3DS. Here's a list of some current efforts being made to make homebrew on the 3DS possible:
  −
  −
* Neimod has been working on a RAM dumping setup for a little while now. He's desoldered the 3DS's RAM chip and hooked it and the RAM pinouts on the 3DS's PCB up to a custom RAM dumping setup. Recent photos show that the setup is working quite well, with the 3DS successfully booting up. Pictures of neimod's work can be found on [http://www.flickr.com/photos/neimod/ his Flickr stream].
  −
  −
== Fixed vulnerabilities ==
  −
* The following was fixed with [[7.0.0-13]], see here for [[7.0.0-13|details]]. Too long or corrupted strings (01Ah  2  Nickname length in characters    050h  2  Message length in characters) in the NVRAM DS user settings cause (System Settings->Other Settings->Profile->Nintendo DS Profile) to crash in 3DS-mode due to a stack-smash. The DSi is not vulnerable to this, DSi launcher(menu) and DSi System Settings will reset the NVRAM user-settings if the length field values are too long(same result as when the CRCs are invalid).
      
==Tips and info==
 
==Tips and info==
Irocktolive7
10

edits

Retrieved from "https://www.3dbrew.org/wiki/Special:MobileDiff/10406"