Changes

6,010 bytes added ,  23:08, 23 January 2018
m
no edit summary
Line 11: Line 11:  
The only difference between the ExeFS .code for each region of the Old3DS/New3DS browser, is byte values for the title uniqueID/region.
 
The only difference between the ExeFS .code for each region of the Old3DS/New3DS browser, is byte values for the title uniqueID/region.
   −
A [[#v9.9_dummy_web-browser|"dummy" browser]] (which replaces the actual browser) is being included with cartdrige games shipping the [[9.9.0-26|9.9.0-X]] system update.  
+
A [[#Dummy_web-browser|"dummy" browser]] (which replaces the actual browser) is being included with cartdrige games shipping with system updates starting with [[9.9.0-26|9.9.0-X]].  
 
In addition, versions of the real browser since 9.9.0-26X attempt to [[#Forced_system-update|check-in with a Nintendo server]] to determine if the existing browser version is out of date.
 
In addition, versions of the real browser since 9.9.0-26X attempt to [[#Forced_system-update|check-in with a Nintendo server]] to determine if the existing browser version is out of date.
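Review bot: the typo "cartdrige" in the rewritten dummy-browser sentence (the + line) should be "cartridge"; the old line carried the same typo, so this rewrite was the place to fix it. The anchor change from #v9.9_dummy_web-browser to #Dummy_web-browser is consistent with the renamed section later in this change.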
   Line 25: Line 25:  
The New3DS browser uses the following services: [[MVD_Services|mvd:STD]] and [[IR_Services|ir:rst]](DLC-related services are used too but those aren't New3DS specific).
 
The New3DS browser uses the following services: [[MVD_Services|mvd:STD]] and [[IR_Services|ir:rst]](DLC-related services are used too but those aren't New3DS specific).
 
Video decoding is done with [[MVD_Services|mvd:STD]]. Audio decoding/playback is done with a browser-specific DSP binary. The Old3DS browser used CSND for audio playback, the New3DS browser doesn't have access to that at all since it uses DSP instead.
 
Video decoding is done with [[MVD_Services|mvd:STD]]. Audio decoding/playback is done with a browser-specific DSP binary. The Old3DS browser used CSND for audio playback, the New3DS browser doesn't have access to that at all since it uses DSP instead.
The browser manual includes licenses for Android and PacketVideo. The browser uses libstagefright from Android.
+
 
 +
=== Video / libstagefright ===
 +
The browser manual includes licenses for Android and PacketVideo. The browser uses libstagefright from Android. Just like WebKit, the browser appears to use a very old version of libstagefright with security/other changes back-ported(for example, the v10.7 browser libstagefright codebase seems to be older than [https://android.googlesource.com/platform/frameworks/av/+/ec77122351b4e78c1fe5b60a208f76baf8c67591%5E%21/media/libstagefright/MPEG4Extractor.cpp this]). This codebase is missing certain chunk-parsing code for 3GP.
 +
 
 +
HTTP for libstagefright is internally handled with [[HTTP_Services|HTTPC]], with a similar(?) set of RootCAs as for browser-version-check.
    
===User-Agent and Browser Versions===
 
===User-Agent and Browser Versions===
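Review bot: the new "Video / libstagefright" section leaves "similar(?) set of RootCAs" as an open question; either state plainly that the RootCA set used for libstagefright HTTP has not been compared with the browser-version-check set, or drop the claim until it has been checked, since a differing CA set changes what TLS guarantees media fetches actually get. "This codebase is missing certain chunk-parsing code for 3GP" names no chunk types; listing which ones are unhandled would make it verifiable, as the later v11.1 note does for the parseChunk offset check. Minor: a space before the parenthesis in "back-ported(for example", and "Just like WebKit" reads better as "As with WebKit".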
Line 31: Line 35:     
<region> can be one of the following: "JP", "US", or "EU".
 
<region> can be one of the following: "JP", "US", or "EU".
 +
 +
Mobile User-Agent is always <code>Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25</code>.
    
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
Line 36: Line 42:  
! Mobile NintendoBrowser version(displayed in browser settings)
 
! Mobile NintendoBrowser version(displayed in browser settings)
 
! Normal UA
 
! Normal UA
! Mobile UA
   
! CDN Title-version
 
! CDN Title-version
 
! Network-only system-update version
 
! Network-only system-update version
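Review bot: with the "! Mobile UA" column dropped (its cells were identical for every version and are now stated once above the table), the remaining header "! Normal UA" has nothing to contrast with; rename it to "! User-Agent" so the table reads on its own. Minor: "version(displayed" needs a space before the parenthesis.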
Line 43: Line 48:  
| 1.0.9934
 
| 1.0.9934
 
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.8 Mobile NintendoBrowser/1.0.9934.<region>
 
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.8 Mobile NintendoBrowser/1.0.9934.<region>
| Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25
   
| v10
 
| v10
 
| [[9.0.0-20]]
 
| [[9.0.0-20]]
Line 50: Line 54:  
| 1.1.9996
 
| 1.1.9996
 
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.10 Mobile NintendoBrowser/1.1.9996.<region>
 
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.10 Mobile NintendoBrowser/1.1.9996.<region>
| Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25
   
| v1027
 
| v1027
 
| [[9.3.0-21]]
 
| [[9.3.0-21]]
Line 57: Line 60:  
| 1.2.10085
 
| 1.2.10085
 
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.13 Mobile NintendoBrowser/1.2.10085.<region>
 
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.13 Mobile NintendoBrowser/1.2.10085.<region>
| Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25
   
| v2051
 
| v2051
 
| [[9.6.0-24]]
 
| [[9.6.0-24]]
 
| See below.
 
| See below.
 
|-
 
|-
| None
   
| None
 
| None
 
| None
 
| None
Line 70: Line 71:  
|-
 
|-
 
| 1.3.10126
 
| 1.3.10126
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.15 Mobile NintendoBrowser/1.3.10126.US
+
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.15 Mobile NintendoBrowser/1.3.10126.<region>
| Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25
   
| v3077
 
| v3077
 
| [[9.9.0-26]]
 
| [[9.9.0-26]]
Line 77: Line 77:  
|-
 
|-
 
| 1.4.10138
 
| 1.4.10138
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.17 Mobile NintendoBrowser/1.4.10138.US
+
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.17 Mobile NintendoBrowser/1.4.10138.<region>
| Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25
   
| v4096
 
| v4096
 
| [[10.2.0-28]]
 
| [[10.2.0-28]]
 
| See below.
 
| See below.
 
|-
 
|-
|  
+
| 1.5.10143
|  
+
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.5.10143.<region>
|
   
| v5121
 
| v5121
 
| [[10.4.0-29]]
 
| [[10.4.0-29]]
 
| See below.
 
| See below.
 
|-
 
|-
|  
+
| 1.6.10147
|  
+
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.6.10147.<region>
|
   
| v6144
 
| v6144
 
| [[10.6.0-31]]
 
| [[10.6.0-31]]
 +
| See below.
 +
|-
 +
| None
 +
| None
 +
| v7168
 +
| v10.7 CUP
 +
| v10.7 CUP dummy web-browser, see below.
 +
|-
 +
| 1.7.10150
 +
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.7.10150.<region>
 +
| v7184
 +
| [[10.7.0-32]]
 +
| See below.
 +
|-
 +
| 1.8.10156
 +
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.20 Mobile NintendoBrowser/1.8.10156.<region>
 +
| v8192
 +
| [[11.1.0-34]]
 +
| See below.
 +
|-
 +
| None
 +
| None
 +
| v9217
 +
| v11.4 CUP
 +
| v11.4 CUP dummy web-browser, see below.
 +
|-
 +
| 1.9.10160
 +
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.20 Mobile NintendoBrowser/1.9.10160.<region>
 +
| v9232
 +
| [[11.4.0-37]]
 
| See below.
 
| See below.
 
|}
 
|}
    
Note that the latest Old3DS browser WebKit version at the time the initial New3DS browser was released, was the following: 532.8.
 
Note that the latest Old3DS browser WebKit version at the time the initial New3DS browser was released, was the following: 532.8.
 +
 +
The first version of the KOR New3DS browser was v9.6(which was when the New3DS KOR titles were originally added). Each version of the KOR browser has the same NintendoBrowser version as the other regions. The KOR browser has been only updated when the browser for the other regions were updated, hence the title-versions are the same as well. The KOR browser ExeFS .code is different from the other regions(more than just region-related IDs etc).
    
==== OSS 9.0 and 9.3 diff ====
 
==== OSS 9.0 and 9.3 diff ====
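Review bot: the NX/3.0.0.5.19 token is unchanged across the 1.5.10143, 1.6.10147 and 1.7.10150 UA rows while every other version step bumps it; please confirm those three were read from the respective binaries rather than copied forward, since the UA string is what a server-side version check keys on. In the KOR paragraph, "has been only updated" should be "has only been updated" and "v9.6(which" needs a space; "more than just region-related IDs etc" is not checkable as written, so say what else differs in the KOR .code if known.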
Line 265: Line 294:  
* Previous version: sprintf(out, "https://cbvc.cdn.nintendo.net/SNAKE/2/%s", region);
 
* Previous version: sprintf(out, "https://cbvc.cdn.nintendo.net/SNAKE/2/%s", region);
 
* Current  version: sprintf(out, "https://cbvc.cdn.nintendo.net/SNAKE/%d/%s", 3, region);
 
* Current  version: sprintf(out, "https://cbvc.cdn.nintendo.net/SNAKE/%d/%s", 3, region);
 +
 +
libpng was updated from version 1.5.21 to 1.5.24.
    
The following RomFS files were updated(see the forced-sysupdate section regarding what changed in the message files):
 
The following RomFS files were updated(see the forced-sysupdate section regarding what changed in the message files):
Line 296: Line 327:  
The ExeFS codebin was updated.
 
The ExeFS codebin was updated.
   −
[[browserhax|browserhax_fright_tx3g]] was fixed.
+
[[browserhax|browserhax_fright_tx3g]] was fixed. The code handling tx3g now matches the latest libstagefright git.
 +
 
 +
Hence the below RomFS listing, no OSS was updated at all(besides libstagefright mentioned above).
    
The following RomFS files were updated:
 
The following RomFS files were updated:
 
  /build/buildinfo.dat
 
  /build/buildinfo.dat
 
  /static.crs
 
  /static.crs
 +
 +
==== v10.7 ====
 +
Basically the same changes as Old3DS v10.7, except with the usual buildinfo.dat update in RomFS. The below date is 6 days after the browser-version-check [[3DS_Userland_Flaws|bypass]] was publicly disclosed.
 +
 +
cat v7184/00000025_romfs/build/buildinfo.dat
 +
10150
 +
applet
 +
2016-03-02 18:25
 +
 +
==== v11.1 ====
 +
The ExeFS codebin was updated. The following files in RomFS were updated:
 +
 +
  /build/buildinfo.dat
 +
  /.crr/static.crr
 +
  /oss.cro.lex
 +
  /static.crs
 +
  /webkit.cro.lex
 +
 +
  cat v8192/00000026_romfs/build/buildinfo.dat
 +
  10156
 +
  applet
 +
  2016-08-26 19:47
 +
 +
Minus the 4 functions that changed due to compiler optimization, only 1 function was actually updated. This is LT_1a4004, previous version at LT_1a4004: libstagefright status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth)
 +
 +
Additional code was added which doesn't seem to be from upstream git, right [https://android.googlesource.com/platform/frameworks/av/+/32d6e5f0ebe9e00f80401e5f4fd6e285a474590d/media/libstagefright/MPEG4Extractor.cpp#880 before] the cprt code block: "if((*offset + chunk_size) - data_offset < 0)fail"
 +
 +
This fixed skater31hax + any other mp4 haxx which requires using a negative 64bit chunk_size value.
 +
 +
The filepath base used in the assert strings were changed from "d:\Jenkins\workspace\MPSkaterBuild\MVPlayer\Skater\Base\Android\frameworks\base\media\libstagefright\" to "d:\jenkins\workspace\MPSkaterBuild-Git\Base\Android\frameworks\base\media\libstagefright\".
 +
 +
==== v11.4 ====
 +
The only changes in RomFS was for "/build/buildinfo.dat" and "/static.crs", hence no OSS in CRO(s) were updated.
 +
 +
The main codebin was updated. Exactly two functions were updated, these are not related to code exec vulns.
 +
 +
  cat v9232/00000027_romfs/build/buildinfo.dat
 +
  10160
 +
  applet
 +
  2017-03-08 19:44
    
=== New3DS Browser Specifications ===
 
=== New3DS Browser Specifications ===
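Review bot: in the v11.1 paragraph the updated function and its previous version are both given as LT_1a4004 ("This is LT_1a4004, previous version at LT_1a4004"); one address is presumably wrong, or the sentence should say the function sits at the same address in both builds. Formatting: the v10.7 buildinfo.dat block ("cat v7184/...", "10150", "applet", "2016-03-02 18:25") lacks the leading-space indentation the v11.1 and v11.4 blocks use, so it will render as running prose rather than preformatted text. Wording: "Hence the below RomFS listing, no OSS was updated" inverts cause and effect; "Per the RomFS listing below, no OSS was updated" says what is meant, and "The filepath base ... were changed" should be "was changed". The quoted check "if((*offset + chunk_size) - data_offset < 0)fail" reads as a paraphrase rather than the literal source; mark it as such, and spell out for readers that it rejects a chunk whose computed end lies before its data start, which is exactly the negative chunk_size case the next sentence says was closed.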
Line 323: Line 396:     
MJPEG + .avi is also supported.
 
MJPEG + .avi is also supported.
 +
 +
==== Notes ====
 +
* The html "color" <input> type is not supported.
    
== Old3DS browser ==
 
== Old3DS browser ==
Line 331: Line 407:  
* "User agent: Mozilla/5.0 (Nintendo 3DS; region; ; en) Version/1.7498.US"
 
* "User agent: Mozilla/5.0 (Nintendo 3DS; region; ; en) Version/1.7498.US"
 
* "Supported protocols: HTTP1.0/HTTP1.1/SSLv3/TLS1.0"
 
* "Supported protocols: HTTP1.0/HTTP1.1/SSLv3/TLS1.0"
* "Web standard: HTML 4.01/XHTML 1.1/CSS 1/CSS 2.1/CSS 3 (partial functionality)/DOM Levels 1-3/ECMAScript
+
* "Web standard: HTML 4.01/XHTML 1.1/CSS 1/CSS 2.1/CSS 3 (partial functionality)/DOM Levels 1-3/ECMAScript/XMLHttpRequest/Canvas Element (partial functionality)"
/XMLHttpRequest/Canvas Element (partial functionality)"
   
* "Image format: MPO / GIF / JPEG / PNG / BMP / ICO (some images cannot be displayed)"
 
* "Image format: MPO / GIF / JPEG / PNG / BMP / ICO (some images cannot be displayed)"
 
* "Plug-ins: Plug-ins such as Adobe Flash are not supported"
 
* "Plug-ins: Plug-ins such as Adobe Flash are not supported"
Line 363: Line 438:  
| [[4.0.0-7]]
 
| [[4.0.0-7]]
 
| ExeFS .code was updated, both of the CROs(webkit/OSS) were updated too. The manual CFA was updated as well.
 
| ExeFS .code was updated, both of the CROs(webkit/OSS) were updated too. The manual CFA was updated as well.
 +
|-
 +
| 1.7538
 +
| v0
 +
| [[4.2.0-9]]
 +
| First version of the KOR browser. The CROs are different from the  USA/EUR/JPN [[4.0.0-7]] browser.
 
|-
 
|-
 
| 1.7552
 
| 1.7552
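Review bot: the new KOR row (1.7538 / v0 / 4.2.0-9) records the region only in its notes cell; since the table has no region column, prefix the version with "(KOR)" or add a column so the row is not read as a USA/EUR/JPN release. Minor: double space in "the  USA/EUR/JPN".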
Line 406: Line 486:  
| v7168
 
| v7168
 
| [[10.2.0-28]]
 
| [[10.2.0-28]]
 +
| See below.
 +
|-
 +
| 1.7622
 +
| v8192
 +
| [[10.6.0-31]]
 +
| See below.
 +
|-
 +
| None
 +
| v9216
 +
| v10.7 CUP
 +
| v10.7 CUP dummy web-browser, see below.
 +
|-
 +
| 1.7625
 +
| v9232
 +
| [[10.7.0-32]]
 +
| See below.
 +
|-
 +
| 1.7630
 +
| v10240
 +
| [[11.1.0-34]]
 
| See below.
 
| See below.
 
|}
 
|}
 +
 +
=== Heap ===
 +
The USA/EUR/JPN + KOR browser allocates the 0x08000000 heap with size 0x01A97000. The size used by the CHN and TWN browser is 0x01997000, exactly 0x100000-bytes smaller.
    
=== Old3DS v9.9 ===
 
=== Old3DS v9.9 ===
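Review bot: in the new Heap section, "allocates the 0x08000000 heap with size 0x01A97000" is ambiguous about whether 0x08000000 is the heap base address or another size; if it is the address, write "the heap at 0x08000000". The arithmetic checks out (0x01A97000 - 0x01997000 = 0x100000). The section sits under the Old3DS browser heading but names every region's browser; say whether the New3DS browser uses the same heap layout or whether this is Old3DS-only.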
Line 484: Line 587:     
=== Old3DS v10.2 ===
 
=== Old3DS v10.2 ===
The slider vuln from [https://github.com/yellows8/3ds_webkithax here] was fixed in the Old3DS browser it seems.
+
The slider vuln from [https://github.com/yellows8/3ds_webkithax here] was fixed in the Old3DS browser.
    
The main codebin .text only increased by 0x10-bytes.
 
The main codebin .text only increased by 0x10-bytes.
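Review bot: the hedge "it seems" is dropped from the slider-vuln sentence without saying what confirmed the fix; reference the evidence (the RenderSlider::inDragMode excerpt in the v10.2 diff below) so the stronger claim stays checkable.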
Line 530: Line 633:  
    
 
    
 
   bool RenderSlider::inDragMode() const
 
   bool RenderSlider::inDragMode() const
 +
 +
=== Old3DS v10.6 ===
 +
[[browserhax|spider28hax]] was fixed. The "2^32 characters long string" vuln described [[3DS_Userland_Flaws|here]] was ''finally'' fixed.
 +
 +
''A lot'' of WebKit issues/vulns were fixed, see [https://gist.github.com/yellows8/b1e10caa1d8bb8a46316 here] for the changes.
 +
 +
libpng was updated from version 1.4.12 to 1.4.19. zlib was updated from 1.2.7 to 1.2.8.
 +
 +
The .text size increased by 0x478-bytes.
 +
 +
The only changes in RomFS was that the following files were updated:
 +
/cro/oss.cro
 +
/cro/static.crs
 +
/cro/webkit.cro
 +
/.crr/static.crr
 +
/manual/Manual.bcma
 +
 +
=== Old3DS v10.7 ===
 +
''Nothing'' changed except some words for version-values in .text being updated(RomFS wasn't changed), code for browser-version-check was [[#v10.7_2|updated]].
 +
 +
=== Old3DS v11.1 ===
 +
Nothing changed in the ExeFS codebin besides the usual version values. The following files in RomFS were updated:
 +
  /cro/oss.cro
 +
  /cro/webkit.cro
 +
  /.crr/static.crr
    
== Forced system-update ==
 
== Forced system-update ==
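Review bot: the link "[[#v10.7_2|updated]]" in the Old3DS v10.7 section relies on MediaWiki's auto-numbered duplicate anchor (the second heading named exactly "v10.7" on the page, the one under Forced system-update); it will silently point elsewhere if another "v10.7" heading is added or the order changes, so give that subsection a unique heading and link to it by name. Formatting: the v10.6 RomFS file list (/cro/oss.cro through /manual/Manual.bcma) is not space-indented like the v11.1 list directly below it, so the two render differently. Grammar: "The only changes in RomFS was" should be "were".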
Line 600: Line 728:  
  000030: 64 6f 2e 6e 65 74 0d 0a 0d 0a                    do.net....
 
  000030: 64 6f 2e 6e 65 74 0d 0a 0d 0a                    do.net....
   −
== v9.9 dummy web-browser ==
+
=== v10.7 ===
The gamecard v9.9 sysupdate included with some games contains a dummy Old3DS/New3DS web-browser. The *only* thing this title does is display the same message listed in the above forced-update section. The message files in RomFS *only* contain that message string above. There are no "http" strings in the main codebin, and [[RO_Services|RO]] isn't used either(no CRO data in RomFS at all). Both browsers are internally called "dummySpider".
+
The only actual code change with Old3DS/New3DS browser v10.7 was that the code which calculates the diff_timestamp was moved to immediately after the block which initializes <state_timestamp> when <state_timestamp> is all-zero. This fixed the browser-version-check [[3DS_Userland_Flaws|bypass]].
   −
Hence, if you update your system from pre-v9.9 using a gamecard with v9.9, the system web-browser will be rendered *completely* useless until you install a system-update from CDN(no network requests involved here).
+
== Dummy web-browser ==
 +
Gamecards v9.9 and above include, with their sysupdate, a dummy Old3DS/New3DS web-browser. The *only* thing this title does is display the same message listed in the above forced-update section. The message files in RomFS *only* contain that message string above. There are no "http" strings in the main codebin, and [[RO_Services|RO]] isn't used either(no CRO data in RomFS at all). Both browsers are internally called "dummySpider".
 +
 
 +
Hence, if you update your system below v9.8 with any v9.9 or above gamecard, the system web-browser will be rendered *completely* useless until you install a system-update from CDN(no network requests involved here).
 +
 
 +
Gamecards v10.7 and v11.4(New3DS only) have updated the dummy web-browser, where the only difference is the title version.
    
== Savedata ==
 
== Savedata ==
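Review bot: the rewritten dummy-browser sentence changes the affected range from "pre-v9.9" to "below v9.8", which excludes a v9.8 system that the old wording included; confirm which threshold is meant and, if the old meaning was right, write "below v9.9". "Gamecards v9.9 and above include, with their sysupdate, a dummy ..." reads better as "The sysupdate on gamecards v9.9 and above includes a dummy ...". The new "=== v10.7 ===" heading under Forced system-update duplicates the New3DS "==== v10.7 ====" heading name, which is what forces the fragile #v10.7_2 anchor used elsewhere on the page; a distinct name such as "Browser-version-check v10.7" avoids that.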
Line 638: Line 771:  
| s64 timestamp, can be either a normal positive timestamp or a relative negative one. Used with the forced-update described above. When an update is detected this timestamp is negative, otherwise this is a normal positive timestamp(it's unknown how exactly this timestamp is checked). When positive, this seems to be the last time the forced-update HTTPS request was done where no update was needed.
 
| s64 timestamp, can be either a normal positive timestamp or a relative negative one. Used with the forced-update described above. When an update is detected this timestamp is negative, otherwise this is a normal positive timestamp(it's unknown how exactly this timestamp is checked). When positive, this seems to be the last time the forced-update HTTPS request was done where no update was needed.
 
|}
 
|}
 +
 +
==APT Parameters==
 +
The URL to load can optionally be loaded from char[] string [[APT:SendParameter|paramblk+0]]. This is used when scanning URL QR-codes in Home Menu / etc.
 +
 +
==Errors==
 +
"Failed to load part of this page": This can be caused by failing to load "/favicon.ico". For example, this can be caused by loading a plain HTTP page, with plain-http favicon redirecting to HTTPS. If cert-verify then fails with favicon in this case, this error would then trigger.
    
==Other details==
 
==Other details==
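Review bot: the APT Parameters note says the URL is read from a char[] at paramblk+0 but gives neither its maximum length nor whether it must be NUL-terminated; both matter to anyone validating QR-code URLs before they reach the browser, so document them if known. In Errors, "If cert-verify then fails with favicon in this case, this error would then trigger" is hard to parse; suggest "If the HTTPS favicon then fails certificate verification, this error is shown", and add that the generic message hides a TLS verification failure, so a page author who sees it should check the favicon's certificate chain first.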
Line 735: Line 874:  
* [http://www.nintendo.com/3ds/internetbrowser/bookmarks Nintendo 3DS Bookmarks] - This is the first bookmark pre-installed in the browser.
 
* [http://www.nintendo.com/3ds/internetbrowser/bookmarks Nintendo 3DS Bookmarks] - This is the first bookmark pre-installed in the browser.
 
* [http://3ds.andysmith.co.uk/jFox.html jFox] (Short URL: http://bit.ly/iB7FqW)
 
* [http://3ds.andysmith.co.uk/jFox.html jFox] (Short URL: http://bit.ly/iB7FqW)
* [http://ditto3d.com/3ds Ditto3D] (Short URL: http://bit.ly/oVreWA)
+
* [http://ditto3d.com/3ds Ditto3D (Dead Link)] (Short URL: http://bit.ly/oVreWA)
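Review bot: "(Dead Link)" was put inside the link text, which alters the recorded bookmark title "Ditto3D" that this list documents; move the marker outside the brackets, e.g. "[http://ditto3d.com/3ds Ditto3D] (dead link; Short URL: http://bit.ly/oVreWA)", so the pre-installed bookmark name stays verbatim.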