Changes

5,522 bytes added, 21:07, 12 September 2021
Line 11: Line 11:  
The only difference between the ExeFS .code for each region of the Old3DS/New3DS browser, is byte values for the title uniqueID/region.
 
The only difference between the ExeFS .code for each region of the Old3DS/New3DS browser, is byte values for the title uniqueID/region.
   −
A [[#v9.9_dummy_web-browser|"dummy" browser]] (which replaces the actual browser) is being included with cartdrige games shipping the [[9.9.0-26|9.9.0-X]] system update.  
+
A [[#Dummy_web-browser|"dummy" browser]] (which replaces the actual browser) is being included with cartdrige games shipping with system updates starting with [[9.9.0-26|9.9.0-X]].  
 
In addition, versions of the real browser since 9.9.0-26X attempt to [[#Forced_system-update|check-in with a Nintendo server]] to determine if the existing browser version is out of date.
 
In addition, versions of the real browser since 9.9.0-26X attempt to [[#Forced_system-update|check-in with a Nintendo server]] to determine if the existing browser version is out of date.
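Review bot: The rewritten sentence still spells "cartdrige"; since the line is being touched anyway, fix it to "cartridge". The link target changes from #v9.9_dummy_web-browser to #Dummy_web-browser, so any other page that links to the old anchor needs the same update. The following context line writes the version as "9.9.0-26X" while this line uses "9.9.0-X"; pick one form.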
   Line 25: Line 25:  
The New3DS browser uses the following services: [[MVD_Services|mvd:STD]] and [[IR_Services|ir:rst]](DLC-related services are used too but those aren't New3DS specific).
 
The New3DS browser uses the following services: [[MVD_Services|mvd:STD]] and [[IR_Services|ir:rst]](DLC-related services are used too but those aren't New3DS specific).
 
Video decoding is done with [[MVD_Services|mvd:STD]]. Audio decoding/playback is done with a browser-specific DSP binary. The Old3DS browser used CSND for audio playback, the New3DS browser doesn't have access to that at all since it uses DSP instead.
 
Video decoding is done with [[MVD_Services|mvd:STD]]. Audio decoding/playback is done with a browser-specific DSP binary. The Old3DS browser used CSND for audio playback, the New3DS browser doesn't have access to that at all since it uses DSP instead.
The browser manual includes licenses for Android and PacketVideo. The browser uses libstagefright from Android.
+
 
 +
=== Video / libstagefright ===
 +
The browser manual includes licenses for Android and PacketVideo. The browser uses libstagefright from Android. Just like WebKit, the browser appears to use a very old version of libstagefright with security/other changes back-ported(for example, the v10.7 browser libstagefright codebase seems to be older than [https://android.googlesource.com/platform/frameworks/av/+/ec77122351b4e78c1fe5b60a208f76baf8c67591%5E%21/media/libstagefright/MPEG4Extractor.cpp this]). This codebase is missing certain chunk-parsing code for 3GP.
 +
 
 +
HTTP for libstagefright is internally handled with [[HTTP_Services|HTTPC]], with a similar(?) set of RootCAs as for browser-version-check.
    
===User-Agent and Browser Versions===
 
===User-Agent and Browser Versions===
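Review bot: The last added sentence states that libstagefright HTTP uses "a similar(?) set of RootCAs as for browser-version-check", which leaves the trust-store claim unverified in the text. Say what was actually compared (for example, whether the certificate list was dumped or inferred from the code) or mark the sentence as unconfirmed. In the paragraph above it, the link label "this" hides which upstream commit the v10.7 codebase is being compared against, and "missing certain chunk-parsing code for 3GP" would be more useful with the chunk types named.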
Line 31: Line 35:     
<region> can be one of the following: "JP", "US", or "EU".
 
<region> can be one of the following: "JP", "US", or "EU".
 +
 +
Mobile User-Agent is always <code>Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25</code>.
    
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
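Review bot: The added line says the Mobile User-Agent is "always" this string, but the per-version Mobile UA column this edit removes had empty cells for the 1.5.x and 1.6.x rows, and the newly added rows never had one recorded. State which browser versions the string was confirmed on, or drop "always".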
Line 36: Line 42:  
! Mobile NintendoBrowser version(displayed in browser settings)
 
! Mobile NintendoBrowser version(displayed in browser settings)
 
! Normal UA
 
! Normal UA
! Mobile UA
   
! CDN Title-version
 
! CDN Title-version
 
! Network-only system-update version
 
! Network-only system-update version
Line 43: Line 48:  
| 1.0.9934
 
| 1.0.9934
 
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.8 Mobile NintendoBrowser/1.0.9934.<region>
 
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.8 Mobile NintendoBrowser/1.0.9934.<region>
| Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25
   
| v10
 
| v10
 
| [[9.0.0-20]]
 
| [[9.0.0-20]]
Line 50: Line 54:  
| 1.1.9996
 
| 1.1.9996
 
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.10 Mobile NintendoBrowser/1.1.9996.<region>
 
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.10 Mobile NintendoBrowser/1.1.9996.<region>
| Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25
   
| v1027
 
| v1027
 
| [[9.3.0-21]]
 
| [[9.3.0-21]]
Line 57: Line 60:  
| 1.2.10085
 
| 1.2.10085
 
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.13 Mobile NintendoBrowser/1.2.10085.<region>
 
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.13 Mobile NintendoBrowser/1.2.10085.<region>
| Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25
   
| v2051
 
| v2051
 
| [[9.6.0-24]]
 
| [[9.6.0-24]]
 
| See below.
 
| See below.
 
|-
 
|-
| None
   
| None
 
| None
 
| None
 
| None
Line 70: Line 71:  
|-
 
|-
 
| 1.3.10126
 
| 1.3.10126
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.15 Mobile NintendoBrowser/1.3.10126.US
+
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.15 Mobile NintendoBrowser/1.3.10126.<region>
| Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25
   
| v3077
 
| v3077
 
| [[9.9.0-26]]
 
| [[9.9.0-26]]
Line 77: Line 77:  
|-
 
|-
 
| 1.4.10138
 
| 1.4.10138
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.17 Mobile NintendoBrowser/1.4.10138.US
+
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.17 Mobile NintendoBrowser/1.4.10138.<region>
| Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25
   
| v4096
 
| v4096
 
| [[10.2.0-28]]
 
| [[10.2.0-28]]
 
| See below.
 
| See below.
 
|-
 
|-
|  
+
| 1.5.10143
|  
+
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.5.10143.<region>
|
   
| v5121
 
| v5121
 
| [[10.4.0-29]]
 
| [[10.4.0-29]]
 
| See below.
 
| See below.
 
|-
 
|-
|  
+
| 1.6.10147
|  
+
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.6.10147.<region>
|
   
| v6144
 
| v6144
 
| [[10.6.0-31]]
 
| [[10.6.0-31]]
 +
| See below.
 +
|-
 +
| None
 +
| None
 +
| v7168
 +
| v10.7 CUP
 +
| v10.7 CUP dummy web-browser, see below.
 +
|-
 +
| 1.7.10150
 +
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.7.10150.<region>
 +
| v7184
 +
| [[10.7.0-32]]
 +
| See below.
 +
|-
 +
| 1.8.10156
 +
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.20 Mobile NintendoBrowser/1.8.10156.<region>
 +
| v8192
 +
| [[11.1.0-34]]
 +
| See below.
 +
|-
 +
| None
 +
| None
 +
| v9217
 +
| v11.4 CUP
 +
| v11.4 CUP dummy web-browser, see below.
 +
|-
 +
| 1.9.10160
 +
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.20 Mobile NintendoBrowser/1.9.10160.<region>
 +
| v9232
 +
| [[11.4.0-37]]
 +
| See below.
 +
|-
 +
| 1.10.10166
 +
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.22 Mobile NintendoBrowser/1.10.10166.<region>
 +
| v10272
 +
| [[11.9.0-42]]
 +
| See below.
 +
|-
 +
| 1.11.10172
 +
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.23 Mobile NintendoBrowser/1.11.10172.<region>
 +
| v11264
 +
| [[11.14.0-46]]
 
| See below.
 
| See below.
 
|}
 
|}
    
Note that the latest Old3DS browser WebKit version at the time the initial New3DS browser was released, was the following: 532.8.
 
Note that the latest Old3DS browser WebKit version at the time the initial New3DS browser was released, was the following: 532.8.
 +
 +
The first version of the KOR New3DS browser was v9.6(which was when the New3DS KOR titles were originally added). Each version of the KOR browser has the same NintendoBrowser version as the other regions. The KOR browser has been only updated when the browser for the other regions were updated, hence the title-versions are the same as well. The KOR browser ExeFS .code is different from the other regions(more than just region-related IDs etc).
    
==== OSS 9.0 and 9.3 diff ====
 
==== OSS 9.0 and 9.3 diff ====
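Review bot: The added KOR paragraph says the KOR ExeFS .code differs from the other regions by "more than just region-related IDs etc", which conflicts with the unchanged intro sentence that the only per-region difference in ExeFS .code is the uniqueID/region byte values. Qualify the intro sentence so it excludes KOR, and say briefly what kind of difference was seen. Separately, the new 11.9.0-42 and 11.14.0-46 rows say "See below." but the subsections added in this edit stop at "==== v11.4 ====", so those two pointers have nothing to land on yet.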
Line 305: Line 346:  
  /build/buildinfo.dat
 
  /build/buildinfo.dat
 
  /static.crs
 
  /static.crs
 +
 +
==== v10.7 ====
 +
Basically the same changes as Old3DS v10.7, except with the usual buildinfo.dat update in RomFS. The below date is 6 days after the browser-version-check [[3DS_Userland_Flaws|bypass]] was publicly disclosed.
 +
 +
cat v7184/00000025_romfs/build/buildinfo.dat
 +
10150
 +
applet
 +
2016-03-02 18:25
 +
 +
==== v11.1 ====
 +
The ExeFS codebin was updated. The following files in RomFS were updated:
 +
 +
  /build/buildinfo.dat
 +
  /.crr/static.crr
 +
  /oss.cro.lex
 +
  /static.crs
 +
  /webkit.cro.lex
 +
 +
  cat v8192/00000026_romfs/build/buildinfo.dat
 +
  10156
 +
  applet
 +
  2016-08-26 19:47
 +
 +
Minus the 4 functions that changed due to compiler optimization, only 1 function was actually updated. This is LT_1a4004, previous version at LT_1a4004: libstagefright status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth)
 +
 +
Additional code was added which doesn't seem to be from upstream git, right [https://android.googlesource.com/platform/frameworks/av/+/32d6e5f0ebe9e00f80401e5f4fd6e285a474590d/media/libstagefright/MPEG4Extractor.cpp#880 before] the cprt code block: "if((*offset + chunk_size) - data_offset < 0)fail"
 +
 +
This fixed skater31hax + any other mp4 haxx which requires using a negative 64bit chunk_size value.
 +
 +
The filepath base used in the assert strings were changed from "d:\Jenkins\workspace\MPSkaterBuild\MVPlayer\Skater\Base\Android\frameworks\base\media\libstagefright\" to "d:\jenkins\workspace\MPSkaterBuild-Git\Base\Android\frameworks\base\media\libstagefright\".
 +
 +
==== v11.4 ====
 +
The only changes in RomFS was for "/build/buildinfo.dat" and "/static.crs", hence no OSS in CRO(s) were updated.
 +
 +
The main codebin was updated. Exactly two functions were updated, these are not related to code exec vulns.
 +
 +
  cat v9232/00000027_romfs/build/buildinfo.dat
 +
  10160
 +
  applet
 +
  2017-03-08 19:44
    
=== New3DS Browser Specifications ===
 
=== New3DS Browser Specifications ===
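Review bot: In the v11.1 section, "This is LT_1a4004, previous version at LT_1a4004" gives the same address for the new and the old function; if the function did not move, say so, otherwise correct one of the two. The quoted check "if((*offset + chunk_size) - data_offset < 0)fail" is the security-relevant part of this section and would read better in code formatting with a note that the operands are signed 64-bit, since the next sentence depends on a negative chunk_size. The v10.7 "cat ... buildinfo.dat" block is also missing the leading-space indent that the v11.1 and v11.4 blocks use, so it will render as running text instead of preformatted output.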
Line 327: Line 408:     
MJPEG + .avi is also supported.
 
MJPEG + .avi is also supported.
 +
 +
==== Notes ====
 +
* The html "color" <input> type is not supported.
    
== Old3DS browser ==
 
== Old3DS browser ==
Line 335: Line 419:  
* "User agent: Mozilla/5.0 (Nintendo 3DS; region; ; en) Version/1.7498.US"
 
* "User agent: Mozilla/5.0 (Nintendo 3DS; region; ; en) Version/1.7498.US"
 
* "Supported protocols: HTTP1.0/HTTP1.1/SSLv3/TLS1.0"
 
* "Supported protocols: HTTP1.0/HTTP1.1/SSLv3/TLS1.0"
* "Web standard: HTML 4.01/XHTML 1.1/CSS 1/CSS 2.1/CSS 3 (partial functionality)/DOM Levels 1-3/ECMAScript
+
* "Web standard: HTML 4.01/XHTML 1.1/CSS 1/CSS 2.1/CSS 3 (partial functionality)/DOM Levels 1-3/ECMAScript/XMLHttpRequest/Canvas Element (partial functionality)"
/XMLHttpRequest/Canvas Element (partial functionality)"
   
* "Image format: MPO / GIF / JPEG / PNG / BMP / ICO (some images cannot be displayed)"
 
* "Image format: MPO / GIF / JPEG / PNG / BMP / ICO (some images cannot be displayed)"
 
* "Plug-ins: Plug-ins such as Adobe Flash are not supported"
 
* "Plug-ins: Plug-ins such as Adobe Flash are not supported"
Line 367: Line 450:  
| [[4.0.0-7]]
 
| [[4.0.0-7]]
 
| ExeFS .code was updated, both of the CROs(webkit/OSS) were updated too. The manual CFA was updated as well.
 
| ExeFS .code was updated, both of the CROs(webkit/OSS) were updated too. The manual CFA was updated as well.
 +
|-
 +
| 1.7538
 +
| v0
 +
| [[4.2.0-9]]
 +
| First version of the KOR browser. The CROs are different from the  USA/EUR/JPN [[4.0.0-7]] browser.
 
|-
 
|-
 
| 1.7552
 
| 1.7552
Line 412: Line 500:  
| See below.
 
| See below.
 
|-
 
|-
|  
+
| 1.7622
 
| v8192
 
| v8192
 
| [[10.6.0-31]]
 
| [[10.6.0-31]]
 +
| See below.
 +
|-
 +
| None
 +
| v9216
 +
| v10.7 CUP
 +
| v10.7 CUP dummy web-browser, see below.
 +
|-
 +
| 1.7625
 +
| v9232
 +
| [[10.7.0-32]]
 +
| See below.
 +
|-
 +
| 1.7630
 +
| v10240
 +
| [[11.1.0-34]]
 +
| See below.
 +
|-
 +
| 1.7636
 +
| v11297
 +
| [[11.9.0-42]]
 +
| See below.
 +
|-
 +
| 1.7639
 +
| v12288
 +
| [[11.14.0-46]]
 
| See below.
 
| See below.
 
|}
 
|}
 +
 +
=== Heap ===
 +
The USA/EUR/JPN + KOR browser allocates the 0x08000000 heap with size 0x01A97000. The size used by the CHN and TWN browser is 0x01997000, exactly 0x100000-bytes smaller.
    
=== Old3DS v9.9 ===
 
=== Old3DS v9.9 ===
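Review bot: The new Heap section does not say which browser (Old3DS, New3DS, or both) or which title version the sizes 0x01A97000 and 0x01997000 were read from. It sits under the Old3DS heading, but the text only says "The USA/EUR/JPN + KOR browser". Add the browser and version so the figures can be rechecked against later updates. In the table rows above, 11.9.0-42 and 11.14.0-46 say "See below." while the Old3DS subsections added by this edit only cover v10.7 and v11.1.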
Line 555: Line 671:  
  /.crr/static.crr
 
  /.crr/static.crr
 
  /manual/Manual.bcma
 
  /manual/Manual.bcma
 +
 +
=== Old3DS v10.7 ===
 +
''Nothing'' changed except some words for version-values in .text being updated(RomFS wasn't changed), code for browser-version-check was [[#v10.7_2|updated]].
 +
 +
=== Old3DS v11.1 ===
 +
Nothing changed in the ExeFS codebin besides the usual version values. The following files in RomFS were updated:
 +
  /cro/oss.cro
 +
  /cro/webkit.cro
 +
  /.crr/static.crr
    
== Forced system-update ==
 
== Forced system-update ==
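Review bot: The Old3DS v10.7 entry opens with "Nothing changed" and then ends with "code for browser-version-check was updated", so the sentence contradicts itself. Reword it to say that the only code change was in the browser-version-check and that the rest is version values. The link target #v10.7_2 depends on the order of identically named headings on the page and will silently point elsewhere if another "v10.7" heading is added; a uniquely named heading would be safer. For v11.1, it would help to state whether the updated oss.cro/webkit.cro carry the same parseChunk check described for New3DS v11.1.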
Line 625: Line 750:  
  000030: 64 6f 2e 6e 65 74 0d 0a 0d 0a                    do.net....
 
  000030: 64 6f 2e 6e 65 74 0d 0a 0d 0a                    do.net....
   −
== v9.9 dummy web-browser ==
+
=== v10.7 ===
The gamecard v9.9 sysupdate included with some games contains a dummy Old3DS/New3DS web-browser. The *only* thing this title does is display the same message listed in the above forced-update section. The message files in RomFS *only* contain that message string above. There are no "http" strings in the main codebin, and [[RO_Services|RO]] isn't used either(no CRO data in RomFS at all). Both browsers are internally called "dummySpider".
+
The only actual code change with Old3DS/New3DS browser v10.7 was that the code which calculates the diff_timestamp was moved to immediately after the block which initializes <state_timestamp> when <state_timestamp> is all-zero. This fixed the browser-version-check [[3DS_Userland_Flaws|bypass]].
 +
 
 +
== Dummy web-browser ==
 +
Gamecards v9.9 and above include, with their sysupdate, a dummy Old3DS/New3DS web-browser. The *only* thing this title does is display the same message listed in the above forced-update section. The message files in RomFS *only* contain that message string above. There are no "http" strings in the main codebin, and [[RO_Services|RO]] isn't used either(no CRO data in RomFS at all). Both browsers are internally called "dummySpider".
   −
Hence, if you update your system from pre-v9.9 using a gamecard with v9.9, the system web-browser will be rendered *completely* useless until you install a system-update from CDN(no network requests involved here).
+
Hence, if you update your system below v9.8 with any v9.9 or above gamecard, the system web-browser will be rendered *completely* useless until you install a system-update from CDN(no network requests involved here).
 +
 
 +
Gamecards v10.7 and v11.4(New3DS only) have updated the dummy web-browser, where the only difference is the title version.
    
== Savedata ==
 
== Savedata ==
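Review bot: The rewritten sentence now reads "if you update your system below v9.8 with any v9.9 or above gamecard", where the old text said "from pre-v9.9". As written, a system on v9.8 itself is excluded, which changes the claim; use "below v9.9" unless v9.8 really behaves differently. The heading rename from "v9.9 dummy web-browser" to "Dummy web-browser" also breaks inbound links to the old anchor from other pages. In the new v10.7 subsection, "<state_timestamp>" and "diff_timestamp" are used without saying where they are defined; link them to the Savedata field they correspond to.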
Line 663: Line 793:  
| s64 timestamp, can be either a normal positive timestamp or a relative negative one. Used with the forced-update described above. When an update is detected this timestamp is negative, otherwise this is a normal positive timestamp(it's unknown how exactly this timestamp is checked). When positive, this seems to be the last time the forced-update HTTPS request was done where no update was needed.
 
| s64 timestamp, can be either a normal positive timestamp or a relative negative one. Used with the forced-update described above. When an update is detected this timestamp is negative, otherwise this is a normal positive timestamp(it's unknown how exactly this timestamp is checked). When positive, this seems to be the last time the forced-update HTTPS request was done where no update was needed.
 
|}
 
|}
 +
 +
==APT Parameters==
 +
The URL to load can optionally be loaded from char[] string [[APT:SendParameter|paramblk+0]]. This is used when scanning URL QR-codes in Home Menu / etc.
    
==Errors==
 
==Errors==
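Review bot: The new APT Parameters section says the URL is read from a char[] string at paramblk+0 but gives no maximum length or termination requirement. Since the section notes this input comes from scanned QR codes, document the buffer size and whether NUL termination is expected, or state that this is unknown. "can optionally be loaded" also repeats "load" twice; "can optionally be supplied via" reads more clearly.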
Line 761: Line 894:  
==Example Sites==
 
==Example Sites==
 
<!-- If you have a website that demonstrates these techniques, place it here! -->
 
<!-- If you have a website that demonstrates these techniques, place it here! -->
* [http://www.nintendo.com/3ds/internetbrowser/bookmarks Nintendo 3DS Bookmarks] - This is the first bookmark pre-installed in the browser.
+
* [http://www.nintendo.com/3ds/internetbrowser/bookmarks Nintendo 3DS Bookmarks]: This is the first bookmark pre-installed in the browser.
 +
* [https://imgsharetool.herokuapp.com ImageShare]: Image uploader for the 3DS ([https://github.com/corbindavenport/image-share source code])
 
* [http://3ds.andysmith.co.uk/jFox.html jFox] (Short URL: http://bit.ly/iB7FqW)
 
* [http://3ds.andysmith.co.uk/jFox.html jFox] (Short URL: http://bit.ly/iB7FqW)
* [http://ditto3d.com/3ds Ditto3D] (Short URL: http://bit.ly/oVreWA)
+
* [http://ditto3d.com/3ds Ditto3D (Dead Link)] (Short URL: http://bit.ly/oVreWA)
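Review bot: The Ditto3D entry is labelled "(Dead Link)" inside the link text but remains a live hyperlink, and the bit.ly short URL is kept beside it. Unlink the entry or point it at an archived copy, and drop the short URL, since a shortener for a dead site can be re-pointed. The new ImageShare entry links to a third-party hosted app; keeping the source-code link as added is good, and a short note that the site is community-run would match how the Nintendo bookmark entry is described.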
