2
edits
Changes
Jump to navigation
Jump to search
Line 11:
Line 11: − + Line 35:
Line 35: + + Line 40:
Line 42: − ! Mobile UA Line 47:
Line 48: − | Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25 Line 54:
Line 54: − | Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25 Line 61:
Line 60: − | Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25 − | None Line 74:
Line 71: − + − | Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25 Line 81:
Line 77: − + − | Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25 Line 88:
Line 83: − + − | Line 95:
Line 89: − + − | Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25 + + + + + + − + − | − + − + − | + + + + + + + + + + + + + + + + + + + + + + + + Line 349:
Line 370: + + + + + + + + + + + + + + Line 384:
Line 419: − + − Line 470:
Line 504: + + + + + + + + + + + + + + + + + + + + Line 620:
Line 674: + + + + + + Line 693:
Line 753: − + − + + + Line 832:
Line 894: − + + − +
→Example Sites
The only difference between the ExeFS .code for each region of the Old3DS/New3DS browser, is byte values for the title uniqueID/region.
The only difference between the ExeFS .code for each region of the Old3DS/New3DS browser, is byte values for the title uniqueID/region.
A [[#v9.9_dummy_web-browser|"dummy" browser]] (which replaces the actual browser) is being included with cartdrige games shipping the [[9.9.0-26|9.9.0-X]] system update.
A [[#Dummy_web-browser|"dummy" browser]] (which replaces the actual browser) is being included with cartdrige games shipping with system updates starting with [[9.9.0-26|9.9.0-X]].
In addition, versions of the real browser since 9.9.0-26X attempt to [[#Forced_system-update|check-in with a Nintendo server]] to determine if the existing browser version is out of date.
In addition, versions of the real browser since 9.9.0-26X attempt to [[#Forced_system-update|check-in with a Nintendo server]] to determine if the existing browser version is out of date.
<region> can be one of the following: "JP", "US", or "EU".
<region> can be one of the following: "JP", "US", or "EU".
Mobile User-Agent is always <code>Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25</code>.
{| class="wikitable" border="1"
{| class="wikitable" border="1"
! Mobile NintendoBrowser version(displayed in browser settings)
! Mobile NintendoBrowser version(displayed in browser settings)
! Normal UA
! Normal UA
! CDN Title-version
! CDN Title-version
! Network-only system-update version
! Network-only system-update version
| 1.0.9934
| 1.0.9934
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.8 Mobile NintendoBrowser/1.0.9934.<region>
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.8 Mobile NintendoBrowser/1.0.9934.<region>
| v10
| v10
| [[9.0.0-20]]
| [[9.0.0-20]]
| 1.1.9996
| 1.1.9996
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.10 Mobile NintendoBrowser/1.1.9996.<region>
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.10 Mobile NintendoBrowser/1.1.9996.<region>
| v1027
| v1027
| [[9.3.0-21]]
| [[9.3.0-21]]
| 1.2.10085
| 1.2.10085
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.13 Mobile NintendoBrowser/1.2.10085.<region>
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.13 Mobile NintendoBrowser/1.2.10085.<region>
| v2051
| v2051
| [[9.6.0-24]]
| [[9.6.0-24]]
| See below.
| See below.
|-
|-
| None
| None
| None
| None
|-
|-
| 1.3.10126
| 1.3.10126
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.15 Mobile NintendoBrowser/1.3.10126.US
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.15 Mobile NintendoBrowser/1.3.10126.<region>
| v3077
| v3077
| [[9.9.0-26]]
| [[9.9.0-26]]
|-
|-
| 1.4.10138
| 1.4.10138
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.17 Mobile NintendoBrowser/1.4.10138.US
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.17 Mobile NintendoBrowser/1.4.10138.<region>
| v4096
| v4096
| [[10.2.0-28]]
| [[10.2.0-28]]
|-
|-
| 1.5.10143
| 1.5.10143
|
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.5.10143.<region>
| v5121
| v5121
| [[10.4.0-29]]
| [[10.4.0-29]]
|-
|-
| 1.6.10147
| 1.6.10147
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.6.10147.US
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.6.10147.<region>
| v6144
| v6144
| [[10.6.0-31]]
| [[10.6.0-31]]
| See below.
| See below.
|-
| None
| None
| v7168
| v10.7 CUP
| v10.7 CUP dummy web-browser, see below.
|-
|-
| 1.7.10150
| 1.7.10150
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.7.10150.US
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.7.10150.<region>
| v7184
| v7184
| [[10.7.0-32]]
| [[10.7.0-32]]
| See below.
| See below.
|-
|-
|
| 1.8.10156
|
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.20 Mobile NintendoBrowser/1.8.10156.<region>
| v8192
| v8192
| [[11.1.0-34]]
| [[11.1.0-34]]
| See below.
|-
| None
| None
| v9217
| v11.4 CUP
| v11.4 CUP dummy web-browser, see below.
|-
| 1.9.10160
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.20 Mobile NintendoBrowser/1.9.10160.<region>
| v9232
| [[11.4.0-37]]
| See below.
|-
| 1.10.10166
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.22 Mobile NintendoBrowser/1.10.10166.<region>
| v10272
| [[11.9.0-42]]
| See below.
|-
| 1.11.10172
| Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.23 Mobile NintendoBrowser/1.11.10172.<region>
| v11264
| [[11.14.0-46]]
| See below.
| See below.
|}
|}
Minus the 4 functions that changed due to compiler optimization, only 1 function was actually updated. This is LT_1a4004, previous version at LT_1a4004: libstagefright status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth)
Minus the 4 functions that changed due to compiler optimization, only 1 function was actually updated. This is LT_1a4004, previous version at LT_1a4004: libstagefright status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth)
Additional code was added which doesn't seem to be from upstream git, right [https://android.googlesource.com/platform/frameworks/av/+/32d6e5f0ebe9e00f80401e5f4fd6e285a474590d/media/libstagefright/MPEG4Extractor.cpp#880 before] the cprt code block: "if((*offset + chunk_size) - data_offset < 0)fail"
This fixed skater31hax + any other mp4 haxx which requires using a negative 64bit chunk_size value.
The filepath base used in the assert strings were changed from "d:\Jenkins\workspace\MPSkaterBuild\MVPlayer\Skater\Base\Android\frameworks\base\media\libstagefright\" to "d:\jenkins\workspace\MPSkaterBuild-Git\Base\Android\frameworks\base\media\libstagefright\".
The filepath base used in the assert strings were changed from "d:\Jenkins\workspace\MPSkaterBuild\MVPlayer\Skater\Base\Android\frameworks\base\media\libstagefright\" to "d:\jenkins\workspace\MPSkaterBuild-Git\Base\Android\frameworks\base\media\libstagefright\".
==== v11.4 ====
The only changes in RomFS was for "/build/buildinfo.dat" and "/static.crs", hence no OSS in CRO(s) were updated.
The main codebin was updated. Exactly two functions were updated, these are not related to code exec vulns.
cat v9232/00000027_romfs/build/buildinfo.dat
10160
applet
2017-03-08 19:44
=== New3DS Browser Specifications ===
=== New3DS Browser Specifications ===
* "User agent: Mozilla/5.0 (Nintendo 3DS; region; ; en) Version/1.7498.US"
* "User agent: Mozilla/5.0 (Nintendo 3DS; region; ; en) Version/1.7498.US"
* "Supported protocols: HTTP1.0/HTTP1.1/SSLv3/TLS1.0"
* "Supported protocols: HTTP1.0/HTTP1.1/SSLv3/TLS1.0"
* "Web standard: HTML 4.01/XHTML 1.1/CSS 1/CSS 2.1/CSS 3 (partial functionality)/DOM Levels 1-3/ECMAScript
* "Web standard: HTML 4.01/XHTML 1.1/CSS 1/CSS 2.1/CSS 3 (partial functionality)/DOM Levels 1-3/ECMAScript/XMLHttpRequest/Canvas Element (partial functionality)"
/XMLHttpRequest/Canvas Element (partial functionality)"
* "Image format: MPO / GIF / JPEG / PNG / BMP / ICO (some images cannot be displayed)"
* "Image format: MPO / GIF / JPEG / PNG / BMP / ICO (some images cannot be displayed)"
* "Plug-ins: Plug-ins such as Adobe Flash are not supported"
* "Plug-ins: Plug-ins such as Adobe Flash are not supported"
| [[10.6.0-31]]
| [[10.6.0-31]]
| See below.
| See below.
|-
| None
| v9216
| v10.7 CUP
| v10.7 CUP dummy web-browser, see below.
|-
|-
| 1.7625
| 1.7625
| v9232
| v9232
| [[10.7.0-32]]
| [[10.7.0-32]]
| See below.
|-
| 1.7630
| v10240
| [[11.1.0-34]]
| See below.
|-
| 1.7636
| v11297
| [[11.9.0-42]]
| See below.
|-
| 1.7639
| v12288
| [[11.14.0-46]]
| See below.
| See below.
|}
|}
=== Old3DS v10.7 ===
=== Old3DS v10.7 ===
''Nothing'' changed except some words for version-values in .text being updated(RomFS wasn't changed), code for browser-version-check was [[#v10.7_2|updated]].
''Nothing'' changed except some words for version-values in .text being updated(RomFS wasn't changed), code for browser-version-check was [[#v10.7_2|updated]].
=== Old3DS v11.1 ===
Nothing changed in the ExeFS codebin besides the usual version values. The following files in RomFS were updated:
/cro/oss.cro
/cro/webkit.cro
/.crr/static.crr
== Forced system-update ==
== Forced system-update ==
The only actual code change with Old3DS/New3DS browser v10.7 was that the code which calculates the diff_timestamp was moved to immediately after the block which initializes <state_timestamp> when <state_timestamp> is all-zero. This fixed the browser-version-check [[3DS_Userland_Flaws|bypass]].
The only actual code change with Old3DS/New3DS browser v10.7 was that the code which calculates the diff_timestamp was moved to immediately after the block which initializes <state_timestamp> when <state_timestamp> is all-zero. This fixed the browser-version-check [[3DS_Userland_Flaws|bypass]].
== v9.9+ dummy web-browser ==
== Dummy web-browser ==
Gamecards v9.9 and above include, with their sysupdate, a dummy Old3DS/New3DS web-browser. The *only* thing this title does is display the same message listed in the above forced-update section. The message files in RomFS *only* contain that message string above. There are no "http" strings in the main codebin, and [[RO_Services|RO]] isn't used either(no CRO data in RomFS at all). Both browsers are internally called "dummySpider".
Gamecards v9.9 and above include, with their sysupdate, a dummy Old3DS/New3DS web-browser. The *only* thing this title does is display the same message listed in the above forced-update section. The message files in RomFS *only* contain that message string above. There are no "http" strings in the main codebin, and [[RO_Services|RO]] isn't used either(no CRO data in RomFS at all). Both browsers are internally called "dummySpider".
Hence, if you update your system with any v9.9 or above gamecard, the system web-browser will be rendered *completely* useless until you install a system-update from CDN(no network requests involved here).
Hence, if you update your system below v9.8 with any v9.9 or above gamecard, the system web-browser will be rendered *completely* useless until you install a system-update from CDN(no network requests involved here).
Gamecards v10.7 and v11.4(New3DS only) have updated the dummy web-browser, where the only difference is the title version.
== Savedata ==
== Savedata ==
==Example Sites==
==Example Sites==
<!-- If you have a website that demonstrates these techniques, place it here! -->
<!-- If you have a website that demonstrates these techniques, place it here! -->
* [http://www.nintendo.com/3ds/internetbrowser/bookmarks Nintendo 3DS Bookmarks] - This is the first bookmark pre-installed in the browser.
* [http://www.nintendo.com/3ds/internetbrowser/bookmarks Nintendo 3DS Bookmarks]: This is the first bookmark pre-installed in the browser.
* [https://imgsharetool.herokuapp.com ImageShare]: Image uploader for the 3DS ([https://github.com/corbindavenport/image-share source code])
* [http://3ds.andysmith.co.uk/jFox.html jFox] (Short URL: http://bit.ly/iB7FqW)
* [http://3ds.andysmith.co.uk/jFox.html jFox] (Short URL: http://bit.ly/iB7FqW)
* [http://ditto3d.com/3ds Ditto3D] (Short URL: http://bit.ly/oVreWA)
* [http://ditto3d.com/3ds Ditto3D (Dead Link)] (Short URL: http://bit.ly/oVreWA)