Internet Browser

Revision as of 19:13, 11 April 2017 by Yellows8 (talk | contribs) (→‎v11.4)

The 3DS Internet Browser was added in the June 2011 Update for JPN/EUR/USA.

From the Internet Browser help section: In compliance with the LGPL, the source code of the OSS is available via the Nintendo website. This source code can be downloaded here: [1] [2]

The 3DS Internet Browser is Netfront Browser NX v1.0 based on WebKit engine.

On O3DS the exheader name of this title is "SPIDER"; on N3DS, "SKATER". The only difference between the ExeFS .code for each region of the Old3DS/New3DS browser, is byte values for the title uniqueID/region.

A "dummy" browser (which replaces the actual browser) is being included with cartdrige games shipping with system updates starting with 9.9.0-X. In addition, versions of the real browser since 9.9.0-26X attempt to check-in with a Nintendo server to determine if the existing browser version is out of date.

New 3DS Internet Browser

New3DS has a separate browser title, with the exheader name "SKATER". Unlike the Old3DS browser, the New3DS browser has videos+HTML5 support.

This browser also has a filter enabled by default in the JPN version. Disabling it requires paying money with a credit-card, for purchasing web-browser DLC. During startup the browser does various HTTPS comms. When visting an URL, the browser sends a plaintext HTTP POST here: [3]. The raw POST data begins with "ARS/2.0\r\n\x00", the rest appears to be encrypted. The server reply content also has this ARS header + encrypted data. This appears to use a fixed xorpad, likely from a fixed encryption CTR/IV. The server content responses for allowed sites, and blocked sites, are fixed. When the server returns that the site is blocked, the browser goes to this page: [4](the Referrer header value is set to the same URL it's actually requesting).

The WebKit source was updated since the Old3DS browser. The New3DS browser uses the following services: mvd:STD and ir:rst(DLC-related services are used too but those aren't New3DS specific). Video decoding is done with mvd:STD. Audio decoding/playback is done with a browser-specific DSP binary. The Old3DS browser used CSND for audio playback, the New3DS browser doesn't have access to that at all since it uses DSP instead.

Video / libstagefright

The browser manual includes licenses for Android and PacketVideo. The browser uses libstagefright from Android. Just like WebKit, the browser appears to use a very old version of libstagefright with security/other changes back-ported(for example, the v10.7 browser libstagefright codebase seems to be older than this). This codebase is missing certain chunk-parsing code for 3GP.

HTTP for libstagefright is internally handled with HTTPC, with a similar(?) set of RootCAs as for browser-version-check.

User-Agent and Browser Versions

Normal user-agent format: Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/<WebKit version> (KHTML, like Gecko) NX/<Netfront version> Mobile NintendoBrowser/<Mobile NintendoBrowser version>.<region>

<region> can be one of the following: "JP", "US", or "EU".

Mobile User-Agent is always Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25.

Mobile NintendoBrowser version(displayed in browser settings) Normal UA CDN Title-version Network-only system-update version Notes
1.0.9934 Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.8 Mobile NintendoBrowser/1.0.9934.<region> v10 9.0.0-20 Initial version.
1.1.9996 Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.10 Mobile NintendoBrowser/1.1.9996.<region> v1027 9.3.0-21 See below regarding OSS changes.
1.2.10085 Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.13 Mobile NintendoBrowser/1.2.10085.<region> v2051 9.6.0-24 See below.
None None v3075 v9.9 CUP v9.9 CUP dummy web-browser, see below.
1.3.10126 Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.15 Mobile NintendoBrowser/1.3.10126.<region> v3077 9.9.0-26 See below.
1.4.10138 Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.17 Mobile NintendoBrowser/1.4.10138.<region> v4096 10.2.0-28 See below.
1.5.10143 Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.5.10143.<region> v5121 10.4.0-29 See below.
1.6.10147 Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.6.10147.<region> v6144 10.6.0-31 See below.
None None v7168 v10.7 CUP v10.7 CUP dummy web-browser, see below.
1.7.10150 Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.7.10150.<region> v7184 10.7.0-32 See below.
1.8.10156 Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.20 Mobile NintendoBrowser/1.8.10156.<region> v8192 11.1.0-34 See below.
1.9.10160 Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.20 Mobile NintendoBrowser/1.9.10160.<region> v9232 11.4.0-37 See below.

Note that the latest Old3DS browser WebKit version at the time the initial New3DS browser was released, was the following: 532.8.

The first version of the KOR New3DS browser was v9.6(which was when the New3DS KOR titles were originally added). Each version of the KOR browser has the same NintendoBrowser version as the other regions. The KOR browser has been only updated when the browser for the other regions were updated, hence the title-versions are the same as well. The KOR browser ExeFS .code is different from the other regions(more than just region-related IDs etc).

OSS 9.0 and 9.3 diff

The following is a diff of the OSS archives from here, for v9.0 and v9.3.

Files NewNintendo3DS_OpenSources9.0.0-/WKC/WebCore/platform/network/WKC/ResourceHandleManagerWKC.cpp and NewNintendo3DS_OpenSources9.3.0-/WKC/WebCore/platform/network/WKC/ResourceHandleManagerWKC.cpp differ
Files NewNintendo3DS_OpenSources9.0.0-/WKC/WebKit/WKC/webkit/WKCVersion.h and NewNintendo3DS_OpenSources9.3.0-/WKC/WebKit/WKC/webkit/WKCVersion.h differ

WKC_CUSTOMER_RELEASE_VERSION was changed from "0.5.8" to "0.5.10".

The following code was added to ResourceHandleManager::doRedirect(): curl_easy_setopt(d->m_handle, CURLOPT_SHARE, 0);

v9.6

WebKit/OSS code was actually updated. ExeFS .code was updated. The following files in RomFS were updated:

  • "/banner/CN/Skater.icn" and "/banner/KR/Skater.icn".
  • "/browser/rootca.pem"
  • "/build/buildinfo.dat"
  • "/cairo.cro.lex" and "/.crr/static.crr"
  • "/lyt/Button/ButtonSelectHSearch.arc"
  • "/lyt/Kbd/Swkbd.arc"
  • "lyt/Kbd.arc"
  • "skater.msbt" under all of the "/message/<region>_<language>/" directories.
  • "/oss.cro.lex", "/peer.cro.lex", "/static.crs", and "/webkit.cro.lex".

The following was added to RomFS:

  • "/favicon/naver.dat"
  • A "KO" directory under "/iwnn".

v9.9

ExeFS:/.code was updated.

The only RomFS changes is file-updating, all of the following files were updated:

/browser/rootca.pem
/build/buildinfo.dat
/cairo.cro.lex
/.crr/static.crr
/message/CN_Simp_Chinese/skater.msbt
/message/EU_Dutch/skater.msbt
/message/EU_English/skater.msbt
/message/EU_French/skater.msbt
/message/EU_German/skater.msbt
/message/EU_Italian/skater.msbt
/message/EU_Portuguese/skater.msbt
/message/EU_Russian/skater.msbt
/message/EU_Spanish/skater.msbt
/message/JP_Japanese/skater.msbt
/message/KR_Hangeul/skater.msbt
/message/TW_English/skater.msbt
/message/TW_Trad_Chinese/skater.msbt
/message/US_English/skater.msbt
/message/US_French/skater.msbt
/message/US_Portuguese/skater.msbt
/message/US_Spanish/skater.msbt
/oss.cro.lex
/peer.cro.lex
/static.crs
/webkit.cro.lex

See here for a diff of the OSS(WebKitLibraries/ is not included due to the massive cairo library diff). An exploitable security vuln(which was already known in the context of 3DS webkit) was fixed. Yellows8' private(at the time of writing) exploit for it is based on the PoC from here(see the pastebin for the actual pastebin author).

v10.2

The libstagefright build in the main SKATER codebin was updated to a version which fixed libstagefright vuln(s): the vuln used in browserhax_fright at the time of sysupdate release was fixed. The *only* code changed in the main codebin, was code related to libstagefright.

The only RomFS changes is file-updating, all of the following files were updated(see the forced-sysupdate section regarding what changed in the message files):

/browser/rootca.pem
/build/buildinfo.dat
/.crr/static.crr
/message/CN_Simp_Chinese/skater.msbt
/message/EU_Dutch/skater.msbt
/message/EU_English/skater.msbt
/message/EU_French/skater.msbt
/message/EU_German/skater.msbt
/message/EU_Italian/skater.msbt
/message/EU_Portuguese/skater.msbt
/message/EU_Russian/skater.msbt
/message/EU_Spanish/skater.msbt
/message/JP_Japanese/skater.msbt
/message/KR_Hangeul/skater.msbt
/message/TW_English/skater.msbt
/message/TW_Trad_Chinese/skater.msbt
/message/US_English/skater.msbt
/message/US_French/skater.msbt
/message/US_Portuguese/skater.msbt
/message/US_Spanish/skater.msbt
/oss.cro.lex
/static.crs
/webkit.cro.lex

OSS diff:

diff --git a/NewNintendo3DS_OpenSources9.9.0-/WKC/WebKit/WKC/webkit/WKCVersion.h b/NewNintendo3DS_OpenSources10.2.0-/WKC/WebKit/WKC/webkit/WKCVersion.h
index 4543297..0860336 100644
--- a/NewNintendo3DS_OpenSources9.9.0-/WKC/WebKit/WKC/webkit/WKCVersion.h
+++ b/NewNintendo3DS_OpenSources10.2.0-/WKC/WebKit/WKC/webkit/WKCVersion.h
@@ -29,7 +29,7 @@
 #define WKC_VERSION_CHECK(major, minor, micro) \
     (((major)*10000) + ((minor)*100) + (micro)) >= ((WKC_VERSION_MAJOR*10000) + (WKC_VERSION_MINOR*100) + (WKC_VERSION_MICRO))
 
-#define WKC_CUSTOMER_RELEASE_VERSION "0.5.15"
+#define WKC_CUSTOMER_RELEASE_VERSION "0.5.17"
 
 #define WKC_WEBKIT_VERSION "536.30"
 
diff --git a/NewNintendo3DS_OpenSources9.9.0-/webkit/WebCore/ChangeLog b/NewNintendo3DS_OpenSources10.2.0-/webkit/WebCore/ChangeLog
index a5abb35..cf5a9fa 100644
--- a/NewNintendo3DS_OpenSources9.9.0-/webkit/WebCore/ChangeLog
+++ b/NewNintendo3DS_OpenSources10.2.0-/webkit/WebCore/ChangeLog
@@ -1,3 +1,12 @@
+2013-11-05  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Use-after-free in SliderThumbElement::dragFrom
+        https://bugs.webkit.org/show_bug.cgi?id=123873
+
+        Reviewed by Andreas Kling.
+
+        Merge https://chromium.googlesource.com/chromium/blink/+/04a23bfca2d04101a1828d36ff36c29f3a24f34b
+
 2015-02-06  Maciej Stachowiak  <mjs@apple.com>
 
         REGRESSION(r179706): Caused memory corruption on some tests (Requested by _ap_ on #webkit).
@@ -879,7 +888,7 @@
         * rendering/RenderLineBoxList.cpp:
         (WebCore::RenderLineBoxList::dirtyLinesFromChangedChild):
 
-2014-01-21  László Langó  <llango.u-szeged@partner.samsung.com>
+2014-01-21  Laszlo Lango  <llango.u-szeged@partner.samsung.com>
 
         Assertion failure in Range::nodeWillBeRemoved
         https://bugs.webkit.org/show_bug.cgi?id=121694
@@ -1879,7 +1888,7 @@
 
 2012-09-14  Simon Fraser  <simon.fraser@apple.com>
 
-        REGRESSION: transition doesn’t always override transition-property
+        REGRESSION: transition doesnft always override transition-property
         https://bugs.webkit.org/show_bug.cgi?id=96658
 
         Reviewed by Dean Jackson.
@@ -3691,8 +3700,8 @@
             glyph with font data for the primary font, presumably to meet the SVG
             spec requirement: "If the references to alternate glyphs do not result
             in successful identification of alternate glyphs to use, then the
-            character(s) that are inside of the 窶和ltGlyph窶?element are rendered as
-            if the 窶和ltGlyph窶?element were a 窶?span窶?element instead."
+            character(s) that are inside of the ‘altGlyphâ€?element are rendered as
+            if the ‘altGlyphâ€?element were a â€?spanâ€?element instead."

             If the alt glyph is not then found we are in the case from the spec
             and indeed we should use the primary font. However, we end up replacing the GlyphPage
diff --git a/NewNintendo3DS_OpenSources9.9.0-/webkit/WebCore/html/RangeInputType.cpp b/NewNintendo3DS_OpenSources10.2.0-/webkit/WebCore/html/RangeInputType.cpp
index 484adec..d7e9e8d 100644
--- a/NewNintendo3DS_OpenSources9.9.0-/webkit/WebCore/html/RangeInputType.cpp
+++ b/NewNintendo3DS_OpenSources10.2.0-/webkit/WebCore/html/RangeInputType.cpp
@@ -164,7 +164,7 @@ void RangeInputType::handleMouseDownEvent(MouseEvent* event)
     ASSERT(element()->hasShadowRoot());
     if (targetNode != element() && !targetNode->isDescendantOf(element()->shadowTree()->oldestShadowRoot()))
         return;
-    SliderThumbElement* thumb = sliderThumbElementOf(element());
+    RefPtr<SliderThumbElement> thumb = sliderThumbElementOf(element());
     if (targetNode == thumb)
         return;
     thumb->dragFrom(event->absoluteLocation());

v10.4

The ExeFS codebin was updated, the only change was that the following code was updated in the actual NupCheck HTTPS request function:

libpng was updated from version 1.5.21 to 1.5.24.

The following RomFS files were updated(see the forced-sysupdate section regarding what changed in the message files):

/browser/rootca.pem
/build/buildinfo.dat
/cairo.cro.lex
/.crr/static.crr
/message/CN_Simp_Chinese/skater.msbt
/message/EU_Dutch/skater.msbt
/message/EU_English/skater.msbt
/message/EU_French/skater.msbt
/message/EU_German/skater.msbt
/message/EU_Italian/skater.msbt
/message/EU_Portuguese/skater.msbt
/message/EU_Russian/skater.msbt
/message/EU_Spanish/skater.msbt
/message/JP_Japanese/skater.msbt
/message/KR_Hangeul/skater.msbt
/message/TW_English/skater.msbt
/message/TW_Trad_Chinese/skater.msbt
/message/US_English/skater.msbt
/message/US_French/skater.msbt
/message/US_Portuguese/skater.msbt
/message/US_Spanish/skater.msbt
/oss.cro.lex differ
/peer.cro.lex differ
/static.crs differ
/webkit.cro.lex differ

v10.6

The ExeFS codebin was updated.

browserhax_fright_tx3g was fixed. The code handling tx3g now matches the latest libstagefright git.

Hence the below RomFS listing, no OSS was updated at all(besides libstagefright mentioned above).

The following RomFS files were updated:

/build/buildinfo.dat
/static.crs

v10.7

Basically the same changes as Old3DS v10.7, except with the usual buildinfo.dat update in RomFS. The below date is 6 days after the browser-version-check bypass was publicly disclosed.

cat v7184/00000025_romfs/build/buildinfo.dat
10150
applet
2016-03-02 18:25

v11.1

The ExeFS codebin was updated. The following files in RomFS were updated:

 /build/buildinfo.dat
 /.crr/static.crr
 /oss.cro.lex
 /static.crs
 /webkit.cro.lex
 cat v8192/00000026_romfs/build/buildinfo.dat
 10156
 applet
 2016-08-26 19:47

Minus the 4 functions that changed due to compiler optimization, only 1 function was actually updated. This is LT_1a4004, previous version at LT_1a4004: libstagefright status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth)

Additional code was added which doesn't seem to be from upstream git, right before the cprt code block: "if((*offset + chunk_size) - data_offset < 0)fail"

This fixed skater31hax + any other mp4 haxx which requires using a negative 64bit chunk_size value.

The filepath base used in the assert strings were changed from "d:\Jenkins\workspace\MPSkaterBuild\MVPlayer\Skater\Base\Android\frameworks\base\media\libstagefright\" to "d:\jenkins\workspace\MPSkaterBuild-Git\Base\Android\frameworks\base\media\libstagefright\".

v11.4

The only changes in RomFS was for "/build/buildinfo.dat" and "/static.crs", hence no OSS in CRO(s) were updated.

The main codebin was updated. Exactly two functions were updated, these are not related to code exec vulns.

 cat v9232/00000027_romfs/build/buildinfo.dat
 10160
 applet
 2017-03-08 19:44

New3DS Browser Specifications

[5]

English version:

  • "Browser engine: NetFront® Browser NX v3.0"
  • "User agent: Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML and like Gecko) NX/3.0.*.*.* Mobile NintendoBrowser/1.0.**** JP
  • ** Version information is stated.
  • *** When using the “Mobile version request” function, it differs from the above-mentioned character string"
  • "Supported protocols: HTTP1.0/HTTP1.1/SSL3.0/TLS1.0/TLS1.1/TLS1.2"
  • "Web standard: HTML4.01 / HTML5 / XHTML1.1 / Fullscreen API / Gamepad API / SVG / WebSocket / Video Subtitle / WOFF / Web Messaging / Server-Sent / Web Storage (partial) / XMLHttpRequest / Canvas element / Video / DOM Levels 1-3 / ECMAScript / CSS1 / CSS2.1 / CSS3 (partial)"
  • "Image format: bmp / ​​gif / ico / jpeg / png / svg (There are, however, possibilities that some images won't display.)"
  • "Image preview: mpo / jpeg (There are, however, possibilities that some images won't display.)"
  • "Video format: MP4, M3U8 + TS (HTTPLiveStreaming) (There are, however, some videos that may not be played.)"
  • "Video codec: H.264 - MPEG-4 AVC Video (max 854x480 at level 3.2, 3D compatible) (There are, however, some videos that can not be played.)"
  • "Audio codec: AAC - ISO / IEC 14496-3 MPEG-4AAC, MP3 (There are, however, some videos that can not be played.)"
  • "Format for uploading 3D videos: .mkv (In order to be played, videos must be converted to the appropriate format within the site you are uploading to. In some cases, the video will not play even if converted.)"
  • "Plug-ins: Plug-ins such as Adobe Flash are not supported"
  • "Active Rating System filtering: provided by Digital Arts, Inc.. Access to web content can be limited based on its category information, restricting access to web content that may result inappropriate."
  • "Websites can be requested to provide the mobile version (However, if the web page does not have a mobile version, it won't change the way it's displayed.)"

MJPEG + .avi is also supported.

Notes

  • The html "color" <input> type is not supported.

Old3DS browser

Old3DS Browser Specifications

  • "Browser engine: NetFront® Browser"
  • "User agent: Mozilla/5.0 (Nintendo 3DS; region; ; en) Version/1.7498.US"
  • "Supported protocols: HTTP1.0/HTTP1.1/SSLv3/TLS1.0"
  • "Web standard: HTML 4.01/XHTML 1.1/CSS 1/CSS 2.1/CSS 3 (partial functionality)/DOM Levels 1-3/ECMAScript/XMLHttpRequest/Canvas Element (partial functionality)"
  • "Image format: MPO / GIF / JPEG / PNG / BMP / ICO (some images cannot be displayed)"
  • "Plug-ins: Plug-ins such as Adobe Flash are not supported"

Old3DS browser doesn't support events "focusin" and "focusout"

User-Agent and Browser Versions

User-agent format: Mozilla/5.0 (Nintendo 3DS; U; ; <lang>) Version/<version>.<region>.

<lang> is "en", "fr", etc. <region> is "US", "EU", etc. See below for <version>.

Browser version CDN Title-version Network-only system-update version Notes
1.7412 v6 2.0.0-2 This was the initial version.
1.7455 v1024 2.1.0-4 ExeFS .code was updated, both of the CROs(webkit/OSS) were updated too.
1.7498 v2050 4.0.0-7 ExeFS .code was updated, both of the CROs(webkit/OSS) were updated too. The manual CFA was updated as well.
1.7538 v0 4.2.0-9 First version of the KOR browser. The CROs are different from the USA/EUR/JPN 4.0.0-7 browser.
1.7552 v3075 5.0.0-11 ExeFS .code and icon were updated, both of the CROs(webkit/OSS) were updated too. The manual CFA was updated as well.
1.7552 v3088 7.0.0-13 The main NCCH wasn't updated at all(same TMD contentID/content-hash as the previous version), only the manual CFA for this title was updated.
1.7567 v4096 7.1.0-16 The CXI .code was updated, some data in the RomFS was updated(none of the CROs such as webkit.cro were updated). The manual CFA was updated too.
1.7585 v5121 9.5.0-23 The CXI .code was updated, and the manual CFA was updated. RomFS changes:
  • "/browser/rootca.pem" updated
  • "/cro/oss.cro" updated
  • "/cro/static.crs" updated
  • "/cro/webkit.cro" updated
  • "/.crr/static.crr" updated
  • "/layout/dialogheader/WirelessSwitchOff.arc" was removed
  • "/layout/favorite/favicondata/KOR.arc" updated

A vuln used in a public(at the time of this sysupdate) webkit exploit for spider was fixed, which also fixed the removewinframe exploit from here.

None v6147 v9.9 CUP v9.9 CUP dummy web-browser, see below.
1.7610 v6149 9.9.0-26 See below.
1.7616 v7168 10.2.0-28 See below.
1.7622 v8192 10.6.0-31 See below.
None v9216 v10.7 CUP v10.7 CUP dummy web-browser, see below.
1.7625 v9232 10.7.0-32 See below.
1.7630 v10240 11.1.0-34 See below.

Heap

The USA/EUR/JPN + KOR browser allocates the 0x08000000 heap with size 0x01A97000. The size used by the CHN and TWN browser is 0x01997000, exactly 0x100000-bytes smaller.

Old3DS v9.9

ExeFS:/.code was updated.

The only changes in RomFS were file-updating, the following files were updated:

/browser/rootca.pem
/cro/oss.cro
/cro/static.crs
/cro/webkit.cro
/.crr/static.crr
/message/CN_Simp_Chinese/spider.msbt
/message/EU_Dutch/spider.msbt
/message/EU_English/spider.msbt
/message/EU_French/spider.msbt
/message/EU_German/spider.msbt
/message/EU_Italian/spider.msbt
/message/EU_Portuguese/spider.msbt
/message/EU_Russian/spider.msbt
/message/EU_Spanish/spider.msbt
/message/JP_Japanese/spider.msbt
/message/KR_Hangeul/spider.msbt
/message/TW_English/spider.msbt
/message/TW_Trad_Chinese/spider.msbt
/message/US_English/spider.msbt
/message/US_French/spider.msbt
/message/US_Portuguese/spider.msbt
/message/US_Spanish/spider.msbt

OSS diff for v9.5 and v9.9, without the .dox changes:

diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.5.0(23J_23U_23E_19K_18T_3C)/WKC/WebKit/WKC/webkit/WKCVersion.h b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/WKC/WebKit/WKC/webkit/WKCVersion.h
index be5ff09..55a7274 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.5.0(23J_23U_23E_19K_18T_3C)/WKC/WebKit/WKC/webkit/WKCVersion.h
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/WKC/WebKit/WKC/webkit/WKCVersion.h
@@ -29,7 +29,7 @@
 #define WKC_VERSION_CHECK(major, minor, micro) \
     (((major)*10000) + ((minor)*100) + (micro)) >= ((WKC_VERSION_MAJOR*10000) + (WKC_VERSION_MINOR*100) + (WKC_VERSION_MICRO))
 
-#define WKC_CUSTOMER_RELEASE_VERSION "1.8.14"
+#define WKC_CUSTOMER_RELEASE_VERSION "1.8.16"
 
 #define WKC_WEBKIT_VERSION "532.7"
 
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.5.0(23J_23U_23E_19K_18T_3C)/webkit/WebCore/rendering/RenderBox.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/webkit/WebCore/rendering/RenderBox.cpp
index da4127e..d03403e 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.5.0(23J_23U_23E_19K_18T_3C)/webkit/WebCore/rendering/RenderBox.cpp
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/webkit/WebCore/rendering/RenderBox.cpp
@@ -305,23 +305,23 @@ int RenderBox::scrollHeight() const
 
 int RenderBox::scrollLeft() const
 {
-    return hasOverflowClip() ? layer()->scrollXOffset() : 0;
+    return layer() && hasOverflowClip() ? layer()->scrollXOffset() : 0;
 }
 
 int RenderBox::scrollTop() const
 {
-    return hasOverflowClip() ? layer()->scrollYOffset() : 0;
+    return layer() && hasOverflowClip() ? layer()->scrollYOffset() : 0;
 }

 void RenderBox::setScrollLeft(int newLeft)
 {
-    if (hasOverflowClip())
+    if (hasOverflowClip() && layer())
         layer()->scrollToXOffset(newLeft);
 }
 
 void RenderBox::setScrollTop(int newTop)
 {
-    if (hasOverflowClip())
+    if (hasOverflowClip() && layer())
         layer()->scrollToYOffset(newTop);
 }

Old3DS v10.2

The slider vuln from here was fixed in the Old3DS browser.

The main codebin .text only increased by 0x10-bytes.

The only changes in RomFS was that the following files were updated:

/cro/oss.cro
/cro/static.crs
/cro/webkit.cro
/.crr/static.crr

OSS diff:

diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/WKC/WebKit/WKC/webkit/WKCVersion.h b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebKit/WKC/webkit/WKCVersion.h
index 55a7274..fc153c4 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/WKC/WebKit/WKC/webkit/WKCVersion.h
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/WKC/WebKit/WKC/webkit/WKCVersion.h
@@ -29,7 +29,7 @@
 #define WKC_VERSION_CHECK(major, minor, micro) \
     (((major)*10000) + ((minor)*100) + (micro)) >= ((WKC_VERSION_MAJOR*10000) + (WKC_VERSION_MINOR*100) + (WKC_VERSION_MICRO))
 
-#define WKC_CUSTOMER_RELEASE_VERSION "1.8.16"
+#define WKC_CUSTOMER_RELEASE_VERSION "1.8.17"
 
 #define WKC_WEBKIT_VERSION "532.7"
 
diff --git a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/webkit/WebCore/rendering/RenderSlider.cpp b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/WebCore/rendering/RenderSlider.cpp
index b2f5cef..1dd3dbd 100644
--- a/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_9.9.0/webkit/WebCore/rendering/RenderSlider.cpp
+++ b/3DS_InternetBrowser_OpenSources_JP_US_EU_KR_TW_HK_CN_10.2.0/webkit/WebCore/rendering/RenderSlider.cpp
@@ -221,6 +221,7 @@ RenderSlider::~RenderSlider()
 {
     if (m_thumb)
         m_thumb->detach();
+    m_thumb = 0;
 }
 
 int RenderSlider::baselinePosition(bool, bool) const
@@ -493,7 +494,8 @@ void RenderSlider::forwardEvent(Event* event)
         }
     }
 
-    m_thumb->defaultEventHandler(event);
+    if (m_thumb)
+        m_thumb->defaultEventHandler(event);
 }
 
 bool RenderSlider::inDragMode() const

Old3DS v10.6

spider28hax was fixed. The "2^32 characters long string" vuln described here was finally fixed.

A lot of WebKit issues/vulns were fixed, see here for the changes.

libpng was updated from version 1.4.12 to 1.4.19. zlib was updated from 1.2.7 to 1.2.8.

The .text size increased by 0x478-bytes.

The only changes in RomFS was that the following files were updated:

/cro/oss.cro
/cro/static.crs
/cro/webkit.cro
/.crr/static.crr
/manual/Manual.bcma

Old3DS v10.7

Nothing changed except some words for version-values in .text being updated(RomFS wasn't changed), code for browser-version-check was updated.

Old3DS v11.1

Nothing changed in the ExeFS codebin besides the usual version values. The following files in RomFS were updated:

 /cro/oss.cro
 /cro/webkit.cro
 /.crr/static.crr

Forced system-update

The Old3DS/New3DS Internet Browser updated with 9.9.0-26 added the following message strings:

In order to use the Internet 
browser, a system update 
is required.
To perform a system update, 
select System Update from Other
Settings in System Settings.
The Internet browser cannot be
used at this time.
Please check your network
environment or try again later.

For whatever reason, the above message strings were removed with New3DS-browser v10.2, then re-added with v10.4. This does not apply to the Old3DS browser. Whenever v10.2 New3DS browser tries to use these message-strings for displaying a browser-update-related message, it will crash due to an assert failing since the message-strings are missing. Hence, if/when the v10.2 update-check page is ever updated where the browser tries to display a message for it, or when accessing that page fails, the browser will automatically crash.

This wasn't enforced(web-browser displaying the above message when the installed browser isn't the latest version) until October 26, 2015.

This message only triggers when attempting to load a web-page. This is only handled the first time the browser accesses a web-page, during this browser session.

The browser codebins starting with v9.9 now contain the following URL strings:

  • Old3DS: "https://cbvc.cdn.nintendo.net/CTR/1/<region>"
  • New3DS: "https://cbvc.cdn.nintendo.net/SNAKE/1/<region>"

The <region> string is one of the following:

  • "JPN"
  • "USA"
  • "EUR"
  • "KOR"

Starting with the browser from 10.2.0-28, the "1" in the above URLs were changed to "2". With the New3DS browser from 10.4.0-29, it's now "3".

As of October 26, 2015, the "1" URLs return the browser-version for v9.9(decimal number as a string without any "."), while the "2" URLs returns 0.

if(internal_browserver > server_browserver)
{
    <safe>
}
else
{
    <update message>
}

Hence, internal_browserver == server_browserver will trigger the sysupdate message, which appears to be the normal way to indicate that the current browser is outdated(see above).

There is a cache for this in savedata. The request is only done when at least 24-hours have passed since the last time the request was done(see the below savedata section).

It is still possible to guard against this update by blocking the previous URLs using a proxy. It is not possible to remove the update message by entering the Recovery Mode.

Page request

For this request, all root-CAs bundled with the browser are trusted, in addition to two of the SSL module builtin Nintendo root-CAs.

The browser(with New3DS at least) does the following with HTTPC for requesting the above page:

Raw request data(New3DS USA v10.2 browser):

000000: 47 45 54 20 2f 53 4e 41 4b 45 2f 32 2f 55 53 41  GET /SNAKE/2/USA
000010: 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a   HTTP/1.1..Host:
000020: 20 63 62 76 63 2e 63 64 6e 2e 6e 69 6e 74 65 6e   cbvc.cdn.ninten
000030: 64 6f 2e 6e 65 74 0d 0a 0d 0a                    do.net....

v10.7

The only actual code change with Old3DS/New3DS browser v10.7 was that the code which calculates the diff_timestamp was moved to immediately after the block which initializes <state_timestamp> when <state_timestamp> is all-zero. This fixed the browser-version-check bypass.

v9.9+/v10.7+ dummy web-browser

Gamecards v9.9 and above include, with their sysupdate, a dummy Old3DS/New3DS web-browser. The *only* thing this title does is display the same message listed in the above forced-update section. The message files in RomFS *only* contain that message string above. There are no "http" strings in the main codebin, and RO isn't used either(no CRO data in RomFS at all). Both browsers are internally called "dummySpider".

Hence, if you update your system below v9.8 with any v9.9 or above gamecard, the system web-browser will be rendered *completely* useless until you install a system-update from CDN(no network requests involved here).

Gamecards v10.7 and above include an updated dummy web-browser, where the only difference is the title version.

Savedata

New3DS

On newer SKATER versions, it appears *all* NAND savedata is stored under the 0x000200BB savedata.

0x000200BB savedata

This only contains "t.bin" with filesize 0xadf80, the format is below.

The timestamp format used here is the number of milliseconds since January 1, 2000(local-time).

When using the "Initialize savedata" option in the browser, that deletes this savedata file/image then exits the browser. This file is then re-created when the browser gets started again.

Offset Size Description
0x68 0x4? This counter is incremented each time the savedata is written.
0x70 0x8 Timestamp for when the savedata was last written.
0x94 0x15? This is all-zeros on non-JPN systems. On JPN systems where the browser filter is disabled, this is a string in the following format: "4110-%016llX".
0xD8 0x8 s64 timestamp, can be either a normal positive timestamp or a relative negative one. Used with the forced-update described above. When an update is detected this timestamp is negative, otherwise this is a normal positive timestamp(it's unknown how exactly this timestamp is checked). When positive, this seems to be the last time the forced-update HTTPS request was done where no update was needed.

APT Parameters

The URL to load can optionally be loaded from char[] string paramblk+0. This is used when scanning URL QR-codes in Home Menu / etc.

Errors

"Failed to load part of this page": This can be caused by failing to load "/favicon.ico". For example, this can be caused by loading a plain HTTP page, with plain-http favicon redirecting to HTTPS. If cert-verify then fails with favicon in this case, this error would then trigger.

Other details

  • It scored 90/100 on Acid3 test
  • Images from the Internet can be saved to the SD Card and viewed using the Nintendo 3DS Camera application.
  • Images saved to an SD Card or to the Nintendo 3DS system memory can be uploaded to blogs or other sites that allow the uploading of photos using :
<input type="file" />
  • HTML5Test.com say that Drag and drop is supported but it's not (code on WebKit is ready, but it's not implemented on interface of browser)

Tips

Detect User Agent

To detect if the user agent is Nintendo 3DS Browser :

<script type="text/javascript">
    if (navigator.userAgent.indexOf('Nintendo 3DS') == -1) { //If the UserAgent is not "Nintendo 3DS"
        location.replace('http://www.3dbrew.org'); //Redirect to an other page
    }
</script>
  • You can check navigator.platform=="Nintendo 3DS" as well.

Scrolling

Scrolling can be altered by modifying document.body.scrollTop and document.body.scrollLeft. However, there are drawbacks related to working with these properties:

  • Both properties return 0 when accessed
  • Setting one property resets the other property's scroll position

In order to set both at the same time (without either resetting to 0), use window.scrollTo.

Events

Key Events

The following buttons trigger the onkeydown, onkeypress and onkeyup events:

Code Button
13 A
37 Left
38 Up
39 Right
40 Down

The events cannot have their default action cancelled. Other buttons do not trigger key events.

Touch/Mouse Events

onmousedown, onmouseup & onclick are all triggered by the browser. However, the onmousedown event doesn't trigger until you lift the stylus or you've held it on the screen for ~2 seconds—which is when text selection mode is activated—making it pretty much the same as onmouseup. The events cannot have their default action cancelled.

The onmousemove and common touch/gesture events are not supported.

Screen Resolution

The up screen resolution is 400×240. However, the viewable area in the browser is only 400×220.

The touch screen resolution is 320×240. However, the viewable area in the browser is only 320×212.

You can have a page span both screens. However, the browser will behave as if the bottom screen is the only active screen and the top screen is scrolled off. This is important when computing CSS coordinates. Items positioned from "bottom" will be positioned based on 220px and not the full 432px of both screens.

Using Both Screens

Generally the easiest way to accomplish the correct layout is to create HTML elements that "contain" the top and bottom screens. Here's an example:

<!DOCTYPE html>
<html>
  <head>
    <meta name="viewport" content="width=400">
    <style>
      body{margin:0px;}
      #topscreen{width:400px;height:220px;overflow:hidden;}
      #bottomscreen{width:320px;height:212px;overflow:hidden;margin:0 auto;}
    </style>
  </head>
  <body>
    <div id="topscreen">Top Screen</div>
    <div id="bottomscreen">Bottom Screen</div>
  </body>
</html>

This scheme allows the page to be easily manipulated through JavaScript. In order to have the window snap to the correct position, use the following JavaScript code:

window.setInterval(function () {
    window.scrollTo(40, 220);  
}, 50);

This automatically resets the position if the user accidentally scrolls the page.

Example Sites