Line 11: |
Line 11: |
| The only difference between the ExeFS .code for each region of the Old3DS/New3DS browser, is byte values for the title uniqueID/region. | | The only difference between the ExeFS .code for each region of the Old3DS/New3DS browser, is byte values for the title uniqueID/region. |
| | | |
− | A [[#v9.9_dummy_web-browser|"dummy" browser]] (which replaces the actual browser) is being included with cartdrige games shipping the [[9.9.0-26|9.9.0-X]] system update. | + | A [[#Dummy_web-browser|"dummy" browser]] (which replaces the actual browser) is being included with cartdrige games shipping with system updates starting with [[9.9.0-26|9.9.0-X]]. |
| In addition, versions of the real browser since 9.9.0-26X attempt to [[#Forced_system-update|check-in with a Nintendo server]] to determine if the existing browser version is out of date. | | In addition, versions of the real browser since 9.9.0-26X attempt to [[#Forced_system-update|check-in with a Nintendo server]] to determine if the existing browser version is out of date. |
| | | |
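Review bot: The rewritten dummy-browser sentence still carries the misspelling "cartdrige"; correct it to "cartridge" while the line is being changed. The unchanged sentence after it writes the version as "9.9.0-26X", while this line links [[9.9.0-26|9.9.0-X]], so pick one form for both.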
Line 26: |
Line 26: |
| Video decoding is done with [[MVD_Services|mvd:STD]]. Audio decoding/playback is done with a browser-specific DSP binary. The Old3DS browser used CSND for audio playback, the New3DS browser doesn't have access to that at all since it uses DSP instead. | | Video decoding is done with [[MVD_Services|mvd:STD]]. Audio decoding/playback is done with a browser-specific DSP binary. The Old3DS browser used CSND for audio playback, the New3DS browser doesn't have access to that at all since it uses DSP instead. |
| | | |
| + | === Video / libstagefright === |
| The browser manual includes licenses for Android and PacketVideo. The browser uses libstagefright from Android. Just like WebKit, the browser appears to use a very old version of libstagefright with security/other changes back-ported(for example, the v10.7 browser libstagefright codebase seems to be older than [https://android.googlesource.com/platform/frameworks/av/+/ec77122351b4e78c1fe5b60a208f76baf8c67591%5E%21/media/libstagefright/MPEG4Extractor.cpp this]). This codebase is missing certain chunk-parsing code for 3GP. | | The browser manual includes licenses for Android and PacketVideo. The browser uses libstagefright from Android. Just like WebKit, the browser appears to use a very old version of libstagefright with security/other changes back-ported(for example, the v10.7 browser libstagefright codebase seems to be older than [https://android.googlesource.com/platform/frameworks/av/+/ec77122351b4e78c1fe5b60a208f76baf8c67591%5E%21/media/libstagefright/MPEG4Extractor.cpp this]). This codebase is missing certain chunk-parsing code for 3GP. |
| + | |
| + | HTTP for libstagefright is internally handled with [[HTTP_Services|HTTPC]], with a similar(?) set of RootCAs as for browser-version-check. |
| | | |
| ===User-Agent and Browser Versions=== | | ===User-Agent and Browser Versions=== |
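Review bot: The added HTTPC sentence describes the RootCA set as "similar(?)" to the one used for browser-version-check, which does not tell the reader what was actually compared. Either state which RootCAs were observed for the libstagefright HTTP path, or say plainly that the set has not been verified yet. The new heading is also written "=== Video / libstagefright ===" with inner spaces, while the next heading in this hunk is "===User-Agent and Browser Versions===" without them.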
Line 32: |
Line 35: |
| | | |
| <region> can be one of the following: "JP", "US", or "EU". | | <region> can be one of the following: "JP", "US", or "EU". |
| + | |
| + | Mobile User-Agent is always <code>Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25</code>. |
| | | |
| {| class="wikitable" border="1" | | {| class="wikitable" border="1" |
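Review bot: "Mobile User-Agent is always ..." is a stronger claim than the table column it replaces supported: the removed Mobile UA cells for 1.5.10143 and 1.7.10150 were empty, and the rows added for 1.8.10156 and 1.9.10160 never had a recorded value. Confirm the string on those versions, or word it as "the same for every version checked so far".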
Line 37: |
Line 42: |
| ! Mobile NintendoBrowser version(displayed in browser settings) | | ! Mobile NintendoBrowser version(displayed in browser settings) |
| ! Normal UA | | ! Normal UA |
− | ! Mobile UA
| |
| ! CDN Title-version | | ! CDN Title-version |
| ! Network-only system-update version | | ! Network-only system-update version |
Line 44: |
Line 48: |
| | 1.0.9934 | | | 1.0.9934 |
| | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.8 Mobile NintendoBrowser/1.0.9934.<region> | | | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.8 Mobile NintendoBrowser/1.0.9934.<region> |
− | | Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25
| |
| | v10 | | | v10 |
| | [[9.0.0-20]] | | | [[9.0.0-20]] |
Line 51: |
Line 54: |
| | 1.1.9996 | | | 1.1.9996 |
| | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.10 Mobile NintendoBrowser/1.1.9996.<region> | | | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.10 Mobile NintendoBrowser/1.1.9996.<region> |
− | | Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25
| |
| | v1027 | | | v1027 |
| | [[9.3.0-21]] | | | [[9.3.0-21]] |
Line 58: |
Line 60: |
| | 1.2.10085 | | | 1.2.10085 |
| | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.13 Mobile NintendoBrowser/1.2.10085.<region> | | | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.13 Mobile NintendoBrowser/1.2.10085.<region> |
− | | Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25
| |
| | v2051 | | | v2051 |
| | [[9.6.0-24]] | | | [[9.6.0-24]] |
| | See below. | | | See below. |
| |- | | |- |
− | | None
| |
| | None | | | None |
| | None | | | None |
Line 71: |
Line 71: |
| |- | | |- |
| | 1.3.10126 | | | 1.3.10126 |
− | | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.15 Mobile NintendoBrowser/1.3.10126.US | + | | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.15 Mobile NintendoBrowser/1.3.10126.<region> |
− | | Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25
| |
| | v3077 | | | v3077 |
| | [[9.9.0-26]] | | | [[9.9.0-26]] |
Line 78: |
Line 77: |
| |- | | |- |
| | 1.4.10138 | | | 1.4.10138 |
− | | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.17 Mobile NintendoBrowser/1.4.10138.US | + | | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.17 Mobile NintendoBrowser/1.4.10138.<region> |
− | | Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25
| |
| | v4096 | | | v4096 |
| | [[10.2.0-28]] | | | [[10.2.0-28]] |
Line 85: |
Line 83: |
| |- | | |- |
| | 1.5.10143 | | | 1.5.10143 |
− | | | + | | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.5.10143.<region> |
− | |
| |
| | v5121 | | | v5121 |
| | [[10.4.0-29]] | | | [[10.4.0-29]] |
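Review bot: The previously empty Normal UA cell for 1.5.10143 is filled in with NX/3.0.0.5.19, the same NX value as 1.6.10147 and 1.7.10150, with no indication of where it came from. If it was read from a device or from the codebin, say so in the edit summary; if it was inferred from the neighbouring rows, mark the cell as unconfirmed.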
Line 92: |
Line 89: |
| |- | | |- |
| | 1.6.10147 | | | 1.6.10147 |
− | | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.6.10147.US | + | | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.6.10147.<region> |
− | | Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25
| |
| | v6144 | | | v6144 |
| | [[10.6.0-31]] | | | [[10.6.0-31]] |
| | See below. | | | See below. |
| + | |- |
| + | | None |
| + | | None |
| + | | v7168 |
| + | | v10.7 CUP |
| + | | v10.7 CUP dummy web-browser, see below. |
| |- | | |- |
| | 1.7.10150 | | | 1.7.10150 |
− | | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.7.10150.US | + | | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.19 Mobile NintendoBrowser/1.7.10150.<region> |
− | |
| |
| | v7184 | | | v7184 |
| | [[10.7.0-32]] | | | [[10.7.0-32]] |
| + | | See below. |
| + | |- |
| + | | 1.8.10156 |
| + | | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.20 Mobile NintendoBrowser/1.8.10156.<region> |
| + | | v8192 |
| + | | [[11.1.0-34]] |
| + | | See below. |
| + | |- |
| + | | None |
| + | | None |
| + | | v9217 |
| + | | v11.4 CUP |
| + | | v11.4 CUP dummy web-browser, see below. |
| + | |- |
| + | | 1.9.10160 |
| + | | Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.20 Mobile NintendoBrowser/1.9.10160.<region> |
| + | | v9232 |
| + | | [[11.4.0-37]] |
| | See below. | | | See below. |
| |} | | |} |
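Review bot: The new dummy-browser rows (v7168 and v9217) put "v10.7 CUP" and "v11.4 CUP" in the column where every other row holds a linked system version such as [[11.1.0-34]], and CUP is neither expanded nor linked anywhere in the visible text. Expand or link the term on first use so the rows can be read without outside knowledge.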
Line 323: |
Line 342: |
| applet | | applet |
| 2016-03-02 18:25 | | 2016-03-02 18:25 |
| + | |
| + | ==== v11.1 ==== |
| + | The ExeFS codebin was updated. The following files in RomFS were updated: |
| + | |
| + | /build/buildinfo.dat |
| + | /.crr/static.crr |
| + | /oss.cro.lex |
| + | /static.crs |
| + | /webkit.cro.lex |
| + | |
| + | cat v8192/00000026_romfs/build/buildinfo.dat |
| + | 10156 |
| + | applet |
| + | 2016-08-26 19:47 |
| + | |
| + | Minus the 4 functions that changed due to compiler optimization, only 1 function was actually updated. This is LT_1a4004, previous version at LT_1a4004: libstagefright status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) |
| + | |
| + | Additional code was added which doesn't seem to be from upstream git, right [https://android.googlesource.com/platform/frameworks/av/+/32d6e5f0ebe9e00f80401e5f4fd6e285a474590d/media/libstagefright/MPEG4Extractor.cpp#880 before] the cprt code block: "if((*offset + chunk_size) - data_offset < 0)fail" |
| + | |
| + | This fixed skater31hax + any other mp4 haxx which requires using a negative 64bit chunk_size value. |
| + | |
| + | The filepath base used in the assert strings were changed from "d:\Jenkins\workspace\MPSkaterBuild\MVPlayer\Skater\Base\Android\frameworks\base\media\libstagefright\" to "d:\jenkins\workspace\MPSkaterBuild-Git\Base\Android\frameworks\base\media\libstagefright\". |
| + | |
| + | ==== v11.4 ==== |
| + | The only changes in RomFS was for "/build/buildinfo.dat" and "/static.crs", hence no OSS in CRO(s) were updated. |
| + | |
| + | The main codebin was updated. Exactly two functions were updated, these are not related to code exec vulns. |
| + | |
| + | cat v9232/00000027_romfs/build/buildinfo.dat |
| + | 10160 |
| + | applet |
| + | 2017-03-08 19:44 |
| | | |
| === New3DS Browser Specifications === | | === New3DS Browser Specifications === |
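Review bot: In the v11.1 text the changed function is given as "LT_1a4004, previous version at LT_1a4004", the same label twice, so it is unclear whether the address is unchanged between builds or one of the two is a typo. State "same address in both versions" if that is what is meant, otherwise correct the label. The v11.4 paragraph says exactly two functions were updated and are unrelated to code exec vulns, but does not identify them; listing their labels, as done for parseChunk in v11.1, would let others check the claim.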
Line 356: |
Line 407: |
| * "User agent: Mozilla/5.0 (Nintendo 3DS; region; ; en) Version/1.7498.US" | | * "User agent: Mozilla/5.0 (Nintendo 3DS; region; ; en) Version/1.7498.US" |
| * "Supported protocols: HTTP1.0/HTTP1.1/SSLv3/TLS1.0" | | * "Supported protocols: HTTP1.0/HTTP1.1/SSLv3/TLS1.0" |
− | * "Web standard: HTML 4.01/XHTML 1.1/CSS 1/CSS 2.1/CSS 3 (partial functionality)/DOM Levels 1-3/ECMAScript | + | * "Web standard: HTML 4.01/XHTML 1.1/CSS 1/CSS 2.1/CSS 3 (partial functionality)/DOM Levels 1-3/ECMAScript/XMLHttpRequest/Canvas Element (partial functionality)" |
− | /XMLHttpRequest/Canvas Element (partial functionality)" | |
| * "Image format: MPO / GIF / JPEG / PNG / BMP / ICO (some images cannot be displayed)" | | * "Image format: MPO / GIF / JPEG / PNG / BMP / ICO (some images cannot be displayed)" |
| * "Plug-ins: Plug-ins such as Adobe Flash are not supported" | | * "Plug-ins: Plug-ins such as Adobe Flash are not supported" |
Line 442: |
Line 492: |
| | [[10.6.0-31]] | | | [[10.6.0-31]] |
| | See below. | | | See below. |
| + | |- |
| + | | None |
| + | | v9216 |
| + | | v10.7 CUP |
| + | | v10.7 CUP dummy web-browser, see below. |
| |- | | |- |
| | 1.7625 | | | 1.7625 |
| | v9232 | | | v9232 |
| | [[10.7.0-32]] | | | [[10.7.0-32]] |
| + | | See below. |
| + | |- |
| + | | 1.7630 |
| + | | v10240 |
| + | | [[11.1.0-34]] |
| | See below. | | | See below. |
| |} | | |} |
| + | |
| + | === Heap === |
| + | The USA/EUR/JPN + KOR browser allocates the 0x08000000 heap with size 0x01A97000. The size used by the CHN and TWN browser is 0x01997000, exactly 0x100000-bytes smaller. |
| | | |
| === Old3DS v9.9 === | | === Old3DS v9.9 === |
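Review bot: The new Heap section does not say which browser or version the sizes apply to: "The USA/EUR/JPN + KOR browser" could be Old3DS, New3DS or both, and the section is placed between the Old3DS version table and "Old3DS v9.9". Name the browser and the title version the 0x01A97000 and 0x01997000 values were taken from. The arithmetic is consistent (the difference is 0x100000).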
Line 589: |
Line 652: |
| === Old3DS v10.7 === | | === Old3DS v10.7 === |
| ''Nothing'' changed except some words for version-values in .text being updated(RomFS wasn't changed), code for browser-version-check was [[#v10.7_2|updated]]. | | ''Nothing'' changed except some words for version-values in .text being updated(RomFS wasn't changed), code for browser-version-check was [[#v10.7_2|updated]]. |
| + | |
| + | === Old3DS v11.1 === |
| + | Nothing changed in the ExeFS codebin besides the usual version values. The following files in RomFS were updated: |
| + | /cro/oss.cro |
| + | /cro/webkit.cro |
| + | /.crr/static.crr |
| | | |
| == Forced system-update == | | == Forced system-update == |
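Review bot: The Old3DS v11.1 entry lists /cro/oss.cro, /cro/webkit.cro and /.crr/static.crr as updated but says nothing about what changed in them, whereas the New3DS v11.1 section identifies the single function that was modified. Add what changed in the CROs, or say explicitly that they have not been diffed yet. The file list also runs straight on from the sentence with no blank line, unlike the New3DS v11.1 list.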
Line 662: |
Line 731: |
| The only actual code change with Old3DS/New3DS browser v10.7 was that the code which calculates the diff_timestamp was moved to immediately after the block which initializes <state_timestamp> when <state_timestamp> is all-zero. This fixed the browser-version-check [[3DS_Userland_Flaws|bypass]]. | | The only actual code change with Old3DS/New3DS browser v10.7 was that the code which calculates the diff_timestamp was moved to immediately after the block which initializes <state_timestamp> when <state_timestamp> is all-zero. This fixed the browser-version-check [[3DS_Userland_Flaws|bypass]]. |
| | | |
− | == v9.9 dummy web-browser == | + | == Dummy web-browser == |
− | The gamecard v9.9 sysupdate included with some games contains a dummy Old3DS/New3DS web-browser. The *only* thing this title does is display the same message listed in the above forced-update section. The message files in RomFS *only* contain that message string above. There are no "http" strings in the main codebin, and [[RO_Services|RO]] isn't used either(no CRO data in RomFS at all). Both browsers are internally called "dummySpider".
| + | Gamecards v9.9 and above include, with their sysupdate, a dummy Old3DS/New3DS web-browser. The *only* thing this title does is display the same message listed in the above forced-update section. The message files in RomFS *only* contain that message string above. There are no "http" strings in the main codebin, and [[RO_Services|RO]] isn't used either(no CRO data in RomFS at all). Both browsers are internally called "dummySpider". |
| + | |
| + | Hence, if you update your system below v9.8 with any v9.9 or above gamecard, the system web-browser will be rendered *completely* useless until you install a system-update from CDN(no network requests involved here). |
| | | |
− | Hence, if you update your system from pre-v9.9 using a gamecard with v9.9, the system web-browser will be rendered *completely* useless until you install a system-update from CDN(no network requests involved here).
| + | Gamecards v10.7 and v11.4(New3DS only) have updated the dummy web-browser, where the only difference is the title version. |
| | | |
| == Savedata == | | == Savedata == |
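Review bot: The rewritten second paragraph says "if you update your system below v9.8", where the old text said "from pre-v9.9"; as written, a system on v9.8 itself is no longer covered. Use "below v9.9" unless the boundary really changed. The first sentence ("Gamecards v9.9 and above include, with their sysupdate") drops the old qualifier "included with some games", so confirm it holds for every gamecard. The section rename to "Dummy web-browser" matches the updated link at the top of the page; check for other inbound links to the old #v9.9_dummy_web-browser anchor.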
Line 803: |
Line 874: |
| * [http://www.nintendo.com/3ds/internetbrowser/bookmarks Nintendo 3DS Bookmarks] - This is the first bookmark pre-installed in the browser. | | * [http://www.nintendo.com/3ds/internetbrowser/bookmarks Nintendo 3DS Bookmarks] - This is the first bookmark pre-installed in the browser. |
| * [http://3ds.andysmith.co.uk/jFox.html jFox] (Short URL: http://bit.ly/iB7FqW) | | * [http://3ds.andysmith.co.uk/jFox.html jFox] (Short URL: http://bit.ly/iB7FqW) |
− | * [http://ditto3d.com/3ds Ditto3D] (Short URL: http://bit.ly/oVreWA) | + | * [http://ditto3d.com/3ds Ditto3D (Dead Link)] (Short URL: http://bit.ly/oVreWA) |
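Review bot: "(Dead Link)" has been placed inside the external-link label, so the link text now reads "Ditto3D (Dead Link)" and still points at the dead URL. Put the marker outside the brackets, after the link, and say whether the short URL on the same line is dead as well.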