11.1.0-34

From 3dbrew
Jump to: navigation, search

The Old3DS+New3DS 11.1.0-34 system update was released on September 13, 2016. This Old3DS update was released for the following regions: USA, EUR, JPN, CHN, KOR, and TWN. This New3DS update was released for the following regions: USA, EUR, JPN, CHN, KOR, and TWN.

Security flaws fixed: yes.

Change-log[edit]

Official USA change-log:

  • Further improvements to overall system stability and other minor adjustments have been made to enhance the user experience

System Titles[edit]

The updated titles were Home Menu, Internet Browser, NGWord bad word list CFA, Nintendo Zone hotspot list CFA, NVer, CVer, DSP, friends, NS and NATIVE_FIRM. In JPN and KOR, the error string list CFA was additionally updated.

NATIVE_FIRM[edit]

ARM9[edit]

No changes to Old3DS/New3DS code at all(plaintext FIRM ARM9 binary / arm9loader).

Only differences are in the minversion list, which updated the minimum versions for Home Menu, Internet Browser, DSP, friends, NS, and NATIVE_FIRM to latest.

ARM11-kernel[edit]

Exactly 3 functions were updated, these are for Memory_Management. Validation code for memchunk-headers was changed. In the New3DS kernel:

  • L_fff1aab0, prev ver @ L_fff1aab0.
  • L_fff1c730, prev ver @ L_fff1c6f0.
  • L_fff26410, prev ver @ L_fff26394.

All three functions now prevent negative chunk sizes to be used, which could have been used with hypotetical kernel-memory-read vulnerabilities to exploit the memory-management code.

The first function ("validateChunk") now makes sure that:

chunk + currentChunkSize >= currentChunk

when checking that the current chunk doesn't overlap with either the previous or next one.


The second function ("Kern::ControlMemory"), aside from other small changes, now makes additional checks on the previously allocated memory chunk; the code for that is now:

if(chunkSizeInPages >= regionSize >> 12 || chunk < regionBase || chunk + chunkSize < chunk || chunk + chunkSize > regionBase + regionSize) panic;


The third function ("insertChunk") now makes the following checks:

if(chunkSizeInPages >= regionSize >> 12 || regionBase + regionSize < chunk + chunkSize) panic;
// ...
if(leftChunk && leftChunk + leftChunkSize <= leftChunk) panic; // this check was already done on 'right'

FIRM-modules[edit]

Only the following FIRM-modules were updated: fs and loader.

loader[edit]

It appears only one function changed in loader: L_140022b8 previously @ L_140022b8. Codebin physical memory randomization was enabled for all of the following titles:

  • USA/EUR "VVVVVV"
  • USA/EUR/JPN "Freakyforms Deluxe: Your Creations, Alive!"
  • USA/EUR/JPN "Pokémon Super Mystery Dungeon"
  • "Pokémon Omega Ruby" + "Pokémon Alpha Sapphire"
  • USA/EUR/JPN "Citizens of Earth"
  • "Pokémon Picross"
fs[edit]

0x18-bytes were added to an u32 array in .rodata containing a list of title uniqueIDs, with the additional data at address 0x00134094. This array was already in FS-module. A new UTF-16 string "/updated.dat" was added @ .rodata 0x0013411c.

The titles in this list are:

  • "Pokémon X"
  • "Pokémon Y"
  • "Pokémon Omega Ruby"
  • "Pokémon Alpha Sapphire"
  • "Pokémon Sun"
  • "Pokémon Moon"

A new FSUSER command was added. If the command returns an error, the caller assumes false.

All code changes:

  • LT_10d8b0: New func, the actual handler for the new command.
  • LT_111480: Updated, prev ver @ LT_111330. After writing 0x27 to struct+4, this now writes 0x6 to struct+16.
  • L_129434: New func, calls LT_10d8b0. This function is called by the cmdhandler.
  • L_12b4fc: Updated, prev ver @ L_12b330. FSUSER cmdhandler, now calls L_129434 for the new command.

NS[edit]

The code for APT:IsTitleAllowed was updated.

It now adds a version check for SmileBASIC, and enforces minimum major-versions 7 for JAP and 2 for USA. This means that smilehax is impossible on latest firmware.

Same function also now checks for the "Animal Crossing: New Leaf" title in EUR+JAP+USA, and checks if major-version is higher than 3. If version is <=3, it calls the new fs command with the title-id of the Animal Crossing game. If the new fs command returns true, it returns that the game is not allowed to be launched, otherwise it will launch it despite being too old.

This functionality appears to be for preventing the user from switching from an newer version of the application to an older version, where the newer version isn't released yet at the time the sysupdate was released. The newer version would (presumably) write to savedata "/updated.dat", which would trigger launch-not-allowed if the user tries to run an older version of the application.

The only other changes are for some initialization-related(?) code, which seem to be minor.

DSP-sysmodule[edit]

The only actual code change was that the handler function called by the DSP:RegisterInterruptEvents function was updated. Validation code was added for the input at the beginning of the function.

friends-sysmodule[edit]

Like past updates, the only codebin change was for updating the fpdver(6->7).

Home Menu[edit]

The icon vulns were fixed, hence latest menuhax as of sysupdate release was fixed for this system-version. The only code changes were for updating 2 functions, for fixing these 2 vulns(RomFS wasn't changed).

Internet Browser[edit]

See here for details. The browser-version-check pages for the old browser versions were updated just minutes after the sysupdate was released, unlike like past updates where it took weeks.

See Also[edit]

System update report(s):