

Nintendo 3DS

151 files

  1. MSET9

    MSET9 is a primary ARM9 exploit for the 3DS that can be launched with nothing more than filename data added to the inserted SD card.
    How it works
    In the implementation of FSPXI:EnumerateExtSaveData (called by MSET to parse the 3DS extdata IDs for data management), the return value of the internal P9 function call that opens a directory (when enumerating the contents of the extdata directory) was not checked. Therefore, if that call fails, an uninitialized pointer on the stack is used for a vtable call.
    As such, a file whose name begins with 8 hex digits can crash process9 if it is placed directly inside the extdata directory. It can crash in several ways, depending on subtle differences in how the user triggers the crash event.
    While in most cases this leads to null dereferences, in one specific context process9 jumps directly into an ID1 string held in ARM9 memory. Surprisingly, the 3DS does not check which characters are used for the ID1 directory name on the SD card; it only requires exactly 32 characters. This allows the attacker to place arm instructions in the unicode ID1 directory name and take control of the ARM9, and therefore full control of the 3DS.
    Can I do it?
    You need:
    - A 3DS on 11.4-11.17, from any region (probably; I haven't tested them all)
    - A USB-to-SD reader
    - A Windows/Linux PC (this could be extended to Mac and/or Android at some point, if possible)
    FAQ
    Q: Does this install boot9strap and write to the NAND?
    A: Yes! What else are you going to do with ARM9 control, a9lh? pastaCFW? sketchy tetris clones? 😛
    Q: That sounds dangerous, Zoogie!
    A: Yes, it is, but the scene has been doing these dangerous things for years. If you're worried, don't go past the beta phase.
    Q: What happens if I don't uninstall the exploit when I'm done?
    A: You'll have trouble running previously installed titles, plus random crashes in FBI and System Settings. So make sure to clean up the exploit! (Option 4 in the mset9.py menu does this.)
    Q: The file that triggers the exploit (002F003A.txt) ... looks ... like a virtual address, doesn't it?
    A: Those are the characters ":/", something we can't put in a typical file/folder name. A convenient fact about that file (besides triggering the general crash) is that the first 8 characters of that hex filename are converted to a u32 that happens to sit 0x44 past SP, so I can use it to fill in the missing characters of the payload file path "sdmc??b9" and keep the PC's operating system happy.
    Q: You suggest in the explanation of the hack above that FS_EnumerateExtData is the function responsible for allowing the crash in MSET/ARM9; could it be called from userland homebrew to take over the ARM9?
    A: Maybe? I briefly played with this very idea, but couldn't find a crash context I could control, unlike the pre-userland method that MSET9 is. Perhaps this could be an exercise for the dedicated user to explore and develop this potential MSET9 variant. It might be useful later on.
    Fun fact: the 8-digit hex file, if left in extdata, will also crash FBI when selecting the "Ext Save Data" option in its main menu. It's the only homebrew I know of that calls FS_EnumerateExtData.
    Q: You shortened SafeB9SInstaller.bin to SafeB9S.bin, why?
    A: It keeps to the FAT 8.3 filename standard, which avoids Long File Names and therefore allows significant space savings in the FatFs library. "B9" is also used for the same reason, although that one is not related to FatFs. In this exploit it is vitally important that the code take up little space.
    Q: Why doesn't it work on Mac?
    A: Because it refuses to render the following unicode madness: �﫿餑䠇䚅敩ꄈ∁䬅䞘䙨䙙꫿ᰗ䙃䰃䞠䞸退ࠊꁱࠅ캙ࠄsdmc退ࠊb9
    ( ͡° ͜ʖ ͡°)
    MSET9 is an application created by Zoogie.
  2. 3DS ROP xPloit Injector

    A ROP-based installer for unSAFE_MODE and menuhax67, useful for userland exploits that cannot launch the homebrew launcher.
    This tool is based on ninjhax.
    3DS ROP xPloit Injector is a tool created by PabloMK7.
  3. CIAngel

    Now we can get games directly on the 3DS! Using a title ID and an encrypted title key, or searching for a title by name, GOOD CIAs will be produced or installed directly; they can be re-downloaded from the eShop and updated from the eShop if new content is released. These CIAs will not interfere with eShop content.
    You can choose to create a CIA, install the game directly, or install only the ticket.
    Usage
    Search by name
    CIAngel uses HBKBlib to search for titles by name. The data is read from /CIAngel/wings.json (which is downloaded automatically on first launch) to look up the entered name.
    Download queue
    When viewing the list of search results, you can press X to add the title to the download queue. If you select "Process download queue", you can download or install all queued titles one after another. This uses the currently selected download/install mode.
    Input.txt support
    CIAngel can read a text file (sd:/CIAngel/input.txt) that has 2 lines.
    The first line must be the title ID. The second line must be the encrypted title key.
    Application created by llakssz.
  4. NGPDS

    NGPDS is a NeoGeo Pocket (Color) emulator for the Nintendo DS.
    How to use NGPDS
    First DLDI-patch the emulator for your flash card. Create a folder called "ngpds" in the root of your flash card or in the data folder. Now put the game files in the folder where you keep your roms. When the emulator starts, you can press L+R or touch the screen to bring up the menu. You can then use the D-pad or the touch screen to navigate the menus, A or a double tap to select an option, and B or the top of the screen to go back one step. To switch between the tabs, use R & L or the touch screen.
    Menu:
    File
    - Load game: select a game to load.
    - Load state: loads a previously saved state of the running game.
    - Save state: saves a state of the running game.
    - Load Flash RAM: loads the flash RAM for the currently running game.
    - Save Flash RAM: saves the flash RAM for the currently running game.
    - Save settings: saves the current settings.
    - Reset game: resets the currently running game.
    Options
    - Controller: Autofire: select whether you want autofire.
    - Controller: 2P starts a 2-player game.
    - Swap A/B: swaps which NDS button is mapped to which NGP button.
    - Display: Mono palette: here you can select the palette for black-and-white games.
    - Gamma: lets you change the gamma ("brightness").
    - Disable foreground: toggles foreground rendering.
    - Disable background: toggles background rendering.
    - Disable sprites: toggles sprite rendering.
    - Machine settings: Language: select between Japanese and English.
    - Machine: select the emulated machine.
    - Half CPU speed: halves the emulated CPU speed. It can make games faster.
    - Change batteries: swap in new main batteries (AA/LR6).
    - Change sub battery: swap in a new sub battery (CR2032).
    - BIOS settings: load a real NGP BIOS.
    - Settings: Speed: switches between the speed modes. Normal: the game runs at its normal speed. 200%: the game runs at double speed. Max: games can run at up to 4x normal speed (may vary). 50%: the game runs at half speed.
    - Autoload state: toggles automatic save-state loading. Automatically loads the save state associated with the current game.
    - Autoload Flash RAM: toggles flash/save RAM autoloading. Automatically loads the flash RAM associated with the current game.
    - Autosave settings: saves the settings when leaving the menu if changes were made.
    - Autopause game: toggles whether the game should pause when the menu is opened.
    - Powersave 2nd screen: whether the graphics/backlight should be turned off for the GUI screen when the menu is not active.
    - Emulator on bottom: select whether the top or bottom screen is used for the emulator; when the menu is active, the emulator screen is always on top.
    - Debug output: shows an FPS meter for now.
    - Auto sleep: does not work.
    Credits
    Many thanks to Loopy for the amazing PocketNES; without it this emu would probably never have been made. Dwedit for help and inspiration with many things. NGPDS was created by Fredrik Ahlström.
  5. 3DS Multi EmuNAND Creator

    This program is designed to inject/extract NAND dumps to/from the reserved storage area on the SD card used by tools such as Gateway's Launcher.dat and EmuNAND9. It is written entirely in C and can be compiled with MinGW or TDM-GCC, with no need for additional libraries and/or runtime components.

    Features
    - Automatic detection of SD cards containing one or more NAND(s).
    - Can inject/extract up to four (4) different NANDs from/to any given SD card (as long as its storage capacity allows it).
    - Compatible with Old 3DS/2DS and New 3DS/2DS NAND dumps.
    - Supports the EmuNAND and RedNAND (+1 sector offset) formats.
    - Compatible with all existing NAND layouts: 'Legacy' (used by Gateway's Launcher.dat), 'Default' (NAND size rounded to 4 MB) and 'Minimum' (smallest possible NAND size rounded to 4 MB).
    - Can perform the "Format EmuNAND" action, which allows partitioning, formatting and injecting a NAND dump onto a new SD card without using a Nintendo 3DS console.
    - Can remove an existing NAND from the SD card by repartitioning and formatting it, gaining more space for the FAT partition in the process. If a NAND that precedes one or more additional NANDs is removed, those will be lost as well. Removing NAND #1 is equivalent to formatting the SD card without an EmuNAND, i.e. you will recover all the space consumed by the NAND(s).
    - Can set a custom name for a NAND, which CakesFW can display in its Multi NAND selection menu.
    Acknowledgements
    Pete Batard, for developing Rufus. This program uses code from Rufus in its FAT32 formatting procedure. All my friends, who helped and motivated me to keep going. The people at GBAtemp, for testing each new release. Application created by DarkMatterCore.
  6. Batch CIA 3DS Decryptor

    Batch CIA 3DS Decryptor is a simple .bat file that decrypts CIA and 3DS files for beginners. .CIA files are decrypted and converted to CCI, or only decrypted so that the CIA can be installed in Citra.
    Using Batch CIA 3DS Decryptor
    Put the XXX.cia and XXX.3ds games, DLC and patches in this folder; multiple files are supported. Run "Batch CIA 3DS Decryptor.bat". Wait for the process to complete and you're done. Note: a lot of memory/RAM is needed when these files are very large.
    Functions and effects:
    - Decrypts CIA and 3DS files.
    - DLC/Patch CIA > decrypted CIA, installable in Citra.
    - 3DS games > decrypted and trimmed 3DS, so the resulting file takes up less space.
    - CIA games > decrypted CCI (NCSD), not CXI (NCCH).
    - Automatic detection of the CIA type (DLC/Patch/Game).
    Authors:
    54634564 - decrypt.exe; profi200 - makerom.exe, ctrtool.exe; matif - Batch CIA 3DS Decryptor.bat
  7. NitroEdit

    NitroEdit is a Nintendo DS and DSi ROM editor that runs on the Nintendo DS and DSi consoles themselves, compatible with flashcarts or TwilightMenu for example, allowing you to customize ROMs with the simplicity and portability of this family of Nintendo handhelds.
    Supported formats
    - NDS(i) ROM: view/edit information (game title, game code, maker code); view/edit the icon; browse its NitroFs filesystem.
    - Archives (NARC, CARC, etc.): browse their NitroFs filesystem.
    - NCGR, NCLR, NSCR: view/edit the texture formed by NCGR + NCLR; view the texture formed by NCGR + NCLR + NSCR (saving not yet supported).
    - SDAT: browse wave archives (SWAR) and their wave samples; play/edit those wave samples (SWAV), recording with the console's microphone!
    - BMG: view/edit its strings.
    TODO / Known issues
    - Move from placeholder graphics to proper graphics.
    - Improve load/save times; not much can be done, due to technical limitations that existing ROM editors don't have...
    - Detect file formats with a better system than just checking the extension (checking headers, etc.).
    - Implement zoom for large textures in the graphics editor.
    - Allow changing colors in the color palette in the graphics editor.
    - Implement saving textures as NCGR + NCLR + NSCR.
    - Support other formats inside SDAT (STRM, SSEQ, etc.).
    - Models and model textures (NSBMD, NSBTX); maybe support editing those textures at least?
    - Implement utility.bin support (it contains a filesystem inside).
    - For multi-palette NCGR + NCLR textures, allow choosing which palette to load.
    - Improve the menu code (the flickering can be annoying).
    - Support the ignored attributes in NSCR data (check the credited links below).
    - Support the PMCP section in NCLR.
    - Add hex/text editors/viewers?
    - Support exporting and importing files from NitroFs filesystems?
    - Support more special characters (é, à, etc.) in the keyboard.
    - Improve LZ77 (de)compression? Currently using an implementation ported from C#; there could be more optimal implementations out there...
    Application created by XorTroll.
  8. Supercard DSONE SDHC and DSONEi Evolution Firmware

    The latest firmware version for the DSONE SDHC and DSONEi Evolution flashcards.
    Includes the latest patch with the database (12/06/2012) that was not included in the official release.
    How to update the DSONE SDHC and DSONEi Evolution firmware?
    Download the latest firmware from right here. Copy the downloaded firmware to the microSD inserted in the DSONEi, then insert it into the firmware writer and plug that into the USB port for power and operation. No additional software is needed; the firmware writer will renew the DSONEi firmware automatically in about 8 minutes. A flashing light means renewal in progress. A green light means the update has finished. A red light means the renewal failed. If it fails, repeat the process.
  9. NooDS

    A (hopefully!) speedy NDS emulator for Windows, macOS, Linux, Switch, PS Vita and Android.
    Overview
    The goal of NooDS is to be a fast and portable Nintendo DS emulator. It's not quite there speed-wise, but it does offer most other features that you might expect from a DS emulator. It even supports GBA backwards compatibility! I'm doing this for fun and as a learning experience, and also because I'm a huge fan of the DS. It may not be a worthy competitor for the other DS emulators just yet, but I believe that I can get it there someday. If not, that's fine too; like I said, I'm just having fun!
    Usage
    NooDS doesn't provide high-level emulation of the BIOS yet, so you'll need to provide BIOS and firmware files dumped from your physical DS. The file paths can be configured in the settings. It also currently lacks automatic save type detection for DS games. If you load a new game and saving doesn't work, you'll have to manually change the save type. This information can be difficult to find, so it's easier if you have working save files already present.
    by Hydr8gon.
  10. 3DS Ropkit

    This is a codebase intended to be used with userland title exploits in general for Nintendo 3DS.
    The exploit would use the scripts here for locating the required ROP addresses. Then in the .s, it would include "ropkit_ropinclude.s", and if this is a regular application, "ropkit_boototherapp.s".
    Currently this is only usable with GCC with the "-x assembler-with-cpp" build option.
    This requires ropgadget_patternfinder.
    ropkit_boototherapp.s
    This handles booting the otherapp *hax payload, various defines are required.
    This automatically handles locating each 0x1000-byte page in .text used with the payload in physmem, across the entire APPLICATION memregion. Hence, this bypasses the codebin physmem randomization added with v10.4, which was later enabled for more titles with v11.0.
    by yellows8.
  11. Kartdlphax

    kartdlphax is a semi-primary exploit for the digital version of Mario Kart 7 for Nintendo 3DS.
    It can be used to run a userland payload on an unmodified Nintendo 3DS by connecting it via download play to another Nintendo 3DS with Custom Firmware that is running the exploit.
    Installing Kartdlphax
    The exploit uses a 3GX plugin on the host system. Therefore, to use this exploit you need to install the 3GX Loader fork of Luma3DS.
    On the host console, place the Kartdlphax .3gx file downloaded from right here in one of the following directories, depending on your game's region:
    - EUR: luma/plugins/0004000000030700
    - JAP: luma/plugins/0004000000030600
    - USA: luma/plugins/0004000000030800
    (The TWN, CHN and KOR versions have not been tested.)
    By default, the plugin will use the preloaded otherapp payload (universal-otherapp). You can place your own otherapp at the path /kartdlphax_otherapp.bin, but keep in mind that otherapp hax 2.0 does not currently work.

    Using Kartdlphax
    1. On the host 3ds, make sure the plugin loader is enabled from the Rosalina menu (L+Down+Select), then launch the Mario Kart 7 game matching the region of the client 3ds(es). (You will see a confirmation message on the top screen once the game launches.)
    2. On the client 3ds(es), launch the download play application.
    3. On the host 3ds, select Local Multiplayer then Create Group. After that, let the client 3ds(es) join the group.
    4. Once the multiplayer menu loads on the host 3ds, select Grand Prix then 50cc then any driver combination and finally the Mushroom Cup.
    5. After a while the exploit will trigger on the client 3ds(es).
    Keep in mind that while you can send the exploit to 8 consoles at the same time, the success rate seems to decrease for each console added.
    Technical Details
    This exploit consists of 3 stages + the otherapp.
    Vtable pwn exploit: The download play child application doesn't have the course files stored in its romfs, so it has to ask the host to send them when needed. Since this data is not part of the child .cia and is not signed, we can send anything arbitrary. Furthermore, the client sets up a buffer to receive the data from the host, but it never checks the incoming data size, so we can produce a buffer overflow which overwrites important data after the receive buffer. By overwriting a vtable, we can produce an arbitrary jump in the main thread and eventually jump to the ROP chain.
    ROP chain: From the rop chain, and using yellows8's 3ds ropkit as a base, we can terminate some problematic threads and replace the area at 0x100000 with the next stage using gspwn. We can't load otherapp directly from ROP because some gadgets and important functions are in the same area as the otherapp target address, so a small helper payload is needed first.
    Miniapp payload: This asm payload, based on luigoalma's version from nitpic3d, is responsible for terminating the rest of the problematic threads, reconstructing the partitioned otherapp from the received buffer, mapping it to 0x101000 with gspwn and finally launching it.
    You can find more in-depth details in the comments inside the plugin and miniapp source files.
    Credits
    - 3ds ropkit (by yellows8).
    - universal-otherapp (Copyright (c) 2020 TuxSH).
    - CTRPF (by Nanquitas).
    - nitpic3d's developer luigoalma for his huge help.
    - Kartic for his huge help and all the people from his development discord server.
    Notice
    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
    by PabloMK7.
  12. pre9otherapp

    Otherapp payload which can be used on firmwares earlier than 9.2 to launch an arm9 payload from the sd card directly.
    Note
    The otherapp payload produced by this repo can be used on all regions and 3ds consoles, but it only works on firmwares between 1.X and 9.2.
    Usage
    The otherapp can be used with soundhax to launch an arm9 payload such as safeb9sinstaller. The otherapp looks for an arm9.bin on the root of your sd card.
    Steps
    1. Get the soundhax file for your console and region.
    2. Get the arm9 payload, safeb9sinstaller in this case.
    3. Download the otherapp.bin from the releases page.
    4. Put all the files on the root of your sd (for safeb9sinstaller, just copy the arm9.bin from the zip).
    5. Launch soundhax.
    If everything goes correctly you will be in safeb9sinstaller; this might or might not work on the first try.
    Technical details
    I have incorporated an edited version of svchax (memchunkhax) and brahma (firmlaunchhax) to gain arm11 and arm9 execution. So we first use memchunkhax to gain arm11 execution, then we map the arm11 and arm9 payload and then perform a firmlaunch. On pre-4.0 firms we use usr2arm9ldr to gain arm9 code execution.
    Credits
    Huge parts of this project are parts of pre-existing projects. I would like to thank anyone who has aided in the development of BrahmaLoader, svchax, ctrulib, usr2arm9ldr and ninjhax2.x
    I'd also like to thank my testers: @jason0597, @saibotu, @knight-ryu12, @ihaveamac and @frozenchen
    Wouldn't have been able to do it without you guys!
    Also thanks to TuxSH for helping me out with various questions!
    by hax0kartik.
  13. Soundhax

    A heap overflow in tag processing leads to code execution when a specially-crafted m4a file is loaded by Nintendo 3DS Sound.
    This bug is particularly good, because as far as I can tell it is the first ever homebrew exploit that is free, offline, and works on every version of the firmware for which the sound app is available.
    Regions and Versions
    Region  Version    N3DS/N2DS  O3DS/2DS
    US      1.0-11.3   ✓          ✓
    JPN     1.0-11.3   ✓          ✓
    EUR     1.0-11.3   ✓          ✓
    KOR     4.0-11.3   ✓          ✓
    CHN     4.0-11.3   N/A        ✓
    TWN     4.1-11.3
    All existing versions of Nintendo 3DS Sound prior to Nintendo fixing the vulnerability are now supported.
    If your box is checked, then put otherapp.bin on the root of your SD card along with soundhax.m4a and launch the song from the sound player.
    It can be used along pre9otherapp to launch an arm9 payload from the SD card on pre 9.0 firms (2.1 - 9.2).
    Installation
    1. Download the relevant soundhax-region-console-firmware.m4a file for your device. Save the soundhax song file and copy it to the root of your SD.
    2. Download the otherapp payload for your 3DS version, rename it to otherapp.bin, and copy it to the root of the SD card.
    3. Download the Homebrew Menu and place boot.3dsx in the root of the SD card (if it is not there already).
    4. Insert the SD card into the 3DS and start Nintendo 3DS Sound.
    5. Locate your new song and play it to start the Homebrew Menu!
    Fixing the annoying bird: Click through all of the bird tips, then close the app normally. When you exploit it, it doesn't save the fact that you've opened the app before, so closing and reopening normally seems to fix this.
    Build
    Install Python 2.7 and devkitARM.
    Then run python exp.py <usa/eur/jpn/kor/chn/twl> <new/old> <pre21/v21and22/v3xand4x/post5> to generate soundhax-*.m4a.
    Writeup
    The Bug
    3DS Sound mallocs a buffer of 256 bytes to hold the name of song as described in its mp4 atom tags. This is sensible since it's the maximum allowed size according to the spec. When parsing an ascii title, strncpy(dst, src, 256) is used, which is safe and correct. However, because unicode strings contain null bytes, rather than using a unicode strncpy variant, the application simply memcpys the name bytes onto the heap using the user provided size, which can be arbitrarily large.
    Exploit
    I overflow my data onto the next heap chunk, which lets me fully control the malloc header of that chunk, which happens to be allocated at the time of the overflow. When that chunk is freed, a heap unlink is performed, which allows me to do an arbitrary write. This means I can write a dword to the stack and control PC.
    Unfortunately, there aren't any usable gadgets (trust me, I looked), so I had to use a more advanced technique to exploit the bug. I used the arbitrary write to overwrite the free list header with a stack address, while setting the start and end fields of the chunk being freed to cause the block to appear undersized, thus causing it to not be added to the free list and so the stack address I just wrote is used on the next malloc.
    Because malloc jumps through the free list looking for a suitable block, I had to find a stack address at which there appears to be a valid heap chunk header with a large enough size for the requested allocation and null pointers for the next and prev entries in the list, so that my stack chunk is chosen as the 'best' one.
    Once all of these conditions are met, the next malloc returns the stack address as the 'heap' location to write my next tag data, which lets me turn the arbitrary write primitive into ROP.
    From there I use the gspwn GPU exploit to write my stage2 shellcode over the text section of the sound process, before finally jumping to it.
    In summary, the process looks like this:
    heap overflow -> arbitrary write to free list -> stack overflow -> gspwn -> code execution
    Thanks
    - Subv and Citra authors - for help emulating sound, this was invaluable
    - plutoo - stage 2 shellcode
    - yellows8 - help with gpu address translation for gspwn, initial JPN support, finished KOR support
    - smea - homebrew launcher
    - d3m3vilurr - EUR, JPN, partial KOR support
    - TuxSH - O3DS offset
    - Konng - Testing EUR payloads
    - #cakey - advice and support
    - PPP - teaching me everything I know
    - geohot, comex, j00ru, loki, project zero - inspiring me to pursue bug hunting
    by nedwill.
  14. Otherapp

    Otherapp payload compatible with Nintendo 3DS system versions 1.0 to 11.14 (all regions, all models) that leverages full exploit chains to finally run a payload from the SD card.
    Usage
    Depends on the exploit used. The recommended exploit for system versions 1.0 to 11.3 is soundhax. In that case the otherapp.bin file must be placed in the root folder of the SD card.
    Technical details
    We leverage a kernel exploit to alter L1 translation table entries that have never been accessed before, and then run kernelhaxcode_3ds, which does the rest of the work.
    - Below system version 9.3: we use memchunkhax1.
    - 9.3 and above: we exploit sm and then leverage this to exploit spi. The SPI sysmodule has access to GPUPROT, which lets us do GPU DMA over kernel memory.
      - The full writeup will be published at Christmas.
      - The spi vulnerability has been documented on 3dbrew for years.
      - The sm vulnerability is an unreported 0day; however, I fixed the bug in the Luma3DS reimplementation back in 2017. I think it's fine to release it now, since the 3DS is EoL and people can use seedminer on the latest system version anyway.
    - safehax or agbhax is used depending on the version.
    - Tested with Luma3DS.
    If using Luma3DS, it is necessary to disable the firmlaunch patches and build it without custom sysmodules.
    Credits
    zoogie, fincs, aliaspider. Application created by TuxSH.
  15. Old Browserhax XL

    Old-browserhax-XL is another primary userland exploit for the old3ds browser, Spider. It's the successor to old-browserhax, which was murdered by firmware 11.14. RIP.
    What's needed
    An old3ds (or old2ds) on firmware:
    11.14.0-46 on regions US,EU,JP,KR,CH,TW
    Directions (hbmenu)
    1. In the release folder (same as old-browserhax), find your region (USA, EUROPE, JAPAN), take all files inside that folder and put them on the root of your sd card. Do not copy the entire region folder over, just its contents.
    2. Place the homebrew launcher boot.3dsx from here also on the root of your sd card.
    3. With wifi on and working, scan this QR after pressing the L+R shoulder buttons together and tapping the QR button on the bottom screen. The link to the sploit page is https://zoogie.github.io/web/nbhax if you want to type it in manually and/or bookmark it.
    4. Click on the "PROCEED TO HAXX" button, then press A twice to confirm two pop-ups. The exploit should then load the homebrew menu.
    Make sure to add homebrews to the sdmc:/3ds folder first in order to have something to run. See other guides online about what you can do with homebrew. Note that CH & TW regions cannot run hbmenu homebrew. Only cfw options like AGBhax are possible with these regions. This is a limitation of the *hax homebrew environment, not this exploit.
    Exploit details
    A certain line of javascript moves an object from an iframe to its parent while the iframe is still being parsed. This results in a Use-After-Free crash. It's based on the webkit test case here.
    Troubleshooting (hbmenu)
    Problem: The 3ds freezes on a yellow screen. Solution: Try again. Boot rate is about 75-80%. This has always been an issue with hax homebrew and not specific to this implementation. If this keeps occurring over and over, it's likely being caused by running browserhax while cfw (luma3ds + boot9strap) is already installed -- don't do this! Follow https://3ds.hacks.guide for proper instructions on how to launch .3dsx homebrew under cfw. Hard freezing with regular screens (ie no solid colored screen) can also indicate running under cfw. Problem: The 3ds freezes on some other color screen or "An error has occured" prompt shows up. Solution: Make sure you have all the correct files. Check your region is correct.  At minimum, make sure to have the below 3 files in the sd root as shown. sdmc:/arm11code.bin sdmc:/browserhax_hblauncher_ropbin_payload.bin sdmc:/boot.3dsx Problem: I still can't get the exploit to work and the two solutions above didn't help. Solution: Go to your browser's settings and select Clear History and Delete Cookies. Now create a bookmark with https://zoogie.github.io/web/nbhax as the address (or just edit an existing bookmark). Exit the browser, then launch it again (this saves your changes), and then finally launch that nbhax bookmark you just made. It may also be helpful to power cycle the 3ds in between attempts if the exploit is still being stubborn. FAQ
    Q: Will this exploit be fixed in a firmware update?
    A: Last time I suggested about 50% odds new-browserhax being fixed which turned out to be 100% odds. So I guess that means we average those two and get a 75% chance of it being fixed this time 😛 I really don't know.
    Q: Will this work with unSAFE_MODE and AGBhax?
    A: Works for me! The directions for these exploit chains are out of scope for this readme though.
    by zoogie.
  16. GBABF

    This is a tool for reflashing GBA bootlegs on the DS.
    I recommend placing your GBA roms in a directory called "GBA" on the root of your SD-card, as it will be opened by default.
    USE AT YOUR OWN RISK!
    While I've successfully tested this with about a dozen bootlegs, there's no guarantee that this will work with yours. There's also a chance that this will manage to erase the data, but not flash new data leaving your bootleg in an unplayable state.
    If you do run into errors, try cleaning the pins and make sure the cart is inserted properly.

    Features
    Flash ROM: Flashes a rom file to the cart (7 flashing methods available)
    Detect Flash: Tries to detect which flashing method will work with the cart
    Compare cart to file: For checking if flashing was successful
    ROM Viewer: Allows you to look at the data on the cart, useful for making sure the cart is inserted & recognized properly
    List EG0xx-Multicart Games: Lists the games in different banks on an "EG0xx" multicart (EG0xx refers to multicarts that have "EG" followed by some 2 numbers and "2048M" on the label)
    Dump Data: Dump data from the rom to the SD card, useful for dumping roms or save data
    Flash Data: Flash data starting at a specified block, useful for injecting save data
    Erase Flash: Erases the contents of the entire cart (this option is not needed for flashing)
    Launch Slot-2 Game: Allows quickly booting the slot-2 game, with options like selecting which screen to play on and custom border loading (border image must be a 15-bit bmp)
    by fexean.
  17. R4 Downloader

    A kernel installer for R4i-SDHC and R4iSDHC.
    If you ever needed to get your R4i Gold Pro 20-whatever up and running, or wanted to try out YSMenu on it, then this is the tool for you. R4 Downloader uses a mix of standard CMD and PowerShell command-line utilities to get everything you need on your microSD card. It also includes 7zA, a stripped down version of the 7z command-line utility primarily for extracting RetroGameFan's Multi Cart Update.
    Credits to RGF for the Multi Cart Update.
  18. M3i Zero GMP-Z003 Updater Plus 450HW Update

    This is the updated patch for M3i zero to support 3ds v4.5.0-10 and DSi V1.45.
    This updated software package supports only the M3i Zero card (GMP-Z003 model), the code is printed on the top right of the label of the card.
    *If you used this package to upgrade, you also need to use the "M3i Zero Core data file V4.5.0" to upgrade again in order to be compatible with 3DS 4.5.0-10x firmware.
  19. NTRBoot

    The drag-and-drop method of setting up ntrboot for PC-less b9s installation.
    I designed this pack in order to easily carry only a few things and still be ready to exploit any console as quickly as possible.
    This pack includes everything you need to get someone started with CFW and homebrew, all within 30mb, meaning it should easily fit on any modern SD card.
    To get started, you'll need to use the version of boot9strap_ntr that loads ntrboot.firm instead of the standard boot.firm. This version is included in the pack as well within the ntrboot folder.
    Tools:
    If you keep these four items on you, you will be able to hack any 3ds without using a PC:
    Flashcard with microSD: You'll obviously need a compatible flashcard in order to use ntrboot. The microSD within the flashcard will act as the source SD
    Magnet: Self explanatory. The magnet you will use to activate ntrboot.
    microSD to SD adapter: Allows you to use your flashcard microSD in systems that require a standard SD
    Screwdriver bit: A small screwdriver bit used to unscrew systems that have the SD covered by the back plate
    Setup:
    If you don't already have the specialty version of boot9strap_ntr (within the ntrboot folder) flashed to your flashcard, use the provided boot9strap_ntr.firm with ntrboot_flasher.
    Copy the contents within the SD folder to the root of your flashcard microSD. Remember, the CONTENTS of the SD folder, not the folder itself.
    Usage:
    Turn off the target system.
    Remove the target system's SD card and replace it with the source SD (the SD card from your flashcard).
    Insert the flashcard into the target system, place the magnet and boot ntrboot (X+Start+Select+Power).
    The target system should boot into safeb9sinstaller; follow any prompts to complete the install process (should take less than a minute).
    Once the SigHaxed FIRM installs, press A to continue. The console should reboot into godmode9.
    Once godmode9 boots, press home, go to "More...", then "Scripts...". Select copy_ntrboot, and accept any prompts that pop up.
    Once the script completes, press R+B, then remove the source SD and replace it with the target SD.
    Select "[9:] RAMDRIVE" to open it. Scroll to "paste_ntrboot.gm9", select it, then select "Execute GM9 script". Accept any prompts that show up.
    Once the script completes, press Start to reboot the system. The console should boot into the Luma3DS configuration. Check these options then press Start:
    -"Show NAND or user string in System Settings"
    -"Patch ARM9 access" - required for 3dsx versions of homebrew like FBI
    Once your system boots to the home menu, open Download Play. Push L+Down+Select to open Rosalina. Go to "Miscellaneous options...", then select "Switch the hb. title to current app." Once that completes, push B and select "Save settings", then press B twice to exit the Rosalina menu.
    Press home, close Download Play, then re-open it. You should now be met with a blue screen with "DSP1 - zoogie" at the time. Let it run until it completes. Instead of pushing Start or B when prompted, press home, close the app, then power off the 3ds.
    Hold Start and power on the 3ds to boot into godmode9.
    Once godmode9 boots, press home, select "More...", then select "Scripts...". Select finalize and follow any prompts or instructions it gives, accepting them all. When asked to relock, accept.
    If you wish to make a nand backup (some users may not have enough space to do so), go back to the "Scripts..." menu once more and run "Backup SysNAND".
    Press Start to reboot the 3ds.
    The process can very easily be memorized and completed in under 5 minutes.
    All homebrew will run as a 3dsx from HBL (which is set to download play). No CIA installations to worry about! Future CIA installs still possible with FBI.3dsx
    Included homebrew:
    freeShop
    BootNTRSelector
    FBI
    JKSM
    Luma Updater
    FTPD
    Themely
    I also decided to remove a lot of the homebrew from the homebrew starter kit, as most of it is pretty much deprecated and has been replaced by luma functionality.
    Also includes a few custom themes by default
    Credits:
    @Ryccardo for the version of boot9strap_ntr that loads ntrboot.firm instead of boot.firm
    @squall14716 for giving me the original idea
    Creators of all homebrew used. They've made some seriously great stuff!
    And of course anyone that helped bring us ntrboot. Without that this would not even be possible!
    by TheCyberQuake.
  20. new browserhax XL

    New-browserhax-XL is another primary userland exploit for the new3ds browser, Skater. It's the successor to new-browserhax, which bravely fell in battle against firmware 11.14. RIP.
    What's needed
    A new3ds (or new2ds) on firmware:
    11.14.0-46 on all 4 new3ds regions: US, EU, JP, KR
    Directions
    In the release folder, find your region (USA, EUROPE, JAPAN, KOREA) and take all files inside that folder and put them on the root of your sd card. Do not copy the entire region folder over, just its contents. Place the homebrew launcher boot.3dsx from here also on the root of your sd card. With wifi on and working, scan this QR after pressing the L+R shoulder buttons together and tapping the QR button on the bottom screen. The link to the sploit page is https://zoogie.github.io/web/nbhax-xl/ if you want to type it in manually and/or bookmark it. The exploit should then immediately flash colors and load the homebrew menu. Make sure to add homebrews to the sdmc:/3ds folder first in order to have something to run. See other guides online about what you can do with homebrew.
    Exploit details
    This is a simple stack smash that occurs when a .css @import command contains a '#' (url fragment) at the beginning of the url. The webkit test demo this is based on can be found here.
    Troubleshooting
    Problem: The 3ds freezes on a yellow screen.
    Solution: Try again. Boot rate is about 75-80%. This has always been an issue with hax homebrew and not specific to this implementation. If this keeps occurring over and over, it's likely being caused by running browserhax while cfw (luma3ds + boot9strap) is already installed -- don't do this! Follow https://3ds.hacks.guide for proper instructions on how to launch .3dsx homebrew under cfw. Hard freezing with regular screens (i.e. no solid colored screen) can also indicate running under cfw.
    Problem: I get an "An exception occurred" black screen with white text on both screens.
    Solution: You already have cfw and there's no reason to run browserhax. Consult this for instructions on how to run homebrew properly under cfw.
    Problem: The 3ds freezes on some other color screen or "An error has occurred" prompt shows up.
    Solution: Make sure you have all the correct files. Check your region is correct.
    At minimum, make sure to have the below 3 files in the sd root as shown.
    sdmc:/arm11code.bin
    sdmc:/browserhax_hblauncher_ropbin_payload.bin
    sdmc:/boot.3dsx
    Note that these are the same files used in the previous new-browserhax, so no need to change them if they're already there.
    Problem: I still can't get the exploit to work and the three solutions above didn't help.
    Solution: First, tap the bottom left star icon, then select the top right History tab, and the Delete History button at the bottom. Then go to your browser's settings and select Delete Cookies. Now create a bookmark with https://zoogie.github.io/web/nbhax-xl/ as the address (or just edit an existing bookmark). Exit the browser, then launch it again, and then finally launch that nbhax-xl bookmark you just made. It may also be helpful to power cycle the 3ds in between attempts if the exploit is still being stubborn.
    FAQ
    Q: Will you support old3ds, old2ds?
    A: Planned. I already have a working exploit for spider but it's pretty unstable. Needs more time.
    Q: Can I install unSAFE_MODE with this to get cfw?
    A: Absolutely, be my guest : ) You can boot slotTool.3dsx and install the hacked wifi slots, then run the unSAFE_MODE exploit. No explicit directions will be given for that here, but guides should pop up soon with directions.
    Q: Where did this browser exploit come from originally?
    A: https://github.com/WebKit/webkit/blob/master/LayoutTests/http/tests/css/css-imports-url-fragment.css
    Q: I looked at the source and noticed the html file seems to import itself as a .css, wat?
    A: That's an html quirk that I don't quite understand myself, but it's convenient. It's actually not part of the vuln; I could've used a separate file for the .css code, but chose not to.
    Q: Why did you name it new-browserhax-XL?
    A: I am creatively bankrupt.
    Q: Will this exploit be fixed in a firmware update?
    A: Last time I suggested about 50% odds new-browserhax being fixed which turned out to be 100% odds. So I guess that means we average those two and get a 75% chance of it being fixed this time 😛
    I really don't know.
    by zoogie.
  21. 3DSBank

    Have you hit the 300 title limit on your 3DS, and/or want more than 300 titles, but don't want to make an EmuNAND (or 2nd one), or use another SD card?
    The answer, is 3DSBank!
    With this, you can store your Nintendo 3DS folder into a bank, and select or create another one to use, containing your other titles (and themes, and badges).

    Adding custom names
    The custom names can be defined in 3DSBank/3DSBank.ini like so:
    [3DSBANK]
    SLOT_NAME_0 = Favorites
    SLOT_NAME_1 = More Fav.
    SLOT_NAME_2 = Homebrew Games
    etc....
    Credits
    DrStraightface: Updated source to allow custom naming of folders, and having currently active folder selected on startup.
    by RocketRobz.
  22. TinyVNC

    A VNC viewer for the Nintendo 3DS. With this homebrew software, you can connect to any computer running a VNC server, view the screen contents and control it with your 3DS.
    Installing TinyVNC:
    Install the CIA with FBI, run the 3dsx from the homebrew launcher (put the 3dsx file in the /3ds/vice3DS-C64 directory) or run the 3ds from a flashcard. Apart from this, a DSP dump is needed for sound to work properly in the CIA version.
    Using TinyVNC:
    During the first start, TinyVNC will write its configuration files to the SD card. You can edit the /3ds/TinyVNC/keymap file to customize the button mappings. The preconfigured button mappings are:
    A: a-key
    B: b-key
    X: x-key
    Y: y-key
    L, R: q, w-keys
    ZL, ZR: 1, 2-keys
    C-Pad: Cursor up, down, left, right
    D-Pad: t, g, f, h-keys
    C-Stick: i, k, j, l-keys
    SELECT: Escape-key
    START: Disconnect
    The touchscreen acts as a touchpad for mouse control (tap to click, double tap to double-click, tap and drag)
    TinyVNC is an application created by badda71.
  23. nitpic3d

    nitpic3d, a secondary 3DS userland exploit for Picross 3D: Round 2 (Europe and USA) and カタチ新発見! 立体ピクロス2 (Japan).
    Exploit explanation
    Summary:
    Out of bounds array access that allows pointing to fabricated objects and a fabricated vtable.
    Description:
    The game only checks the save header. With the last interacted save slot index at +0xb270 in the save data left unchecked, we can achieve a predictable out of bounds access, as well as insert ROP data without the save corruption being detected. The game references an object from an array of 3 elements and passes it to a function that will read object pointers and hit a vtable call. With a copy of the save data left in memory and a properly calculated index, we can point to a fake object position in the save, vtable jump to a stack pivot and start the ROP chain.
    Installing
    Take the nitpic3d_installer folder itself from releases or your built output in build/ and place it on the 3ds's SD card in /3ds/. After copying the folder, place the desired otherapp.bin in the desired region folder inside /3ds/nitpic3d_installer/. otherapp.bin can be obtained here, except for European consoles running version 11.10 or above; for those go here instead. Select the system version the exploit will be running on and download with Download otherapp. Run it from another homebrew entrypoint, or another homebrewed console if planning to install to the cart version. Instructions are provided in the README.md inside nitpic3d_installer, plus simple on-screen controls when the installer is running.
    Running the exploit
    Just open the game, tap to enter the saves screen.
    If you get the message Welcome to the Picross 3D Café! (Europe and USA) or いらっしゃいませ。 立体ピクロス カフェへようこそ。 (Japan) with no save slots used, just tap again. If it doesn't run, double check that you installed the exploit properly.
    Credits and special thanks
    Kartik for finding that the game is crashable with random data, letting me investigate and helping me search initial pivot points. Also testing the completed exploit save on an EUR New3DS. (And enduring my excitement at given moments during exploitation.)
    yellows8 for the very handy 3ds_ropkit
    Zoogie for helping with the 3ds_ropkit and finding the stack pivot, as well as helping me test out initial testing phase SAVEDATAs
    knight-ryu12 for testing the completed exploit SAVE on a JPN New3DS
    ihaveahax for testing on USA New3DS and Old3DS
    LunaDook for testing on JPN Old3DS and USA New3DS too
    Everyone I may have forgotten to mention that assisted and/or supported me. If I forgot someone, or some detail, tell me.
    by luigoalma.
  24. Wumiibo

    Wumiibo enables Amiibo emulation on the Nintendo 3DS.
    How to use Wumiibo
    You need to have the latest version of Luma3DS for this to work properly.
    Put the 0004013000004002 folder in luma/titles/.
    Download the amiibo you want to emulate from here. All this website does is produce a bin file with the amiiboID in it, so the produced file can be shared freely.
    Place the downloaded bins in a folder and put that folder in sd:/wumiibo. You can also place the bins directly inside sd:/wumiibo. You can have up to 49 folders, and inside each folder you can have more subfolders. So if you sort your folders properly, there is no limit on the number of amiibos you can have at once.
    Enable title patching from the luma menu.
    Open your game and get to the screen where it tells you to place your amiibo.
    Press L + DOWN + START to bring up the Wumiibo menu and select the amiibo you want to emulate.
    If everything went well, your amiibo should now be emulated.
    If you want to use your real amiibos, you will have to disable wumiibo by disabling game patching from the luma menu.

    Workaround for games that freeze
    Some games freeze after closing the wumiibo menu. The following workaround can be used to emulate amiibos in such games.
    After opening the game, press the home button. Open the wumiibo menu and choose what you want to do. Reopen the game. Do not try to open the wumiibo menu in these kinds of games.
    Wumiibo is an application created by hax0kartik.
  25. old-browserhax

    This is a new homebrew menu loading userland exploit for the old3ds browser, Spider.
    What's needed
    An old3ds (or old2ds) on firmwares:
    11.9.0-42 -> 11.13.0-45 for USA or JAPAN
    11.10.0-43 -> 11.13.0-45 for EUROPE
    Note: The last number on the firmware version matters. If you updated from a cartridge to your current firmware, you will need to update to the latest firmware, as your browser would have been erased by the cart update.
    Directions
    In the release folder, find your region (USA, EUROPE, JAPAN) and take the two files inside that folder and put them on the root of your sd card. Do not copy the entire folder over. Place the homebrew launcher boot.3dsx from here also on the root of your sd card. With wifi on and working, scan this QR after pressing the L+R shoulder buttons together and tapping the QR button on the bottom screen. The link to the sploit page is https://zoogie.github.io/web/nbhax if you want to type it in manually and/or bookmark it. Click on the "PROCEED TO HAXX" button and the exploit should then load the homebrew menu. Make sure to add homebrews to the sdmc:/3ds folder first in order to have something to run. See other guides online about what you can do with homebrew.
    Exploit details
    This is a Use-After-Free based on the layout crash test here.
    Troubleshooting
    Problem: The 3ds freezes on a yellow screen.
    Solution: Try again. Boot rate is about 75-80%. This has always been an issue with *hax homebrew and not specific to this implementation.
    Problem: The 3ds freezes on some other color screen or "An error has occurred" prompt shows up.
    Solution: Make sure you have all the correct files. Check your region is correct. At minimum, make sure to have the below 3 files in the sd root as shown.
    sdmc:/arm11code.bin
    sdmc:/browserhax_hblauncher_ropbin_payload.bin
    sdmc:/boot.3dsx
    Problem: I still can't get the exploit to work and the two solutions above didn't help.
    Solution: Go to your browser's settings and select Clear History and Delete Cookies. Now create a bookmark with https://zoogie.github.io/web/nbhax as the address (or just edit an existing bookmark). Exit the browser, then launch it again (this saves your changes), and then finally launch that nbhax bookmark you just made.
    FAQ
    Q: Will you support new3ds, new2ds?
    A: Always have: new-browserhax
    Q: Will you support the other 3 minor regions (Korea, China, Taiwan)?
    A: I'll think about it. It should be possible but it would be a lot of work, and I don't have consoles in these regions on hand for testing.
    Q: Can I install unSAFE_MODE with this to get cfw?
    A: Absolutely, be my guest : ) You can boot slotTool.3dsx and install the hacked wifi slots, then run the unSAFE_MODE exploit. No explicit directions will be given for that here, but guides should pop up soon with directions.
    Q: Where did this browser exploit come from originally?
    A: There's no CVE of this exploit that I know of. It is based on that webkit layout test I mentioned above. The adding and removing of objects, then crashing made it seem like a use-after-free was the obvious culprit. I tested my theory with heap spraying dynamically sized fuzz objects, and I got a crash with PC control pretty quickly : )
    Q: The 3ds_browserhax_common code you used works in php server code, why does your hax just use a github io page?
    A: I used a local webserver to emit the unescape output of y8's hb loading code, then converted it to a u32int array for my implementation. I used this script for the conversion. I just really wanted to avoid having to set up a server or asking someone else for that favor.
    Q: Will this exploit be fixed in a firmware update?
    A: Don't know, but it's definitely possible. N has never fixed one of my exploits but they've always been proactive about fixing browser exploits. I give it 50/50 odds.
    Thanks
    MrNbaYoh for his nice blogs.
    Yellows8 for the hbmenu loader code.
    by zoogie.
