3dbrew - User contributions [en]

3DS Userland Flaws

2016-12-30T23:08:17Z

TheProgramerEX: /* System applications */

This page lists vulnerabilities / exploits for 3DS applications and applets. Exploiting these initially results in ROP, from that ROP one can then for example try exploiting [[3DS_System_Flaws|system]] flaw(s).

=Non-system applications=
{| class="wikitable" border="1"
|-
! Application name
! Summary
! Description
! Fixed in app/system version
! Last app/system version this flaw was checked for
! Timeframe info related to this was added to wiki
! Timeframe this vuln was discovered
! Vuln discovered by
|-
| Cubic Ninja
| Map-data stack smash
| See [[Ninjhax|here]] regarding Ninjhax.
| None
| App: Initial version. System: [[10.4.0-29]].
| Ninjhax release
| July 2014
| [[User:smea|smea]]
|-
| The Legend of Zelda: Ocarina of Time 3D
| UTF-16 name string buffer overflow via unchecked u8 length field
| The u8 at offset 0x2C in the savefile is the character-length of the UTF-16 string at offset 0x1C. When copying this string, it's essentially a memory-copy with lenval*2, not a string-copy. This can be used to trigger buffer overflows at various locations depending on the string length.
* When value is >=0x6E it crashes when saving the saveslot, this causes a stack-smash however it normally crashes before it returns from the function which had the stack-frame overwritten.
* With value >=0x9A, it crashes via stack-smash in-game once any dialogs are opened(touching buttons on the touch-screen can trigger it too).
* Length value>=0xCD causes a crash while loading the saveslot, via a heap buffer overflow. This buf-overflow overwrites a heap memchunk following the allocated buffer. When the first 16-bits overwriting that heap memchunk is not the memchunk magic-number(0x7373), the mem-alloc code will just return a NULL ptr which later results in a crash. When the magic-number is valid, the mem-alloc code will continue to attempt to parse the memchunk, which may crash depending on the data which overwrote the memchunk. This heap code is separate from the CTRSDK heap code. Exploiting this doesn't seem to be possible: since the heap code actually verifies that the magic-number for the next/prev memchunk ptrs are correct(unlike CTRSDK), it's not possible to change those ptrs to useful arbitrary addresses outside of savedata(like with triggering a write to a c++ object ptr which later is used with a vtable func-call, this is what one would do with CTRSDK heap here).

On March 11, 2015, an exploit using this vuln was released, that one was intended for warez/etc. The following exploit wasn't released before then mainly because doing so would (presumably) result in the vuln being fixed. The following old exploit was released on March 14, 2015: [https://github.com/yellows8/oot3dhax].
| None
| App: Initial version. System: [[10.6.0-31]].
| March 11, 2015
| Around October 22, 2012
| [[User:Yellows8|Yellows8]]
|-
| Super Smash Bros 3DS
| Buffer overflow in local-multiplayer beacon handling.
| See [[smashbroshax|here]].
| App: v1.1.3
| See [[smashbroshax|here]]. System: [[10.3.0-28]].
| Time of exploit release.
| See [[smashbroshax|here]].
| [[User:Yellows8|Yellows8]]
|-
| Pokemon Super Mystery Dungeon
| Heap overflow within linear memory via unchecked save file length
| Pokemon Super Mystery Dungeon uses zlib compression for most of its save files, possibly due to the save files being larger than it's predecessor, Gates to Infinity. When a save file is being prepared to be loaded and read from, only a 0x32000 large buffer is allocated for file reading, and a 0x3e800-large buffer for decompression is also allocated before the file is read. However, the game does not limit the size of the file read to this allocation bound, allowing for the file to overflow into the linear memory heap and into the next allocation. Since Pokemon Super Mystery Dungeon stores allocation memchunks directly before the allocation, overwriting the next memchunk with a corrupted one allows for arbitrary writes of linear heap pointers when the next buffer is allocated or arbitrary writes of any pointer within writable memory when the corrupted buffer is freed.
| None
| [[10.7.0-32]].
| Time of exploit release.
| April 14, 2016
| [[User:Shinyquagsire23|Shiny Quagsire]]
|-
| VVVVVV
| Buffer overflow in XML save file array parsing
| VVVVVV utilizes several XML files (renamed with a .vvv extension) to store level save data, stats and settings. Within these XML files are several tags containing an array of data which, when parsed, is not properly checked to be of proper length for the tag being parsed from. This allows for an overflow of 16-bit array values from the location where the array is parsed. With unlock.vvv, XML data is parsed to the stack, and with level saves the heap. This allows for the pointer where the level save worldmap tag array should be parsed into to be overwritten with a stack address, allowing for ROP from within the XML array parsing function on the next level load.
| None
| [[10.7.0-32]].
| Time of exploit release.
| April 25, 2016
| [[User:Shinyquagsire23|Shiny Quagsire]]
|-
| Citizens of Earth
| Save file read stack smash
| Citizens of Earth also uses "XML" files for saves, which are actually entirely binary data (not XML at all) with no checksums. These files are read from the filesystem on to a fixed size stack buffer which leads to an incredibly trivial stack smash. When using the autosave slot for this, the save is parsed when the user selects "continue". When using one of the dedicated save slots (1-3), the save is parsed shortly after the company splash screens fade. Note that the save is read quite high (descending) on the stack - when exploiting this, one would likely need to move SP due to almost instantly overflowing the physical stack.
| None
| [[10.7.0-32]].
| Time of exploit release.
| May 5, 2016
| [[User:Dazzozo|Dazzozo]]
|-
| SmileBASIC 3.x
| Poor parameter validation on "BGSCREEN" command
| The SmileBASIC "BGSCREEN" command's second parameter is not properly validated as being within range. As a result, one can set the screen size to an absurdly large value. This means that the "BGGET" and "BGPUT" commands can then be used on out-of-range values to read and write a significant chunk of the interpreter's address space.
With a series of carefully-designed BGPUT commands, one can build a ROP chain and cause it to be executed.
| App: 3.3.2.
| System: [[11.0.0-33]].
| July 20, 2016
| Around June 26, 2016
| slackerSnail, 12Me12, incvoid
Exploited by MrNbaYoh and [[User:Plutooo|plutoo]].
|-
| The Legend of Zelda: Tri Force Heroes
| [[3DS_System_Flaws#General.2FCTRSDK|CTRSDK]] CTPK buffer overflow combined with game's usage of SpotPass
| This isn't really useful due to [[BOSS_Services#Custom_SpotPass_content|this]].

During the very first screen displayed by the game during boot("Loading..."), just seconds after title launch, the game loads CTPK from the [[BOSS_Services|stored]] SpotPass content. Hence, this game could be exploited via the vulnerable CTRSDK CTPK code ''if'' one could get custom SpotPass data into extdata somehow.

The code for this runs from a thread separate from the main-thread, with the stack in linearmem heap.

The two SpotPass URLs for this have always(?) returned HTTP 404 as of November 2016. It appears these were intended for use as textures for additional costumes(and never got used publicly), but this wasn't tested.
| None
| App: v2.1.0
| November 18, 2016
| November 14, 2016
| [[User:Yellows8|Yellows8]]
|-
| Pixel Paint
| Buffer overflow via unchecked extdata file length
| Pixel Paint loads pictures saved by the user from extdatas. The file is read to a fixed size buffer but the file length remains unchecked, so with a large enough file, one can overwrite pointers in memory and gain control of the execution flow.
| None
| App: Initial version. System: [[11.2.0-35]].
| December 27, 2016
| November 5, 2016
| [[User:Nba_Yoh|MrNbaYoh]]
|-
| Steel Diver : Sub Wars
| Heap overflow / arbitrary memcpy
| Savefile datas are stored as key/value pairs, a large enough string key makes the game overwrite a memcpy source/destination addresses and size arguments. So one can actually memcpy a rop on the stack and gain control of the execution flow.
| None
| System: [[11.2.0-35]].
| December 27, 2016
| Around July 15, 2016
| [[User:Nba_Yoh|MrNbaYoh]], Vegaroxas
|-
| 1001 Spikes
| Buffer overflow via unchecked array-indexes in XML savefile parsing
| The savefiles are stored as renamed .xml files, which contain several tags with attributes like 'array-index="array-value"', where both of these are converted from ASCII strings to integers as signed-int32, and the array-value given blindly written to an array inside a structure using the (unchecked) index given. With several of these attributes, one can overwrite the stack starting from the stored lr of the function that does this parsing, and write a ROP chain there. Testing used the "LevelAttempts" tag which is the last such tag parsed in that function.
| None
| App: v1.2.0 (TMD v2096)
| December 27, 2016
| Around November 2, 2016
| [[User:Riley|Riley]]
|-
| Pokemon Omega Ruby/Alpha Sapphire
| Secret base team name heap overflow
| When the player wants to edit the team name, it is copied over the heap, however it's length is not verified. So with a large enough team name one can overwrite some pointers and get two arbitrary jumps and then get control of the execution flow.
| None
| App: 1.4. System: [[11.2.0-35]].
| December 30, 2016
| June, 2016
| [[User:Nba_Yoh|MrNbaYoh]]
|}

==Useless crashes / applications which were fuzzed==
* Pushmo (3DSWare), QR codes: level name is properly limited to 16 characters, game doesn't crash with a longer name. The only possible crashes are triggered by out-of-bounds array index values, these crashes are not exploitable due to the index value being 8bit.

* [[Pyramids (3DSWare)]], QR codes: no strings. Only crashes are from out-of-bounds values (like background ID) and are not exploitable.

* [[Pyramids 2 (3DSWare)]], QR codes: no strings. Only crashes are from out-of-bounds values (like background ID) and are not exploitable.

* [https://github.com/yellows8/mm3d_re The Legend of Zelda: Majora's Mask 3D]

* "The Legend of Zelda: A Link Between Worlds" and "The Legend of Zelda: Tri Force Heroes": these games don't crash at all when the entire save-file(minus constant header data) is overwritten with /dev/random output / 0xFF-bytes. All of the CRC32s were updated for this of course.

* Pokemon Mystery Dungeon: Gates to Infinity has the same unchecked file bounds as Pokemon Super Mystery Dungeon, however since save compression was introduced in Pokemon Super Mystery Dungeon, it only allocates one buffer within the application heap instead of several within the linear heap, resulting in nothing to corrupt or overwrite even if the file's length is extended past it's allocation.

* "Kid Icarus: Uprising": Overwriting the entire savedata results in various crashes, nothing useful.

* Savedata/extdata for "Super Smash Bros 3DS": Overwriting the various files stored under savedata/extdata results in useless crashes.

* "StarFox 64 3D": Doesn't crash at all with the entire savedata overwritten.

* "Frogger 3D": Overwriting a savefile with random-data results in *nothing* crashing.

* "Mutant Mudds": Overwriting the savefile with random data results in a crash

* "Animal Crossing: New Leaf": Creating a QR code from random data results in a valid QR code and a random design. In some very rare cases(which aren't always reproducible?) a crash/etc may occur, but this isn't known to be useful.

==Crashes needing investigation==
* Disney Infinity crashes when all savedata overwritten with /dev/urandom. No checksums. 0xFF bytes don't cause a crash.

* Football Up Online / Soccer Up Online and Football Up 3D / Soccer Up 3D crash when teamname(UTF-16) length = 0x48 AND 0x20 null bytes are removed after just the name or if teamname length is way longer than 0x48.

=System applications=
{| class="wikitable" border="1"
|-
! Summary
! Description
! Fixed in version
! Last version this flaw was checked for
! Timeframe this was discovered
! Discovered by
|-
| 3DS [[System Settings]] DS profile string stack-smash
| Too long or corrupted strings (01Ah 2 Nickname length in characters 050h 2 Message length in characters) in the NVRAM DS user settings (System Settings->Other Settings->Profile->Nintendo DS Profile) cause it to crash in 3DS-mode due to a stack-smash. The DSi is not vulnerable to this, DSi launcher(menu) and DSi System Settings will reset the NVRAM user-settings if the length field values are too long(same result as when the CRCs are invalid). TWL_FIRM also resets the NVRAM user-settings when the string-length(s) are too long.
| [[7.0.0-13]]
| [[7.0.0-13]]
| 2012
| [[User:Ichfly|Ichfly]]
|-
| [[Nintendo 3DS Sound]]
| "A heap overflow in tag processing leads to code execution when a specially- crafted m4a file is loaded by Nintendo 3DS Sound." (description from soundhax's github readme)
| None
| [[11.2.0-35]]
| 2016
| [[User:nedwill|nedwill]]
|}

=System applets=
{| class="wikitable" border="1"
|-
! Summary
! Description
! Fixed in version
! Last version this flaw was checked for
! Introduced with version
! Timeframe info related to this was added to wiki
! Timeframe this was discovered
! Discovered by
|-
| Webkit/web-browser bugs
| spider has had at least three different code-execution exploits. Majority of them are use-after-free issues. See also [[browserhax|here]].
|
|
|
| 2013?
|
| A lot of people.
|-
| Old3DS/New3DS [[Internet_Browser|Browser-version-check]] bypass
| When the browser-version-check code runs where the savedata for it was never initialized(such as when the user used the "Initialize savedata" option), it will use base_timestamp=0 instead of the timestamp loaded from savedata. This is then used with "if(cur_timestamp - base_timestamp >= <24h timestamp>){Run browser-version-check HTTPS request code}".
Hence, if the savedata was just initialized, and if the system datetime is set to before January 2, 2000, the browser-version-check will be skipped. This includes January 1, 2000, 00:00, because that's the epoch(timestamp value 0x0) used with this timestamp.

See [http://yls8.mtheall.com/3dsbrowserhax.php here] for bypass usage instructions.

This was fixed with [[10.7.0-32|10.7.0-32]], see [[Internet_Browser|here]] for details.
| [[10.7.0-32|10.7.0-32]]
|
| [[9.9.0-26|9.9.0-26]]
| February 25, 2016
| November 2, 2015 (Exactly one week after the browser version pages were initially updated server-side)
| [[User:Yellows8|Yellows8]]
|}

==Home Menu==
{| class="wikitable" border="1"
|-
! Summary
! Description
! Fixed in version
! Last version this flaw was checked for
! Introduced with version
! Timeframe info related to this was added to wiki
! Timeframe this was discovered
! Discovered by
|-
| bossbannerhax
| This isn't really useful due to [[BOSS_Services#Custom_SpotPass_content|this]].

After successfully loading [[Extended_Banner|extended-banner]] data(done when selecting an icon), Home Menu attempts to load [[CBMD]] data into a 0x100000-byte heap buffer from the [[BOSS_Services|stored]] SpotPass content. When successful and the magic-number is CBMD, Home Menu then decompresses the CGFX sections into another fixed-size heap buffer, without checking the outsize at all. The main CBMD CGFX code with ExeFS checks the size, but this code doesn't.
| None
| [[11.2.0-35|11.2.0-X]]
| [[1.0.0-0|1.0.0-0]]
| November 18, 2016
| December 23, 2014
| [[User:Yellows8|Yellows8]]
|-
| sdiconhax
| This is basically the same as nandiconhax, the vulnerable SD/NAND functions are ''identical'' minus the file-buffer offsets. Exploitation is different due to different heap-buffer location though. Unlike nandiconhax, the icon buffer for SD is located in linearmem(with recent Home Menu versions at least). This is used by [[menuhax]].
| [[11.1.0-34|11.1.0-X]]
|
| [[4.0.0-7|4.0.0-X]]
| July 27, 2016
| October 23, 2015
| [[User:Yellows8|Yellows8]]
|-
| [[System_SaveData|NAND-savedata]] Launcher.dat icons (nandiconhax)
| The homemenu code processing the titleid list @ launcherdat+8 copies those titleIDs to another buffer, where the offset relative to that buffer is calculated using the corresponding s8/s16 entries. Those two values are not range checked at all. Hence, one can use this to write u64(s) with arbitrary values to before/after this allocated output buffer. See [[Home_Menu|here]] regarding Launcher.dat structure.

This can be exploited(with Launcher.dat loading at startup at least) by using a s16 for the icon entry with value 0xFFEC(-20)(and perhaps more icons with similar s16 values to write multiple u64s). The result is that the u64 value is written to outbuf-0xA0, which overwrites object+0(vtable) and object+4(doesn't matter here) for an object that gets used a bit after the vulnerable function triggers. The low 32bits of the u64 can then be set to the address of controlled memory(either outbuf in regular heap or the entire launcherdat buffer in linearmem), for use as a fake vtable in order to get control of PC. From there one can begin ROP via vtable funcptrs to do a stack-pivot(r4=objectaddr at the time the above object gets used).

Originally this vuln could only be triggered via Launcher.dat at Home Menu startup, right after Launcher.dat gets loaded + memory gets allocated, once the file-format version code is finished running. Starting with v9.6 this can be triggered when loading layouts from SD extdata as well. The vuln itself triggers before the layout data is written to Launcher.dat, but it doesn't seem to be possible to overwrite anything which actually gets used before the function which writes Launcher.dat into the layout gets called.

Home Menu has some sort of fail-safe system(or at least on v9.7) when Home Menu crashes due to Launcher.dat(this also applies for other things with Home Menu): after crashing once, Home Menu resets Launcher.dat to a state where it no longer crashes anymore. However, note that any exploits using this which hang/etc without crashing will still brick the system. '''Hence, attempting anything with this on physnand without hw-nand-access isn't really recommended.'''
| [[11.1.0-34|11.1.0-X]]
|
| [[4.0.0-7|4.0.0-X]]
|
| May 14, 2015
| [[User:Yellows8|Yellows8]]
|-
| Theme-data decompression buffer overflow ([[menuhax|themehax]])
| The only func-call size parameter used by the theme decompression function is one for the compressed size, none for the decompressed size. The decompressed-size value from the LZ header is used by this function to check when to stop decompressing, but this function itself has nothing to verify the decompressed_size with. The code calling this function does not check or even use the decompressed size from the header either.

This function is separate from the rest of the Home Menu code: the function used for decompressing themes is *only* used for decompressing themes, nothing else. There's a separate decompression function in Home Menu used for decompressing everything else.

That other decompression function in Home Menu handles decompression size properly(decompressed size check for max buffer size is done by code calling the other function, not in the function itself). Unlike the other function, the theme function supports multiple LZ algorithms, but the one which actually gets used in official themes is the same one supported by the other function anyway.

See also [[menuhax|here]].

With [[10.2.0-28|10.2.0-X]] Home Menu, the only code change was that the following was added right after theme-load and before actual decompression: "if(<get_lzheader_decompressed_size>(compressed_buf) > 0x150000)<exit>;". This fixed the vuln.
| [[10.2.0-28|10.2.0-X]]
| [[10.2.0-28|10.2.0-X]]
| <Old3DS/New3DS version which added initial theme support>
|
| December 22, 2014
| [[User:Yellows8|Yellows8]], [[User:Myria|Myria]] independently (~spring 2015)
|-
| Shuffle body-data buffer overflow ([[menuhax|shufflehax]])
| See [[menuhax|here]].
| [[10.6.0-31|10.6.0-X]]
| [[10.6.0-31|10.6.0-X]]
| [[9.3.0-21|9.3.0-X]]
|
| January 3, 2015
| [[User:Yellows8|Yellows8]]
|-
| Extdata file-data loading buffer overflow
| The extdata file-reading code allocates a fixed-size heap buffer for the expected filesize, then reads the filedata into this buffer using the actual FS filesize. Before v5.0 the filesize used here wasn't validated, hence if the filesize is larger than alloc_size a buffer overflow would occur. ''After'' doing the file-read it does validate that the actual_readsize matches the alloc_size, but at this point the buffer overflow has already occurred.

This affected at least the following: SaveData.dat and Cache.dat.

This can be triggered with SaveData.dat by installing a <v4.0 Home Menu version, with Home Menu extdata from >=v4.0 still on SD. When this is done with v2.0 Home Menu, a kernelpanic occurs when processing an AM command(it appears a buffer ptr which is then passed to a command was overwritten with 0x0 - of course other SaveData.dat filesizes may result in different behaviour).
| [[5.0.0-11|5.0.0-X]]
|
| [[2.0.0-2|2.0.0-X]]
| June 9, 2016
| June 9, 2016
| [[User:Yellows8|Yellows8]]
|}

The icon data arrays used with {sd/nand}iconhax were added to SaveData.dat/Launcher.dat with [[4.0.0-7|4.0.0-X]], hence the vulnerable functions were added with that same version.

With <=v4.0 the SaveData.dat buffer is located in the regular heap. It's unknown when exactly it was moved to linearmem, which is where it's located with recent versions. It's located in linearmem for KOR >=v9.6 for example.

The SaveData.dat/Launcher.dat icon vulns were fixed by doing various unsigned >=60/>=360 checks on the loaded values. When these checks fail, it just skips over handling this icon entry. Hence, the original value can't be negative / out-of-bounds any more.

==Useless crashes==
Old3DS system web-browser:
* 2^32 characters long string(''finally'' fixed with v10.6): this is similar to the vulnerability fixed [http://git.chromium.org/gitweb/?p=external/Webkit.git;a=commitdiff;h=ec471f16fbd1f879cb631f9b022fd16acd75f4d4 here], concat-large-strings-crash2.html triggers a crash which is about the same as the one triggered by a 2^32 string. Most of the time this vulnerability will cause a memory page permissions fault, since the WebKit code attempts to copy the string text data to the output buffer located in read-only [[CRO0|CRO]] heap memory. The only difference between a crash triggered by a 2^32 string and the concat-large-strings-crash2.html crash is at the former copies the string data using the original string length(like 1 text character for "x", 4 for "xxxx") while the latter attempts to copy >12MB. In some ''very'' rare cases a thread separate from the string data-copy thread will crash, this might be exploitable. However, this is mostly useless since it rarely crashes this way.

* Trying to directly load a page via the browser "URL" option with [https://github.com/yellows8/3ds_browserhax_common webkitdebug] setup, causes a crash to trigger in oss.cro due to an use-after-free being caught with webkitdebug. This is presumably some sort of realloc() issue in the libcurl version used by the <={v10.2-v10.3} browser. This happens with *every* *single* *page* one tries to load via the "URL" option, but not when loading links on the current page, hence this is probably useless. A different use-after-free with realloc triggers with loading any page at all regardless of method too(libcurl probably).

* This WebKit build has ''a lot'' of crash-trigger bugs that only happen with [https://github.com/yellows8/3ds_browserhax_common webkitdebug] completely setup(addr accesses near 0x0), with ''just'' trying to load any page at all.

3DS Userland Flaws

2016-12-30T23:02:45Z

TheProgramerEX: /* System applications */

This page lists vulnerabilities / exploits for 3DS applications and applets. Exploiting these initially results in ROP, from that ROP one can then for example try exploiting [[3DS_System_Flaws|system]] flaw(s).

=Non-system applications=
{| class="wikitable" border="1"
|-
! Application name
! Summary
! Description
! Fixed in app/system version
! Last app/system version this flaw was checked for
! Timeframe info related to this was added to wiki
! Timeframe this vuln was discovered
! Vuln discovered by
|-
| Cubic Ninja
| Map-data stack smash
| See [[Ninjhax|here]] regarding Ninjhax.
| None
| App: Initial version. System: [[10.4.0-29]].
| Ninjhax release
| July 2014
| [[User:smea|smea]]
|-
| The Legend of Zelda: Ocarina of Time 3D
| UTF-16 name string buffer overflow via unchecked u8 length field
| The u8 at offset 0x2C in the savefile is the character-length of the UTF-16 string at offset 0x1C. When copying this string, it's essentially a memory-copy with lenval*2, not a string-copy. This can be used to trigger buffer overflows at various locations depending on the string length.
* When value is >=0x6E it crashes when saving the saveslot, this causes a stack-smash however it normally crashes before it returns from the function which had the stack-frame overwritten.
* With value >=0x9A, it crashes via stack-smash in-game once any dialogs are opened(touching buttons on the touch-screen can trigger it too).
* Length value>=0xCD causes a crash while loading the saveslot, via a heap buffer overflow. This buf-overflow overwrites a heap memchunk following the allocated buffer. When the first 16-bits overwriting that heap memchunk is not the memchunk magic-number(0x7373), the mem-alloc code will just return a NULL ptr which later results in a crash. When the magic-number is valid, the mem-alloc code will continue to attempt to parse the memchunk, which may crash depending on the data which overwrote the memchunk. This heap code is separate from the CTRSDK heap code. Exploiting this doesn't seem to be possible: since the heap code actually verifies that the magic-number for the next/prev memchunk ptrs are correct(unlike CTRSDK), it's not possible to change those ptrs to useful arbitrary addresses outside of savedata(like with triggering a write to a c++ object ptr which later is used with a vtable func-call, this is what one would do with CTRSDK heap here).

On March 11, 2015, an exploit using this vuln was released, that one was intended for warez/etc. The following exploit wasn't released before then mainly because doing so would (presumably) result in the vuln being fixed. The following old exploit was released on March 14, 2015: [https://github.com/yellows8/oot3dhax].
| None
| App: Initial version. System: [[10.6.0-31]].
| March 11, 2015
| Around October 22, 2012
| [[User:Yellows8|Yellows8]]
|-
| Super Smash Bros 3DS
| Buffer overflow in local-multiplayer beacon handling.
| See [[smashbroshax|here]].
| App: v1.1.3
| See [[smashbroshax|here]]. System: [[10.3.0-28]].
| Time of exploit release.
| See [[smashbroshax|here]].
| [[User:Yellows8|Yellows8]]
|-
| Pokemon Super Mystery Dungeon
| Heap overflow within linear memory via unchecked save file length
| Pokemon Super Mystery Dungeon uses zlib compression for most of its save files, possibly due to the save files being larger than it's predecessor, Gates to Infinity. When a save file is being prepared to be loaded and read from, only a 0x32000 large buffer is allocated for file reading, and a 0x3e800-large buffer for decompression is also allocated before the file is read. However, the game does not limit the size of the file read to this allocation bound, allowing for the file to overflow into the linear memory heap and into the next allocation. Since Pokemon Super Mystery Dungeon stores allocation memchunks directly before the allocation, overwriting the next memchunk with a corrupted one allows for arbitrary writes of linear heap pointers when the next buffer is allocated or arbitrary writes of any pointer within writable memory when the corrupted buffer is freed.
| None
| [[10.7.0-32]].
| Time of exploit release.
| April 14, 2016
| [[User:Shinyquagsire23|Shiny Quagsire]]
|-
| VVVVVV
| Buffer overflow in XML save file array parsing
| VVVVVV utilizes several XML files (renamed with a .vvv extension) to store level save data, stats and settings. Within these XML files are several tags containing an array of data which, when parsed, is not properly checked to be of proper length for the tag being parsed from. This allows for an overflow of 16-bit array values from the location where the array is parsed. With unlock.vvv, XML data is parsed to the stack, and with level saves the heap. This allows for the pointer where the level save worldmap tag array should be parsed into to be overwritten with a stack address, allowing for ROP from within the XML array parsing function on the next level load.
| None
| [[10.7.0-32]].
| Time of exploit release.
| April 25, 2016
| [[User:Shinyquagsire23|Shiny Quagsire]]
|-
| Citizens of Earth
| Save file read stack smash
| Citizens of Earth also uses "XML" files for saves, which are actually entirely binary data (not XML at all) with no checksums. These files are read from the filesystem on to a fixed size stack buffer which leads to an incredibly trivial stack smash. When using the autosave slot for this, the save is parsed when the user selects "continue". When using one of the dedicated save slots (1-3), the save is parsed shortly after the company splash screens fade. Note that the save is read quite high (descending) on the stack - when exploiting this, one would likely need to move SP due to almost instantly overflowing the physical stack.
| None
| [[10.7.0-32]].
| Time of exploit release.
| May 5, 2016
| [[User:Dazzozo|Dazzozo]]
|-
| SmileBASIC 3.x
| Poor parameter validation on "BGSCREEN" command
| The SmileBASIC "BGSCREEN" command's second parameter is not properly validated as being within range. As a result, one can set the screen size to an absurdly large value. This means that the "BGGET" and "BGPUT" commands can then be used on out-of-range values to read and write a significant chunk of the interpreter's address space.
With a series of carefully-designed BGPUT commands, one can build a ROP chain and cause it to be executed.
| App: 3.3.2.
| System: [[11.0.0-33]].
| July 20, 2016
| Around June 26, 2016
| slackerSnail, 12Me12, incvoid
Exploited by MrNbaYoh and [[User:Plutooo|plutoo]].
|-
| The Legend of Zelda: Tri Force Heroes
| [[3DS_System_Flaws#General.2FCTRSDK|CTRSDK]] CTPK buffer overflow combined with game's usage of SpotPass
| This isn't really useful due to [[BOSS_Services#Custom_SpotPass_content|this]].

During the very first screen displayed by the game during boot("Loading..."), just seconds after title launch, the game loads CTPK from the [[BOSS_Services|stored]] SpotPass content. Hence, this game could be exploited via the vulnerable CTRSDK CTPK code ''if'' one could get custom SpotPass data into extdata somehow.

The code for this runs from a thread separate from the main-thread, with the stack in linearmem heap.

The two SpotPass URLs for this have always(?) returned HTTP 404 as of November 2016. It appears these were intended for use as textures for additional costumes(and never got used publicly), but this wasn't tested.
| None
| App: v2.1.0
| November 18, 2016
| November 14, 2016
| [[User:Yellows8|Yellows8]]
|-
| Pixel Paint
| Buffer overflow via unchecked extdata file length
| Pixel Paint loads pictures saved by the user from extdatas. The file is read to a fixed size buffer but the file length remains unchecked, so with a large enough file, one can overwrite pointers in memory and gain control of the execution flow.
| None
| App: Initial version. System: [[11.2.0-35]].
| December 27, 2016
| November 5, 2016
| [[User:Nba_Yoh|MrNbaYoh]]
|-
| Steel Diver : Sub Wars
| Heap overflow / arbitrary memcpy
| Savefile datas are stored as key/value pairs, a large enough string key makes the game overwrite a memcpy source/destination addresses and size arguments. So one can actually memcpy a rop on the stack and gain control of the execution flow.
| None
| System: [[11.2.0-35]].
| December 27, 2016
| Around July 15, 2016
| [[User:Nba_Yoh|MrNbaYoh]], Vegaroxas
|-
| 1001 Spikes
| Buffer overflow via unchecked array-indexes in XML savefile parsing
| The savefiles are stored as renamed .xml files, which contain several tags with attributes like 'array-index="array-value"', where both of these are converted from ASCII strings to integers as signed-int32, and the array-value given blindly written to an array inside a structure using the (unchecked) index given. With several of these attributes, one can overwrite the stack starting from the stored lr of the function that does this parsing, and write a ROP chain there. Testing used the "LevelAttempts" tag which is the last such tag parsed in that function.
| None
| App: v1.2.0 (TMD v2096)
| December 27, 2016
| Around November 2, 2016
| [[User:Riley|Riley]]
|-
| Pokemon Omega Ruby/Alpha Sapphire
| Secret base team name heap overflow
| When the player wants to edit the team name, it is copied over the heap, however it's length is not verified. So with a large enough team name one can overwrite some pointers and get two arbitrary jumps and then get control of the execution flow.
| None
| App: 1.4. System: [[11.2.0-35]].
| December 30, 2016
| June, 2016
| [[User:Nba_Yoh|MrNbaYoh]]
|}

==Useless crashes / applications which were fuzzed==
* Pushmo (3DSWare), QR codes: level name is properly limited to 16 characters, game doesn't crash with a longer name. The only possible crashes are triggered by out-of-bounds array index values, these crashes are not exploitable due to the index value being 8bit.

* [[Pyramids (3DSWare)]], QR codes: no strings. Only crashes are from out-of-bounds values (like background ID) and are not exploitable.

* [[Pyramids 2 (3DSWare)]], QR codes: no strings. Only crashes are from out-of-bounds values (like background ID) and are not exploitable.

* [https://github.com/yellows8/mm3d_re The Legend of Zelda: Majora's Mask 3D]

* "The Legend of Zelda: A Link Between Worlds" and "The Legend of Zelda: Tri Force Heroes": these games don't crash at all when the entire save-file(minus constant header data) is overwritten with /dev/random output / 0xFF-bytes. All of the CRC32s were updated for this of course.

* Pokemon Mystery Dungeon: Gates to Infinity has the same unchecked file bounds as Pokemon Super Mystery Dungeon, however since save compression was introduced in Pokemon Super Mystery Dungeon, it only allocates one buffer within the application heap instead of several within the linear heap, resulting in nothing to corrupt or overwrite even if the file's length is extended past it's allocation.

* "Kid Icarus: Uprising": Overwriting the entire savedata results in various crashes, nothing useful.

* Savedata/extdata for "Super Smash Bros 3DS": Overwriting the various files stored under savedata/extdata results in useless crashes.

* "StarFox 64 3D": Doesn't crash at all with the entire savedata overwritten.

* "Frogger 3D": Overwriting a savefile with random-data results in *nothing* crashing.

* "Mutant Mudds": Overwriting the savefile with random data results in a crash

* "Animal Crossing: New Leaf": Creating a QR code from random data results in a valid QR code and a random design. In some very rare cases(which aren't always reproducible?) a crash/etc may occur, but this isn't known to be useful.

==Crashes needing investigation==
* Disney Infinity crashes when all savedata overwritten with /dev/urandom. No checksums. 0xFF bytes don't cause a crash.

* Football Up Online / Soccer Up Online and Football Up 3D / Soccer Up 3D crash when teamname(UTF-16) length = 0x48 AND 0x20 null bytes are removed after just the name or if teamname length is way longer than 0x48.

=System applications=
{| class="wikitable" border="1"
|-
! Summary
! Description
! Fixed in version
! Last version this flaw was checked for
! Timeframe this was discovered
! Discovered by
|-
| 3DS [[System Settings]] DS profile string stack-smash
| Too long or corrupted strings (01Ah 2 Nickname length in characters 050h 2 Message length in characters) in the NVRAM DS user settings (System Settings->Other Settings->Profile->Nintendo DS Profile) cause it to crash in 3DS-mode due to a stack-smash. The DSi is not vulnerable to this, DSi launcher(menu) and DSi System Settings will reset the NVRAM user-settings if the length field values are too long(same result as when the CRCs are invalid). TWL_FIRM also resets the NVRAM user-settings when the string-length(s) are too long.
| [[7.0.0-13]]
| [[7.0.0-13]]
| 2012
| [[User:Ichfly|Ichfly]]
|-
| 3DS [[Nintendo 3DS Sound]]
| "A heap overflow in tag processing leads to code execution when a specially- crafted m4a file is loaded by Nintendo 3DS Sound." (description from soundhax's github readme)
| none
| [[11.2.0-35]]
| 2016
| [[User:nedwill|nedwill]]
|}

=System applets=
{| class="wikitable" border="1"
|-
! Summary
! Description
! Fixed in version
! Last version this flaw was checked for
! Introduced with version
! Timeframe info related to this was added to wiki
! Timeframe this was discovered
! Discovered by
|-
| Webkit/web-browser bugs
| spider has had at least three different code-execution exploits. Majority of them are use-after-free issues. See also [[browserhax|here]].
|
|
|
| 2013?
|
| A lot of people.
|-
| Old3DS/New3DS [[Internet_Browser|Browser-version-check]] bypass
| When the browser-version-check code runs where the savedata for it was never initialized(such as when the user used the "Initialize savedata" option), it will use base_timestamp=0 instead of the timestamp loaded from savedata. This is then used with "if(cur_timestamp - base_timestamp >= <24h timestamp>){Run browser-version-check HTTPS request code}".
Hence, if the savedata was just initialized, and if the system datetime is set to before January 2, 2000, the browser-version-check will be skipped. This includes January 1, 2000, 00:00, because that's the epoch(timestamp value 0x0) used with this timestamp.

See [http://yls8.mtheall.com/3dsbrowserhax.php here] for bypass usage instructions.

This was fixed with [[10.7.0-32|10.7.0-32]], see [[Internet_Browser|here]] for details.
| [[10.7.0-32|10.7.0-32]]
|
| [[9.9.0-26|9.9.0-26]]
| February 25, 2016
| November 2, 2015 (Exactly one week after the browser version pages were initially updated server-side)
| [[User:Yellows8|Yellows8]]
|}

==Home Menu==
{| class="wikitable" border="1"
|-
! Summary
! Description
! Fixed in version
! Last version this flaw was checked for
! Introduced with version
! Timeframe info related to this was added to wiki
! Timeframe this was discovered
! Discovered by
|-
| bossbannerhax
| This isn't really useful due to [[BOSS_Services#Custom_SpotPass_content|this]].

After successfully loading [[Extended_Banner|extended-banner]] data(done when selecting an icon), Home Menu attempts to load [[CBMD]] data into a 0x100000-byte heap buffer from the [[BOSS_Services|stored]] SpotPass content. When successful and the magic-number is CBMD, Home Menu then decompresses the CGFX sections into another fixed-size heap buffer, without checking the outsize at all. The main CBMD CGFX code with ExeFS checks the size, but this code doesn't.
| None
| [[11.2.0-35|11.2.0-X]]
| [[1.0.0-0|1.0.0-0]]
| November 18, 2016
| December 23, 2014
| [[User:Yellows8|Yellows8]]
|-
| sdiconhax
| This is basically the same as nandiconhax, the vulnerable SD/NAND functions are ''identical'' minus the file-buffer offsets. Exploitation is different due to different heap-buffer location though. Unlike nandiconhax, the icon buffer for SD is located in linearmem(with recent Home Menu versions at least). This is used by [[menuhax]].
| [[11.1.0-34|11.1.0-X]]
|
| [[4.0.0-7|4.0.0-X]]
| July 27, 2016
| October 23, 2015
| [[User:Yellows8|Yellows8]]
|-
| [[System_SaveData|NAND-savedata]] Launcher.dat icons (nandiconhax)
| The homemenu code processing the titleid list @ launcherdat+8 copies those titleIDs to another buffer, where the offset relative to that buffer is calculated using the corresponding s8/s16 entries. Those two values are not range checked at all. Hence, one can use this to write u64(s) with arbitrary values to before/after this allocated output buffer. See [[Home_Menu|here]] regarding Launcher.dat structure.

This can be exploited(with Launcher.dat loading at startup at least) by using a s16 for the icon entry with value 0xFFEC(-20)(and perhaps more icons with similar s16 values to write multiple u64s). The result is that the u64 value is written to outbuf-0xA0, which overwrites object+0(vtable) and object+4(doesn't matter here) for an object that gets used a bit after the vulnerable function triggers. The low 32bits of the u64 can then be set to the address of controlled memory(either outbuf in regular heap or the entire launcherdat buffer in linearmem), for use as a fake vtable in order to get control of PC. From there one can begin ROP via vtable funcptrs to do a stack-pivot(r4=objectaddr at the time the above object gets used).

Originally this vuln could only be triggered via Launcher.dat at Home Menu startup, right after Launcher.dat gets loaded + memory gets allocated, once the file-format version code is finished running. Starting with v9.6 this can be triggered when loading layouts from SD extdata as well. The vuln itself triggers before the layout data is written to Launcher.dat, but it doesn't seem to be possible to overwrite anything which actually gets used before the function which writes Launcher.dat into the layout gets called.

Home Menu has some sort of fail-safe system(or at least on v9.7) when Home Menu crashes due to Launcher.dat(this also applies for other things with Home Menu): after crashing once, Home Menu resets Launcher.dat to a state where it no longer crashes anymore. However, note that any exploits using this which hang/etc without crashing will still brick the system. '''Hence, attempting anything with this on physnand without hw-nand-access isn't really recommended.'''
| [[11.1.0-34|11.1.0-X]]
|
| [[4.0.0-7|4.0.0-X]]
|
| May 14, 2015
| [[User:Yellows8|Yellows8]]
|-
| Theme-data decompression buffer overflow ([[menuhax|themehax]])
| The only func-call size parameter used by the theme decompression function is one for the compressed size, none for the decompressed size. The decompressed-size value from the LZ header is used by this function to check when to stop decompressing, but this function itself has nothing to verify the decompressed_size with. The code calling this function does not check or even use the decompressed size from the header either.

This function is separate from the rest of the Home Menu code: the function used for decompressing themes is *only* used for decompressing themes, nothing else. There's a separate decompression function in Home Menu used for decompressing everything else.

That other decompression function in Home Menu handles decompression size properly(decompressed size check for max buffer size is done by code calling the other function, not in the function itself). Unlike the other function, the theme function supports multiple LZ algorithms, but the one which actually gets used in official themes is the same one supported by the other function anyway.

See also [[menuhax|here]].

With [[10.2.0-28|10.2.0-X]] Home Menu, the only code change was that the following was added right after theme-load and before actual decompression: "if(<get_lzheader_decompressed_size>(compressed_buf) > 0x150000)<exit>;". This fixed the vuln.
| [[10.2.0-28|10.2.0-X]]
| [[10.2.0-28|10.2.0-X]]
| <Old3DS/New3DS version which added initial theme support>
|
| December 22, 2014
| [[User:Yellows8|Yellows8]], [[User:Myria|Myria]] independently (~spring 2015)
|-
| Shuffle body-data buffer overflow ([[menuhax|shufflehax]])
| See [[menuhax|here]].
| [[10.6.0-31|10.6.0-X]]
| [[10.6.0-31|10.6.0-X]]
| [[9.3.0-21|9.3.0-X]]
|
| January 3, 2015
| [[User:Yellows8|Yellows8]]
|-
| Extdata file-data loading buffer overflow
| The extdata file-reading code allocates a fixed-size heap buffer for the expected filesize, then reads the filedata into this buffer using the actual FS filesize. Before v5.0 the filesize used here wasn't validated, hence if the filesize is larger than alloc_size a buffer overflow would occur. ''After'' doing the file-read it does validate that the actual_readsize matches the alloc_size, but at this point the buffer overflow has already occurred.

This affected at least the following: SaveData.dat and Cache.dat.

This can be triggered with SaveData.dat by installing a <v4.0 Home Menu version, with Home Menu extdata from >=v4.0 still on SD. When this is done with v2.0 Home Menu, a kernelpanic occurs when processing an AM command(it appears a buffer ptr which is then passed to a command was overwritten with 0x0 - of course other SaveData.dat filesizes may result in different behaviour).
| [[5.0.0-11|5.0.0-X]]
|
| [[2.0.0-2|2.0.0-X]]
| June 9, 2016
| June 9, 2016
| [[User:Yellows8|Yellows8]]
|}

The icon data arrays used with {sd/nand}iconhax were added to SaveData.dat/Launcher.dat with [[4.0.0-7|4.0.0-X]], hence the vulnerable functions were added with that same version.

With <=v4.0 the SaveData.dat buffer is located in the regular heap. It's unknown when exactly it was moved to linearmem, which is where it's located with recent versions. It's located in linearmem for KOR >=v9.6 for example.

The SaveData.dat/Launcher.dat icon vulns were fixed by doing various unsigned >=60/>=360 checks on the loaded values. When these checks fail, it just skips over handling this icon entry. Hence, the original value can't be negative / out-of-bounds any more.

==Useless crashes==
Old3DS system web-browser:
* 2^32 characters long string(''finally'' fixed with v10.6): this is similar to the vulnerability fixed [http://git.chromium.org/gitweb/?p=external/Webkit.git;a=commitdiff;h=ec471f16fbd1f879cb631f9b022fd16acd75f4d4 here], concat-large-strings-crash2.html triggers a crash which is about the same as the one triggered by a 2^32 string. Most of the time this vulnerability will cause a memory page permissions fault, since the WebKit code attempts to copy the string text data to the output buffer located in read-only [[CRO0|CRO]] heap memory. The only difference between a crash triggered by a 2^32 string and the concat-large-strings-crash2.html crash is at the former copies the string data using the original string length(like 1 text character for "x", 4 for "xxxx") while the latter attempts to copy >12MB. In some ''very'' rare cases a thread separate from the string data-copy thread will crash, this might be exploitable. However, this is mostly useless since it rarely crashes this way.

* Trying to directly load a page via the browser "URL" option with [https://github.com/yellows8/3ds_browserhax_common webkitdebug] setup, causes a crash to trigger in oss.cro due to an use-after-free being caught with webkitdebug. This is presumably some sort of realloc() issue in the libcurl version used by the <={v10.2-v10.3} browser. This happens with *every* *single* *page* one tries to load via the "URL" option, but not when loading links on the current page, hence this is probably useless. A different use-after-free with realloc triggers with loading any page at all regardless of method too(libcurl probably).

* This WebKit build has ''a lot'' of crash-trigger bugs that only happen with [https://github.com/yellows8/3ds_browserhax_common webkitdebug] completely setup(addr accesses near 0x0), with ''just'' trying to load any page at all.

Homebrew Applications

2016-10-12T21:38:01Z

TheProgramerEX: Just added a description to the DownloadMii app saying that the downloads not working right now.

==Installing==
Applications are installed by copying the necessary files directly to the 3ds/ folder in the root of the SD card, or in a subdirectory of "3ds", in which case said subfolder must be named identically to its executable. Most applications come with two files:
* (app name).3dsx: The executable.
* (app name).smdh: The icon/metadata. (Not required in any case, and may be integrated into the .3dsx)
* (app name).xml: The list of supported targets, i.e. installed titles which the app supports replacing in memory at runtime, thus inheriting its permissions. (Optional)

The [[Homebrew Launcher]] will scan the sdcard for all .3dsx files, but will only display an icon for those who have one according to the format described above. Recent enough versions can freely navigate the filesystem to select an application.

==List==

===Official Launcher===
{| class="wikitable" border="1"
! width="20%" | Name
! width="50%" | Description
! width="10%" | Author
! width="10%" | Download
! width="10%" | Open-Source
|-
| [https://github.com/smealum/3ds_hb_menu Homebrew Launcher]
| Run homebrew on your 3DS!
| [[User:smea|smea]]
| [https://smealum.github.io/ninjhax2/boot.3dsx Here]
| Yes
|-
| [https://github.com/smealum/3ds_hb_menu Homebrew Starter Pack]
| Everything to get you started.
| [[User:smea|smea]]
| [https://smealum.github.io/ninjhax2/starter.zip Here]
| Yes
|}

===Applications===
{| class="wikitable" border="1"
! width="20%" | Name
! width="50%" | Description
! width="10%" | Author
! width="10%" | Download
! width="10%" | Open-Source
! width="10%" | Last Updated
|-
| [https://github.com/yellows8/3ds_homemenu_extdatatool 3DS HomeMenu extdata Tool]
| Tool for accessing the SD extdata which Home Menu uses. This essentially allows writing custom themes to extdata which get loaded at Home Menu startup.
| [[User:yellows8|yellows8]]
| [https://github.com/yellows8/3ds_homemenu_extdatatool/releases]
| Yes
|
|-
| [https://github.com/markwinap/3DS_Nyan_Cat 3DS Nyan Cat]
| 3DS Nyan Cat using LIBSF2D.
| [[User:markwinap|markwinap]]
| [https://www.dropbox.com/s/e400my3xm0zw74r/nyan_cat.zip?dl=0 Here]
| Yes
|
|-
| [https://gbatemp.net/threads/videahs-various-stuff.397562/ 3dsfetch]
| Small 3DS version of a popular Linux ricing script called screenfetch
| [[User:VideahGams|VideahGams]]
| [https://github.com/VideahGams/3dsfetch Here]
| [https://github.com/VideahGams/3dsfetch Yes]
|
|-
| [https://github.com/S3r1alpari4h/Brainfudge3DS Brainfudge]
| Alpha brainfuck interpreter
| [[User:s3r1alpari4h|V0idst4r]]
| [https://github.com/s3r1alpari4h/Brainfudge3DS/releases/ Here]
| [https://github.com/S3r1alpari4h/Brainfudge3DS Yes]
|
|-
| [https://github.com/plutooo/ctrrpc ctrrpc]
| A small and easily extensible RPC server/client written in C/Python. Allows you to quickly poke service-commands and syscalls over wifi from a Python shell on your PC. Useful during reverse-engineering.
| [[User:plutooo|plutoo]]
| N/A
| Yes
|
|-
| [https://github.com/yellows8/ctr-streaming-server ctr-streaming-server]
| This is a server which runs on a 3DS, which receives audio/video for playback. This can also send [[HID_Shared_Memory|HID]] state to the client (see the README) when enabled. The included parse_hidstream tool can be used to parse that HID data to simulate keyboard/mouse input events, via Linux uinput.
| [[User:yellows8|yellows8]]
| N/A
| Yes
|
|-
| [https://github.com/Rinnegatamante/CHMM2 Custom Home Menu Manager 2]
| Theme manager for Nintendo 3DS
| [[User:Rinnegatamante|Rinnegatamante]]
| [http://rinnegatamante.it/CHMM2.rar Here]
| Yes
|
|-
| [https://github.com/DownloadMii/DownloadMii DownloadMii]
| This is a WIP homebrew online store. (Download not currently working)
| [[User:filfat|filfat]]
| [https://homebrew.filfatstudios.com/download/ Latest]
| Yes
|
|-
| [https://github.com/zeta0134/3ds-homebrew-browser Homebrew Browser]
| Download homebrew from the internet!
| [[User:cromo|cromo]] [[User:zeta0134|zeta0134]]
| [https://github.com/zeta0134/3ds-homebrew-browser/releases/tag/v0.1 Here]
| Yes
|
|-
| [https://github.com/linoma/fb43ds fb43ds]
| This is a simple Facebook's chat client
| [[User:linoma|linoma]]
| [https://github.com/linoma/fb43ds Here]
| Yes
|
|-
| [https://github.com/iamevn/for-anyone-who-walks-a-lot for-anyone-who-walks-a-lot]
| Tool to get past the 10 coin per day limit on earning Play Coins by walking.
| [[User:iamevn|iamevn]]
| [https://github.com/iamevn/for-anyone-who-walks-a-lot/releases Here]
| Yes
|
|-
| [https://github.com/SciresM/ScreenInfo ScreenInfo]
| Identify whether N3DS LCD panels are TN or IPS.
| [[User:SciresM|SciresM]]
| [https://github.com/SciresM/ScreenInfo/releases Here]
| Yes
| 2016-9-4 (1.01)
|}

===Game Engines===
{| class="wikitable" border="1"
! width="20%" | Name
! width="50%" | Description
! width="10%" | Author
! width="10%" | Download
! width="10%" | Open-Source
! width="10%" | Last Updated
|-
| [https://gbatemp.net/threads/release-l%C3%B6vepotion-l%C3%96ve-api-for-3ds-homebrew-beta.397559/ LövePotion]
| An unofficial work in progress implementation of the LÖVE API for 3DS Homebrew
| [[User:VideahGams|VideahGams]]
| [https://github.com/VideahGams/LovePotion/releases Here]
| [https://github.com/VideahGams/LovePotion Yes]
|
|-
| [http://ctrulua.github.io/ ctrµLua]
| A Lua interpreter for 3DS brought to life by the remnants of the µLua community
| [[User:Firew0lf|Firew0lf]], Reuh, Negi
| [https://github.com/ctruLua/ctruLua/releases Here]
| [https://github.com/ctruLua/ctruLua Yes]
|
|}

===Games===
{| class="wikitable" border="1"
! width="20%" | Name
! width="50%" | Description
! width="10%" | Author
! width="10%" | Download
! width="10%" | Open-Source
! width="10%" | Last Updated
|-
| [http://gbatemp.net/threads/release-100-boxes-2ds.384714/ 100 Boxes 2DS]
| Simple puzzle game.
| [[User:Cid2mizard|Cid2mizard]]
| [http://3ds.nintendomax.com/Homebrews/Jeux/100Boxes2DS/100_Boxes_2DS.rar Here]
| Yes
|
|-
| [https://github.com/MrJPGames/2048-3D 2048-3D]
| "2048 was a big hit not so long ago, and I still see many people at my school playing it. So I thought it would be pretty cool to be able to play 2048 on the go on the 3DS."
| [[User:MrJPGames|Jasper Peters]]
| [https://github.com/MrJPGames/2048-3D/blob/master/2048-3D.3dsx?raw=true Here]
| Yes
|
|-
| [https://github.com/smealum/3dscraft 3DSCraft]
| Minecraft clone.
| [https://twitter.com/smealum smea]
| [http://smealum.github.io/3dscraft/downloads/3dscraft_141120.zip Here]
| Yes
|
|-
| [https://gbatemp.net/threads/preview-ld-34-port-antibounce.406361 Antibounce]
| Move your player to bounce around and collect coins. Go between screens through the holes in the sides of the floor. 3D can also be enabled.
| TurtleP
| [https://github.com/TurtleP/Antibounce/releases Here]
| [https://github.com/TurtleP/Antibounce Yes]
|
|-
| [https://github.com/UnsureSherlock/checkers3ds/tree/master checkers3ds]
| A buggy ASCII checkers game
| [[User:UnsureSherlock|UnsureSherlock]]
| [http://www.filedropper.com/checkers3ds Here]
| Yes
|
|-
| [https://gbatemp.net/threads/release-drawattack-networked-drawing-game.402291/ DrawAttack]
| Online multiplayer drawing game like pictionary.
| [[User:Cruel|Cruel]]
| [https://github.com/Cruel/DrawAttack/releases/latest Here]
| [https://github.com/Cruel/DrawAttack Yes]
| 16/Nov/15
|-
| [http://gbatemp.net/threads/release-hamsters-2ds.383457/ Hamsters 2DS]
| A hamster breeding game in text mode.
| [[User:Cid2mizard|Cid2mizard]]
| [http://3ds.nintendomax.com/Homebrews/Jeux/Hamsters2DS/Hamsters_2DS.rar Here]
| No
|
|-
| [https://github.com/BHSPitMonkey/Helii3DS Helii]
| Fly a helicopter through a 2D tunnel! Ported from the Wii.
| [[User:BHSPitMonkey|BHSPitMonkey]]
| [https://github.com/BHSPitMonkey/Helii3DS/releases/ Here]
| [https://github.com/BHSPitMonkey/Helii3DS Yes]
| 18/Sep/15
|-
| [http://gowengamedev.com/insectoid-defense/ Insectoid Defense]
| A Sci-Fi Tower Defense game. This is merely a port of the Android/iOS/Windows Phone version.
| [http://www.3dbrew.org/wiki/User:Sgowen sgowen]
| [https://github.com/GowenGameDevOpenSource/insectoid-defense/releases/download/v1.0-all/insectoid-defense-3DS.zip Here]
| [https://github.com/GowenGameDevOpenSource/insectoid-defense Yes]
|
|-
| [https://gbatemp.net/threads/videahs-various-stuff.397562/ NumberFucker3DS]
| Simple math game, originally used as a debug game for LövePotion
| [[User:VideahGams|VideahGams]]
| [https://github.com/VideahGams/NumberFucker3DS Here]
| [https://github.com/VideahGams/NumberFucker3DS Yes]
|
|-
| [https://gbatemp.net/threads/release-mastermind-3ds.394710/#post-5611660 Mastermind 3DS]
| Mastermind on 3DS
| [[User:MrJPGames|Jasper Peters]]
| [https://github.com/MrJPGames/Mastermind-3DS/blob/master/Mastermind.zip?raw=true Here]
| Yes
|
|-
| [http://gbatemp.net/threads/release-minesweeper-2ds.384185/ Minesweeper 2DS]
| Minesweeper clone.
| [[User:Cid2mizard|Cid2mizard]]
| [http://3ds.nintendomax.com/Homebrews/Jeux/Minesweeper2DS/Minesweeper_2DS.rar Here]
| Yes
|
|-
| [http://gbatemp.net/threads/release-paddle-puffle-3ds.392215/ Paddle Puffle 3DS]
| A port of [http://puffles.gatuno.mx Paddle Puffle] for the 3DS.
| Peanut42
| [http://puffles.gatuno.mx/releases/paddlepuffle3ds.zip Here]
| [https://github.com/gatuno/PaddlePuffle3DS Yes]
|
|-
| [http://david.dantoine.org/proyecto/26/ Pituka Classics]
| The goal is to bring CPC classics using my [http://david.dantoine.org/proyecto/4/ Pituka Emulator-Core] as base with new features to your 3DS.
| [[User:D_Skywalk|D_Skywalk]]
| [http://david.dantoine.org/descargas/72 Here]
| Yes (see core)
|
|-
| [http://gbatemp.net/threads/release-pixel-shuffle-2ds.398540/ Pixel Shuffle 2DS]
| Puzzle game.
| [[User:Cid2mizard|Cid2mizard]]
| [http://3ds.nintendomax.com/Homebrews/Jeux/PixelShuffle2DS/Pixel_Shuffle_2DS.rar Here]
| Yes
|
|-
| [http://gbatemp.net/threads/release-pixel-swap-2ds.395749/ Pixel Swap 2DS]
| Relaxing Puzzle game.
| [[User:Cid2mizard|Cid2mizard]]
| [http://3ds.nintendomax.com/Homebrews/Jeux/PixelSwap2DS/Pixel_Swap_2DS.rar Here]
| Yes
|
|-
| [https://github.com/smealum/portal3DS Portal3DS]
| An adaptation of [https://en.wikipedia.org/wiki/Portal_(video_game) Portal] for the 3DS.
| [https://twitter.com/smealum smea]
| [http://www.mediafire.com/file/yo463wt6y4tybch/portal3DS.rar Here]
| [https://github.com/smealum/portal3DS Yes]
|
|-
| [https://gbatemp.net/threads/release-reversi-othello-for-3ds.395442/ Reversi]
| [https://en.wikipedia.org/wiki/Reversi Reversi] for the 3DS.
| [[User:MrJPGames|Jasper Peters]]
| [https://github.com/MrJPGames/Othello-3DS/releases Here]
| [https://github.com/MrJPGames/Othello-3DS Yes]
|
|-
| [https://gbatemp.net/threads/release-space-fruit.399088/ Space Fruit]
| Hackathon game by 4 friends ported to 3DS. Asteroids but with fruit (kinda)
| TurtleP
| [https://github.com/TurtleP/Space_Fruit/releases Here]
| [https://github.com/TurtleP/Space_Fruit/tree/3DS Yes]
|
|-
| [http://gowengamedev.com/tappy-plane/ Tappy Plane]
| A Flappy Bird clone, but with a colorful plane. This is merely a port of the Android/iOS/Windows Phone version.
| [http://www.3dbrew.org/wiki/User:Sgowen sgowen]
| [https://github.com/GowenGameDevOpenSource/tappy-plane/releases/download/v1.0-all/tappy-plane-3DS.zip Here]
| [https://github.com/GowenGameDevOpenSource/tappy-plane Yes]
|
|-
| [http://gbatemp.net/threads/release-tilemap-2ds.386733/ TileMap 2DS]
| Puzzle game.
| [[User:Cid2mizard|Cid2mizard]]
| [http://3ds.nintendomax.com/Homebrews/Jeux/TileMap2DS/TileMap_2DS.rar Here]
| Yes
|
|-
| [http://gbatemp.net/threads/release-tiles-2ds.385796/ Tiles 2DS]
| Puzzle game, Lights Out Like.
| [[User:Cid2mizard|Cid2mizard]]
| [http://3ds.nintendomax.com/Homebrews/Jeux/Tiles2DS/Tiles_2DS.rar Here]
| Yes
|
|-
| [http://gbatemp.net/threads/trucmuche-2ds-09.404859// Trucmuche 2DS 09]
| Hidden Objects.
| [[User:Cid2mizard|Cid2mizard]]
| [http://3ds.nintendomax.com/Homebrews/Jeux/Trucmuche2DS09/Trucmuche_2DS_09.rar Here]
| Yes
|
|-
| [https://github.com/Steveice10/WorldOf3DSand World of 3DSand]
| World of Sand clone.
| [[User:Steveice10|Steveice10]]
| [https://github.com/Steveice10/WorldOf3DSand/releases/ Here]
| Yes
|
|-
| [https://github.com/smealum/yeti3DS Yeti3DS]
| A quick and dirty port of Derek Evans' Yeti3D software rendering engine.
| [https://twitter.com/smealum smea]
| N/A
| Yes
|
|-
| [https://github.com/masterfeizz/ctrQuake ctrQuake]
| Unofficial port of Quake for the 3DS, fully playable.
| [https://twitter.com/masterfeizz MasterFeizz]
| [https://github.com/masterfeizz/ctrQuake/releases/ Here]
| Yes
|
|-
| [https://github.com/masterfeizz/EDuke3D EDuke3D]
| Unofficial port of EDuke32 for the Nintendo 3DS
| [https://twitter.com/masterfeizz MasterFeizz]
| [https://github.com/masterfeizz/EDuke3D/releases/ Here]
| Yes
|
|-
| [https://github.com/landm2000/sokoban Sokoban]
| Puzzle game. Unofficial port of Sokoban for the Nintendo 3DS
| [https://www.3dbrew.org/wiki/User:Landm Landm]
| [https://github.com/landm2000/sokoban Here]
| Yes
|
|-
| [https://github.com/Kaisogen/CookieCollector-3DS- Cookie Collector]
| Cookie Collector game. Very tiny and not much in it. Good car trip or time waster game. On version 1.2 as of now.
| [https://twitter.com/Kaisogen Kaisogen]
| [http://www.mediafire.com/download/qpojx6avkm6oo18/CookieCollector.zip Here]
| Yes
| 4/5/2016
|-
| [https://thp.itch.io/tetrepetete-3ds Tetrepetete 3DS]
| A game with blocks.
| [[User:thp|thp]]
| [https://thp.itch.io/tetrepetete-3ds Here]
| No
|
|-
| [https://thp.itch.io/that-rabbit-game-3ds That Rabbit Game 3DS]
| Inverse duck hunt with accelerometer input and stereoscopic 3D.
| [[User:thp|thp]]
| [https://thp.itch.io/that-rabbit-game-3ds Here]
| No
|
|-
| [https://pyug.at/PyWeek/2012-09 One Whale Trip]
| Five-lane underwater whale swimming/pearl pickup adventure game in Python.
| [[User:thp|thp]]
| [https://bitbucket.org/pyugat/pyweek1209/downloads/OneWhaleTrip-2016-07-18-3DS.zip Here]
| [https://bitbucket.org/pyugat/pyweek1209/src/default/3ds/ Yes]
|
|-
| [https://github.com/TheMachinumps/Cookie_Clicker_3DS/ Cookie Clicker 3DS]
| A simple Cookie Clicker type of game inspired by [https://twitter.com/Kaisogen Kaisogen]'s Cookie Collector
| [[User:TheMachinumps|TheMachinumps]]
| [https://github.com/TheMachinumps/Cookie_Clicker_3DS/releases/download/v1.0/Cookie.Clicker.3DS.zip Here]
| Yes
|
|-
|}

===Emulators===
{| class="wikitable" border="1"
! width="20%" | Name
! width="50%" | Description
! width="10%" | Author
! width="10%" | Download
! width="10%" | Open-Source
! width="10%" | Last Updated
|-
| [https://github.com/st4rk/3DNES 3DNES]
| An NES emulator. (No longer being worked on)
| St4rk
| [http://filetrip.net/3ds-downloads/homebrew/dl-3dnes-1-2-f32931.html Here]
| Yes
| March 2015
|-
| [http://asie.pl/homebrew atari800-3DS]
| An Atari 8-bit home computer emulator.
| asie
| [http://asie.pl/homebrew Here]
| Yes
| 2016-7-23 (0.1.1)
|-
| [https://github.com/StapleButter/blargSnes blargSnes]
| A Super Nintendo emulator. A compatibility list can be found [http://wiki.gbatemp.net/wiki/BlargSnes_Compatibility_List here].
| StapleButter
| [http://kuribo64.net/get.php?id=fYRTHLeS0pR3DXFw Here]
| Yes
| May 2015
|-
| [https://github.com/xerpi/CHIP-3DS CHIP-3DS]
| A simple and slow CHIP-8 emulator.
| xerpi
| [https://www.mediafire.com/?y94yjhzf70fsfsi Here]
| Yes
| March 2015
|-
| [https://gbatemp.net/threads/chip8-3ds.434425/ CHIP8-3DS]
| CHIP-8 emulator with savestates and touch controls.
| xerpi
| [https://github.com/nopy4869/CHIP8-2DS/releases Here]
| Yes
| 2016-7-20
|-
| [https://github.com/shinyquagsire23/gpsp CitrAGB]
| Yet another GBA emulator.
| shinyquagsire23
| [https://www.dropbox.com/s/sxb7x34u58g4zo2/3ds.3dsx?dl=0 Here]
| Yes
| September 2015
|-
| [https://easy-rpg.org/blog/2016/05/player-for-nintendo-3ds/ EasyRPG Player]
| RPG Maker 2000/2003 interpreter
| Rinnegatamante & EasyRPG Team
| [https://easy-rpg.org/player/downloads/ Here]
| Yes
| May 2016
|-
| [https://github.com/Steveice10/GameYob/ GameYob]
| A Game Boy (Color) emulator. A compatibility list can be found [http://wiki.gbatemp.net/wiki/GameYob_3DS_Compatibility_List here].
| Drenn/Steveice10
| [https://github.com/Steveice10/GameYob/releases Here]
| Yes
| November 2015
|-
| [https://github.com/mrdanielps/r3Ddragon r3Ddragon]
| A virtual boy emulator.
| mrdanielps
| [https://github.com/mrdanielps/r3Ddragon/releases/download/v0.85-preview.1/r3Ddragon.cia Here]
| Yes
| October 2015
|-
| [https://github.com/libretro/RetroArch RetroArch]
| A multisystem emulator. (GB, GBA, SNES, Genesis, CPS1, CPS2, etc.)
| libretro
| [http://buildbot.libretro.com/nightly/nintendo/3ds/ Here]
| Yes
| Undergoing rapid development.
|-
| [https://github.com/bubble2k16/snes9x_3ds SNES9x for 3DS]
| A SNES emulator for the old 3DS / 2DS. Optimised from Snes9x 1.43 and runs many games at full speed. Compatibility list [http://wiki.gbatemp.net/wiki/Snes9x_for_3DS here]
| bubble2k16
| [https://github.com/bubble2k16/snes9x_3ds/releases Here]
| Yes
| Sep 2016. Active development
|-
| [https://github.com/mgba-emu/mgba mGBA]
| A GBA emulator that runs well without kernel hax.
| endrift
| [https://mgba.io/downloads.html Here]
| Yes
| Sep 2016. Active development
|}

===Title managers===
{| class="wikitable" border="1"
! width="20%" | Name
! width="50%" | Description
! width="10%" | Author
! width="10%" | Download
! width="10%" | Open-Source
! width="10%" | Last Updated
|-
| [https://github.com/Steveice10/FBI FBI]
| Open source CIA (un)installer and launcher.
| [[User:Steveice10|Steveice10]]
| [https://github.com/Steveice10/FBI/releases?after=2.0.0 Here]
| Yes
| 2015-12-2 (1.4.17)
|-
| [https://github.com/Steveice10/FBI FBI 2]
| Multipurpose file/title/ticket/save manager
| [[User:Steveice10|Steveice10]]
| [https://github.com/Steveice10/FBI/releases/ Here]
| Yes
| Undergoing rapid development.
|-
| [https://gbatemp.net/threads/release-nasa-universal-cia-manager-for-fw-4-1-10-3.409806/ NASA]
| Universal CIA Manager for FWs 4.1 - 10.7
| [[User:Rinnegatamante|Rinnegatamante]]
| [http://rinnegatamante.it/site/3ds_hbs.php Here]
| No
| 2016-4-13 (1.6)
|}

===Save managers===
{| class="wikitable" border="1"
! width="20%" | Name
! width="50%" | Description
! width="10%" | Author
! width="10%" | Download
! width="10%" | Open-Source
! width="10%" | Last Updated
|-
| save_manager
| Proof of concept save exporter/importer
| [[User:profi200|profi200]]
| [http://gbatemp.net/attachments/save_manager_-with_smdh-zip.24349/ Here]
| [https://gist.github.com/profi200/d0d092c11d0eb0692748 Yes]
| 2015-9-13
|-
| [https://github.com/meladroit/svdt svdt]
| Save Data Explorer/Manager
| [[User:meladroit|meladroit]]
| [https://github.com/meladroit/svdt/releases Here]
| Yes
| 2015-10-16 (0.10.42d)
|-
| [https://gbatemp.net/threads/release-jks-savemanager-homebrew-cia-save-manager.413143/ JK's Save Manager]
| Save/Extdata Manager
| JK_
| [https://github.com/J-D-K/JKSM/releases Here]
| Yes
| 2016-6-30
|}

===File servers===
{| class="wikitable" border="1"
! width="20%" | Name
! width="50%" | Description
! width="10%" | Author
! width="10%" | Download
! width="10%" | Open-Source
! width="10%" | Last Updated
|-
| [https://github.com/mtheall/ftpd ftpd (ftBrony)]
| A FTP server.
| [https://github.com/mtheall mtheall]
| [https://github.com/mtheall/ftpd/releases Here]
| Yes
|
|-
| [https://github.com/iamevn/FTP-3DS FTP-3DS]
| Fork of ftBRONY with a Nintendo theme.
| [[User:iamevn|iamevn]]
| [https://github.com/iamevn/FTP-3DS/releases Here]
| Yes
|
|-
| [https://github.com/smealum/ftPONY ftPONY]
| A basic FTP server, useful for testing new homebrew versions without swapping the SD card.
| [[User:smea|smea]]
| [https://mega.co.nz/#!nchBkL7B!T3vXnX4q8Uwp6APYYTDSZi2bkm25la-Qyz6j4CjsllI Here]
| Yes
|
|}

===Icon Packs===
Icon Packs are SMDH Packs for homebrew apps
{| class="wikitable" border="1"
! width="20%" | Name
! width="50%" | Description
! width="10%" | Author
! width="10%" | Download
! width="10%" | Last Updated
|-
|Simplok
|The first 3DS Icon pack.
|link6155
|[http://1drv.ms/1EJCq2e Download]
| 7 September 2015
|-
|1LP
|Cool Icon Pack!.
|[[User:100pcrack|100pcrack]]
|[http://github.com/100pcrack/1LP/releases Releases]
| 27 November 2015
|-
|Modern UI
|A simple icon pack with a flat and minimalist design.
|[https://gbatemp.net/members/louch-%E9%9B%AA-daishiteru.371920/ LouchDaishiteru]
|[https://gbatemp.net/threads/icon-pack-modern-ui.404366/ Download]
| 20 January 2016
|}

===Demos===
{| class="wikitable" border="1"
! width="20%" | Name
! width="50%" | Description
! width="10%" | Author
! width="10%" | Download
! width="10%" | Open-Source
! width="10%" | Last Updated
|-
| cubedemo
| A short demo of Homebrew on 3ds with working sound.
| [[User:plutoo|plutoo]]
| [https://mega.co.nz/#!KUQFiQYA!pv8HDEyrmuX6Eyw2hW0opL7gf9Ztmjd9J5pPsvs_rD4 Here]
| No
|
|-
| Spine 2D
| Demo of [http://esotericsoftware.com/ Spine] 2D skeletal animations
| [[User:Cruel|Cruel]]
| [https://mega.nz/#!Xg411B5R!kcVHP69Ilggmjh4q5OYmr2cFvf5UGdHWA98-_VttDTo 3DSX] [https://mega.nz/#!z8gxHSQb!H0as1A4wqYrdKBhXJwdYik7nPd_msXJhz5N1CeZm1Iw CIA]
| No
|
|-
| demo ou mourir
| Small demo for the 3DS with music and 2D effects
| Desire
| [http://www.pouet.net/prod.php?which=66607 Pouet]
| No
| November 2015
|}

===Alternate Launchers===
{| class="wikitable" border="1"
! width="20%" | Name
! width="50%" | Description
! width="10%" | Author
! width="10%" | Download
! width="10%" | Open-Source
|-
| Mashers HBL
| Homebrew Launcher with a grid and folders support.
| [[User:Mashers|Mashers]]
| [http://gbatemp.net/threads/release-homebrew-launcher-with-grid-layout.397527/ Here]
| No
|}