Difference between revisions of "3DS System Flaws"

From 3dbrew
Jump to navigation Jump to search
Line 8: Line 8:
 
* Pushmo (3DSWare), QR codes: level name is properly limited to 16 characters, game doesn't crash with a longer name. The only possible crashes are triggered by out-of-bounds values, these crashes are caused by the application attempting to load a ptr from a buffer located at NULL.
 
* Pushmo (3DSWare), QR codes: level name is properly limited to 16 characters, game doesn't crash with a longer name. The only possible crashes are triggered by out-of-bounds values, these crashes are caused by the application attempting to load a ptr from a buffer located at NULL.
 
* Pyramids (3DSWare), QR codes: no strings. The LZ10 compression can't be exploited either. Only crashes are from out-of-bounds values (like background ID) and are not exploitable.
 
* Pyramids (3DSWare), QR codes: no strings. The LZ10 compression can't be exploited either. Only crashes are from out-of-bounds values (like background ID) and are not exploitable.
* 3DS browser, 2^32 characters long string: this is similar to the vuln fixed [http://git.chromium.org/gitweb/?p=external/Webkit.git;a=commitdiff;h=ec471f16fbd1f879cb631f9b022fd16acd75f4d4 here], concat-large-strings-crash2.html triggers a crash which is about the same as the one triggered by a 2^32 string. Most of the time this vuln will cause a memory page permissions fault, since the webkit code attempts to copy the string text data to the output buffer located in read-only heap memory. The only difference between a crash triggered by a 2^32 string and the concat-large-strings-crash2.html crash is that the former copies the string data using the original string length(like 1 text character for "x", 4 for "xxxx") while the latter attempts to copy >12MB. Any attempt at exploiting this on 3DS has failed so far.
+
* 3DS browser, 2^32 characters long string: this is similar to the vuln fixed [http://git.chromium.org/gitweb/?p=external/Webkit.git;a=commitdiff;h=ec471f16fbd1f879cb631f9b022fd16acd75f4d4 here], concat-large-strings-crash2.html triggers a crash which is about the same as the one triggered by a 2^32 string. Most of the time this vuln will cause a memory page permissions fault, since the webkit code attempts to copy the string text data to the output buffer located in read-only heap memory. The only difference between a crash triggered by a 2^32 string and the concat-large-strings-crash2.html crash is that the former copies the string data using the original string length(like 1 text character for "x", 4 for "xxxx") while the latter attempts to copy >12MB. In some ''very'' rare cases a thread separate from the string data-copy thread will crash, this might be exploitable however this is useless since it rarely crashes this way.
  
 
==Current efforts==
 
==Current efforts==
Line 18: Line 18:
  
 
==Tips and info==
 
==Tips and info==
The 3DS uses the XN feature of the ARM processor, and only apps that have the necessary permissions in their headers can set memory to be executable. This means that although a usable buffer overflow exploit would still be useful, it would not go the entire way towards allowing code to be run in an easy/practical fashion (ie an actual homebrew launcher) - for that, an exploit in the kernel would probably need to be found. A buffer overflow exploit does, however, provide enough wriggle room through the use of return-oriented programming to potentially trigger a kernel exploit if and when a useful one is found.
+
The 3DS uses the XN feature of the ARM processor, and only apps that have the necessary permissions in their headers can set memory to be executable. This means that although a usable buffer overflow exploit would still be useful, it would not go the entire way towards allowing code to be run in an easy/practical fashion (ie an actual homebrew launcher) - for that, an exploit in the system is required. A buffer overflow exploit does, however, provide enough wriggle room through the use of return-oriented programming to potentially trigger a system exploit.
  
 
SD card [[extdata]] and SD savegames can be attacked, for consoles where the console-unique [[Nand/private/movable.sed|movable.sed]] was dumped.
 
SD card [[extdata]] and SD savegames can be attacked, for consoles where the console-unique [[Nand/private/movable.sed|movable.sed]] was dumped.

Revision as of 18:24, 25 May 2013

Exploits are used to execute unofficial code (homebrew) on the Nintendo 3DS. This page is a list of known 3DS-mode exploits.

List of 3DS exploits

Failed attempts

Here are listed all attempts at exploiting 3DS software that have failed so far.

  • Pushmo (3DSWare), QR codes: level name is properly limited to 16 characters, game doesn't crash with a longer name. The only possible crashes are triggered by out-of-bounds values, these crashes are caused by the application attempting to load a ptr from a buffer located at NULL.
  • Pyramids (3DSWare), QR codes: no strings. The LZ10 compression can't be exploited either. Only crashes are from out-of-bounds values (like background ID) and are not exploitable.
  • 3DS browser, 2^32 characters long string: this is similar to the vuln fixed here, concat-large-strings-crash2.html triggers a crash which is about the same as the one triggered by a 2^32 string. Most of the time this vuln will cause a memory page permissions fault, since the webkit code attempts to copy the string text data to the output buffer located in read-only heap memory. The only difference between a crash triggered by a 2^32 string and the concat-large-strings-crash2.html crash is that the former copies the string data using the original string length(like 1 text character for "x", 4 for "xxxx") while the latter attempts to copy >12MB. In some very rare cases a thread separate from the string data-copy thread will crash, this might be exploitable however this is useless since it rarely crashes this way.

Current efforts

There are people working on finding exploits and documenting the 3DS. Here's a list of some current efforts being made to make homebrew on the 3DS possible:

  • Neimod has been working on a RAM dumping setup for a little while now. He's desoldered the 3DS's RAM chip and hooked it and the RAM pinouts on the 3DS's PCB up to a custom RAM dumping setup. Recent photos show that the setup is working quite well, with the 3DS successfully booting up. Pictures of neimod's work can be found on his Flickr stream.
  • to long or corrupted strings (01Ah 2 Nickname length in characters 050h 2 Message length in characters) in the NVRAM DS user settings cause (System Settings/Other Settings/Profile/Nintendo DS Profile to crush) (this is still 3DS mode)

Tips and info

The 3DS uses the XN feature of the ARM processor, and only apps that have the necessary permissions in their headers can set memory to be executable. This means that although a usable buffer overflow exploit would still be useful, it would not go the entire way towards allowing code to be run in an easy/practical fashion (ie an actual homebrew launcher) - for that, an exploit in the system is required. A buffer overflow exploit does, however, provide enough wriggle room through the use of return-oriented programming to potentially trigger a system exploit.

SD card extdata and SD savegames can be attacked, for consoles where the console-unique movable.sed was dumped.