Difference between revisions of "3DS System Flaws"

Revision as of 17:40, 12 January 2015

Exploits are used to execute unofficial code (homebrew) on the Nintendo 3DS. This page is a list of known 3DS-mode exploits.

List of 3DS exploits

Current Efforts

There are people working on finding exploits and documenting the 3DS. Here's a list of some current efforts being made to make homebrew on the 3DS possible:

See here regarding Ninjhax.

Stale / Rejected Efforts

Neimod has been working on a RAM dumping setup for a little while now. He's de-soldered the 3DS's RAM chip and hooked it and the RAM pinouts on the 3DS' PCB up to a custom RAM dumping setup. Recent photos show that the setup is working quite well, with the 3DS successfully booting up. Pictures of neimod's work can be found on his Flickr stream.

     Neimod's flickr stream is now private and his work is considered awesome.

A loser (who will remain unnamed) has released CFW and CIA installers along with other stolen and illegal stuff.

Failed attempts

Here are listed all attempts at exploiting 3DS software that have failed so far.

Pushmo (3DSWare), QR codes: level name is properly limited to 16 characters, game doesn't crash with a longer name. The only possible crashes are triggered by out-of-bounds array index values, these crashes are not exploitable.

Pyramids (3DSWare), QR codes: no strings. Only crashes are from out-of-bounds values (like background ID) and are not exploitable.

3DS browser, 2^32 characters long string: this is similar to the vulnerability fixed here, concat-large-strings-crash2.html triggers a crash which is about the same as the one triggered by a 2^32 string. Most of the time this vulnerability will cause a memory page permissions fault, since the WebKit code attempts to copy the string text data to the output buffer located in read-only CRO heap memory. The only difference between a crash triggered by a 2^32 string and the concat-large-strings-crash2.html crash is at the former copies the string data using the original string length(like 1 text character for "x", 4 for "xxxx") while the latter attempts to copy >12MB. In some very rare cases a thread separate from the string data-copy thread will crash, this might be exploitable. However, this is mostly useless since it rarely crashes this way.

Tips and info

The 3DS uses the XN feature of the ARM processor, and only apps that have the necessary permissions in their headers can set memory to be executable. This means that although a usable buffer overflow exploit would still be useful, it would not go the entire way towards allowing code to be run in an easy or practical fashion (like an actual homebrew launcher). For that, an exploit in the system is required. A buffer overflow exploit does, however, provide enough wiggle room through the use of return-oriented programming to potentially trigger a system exploit.

SD card extdata and SD savegames can be attacked, for consoles where the console-unique movable.sed was dumped.

Note that the publicly-available <v5.0 total-control exploits are Process9 exploits, not "kernel exploits".

System flaws

FIRM Process9

Summary	Description	Successful exploitation result	Fixed in FIRM system version	Last FIRM system version this flaw was checked for	Timeframe this was discovered	Discovered by
	This can't be exploited from ARM11 userland.	ARM9 code execution	None	9.3.0-X	2012	Yellows8
PS RSA commands buffer overflows	pxips9 cmd1(not accessible via ps:ps) and VerifyRsaSha256: unchecked copy to a buffer in Process9's .bss, from the input FCRAM buffer. The buffer is located before the pxi cmdhandler threads' stacks. SignRsaSha256 also has a buf overflow, but this isn't exploitable. The buffer for this is the buffer for the signature data. With v5.0, the signature buffer was moved to stack, with a check for the signature data size. When the signature data size is too large, Process9 uses svcBreak.	ARM9 code execution	5.0.0-X		2012	Yellows8

ARM11 kernel

Summary	Description	Successful exploitation result	Fixed in FIRM system version	Last FIRM system version this flaw was checked for	Timeframe this was discovered	Discovered by
SVC table too small	The table of function pointers for SVC's only contains entries up to 0x7D, but the biggest allowed SVC for the table is 0x7F. Thus, executing SVC7E or SVC7F would make the SVC-handler read after the buffer, and interpret some ARM instructions as function pointers. However, this would require patching the kernel .text or modifying SVC-access-control. Even if you could get these to execute, they would still jump to memory that isn't mapped as executable.		None	9.3.0-21	2012
svcBackdoor (0x7B)	This backdoor allows executing SVC-mode code at the user-specified code-address. This is used by Process9, using this on the ARM11(with NATIVE_FIRM) requires patching the kernel .text or modifying SVC-access-control.	See description	None	9.3.0-21
0xEFF00000 / 0xDFF00000 ARM11 kernel virtual-memory	The ARM11 kernel-mode 0xEFF00000/0xDFF00000 virtual-memory(size 0x100000) is mapped to phys-mem 0x1FF00000(entire DSP-mem + entire AXIWRAM), with permissions RW-. This is used during ARM11 kernel startup, this never seems to be used after that, however.		None	9.3.0-21
		When combined with other flaws: ARM11-kernelmode code execution	9.3.0-21		February 2014	Yellows8
PXI Command input/output buffer permissions	Originally the ARM11-kernel didn't check permissions for PXI input/output buffers for commands. Starting with 6.0.0 PXI input/output buffers must have RW permissions, otherwise kernelpanic is triggered.		6.0.0-11		2012	Yellows8
svcStartInterProcessDma	For svcStartInterProcessDma, the kernel code had the following flaws: Originally the ARM11-kernel read the input DmaConfig structure directly in kernel-mode(ldr(b/h) instructions), without checking whether the DmaConfig address is readable under userland. This was fixed by copying that structure to the SVC-mode stack, using the ldrbt instruction. Integer overflows for srcaddr+size and dstaddr+size are now checked(with 6.0.0-11), which were not checked before. The kernel now also checks whether the srcaddr/dstaddr (+size) is within userland memory (0x20000000), the kernel now (with 6.0.0-11) returns an error when the address is beyond userland memory. Using an address >=0x20000000 would result in the kernel reading from the process L1 MMU table, beyond the memory allocated for that MMU table(for vaddr->physaddr conversion).		6.0.0-11		DmaConfig issue: unknown. The rest: 2014
svcControlMemory Parameter checks	For svcControlMemory the parameter check had these two flaws: The allowed range for addr0, addr1, size parameters depends on which MemoryOperation is being specified. The limitation for GSP heap was only checked if op=(u32)0x10003. By setting a random bit in op that has no meaning (like bit17?), op would instead be (u32)0x30003, and the range-check would be less strict and not accurate. However, the kernel doesn't actually use the input address for LINEAR memory-mapping at all besides the range-checks, so this isn't actually useful. This was fixed in the kernel by just checking for the LINEAR bit, instead of comparing the entire MemoryOperation value with 0x10003. Integer overflows on (addr0+size) are now checked that previously weren't (this also applies to most other address checks elsewhere in the kernel).		5.0.0-11
Command request/response buffer overflow	Originally the kernel did not check the word-values from the command-header. Starting with 5.0.0-11, the kernel will trigger a kernelpanic() when the total word-size of the entire command(including the cmd-header) is larger than 0x40-words (0x100-bytes). This allows overwriting threadlocalstorage+0x180 in the destination thread. However, since the data written there would be translate parameters (such as header-words + buffer addresses), exploiting this would likely be very difficult, if possible at all. If the two words at threadlocalstorage+0x180 could be overwritten with controlled data this way, one could then use a command with a buffer-header of ((size<<14) \| 2) to write arbitrary memory to any RW userland memory in the destination process.		5.0.0-11		v4.1 FIRM -> v5.0 code diff
SVC stack allocation overflows	Syscalls that allocate a variable-length array on stack, only checked bit31 before multiplying by 4/16 (when calculating how much memory to allocate). If a large integer was passed as input to one of these syscalls, an integer overflow would occur, and too little memory would have been allocated on stack resulting in a buffer overrun. The alignment (size+7)&~7 calculation before allocation was not checked for integer overflow. This might allow for ARM11 kernel code-execution. (Applies to svcSetResourceLimitValues, svcGetThreadList, svcGetProcessList, svcReplyAndReceive, svcWaitSynchronizationN.)		5.0.0-11		v4.1 FIRM -> v5.0 code diff
svcControlMemory MemoryOperation MAP memory-permissions	svcControlMemory with MemoryOperation=MAP allows mapping the already-mapped process virtual-mem at addr1, to addr0. The lowest address permitted for addr1 is 0x00100000. Originally the ARM11 kernel didn't check memory permissions for addr1. Therefore .text as addr1 could be mapped elsewhere as RW- memory, which allowed ARM11 userland code-execution.		4.1.0-8		2012	Yellows8
Command input/output buffer permissions	Originally the ARM11 kernel didn't check memory permissions for the input/output buffers for commands. Starting with 4.0.0-7 the ARM11 kernel will trigger a kernelpanic() if the input/output buffers don't have the required memory permissions. For example, this allowed a FSUSER file-read to .text, which therefore allowed ARM11-userland code execution.		4.0.0-7		2012	Yellows8
svcReadProcessMemory/svcWriteProcessMemory memory permissions	Originally the kernel only checked the first page(0x1000-bytes) of the src/dst buffers, for svcReadProcessMemory and svcWriteProcessMemory. There is no known retail processes which have access to these SVCs.		4.0.0-7		2012?	Yellows8

FIRM ARM11 modules

Summary	Description	Successful exploitation result	Fixed in FIRM system version	Last FIRM system version this flaw was checked for	Timeframe this was discovered	Discovered by
"srv:pm" process registration	Originally any process had access to the port "srv:pm". The PID's used for the (un)registration commands are not checked either. This allowed any process to re-register itself with "srv:pm", and therefore allowed the process to give itself access to any service, bypassing the exheader service-access-control list. This was fixed in 7.0.0-13: starting with 7.0.0-13 "srv:pm" is now a service instead of a globally accessible port. Only processes with PID's less than 6 (in other words: fs, ldr, sm, pm, pxi modules) have access to it. With 7.0.0-13 there can only be one session for "srv:pm" open at a time(this is used by pm module), svcBreak will be executed if more sessions are opened by the processes which can access this. This flaw was needed for exploiting the <=v4.x Process9 PXI vulnerabilities from ARM11 userland ROP, since most applications don't have access to those service(s).	Access to arbitrary services	7.0.0-13		2012	Yellows8

ARM11 system modules

Summary	Description	Successful exploitation result	Fixed in system version	Last system version this flaw was checked for	Timeframe this was discovered	Discovered by
gspwn	GSP module does not validate addresses given to the GPU. This allows a user-mode application/applet to read/write to a large part of physical FCRAM using GPU DMA. From this, you can overwrite the .text segment of the application you're running under, and gain real code-execution from a ROP-chain. Normally applets' .text(Home Menu, Internet Browser, etc) is located beyond the area accessible by the GPU, except for CROs used by applets(Internet Browser for example).	User-mode code execution.	None	9.4.0-21
rohax	Using gspwn, it is possible to overwrite a loaded CRO0/CRR0 after its RSA-signature has been validated. Badly validated CRO0 header leads to arbitrary read/write of memory in the ro-process. This gives code-execution in the ro module, who has access to syscalls 0x70-0x72, 0x7D. This was fixed after ninjhax release by adding checks on CRO0-based pointers before writing to them.	Memory-mapping syscalls.	9.3.0-21	9.4.0-21

ARM11 system applications and applets

Summary	Description	Successful exploitation result	Fixed in system version	Last system version this flaw was checked for	Timeframe this was discovered	Discovered by
3DS System Settings DS profile string stack-smash	Too long or corrupted strings (01Ah 2 Nickname length in characters 050h 2 Message length in characters) in the NVRAM DS user settings (System Settings->Other Settings->Profile->Nintendo DS Profile) cause it to crash in 3DS-mode due to a stack-smash. The DSi is not vulnerable to this, DSi launcher(menu) and DSi System Settings will reset the NVRAM user-settings if the length field values are too long(same result as when the CRCs are invalid). TWL_FIRM also resets the NVRAM user-settings when the string-length(s) are too long.	ROP in mset.	7.0.0-13	7.0.0-13	2012	Whoever originally added the vuln info for this to 3dbrew.

@@ Line 41: / Line 41: @@
 !  Description
 !  Successful exploitation result
-!  Fixed in system version
+!  Fixed in [[FIRM]] system version
-!  Last FIRM version this flaw was checked for
+!  Last [[FIRM]] system version this flaw was checked for
 !  Timeframe this was discovered
+!  Discovered by
 |-
 |
@@ Line 50: / Line 51: @@
 | None
 | [[9.3.0-21|9.3.0-X]]
 | 2012
+| [[User:Yellows8|Yellows8]]
 |-
-| [[Process_Services_PXI|ps:VerifyRsaSha256]] buffer overflow
+| [[Process_Services_PXI|PS RSA]] commands buffer overflows
-| Unchecked copy to a buffer in Process9's .bss. The buffer is located before the pxi cmdhandler threads' stacks.
+| pxips9 cmd1(not accessible via ps:ps) and VerifyRsaSha256: unchecked copy to a buffer in Process9's .bss, from the input FCRAM buffer. The buffer is located before the pxi cmdhandler threads' stacks. SignRsaSha256 also has a buf overflow, but this isn't exploitable.
+The buffer for this is the buffer for the signature data. With v5.0, the signature buffer was moved to stack, with a check for the signature data size. When the signature data size is too large, Process9 uses [[SVC|svcBreak]].
 | ARM9 code execution
-| [[5.0.0-11]]
+| [[5.0.0-11|5.0.0-X]]
 |
 | 2012
+| [[User:Yellows8|Yellows8]]
 |}
@@ Line 66: / Line 70: @@
 !  Description
 !  Successful exploitation result
-!  Fixed in system version
+!  Fixed in [[FIRM]] system version
-!  Last FIRM version this flaw was checked for
+!  Last [[FIRM]] system version this flaw was checked for
 !  Timeframe this was discovered
+!  Discovered by
 |-
 |  [[SVC]] table too small
@@ Line 78: / Line 83: @@
 | [[9.3.0-21|9.3.0-21]]
 | 2012
+|
 |-
 |  [[SVC|svcBackdoor (0x7B)]]
@@ Line 85: / Line 91: @@
 | [[9.3.0-21|9.3.0-21]]
 |
+|
 |-
 | [[Memory_layout#ARM11_Detailed_virtual_memory_map|0xEFF00000]] / 0xDFF00000 ARM11 kernel virtual-memory
@@ Line 91: / Line 98: @@
 | None
 | [[9.3.0-21|9.3.0-21]]
+|
 |
 |-
@@ Line 99: / Line 107: @@
 |
 | February 2014
+| [[User:Yellows8|Yellows8]]
 |-
 | PXI [[RPC_Command_Structure|Command]] input/output buffer permissions
@@ Line 106: / Line 115: @@
 |
 | 2012
+| [[User:Yellows8|Yellows8]]
 |-
 | [[SVC|svcStartInterProcessDma]]
@@ Line 119: / Line 129: @@
 |
 | DmaConfig issue: unknown. The rest: 2014
+|
 |-
 | [[SVC|svcControlMemory]] Parameter checks
@@ Line 131: / Line 142: @@
 |
 |
+|
 |-
 | [[RPC_Command_Structure|Command]] request/response buffer overflow
@@ Line 140: / Line 152: @@
 |
 | v4.1 FIRM -> v5.0 code diff
+|
 |-
 | [[SVC|SVC stack allocation overflows]]
@@ Line 153: / Line 166: @@
 |
 | v4.1 FIRM -> v5.0 code diff
+|
 |-
 | [[SVC|svcControlMemory]] MemoryOperation MAP memory-permissions
@@ Line 160: / Line 174: @@
 |
 | 2012
+| [[User:Yellows8|Yellows8]]
 |-
 | [[RPC_Command_Structure|Command]] input/output buffer permissions
@@ Line 167: / Line 182: @@
 |
 | 2012
+| [[User:Yellows8|Yellows8]]
 |-
 | [[SVC|svcReadProcessMemory/svcWriteProcessMemory memory]] permissions
@@ Line 174: / Line 190: @@
 |
 | 2012?
+| [[User:Yellows8|Yellows8]]
 |}
@@ Line 181: / Line 198: @@
 !  Summary
 !  Description
-!  Fixed in system version
+!  Successful exploitation result
+!  Fixed in [[FIRM]] system version
+!  Last [[FIRM]] system version this flaw was checked for
+!  Timeframe this was discovered
+!  Discovered by
 |-
 | [[Services|"srv:pm"]] process registration
@@ Line 189: / Line 210: @@
 This flaw was needed for exploiting the <=v4.x Process9 PXI vulnerabilities from ARM11 userland ROP, since most applications don't have access to those service(s).
+| Access to arbitrary services
 | [[7.0.0-13]]
+|
+| 2012
+| [[User:Yellows8|Yellows8]]
 |}
@@ Line 201: / Line 226: @@
 !  Last system version this flaw was checked for
 !  Timeframe this was discovered
+!  Discovered by
 |-
 | gspwn
@@ Line 207: / Line 233: @@
 | None
 | [[9.4.0-21]]
+|
 |
 |-
@@ Line 216: / Line 243: @@
 | [[9.3.0-21]]
 | [[9.4.0-21]]
+|
 |
 |}
@@ Line 228: / Line 256: @@
 !  Last system version this flaw was checked for
 !  Timeframe this was discovered
+!  Discovered by
 |-
 | 3DS [[System Settings]] DS profile string stack-smash
@@ Line 235: / Line 264: @@
 | [[7.0.0-13]]
 | 2012
+| Whoever originally added the vuln info for this to 3dbrew.
 |}