Line 1: |
Line 1: |
| + | ==Payload== |
| {| class="wikitable" border="1" | | {| class="wikitable" border="1" |
| |- | | |- |
| + | ! Works on latest fw |
| ! Name | | ! Name |
− | ! Supported firms | + | ! Description |
| + | ! Supported firmwares |
| + | |- |
| + | | style="background: lightgreen" | Yes |
| + | | [https://smealum.github.io/3ds/ *hax payload] |
| + | | Booted by all of the below non-sysmodule exploits. '''No longer needed as of [https://github.com/AuroraWright/Luma3DS/releases/tag/v8.0 Luma 8.0]''' |
| + | | From '''9.0.0-7''' up to '''11.9.0-42'''. |
| + | |} |
| + | |
| + | For the rest of this page, "Supported firmwares" refers to the exploit ''itself'', not whether *hax payload supports it. |
| + | |
| + | ==Standalone Homebrew Launcher Exploits== |
| + | The following homebrew exploits can be executed on a previously un-exploited system. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''. |
| + | |
| + | {| class="wikitable" border="1" |
| + | |- |
| + | ! Works on latest fw |
| + | ! Name |
| + | ! Supported firmwares |
| ! Requirements | | ! Requirements |
| ! Author | | ! Author |
| ! Install | | ! Install |
| |- | | |- |
− | | [[ninjhax]] | + | | style="background: salmon" | No |
− | | From '''4.0.0-X''' up to and including '''9.2.0-X''', for '''X''' is between 7 and 20. | + | | [[ninjhax|Ninjhax 1.1b]] |
| + | | From '''4.0.0-7''' up to and including '''9.2.0-20'''. |
| | A cartridge or eShop version (JPN-only) of "Cubic Ninja". | | | A cartridge or eShop version (JPN-only) of "Cubic Ninja". |
| | smea | | | smea |
| | [http://smealum.net/ninjhax/ Install] | | | [http://smealum.net/ninjhax/ Install] |
| |- | | |- |
− | | [[ninjhax2]] | + | | style="background: lightgreen" | Yes |
− | | From '''9.0.0-X''' up to and including '''9.9.0-X''', for '''X''' up to and including 26. | + | | [[ninjhax|Ninjhax 2.x]] |
− | | A cartridge or eShop version (JPN-only) of "Cubic Ninja". | + | | From '''9.0.0-7''' up to and including '''11.9.X'''. |
| + | | A cartridge or eShop version (JPN-only, not available anymore for purchase) of "Cubic Ninja". |
| + | | smea |
| + | | [https://smealum.github.io/ninjhax2/ Install] |
| + | |- |
| + | | style="background: lightgreen" | Yes |
| + | | [http://plutooo.github.io/freakyhax/ freakyhax] |
| + | | From '''9.0.0-7''' up to and including '''11.9.X'''. |
| + | | A cartridge or eShop version (USA/EUR/JPN, not available anymore for purchase) of "Freakyform Deluxe". |
| + | | plutoo |
| + | | [http://plutooo.github.io/freakyhax/ Install] |
| + | |- |
| + | | style="background: salmon" | No |
| + | | [http://plutooo.github.io/smilehax/ smilehax] |
| + | | From '''9.0.0-7''' up to and including '''11.0.0-33''' |
| + | | SmileBASIC (JPN all versions up to 3.32 excluded, USA 3.31 only) |
| + | | plutoo |
| + | | [http://plutooo.github.io/smilehax/ Install] |
| + | |- |
| + | | style="background: lightgreen" | Yes |
| + | | [https://github.com/zoogie/smilehax-IIe smilehax IIe] |
| + | | From '''9.0.0-7''' up to and including '''11.13.0-45''' |
| + | | SmileBASIC (JPN version 3.3.2 via app downgrade, USA/EUR 3.6.0, aka latest app version) |
| + | | zoogie |
| + | | [https://github.com/zoogie/smilehax-IIe/releases/latest Install] |
| + | |- |
| + | | style="background: salmon" | No |
| + | | [http://mrnbayoh.github.io/basicsploit/ BASICSploit] |
| + | | From '''9.0.0-7''' up to and including '''11.0.0-33''' |
| + | | SmileBASIC (USA all versions) |
| + | | MrNbaYoh |
| + | | [http://mrnbayoh.github.io/basicsploit/ Install] |
| + | |- |
| + | | style="background: lightgreen" | Yes |
| + | | [[smashbroshax|smashbroshax]] (beaconhax) |
| + | | (New 3DS only) From '''9.0.0-X''' up to and including '''11.9.0-37'''. |
| + | | Super Smash Bros 3DS (full-game) and a way to broadcast raw wifi beacons. The demo (prior to the updated November 2015 [https://github.com/yellows8/3ds_smashbroshax version]) isn't usable with the *hax payloads. Game-version v1.1.3 fixed the vuln used with this, see the repo for a workaround for that. |
| + | | [[User:Yellows8|Yellows8]] |
| + | | [https://github.com/yellows8/3ds_smashbroshax Install] |
| + | |- |
| + | | style="background: salmon" | No |
| + | | [[browserhax]] |
| + | | From '''9.0.0-2''' to '''11.0.0-33''' |
| + | Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]]. |
| + | | A USA, EUR, JPN, or KOR system. |
| + | | [[User:Yellows8|Yellows8]] |
| + | | [http://yls8.mtheall.com/3dsbrowserhax.php Install] |
| + | |- |
| + | | style="background: salmon" | No |
| + | | [https://github.com/svanheulen/genhax genhax] |
| + | | (New 3DS only) From '''9.9.0-X''' up to and including '''11.2.0-X'''. |
| + | | A gamecard or eShop-install of Monster Hunter X (JPN only), and the DLC encryption key (see installer instructions). '''Note: the secondary exploit still works, see bellow''' |
| + | | svanheulen |
| + | | [https://github.com/svanheulen/genhax_installer Install] |
| + | |- |
| + | | style="background: salmon" | No |
| + | | [https://github.com/nedwill/soundhax soundhax] |
| + | | From '''9.0.0-13''' up to and including '''11.3.0-36'''. |
| + | | A USA, EUR, JPN or KOR system. |
| + | | nedwill |
| + | | [http://soundhax.com Install] |
| + | |- |
| + | | style="background: lightgreen" | Yes |
| + | | [https://github.com/MrNbaYoh/doodlebomb doodlebomb] |
| + | | From '''9.0.0-X'''(?) up to and including '''11.6.0-X'''. |
| + | | An eShop-install of Swapdoodle (version 1.1.1 or lower). As of 2017-4-26, version 1.1.2 was released, blocking outdated app version from sending or receiving messages. |
| + | | MrNbaYoh |
| + | | [https://mrnbayoh.github.io/doodlebomb/ Install] |
| + | |- |
| + | | style="background: lightgreen" | yes |
| + | | [https://github.com/zoogie/MSET9 MSET9] |
| + | | From ''1.1.7=X (?) up to and including '''11.9.0'''. |
| + | | MSET 9 is a exploit installer that can be used on all platforms. It is basic and easy to use. |
| + | | Zoogie |
| + | |[https://github.com/zoogie/MSET9 Install] |
| + | |- |
| + | | style="background: lightgreen" | Yes |
| + | | [https://github.com/MrNbaYoh/rpwng2 RPwnG 2] |
| + | | From '''1.1.7-X'''(?) up to and including '''11.9.0-X'''. |
| + | | A digital copy of RPG Maker Player (free) ver. 1.1.4 on EUR, ver. 1.1.2 on USA. A 3DS on firmware 11.7. |
| + | | MrNbaYoh |
| + | | [https://mrnbayoh.github.io/rpwng2/ Install] |
| + | |- |
| + | | style="background: darkorange" | Only if installed before August 28, 2017 |
| + | | [https://twitter.com/MrNbaYoh/status/899394739543437313 RPwnG] |
| + | | From '''9.0.0-X'''(?) up to and including '''11.9.0-X'''. |
| + | | An digital copy of RPG Maker Player (free) ver. 1.1.4 on EUR, ver. 1.1.2 on USA/JPN is required. As of August 28, 2017 the code is instantly removed after publishing. |
| + | | MrNbaYoh |
| + | | [https://mrnbayoh.github.io/rpwng/ Install] |
| + | |- |
| + | | style="background: salmon" | No |
| + | | [https://github.com/MrNbaYoh/notehax notehax] |
| + | | From '''9.9.0-X''' up to and including '''11.5.0-X'''. |
| + | | A digital copy of Flipnote Studio 3D on ver 1.3.1 (JPN) and ver 1.0.0 for EUR/USA (not the latest) |
| + | | MrNbaYoh |
| + | | [https://mrnbayoh.github.io/notehax/ Install] |
| + | |- |
| + | | style="background: darkorange" | Only if you already purchased Blockfactory before it was removed from the eShop |
| + | | [https://github.com/Stary2001/haxfactory haxfactory] |
| + | | From '''9.0.0-X'''(?) up to and including '''11.9.0-X'''. |
| + | | A digital copy of "Blockfactory" (USA/EUR) |
| + | | Stary2001 |
| + | | [https://github.com/Stary2001/haxfactory Install] |
| + | |} |
| + | |
| + | ==Secondary Exploits== |
| + | Installation of these exploits requires a previously exploited system to install. After installation, they can be used on their own. ''Please'' see the above Payload section regarding what "Supported firmwares" indicates ''exactly''. |
| + | |
| + | {| class="wikitable" border="1" |
| + | ! Works on latest fw |
| + | ! Name |
| + | ! Supported firmwares |
| + | ! Requirements |
| + | ! Author |
| + | ! Install |
| + | |- |
| + | | style="background: salmon" | No |
| + | | [[ironhax]] |
| + | | From '''9.5.0-X''' up to and including '''10.3.0-X''', for '''X''' up to and including 28. |
| + | | A copy of "Ironfall: Invasion" downloaded from eShop before August 11th, 2015. Note the updated version that was released on October 13th, 2015 is not supported. |
| + | | smea |
| + | | [http://smealum.github.io/3ds/ Install] |
| + | |- |
| + | | style="background: lightgreen" | Yes |
| + | | [http://vegaroxas.github.io/ steelhax] |
| + | | From '''9.0.0-X''' up to and including '''11.9.0-X''' |
| + | | A copy of Steel Diver: Sub Wars |
| + | | Vegaroxas |
| + | | [https://github.com/VegaRoXas/vegaroxas.github.io/raw/master/files/steelhax-installer.zip Install] |
| + | |- |
| + | | style="background: lightgreen" | Yes |
| + | | [https://github.com/yellows8/oot3dhax oot3dhax] |
| + | | From '''9.0.0-X''' up to and including '''11.9.0-X''', for '''X''' up to and including 39. |
| + | | A gamecard or eShop-install of Legend of Zelda: Ocarina of Time 3D. Besides using the installer app, writing raw saveimages with a save dongle for example is another option. Before compression was introduced in the 2016-7-18 release, the size of the *hax payload meant the exploit can't co-exist with regular saves on a physical version of the game. |
| + | | Yellows8 / smea et al. |
| + | | See [https://smealum.github.io/3ds/ here]. |
| + | |- |
| + | | style="background: salmon" | No |
| + | | [[menuhax]] |
| + | | JPN/USA/EUR: From '''9.0.0-X''' up to and including '''11.2.0-X'''. |
| + | KOR: From '''9.6.0-X''' up to and including '''11.2.0-X'''. |
| + | | JPN/USA/EUR: Having created [[Home_Menu#Home_Menu_Theme_SD_ExtData|theme extdata]] through opening the official theme selector at least once. |
| + | | [[User:Yellows8|Yellows8]] |
| + | | [https://github.com/yellows8/3ds_homemenuhax/releases Download] |
| + | |- |
| + | | style="background: lightgreen" | Yes |
| + | | [https://github.com/shinyquagsire23/supermysterychunkhax supermysterychunkhax] |
| + | | From '''9.9.0-X''' (USA/JPN) / '''10.2.0-X''' (EUR) up to '''11.9.0-X'''. |
| + | | A gamecard or eShop-install of Pokémon Super Mystery Dungeon. |
| + | | Shiny Quagsire / SALT team |
| + | | [https://smd.salthax.org/ Install]. |
| + | |- |
| + | | style="background: salmon" | No |
| + | | [https://github.com/shinyquagsire23/v_hax (v*)hax] |
| + | | From '''9.0.0-X''' up to and including '''11.0.0-X''', for '''X''' up to and including 33. |
| + | Note that '''9.0.0-X''' is only required for the Homebrew Launcher - the game itself only requires '''2.1.0-X''' for primitive userland code execution. |
| + | | A copy of VVVVVV downloaded after March 2012 (v1). v1.1 patches out the overflow vulnerability used by (v*)hax. |
| + | | Shiny Quagsire / SALT team |
| + | | [https://vvvvvv.salthax.org/ Install]. |
| + | |- |
| + | | style="background: lightgreen" | Yes |
| + | | [https://github.com/Dazzozo/humblehax humblehax] |
| + | | From '''9.0.0-X''' (USA/EUR) up to and including '''11.9.0-X'''. |
| + | | An eShop-install of Citizens of Earth (either v1 or v2), featured in the Humble "Friends of Nintendo" Bundle. |
| + | | Dazzozo / SALT team |
| + | | [https://citizens.salthax.org/ Install]. |
| + | |- |
| + | | style="background: salmon" | No |
| + | | [http://mrnbayoh.github.io/basehaxx/ basehaxx] |
| + | | From '''9.0.0-X''' up to and including '''11.1.0-X'''. |
| + | | A gamecard or eShop-install of Pokémon Omega Ruby / Alpha Sapphire v1 or v1.4 with the ability to have a secret base. |
| + | | MrNbaYoh |
| + | | [http://mrnbayoh.github.io/basehaxx/ install] |
| + | |- |
| + | | style="background: lightgreen" | Yes |
| + | | [https://github.com/yellows8/stickerhax stickerhax] |
| + | | From '''9.0.0-X''' up to and including '''11.6.0-X'''. |
| + | | A gamecard or eShop-install of Paper Mario: Sticker Star. |
| + | | [[User:Yellows8|Yellows8]] |
| + | | [https://github.com/yellows8/stickerhax Here] |
| + | |- |
| + | | style="background: lightgreen" | Yes |
| + | | [https://github.com/svanheulen/genhax genhax] |
| + | | (New 3DS only) From '''9.9.0-X'''(JPN) or '''10.3.0-X'''(EUR/USA) up to and including '''11.3.0-X'''. |
| + | | A gamecard or eShop-install of Monster Hunter Generations or Monster Hunter X (without the game updates installed), and an internet connection during installation. |
| + | | svanheulen |
| + | | [https://github.com/svanheulen/genhax_installer Install] |
| + | |- |
| + | | style="background: lightgreen" | Yes |
| + | | [https://github.com/MrNbaYoh/painthax painthax] |
| + | | From '''9.0.0-X''' up to and including '''11.6.0-X'''. |
| + | | An eShop-install of Pixel Paint. |
| + | | MrNbaYoh |
| + | | [https://github.com/MrNbaYoh/painthax/releases/latest install] |
| + | |- |
| + | | style="background: salmon" | No |
| + | | [https://github.com/yellows8/ctpkpwn ctpkpwn_tfh] |
| + | | From '''9.9.0-X''' up to and including '''11.3.0-X'''. |
| + | | A gamecard or eShop-install of "The Legend of Zelda: Tri Force Heroes", and an Internet connection during installation. Unless you have "CFW", ctr-httpwn >=v1.2 with the included bosshaxx on a compatible system-version is also required. If installing via ctr-httpwn, you can't do so on >=v11.4. Note that the exploit itself was not fixed. |
| + | | [[User:Yellows8|Yellows8]] |
| + | | [https://github.com/yellows8/ctpkpwn/releases Install] |
| + | |- |
| + | | style="background: salmon" | No |
| + | | [https://github.com/MrNbaYoh/doodlebomb doodlebomb] |
| + | | From '''9.0.0-X'''(?) up to and including '''11.4.0-X'''. |
| + | | An eShop-install of Swapdoodle. |
| + | | MrNbaYoh |
| + | | [https://mrnbayoh.github.io/doodlebomb/ Install] |
| + | |- |
| + | | style="background: darkorange" | Only if installed before August 28, 2017 |
| + | | [https://github.com/ChampionLeake/RPwnG3 RPwnG3] |
| + | | From '''9.0.0-X'''(?) up to and including '''11.12.0-X'''. |
| + | | A Digital/Physical copy of "RPGMaker Fes Player/RPGMaker Fes" (USA/JPN 1.1.2 or lower ; EUR 1.1.4 or lower). |
| + | | [[User:ChampionLeake|ChampionLeake]] |
| + | | [https://github.com/ChampionLeake/RPwnG3/releases Install] |
| + | |- |
| + | | style="background: lightgreen" | Yes |
| + | | [https://github.com/luigoalma/nitpic3d nitpic3d] |
| + | | From '''9.6.0-X'''(?) up to and including '''11.13.0-X'''. |
| + | | A digital or physical of Picross 3D: Round 2 |
| + | | Luigoalma and Kartik |
| + | | [https://github.com/luigoalma/nitpic3d Install] |
| + | |- |
| + | | style="background: lightgreen" | Yes |
| + | | [https://github.com/PabloMK7/kartdlphax kartdlphax] |
| + | | All system versions work. |
| + | | A digital or physical of Mario Kart 7 for the same region as both consoles |
| + | | PabloMK7 |
| + | | [https://3ds.hacks.guide/installing-boot9strap-(kartdlphax) Install] |
| + | |} |
| + | |
| + | ==Exploits without Homebrew Launcher== |
| + | |
| + | <u>'''Warning:'''</u> The following exploits can run code, but are missing a 3DSX launcher. They cannot launch any homebrew in the 3DSX format, but could still prove useful by chaining to exploits with higher privileges. |
| + | |
| + | {| class="wikitable" border="1" |
| + | |- |
| + | ! Works on latest fw |
| + | ! Name |
| + | ! Supported firmwares |
| + | ! Requirements |
| + | ! Author |
| + | ! Install |
| + | |- |
| + | | style="background: lime" | Yes |
| + | | [https://safecerthax.rocks safecerthax] (Safe Mode System Updater) |
| + | | (Old3DS (2DS) (XL)) ''' ALL ''' |
| + | |
| + | (New3DS (New2DS) (XL)) '''NOT SUPPORTED''' |
| + | |An O3DS or O2DS that can be booted into [[Recovery_Mode|Recovery Mode]] (hold L+R+Up+A at startup) & an internet connection. |
| + | |[[User:Nba_Yoh|MrNbaYoh]] |
| + | |[https://safecerthax.rocks/user-guide/ Install] |
| + | |- |
| + | | style="background: lime" | Yes (partially) |
| + | | [[bannerbomb3]] (System Settings) |
| + | | (USA / EUR / JPN) '''11.5.0''' to '''11.16.0''' |
| + | |
| + | (KOR / TWN) '''(11.4.0)''' '''11.5.0''' to '''latest''' |
| + | |
| + | An exploit that uses a buffer overflow in a TWL export banner's title strings to gain rop execution. |
| + | |A USA, EUR, JPN, KOR, or TWN system with its movable.sed keyY extracted. |
| + | |[[User:zoogie|zoogie]] |
| + | |[[bannerbomb3|Install]] |
| + | |- |
| + | | style="background: salmon" | No |
| + | | [[browserhax]] (Without the loader in the 3ds_browserhax_common repo) |
| + | | (Old3DS) From '''5.0.0-2''' to '''11.0.0-33''' (Pre-v5.0 is supported for some versions if you manually modify the source) |
| + | |
| + | (New3DS) From '''9.0.0-20''' to '''11.0.0-33''' |
| + | |
| + | Note that the browser-version-check bypass is only usable prior to [[10.7.0-32]]. |
| + | | An USA, EUR, or JPN system. |
| + | | [[User:Yellows8|Yellows8]] |
| + | | [[browserhax|Install]] |
| + | |- |
| + | | style="background: salmon" | No |
| + | | Ninjhax (with specialized payloads) |
| + | | Up to '''9.2.0-20'''? |
| + | | |
| + | | smea + independent developers |
| + | | N/A |
| + | |} |
| + | |
| + | ==Previous Exploits== |
| + | <u>'''Warning:'''</u> These exploits '''do not work'''. They are exploits which no longer function at all, regardless of software or firmware revision. |
| + | {| class="wikitable" border="1" |
| + | ! Works on latest fw |
| + | ! Name |
| + | ! Supported firmwares |
| + | ! Requirements |
| + | ! Author |
| + | ! Install |
| + | |- |
| + | | style="background: salmon" | No |
| + | | [[tubehax|Tubehax]] |
| + | | None. '''Was''': From '''9.0.0-X''' up to and including '''10.1.0-X''', for '''X''' up to and including 27. |
| + | | The YouTube application and an Internet connection. As of October 15, 2015, this is no longer usable due to an update being released which fixes the vuln used by tubehax + app update being forced (see [[YouTube|here]]). |
| | smea | | | smea |
− | | [http://smealum.github.io/ninjhax2/ Install] | + | | [http://smealum.github.io/3ds/ Install] |
| + | |} |
| + | |
| + | ==Other Homebrew Loaders== |
| + | The [https://github.com/yellows8/hblauncher_loader hblauncher_loader] title can be used when running under modded-FIRM which allows running unsigned titles, to boot the *hax payloads. |
| + | |
| + | [https://github.com/AuroraWright/Luma3DS Luma3DS], apart from providing signature patches for the installation and use of custom titles, includes the "Rosalina" system module, which among its features allows cleanly loading 3dsx applications as a native process with full ARM11 system permissions, by replacing an installed title's ExeFS and ExHeader during load time. It is currently the only option for running 3dsx applications on 11.4+ O3DSes; additionally, the *hax 2.x payload is incompatible with Rosalina and therefore so are homebrew applications requiring its target title system. |
| + | |
| + | ==Sysmodule Exploits== |
| + | This section is for system-module exploits, which can be run from the *hax payloads. |
| + | |
| + | {| class="wikitable" border="1" |
| + | ! Works on latest fw |
| + | ! Name |
| + | ! Supported firmwares |
| + | ! Requirements |
| + | ! Author |
| + | |- |
| + | | style="background: salmon" | No, still usable pre-v11.4. |
| + | | [https://github.com/yellows8/ctr-httpwn/releases ctr-httpwn] |
| + | | From '''9.6.0-X''' up to and including '''11.3.0-X'''. This includes bosshaxx. |
| + | | None |
| + | | [[User:Yellows8|Yellows8]] |
| |} | | |} |
| + | |
| + | ==WebKit vuln testing== |
| + | See [https://github.com/yellows8/3ds_browserhax_common/issues/28 here]. |
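Review bot: The new MSET9 row in the Standalone Homebrew Launcher Exploits table needs rework before this revision is accepted. Its Supported firmwares cell opens with two apostrophes that are never closed and reads `1.1.7=X (?)`, where every other row uses the `'''9.0.0-X'''` form. Its Works on latest fw cell says `yes` in lowercase. Its Requirements cell ("MSET 9 is a exploit installer that can be used on all platforms. It is basic and easy to use.") describes the tool instead of stating what the user must have, unlike the neighbouring rows. Suggest closing the bold markup, using the `-X` form, capitalising `Yes`, and replacing the description with the actual prerequisites.

Other points in the same revision:

* The bannerbomb3 row puts its description sentence ("An exploit that uses a buffer overflow in a TWL export banner's title strings ...") inside the Supported firmwares cell, which has no description column in that table. Move it out or drop it.
* The two "Yes" rows under Exploits without Homebrew Launcher use `background: lime` while the rest of the page uses `lightgreen`.
* The RPwnG 2 requirements end with "A 3DS on firmware 11.7" while the range column says up to and including 11.9.0-X. One of the two needs correcting or explaining.
* Several rows are flagged Yes for latest firmware with ranges that stop at 11.3.0-X, 11.6.0-X or 11.9.0-X (the secondary genhax row, doodlebomb, stickerhax, painthax), although other rows on the page cite 11.13.0 and 11.16.0. Either the flag or the range is stale.
* The Secondary Exploits, Previous Exploits and Sysmodule Exploits tables omit the `|-` after `{|` that the other tables have.
* The first genhax row has the typo "see bellow".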