Monday, September 28, 2015

Some Exploits for 3DS Hacking

When it comes to exploits, cracks and hacks for the 3DS, most people are familiar with Smealum, the best-known hacker in the 3DS scene. The same goes for yellows8, so here we list some of the exploit methods yellows8 has released recently.

browserhax
These are Nintendo 3DS system web-browser webkit exploits for Old3DS and New3DS.
This requires the following repo: https://github.com/yellows8/3ds_browserhax_common See that repo for usage info as well.
These are webkit exploits, so you may have to retry them multiple times before they work correctly without crashing.
Two exploits are contained here, one is implemented only for Old3DS, and the other is only implemented for New3DS:
  • Old3DS: 3dsbrowserhax_webkit_r158724.php, aka "sliderhax". All system versions <=10.1.0-27 (minus the first version of the browser) are supported, as of when this repo was released. This isn't actually fixed for the New3DS browser as of 10.1.0-27, but there's no known way to even have a crash trigger for it which actually works right. To trigger it, wait for the page to fully load. Then ideally zoom in all the way, so that the slider is displayed as large as possible. Then touch the far right of the slider at the exact location where the slider ends, within the slider bar (the location you touch might(?) be related to how reliable the exploit is).
  • New3DS: 3dswebkithax_removewinframe.php, supported on all system versions below 9.9.0-26 (or more specifically <{X.X.X-26}). The vuln used here was fixed for the New3DS browser with 9.9.0-26, but on Old3DS it's still not fixed as of 10.1.0-27. No user input is needed to trigger this besides starting the page load. The actual exploit after the heap spray takes a while to trigger, since the heap spray takes a while. Note that this is very unreliable.
  • 3dsbrowserhax_webkit_r158724.php, in the initial form that got control over the object data used in the use-after-free, is originally from January 2014. The vuln used here was discovered to affect the Old3DS web browser by ichfly.
  • 3dswebkithax_removewinframe.php: This is based on a certain PoC, see the source for details on that. This was implemented in March 2015, soon after the time the pastebin for the PoC was created.
See the following for a hosted version of these: http://yls8.mtheall.com/3dsbrowserhax.php

Home Menu haxx
When Home Menu is starting up, it can load theme data from the Home Menu theme SD extdata. The flaw can be triggered from here. The ROP starts running at roughly the same time the LCD backlight gets turned on.
Although this triggers during Home Menu boot, this can't cause any true bricks: just remove the SD card if any booting issues ever occur (or delete/rename the theme-cache extdata directory). Note that this also applies when the ROP causes a crash, like when the ROP is for a different version of Home Menu (this can also happen if you boot into a NAND image which has a different Home Menu version but still uses the exact same SD data). However, it seems that normally(?) Home Menu crashes with this just result in Home Menu displaying the usual error dialog for system-applet crashes.
Since this is a theme exploit, a normal theme can't be used unless you build with the THEMEDATA_PATH option below (the ROP runs a good while after the theme is loaded). Due to how this hax works, the theme is really only usable for BGM (as described below).
Source: https://github.com/yellows8/3ds_homemenuhax

So far, you can view all the known exploits for the 3DS on this site: http://3dbrew.org/wiki/Homebrew_Exploits

Standalone Homebrew Launcher Exploits

The following homebrew exploits can be executed on a previously un-exploited system.
| Name | Supported firmwares | Requirements | Author |
| --- | --- | --- | --- |
| Ninjhax 1.1b | From 4.0.0-X up to and including 9.2.0-X, for X between 7 and 20 | A cartridge or eShop version (JPN-only) of "Cubic Ninja" | smea |
| Ninjhax 2.1 | From 9.0.0-X up to and including 10.1.0-X, for X up to and including 27 | A cartridge or eShop version (JPN-only) of "Cubic Ninja" | smea |
| Tubehax | From 9.0.0-X up to and including 10.1.0-X, for X up to and including 27 | The YouTube application and an internet connection | smea |
| smashbroshax (beaconhax) (New3DS-only) | From 9.0.0-X up to and including 10.1.0-X, for X up to and including 27 | Super Smash Bros 3DS (full game or demo) and a way to broadcast raw wifi beacons | Yellows8 |
| browserhax | Old3DS: 9.0.0-16 to 9.5.0-22, 9.5.0-23 to 9.8.0-25, 9.9.0-26 to 10.1.0-27. New3DS: 9.0.0-20 to 9.2.0-20, 9.3.0-21 to 9.5.0-23, 9.6.0-24 to 9.8.0-25, 9.9.0-26 to 10.1.0-27 | | Yellows8 |
Note that ninjhax 1.x is still not obsolete. Even though ninjhax 2.x can be run on 9.3+, this was made possible (amongst other things) by sacrificing the memory remapping exploit used in ninjhax 1.x (rohax). Therefore, things like JIT engines for emulators can only be supported on ninjhax 1.x. Furthermore, ninjhax 2.x does not run on system versions below 9.0.0-X, while ninjhax 1.x does.  
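The firmware column above uses two notations: explicit bounds such as "9.0.0-16 to 9.5.0-22", and the shorthand "From 9.0.0-X up to and including 10.1.0-X, for X up to and including 27", where X is the trailing build number that increases with every release. As an added example (not code from this page or from yellows8's or smea's repositories), the Python below parses "major.minor.micro-build" version strings, models each table entry as an inclusive range on the release triple plus an inclusive range on the build number, and reports which entries of the standalone table cover a given system version. The table data is transcribed from the rows above; the FirmwareRange class and the parse_version/is_version/applicable names are my own and are not part of any 3DS tool.

```python
"""Added example: parse Nintendo 3DS system-version strings ("10.1.0-27")
and evaluate them against firmware ranges written the way the table
above writes them. Not taken from the page or from any 3DS project."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# "major.minor.micro-build": the first three fields name a release, the
# trailing build number (the table's "X") increases with every release.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")

Release = Tuple[int, int, int]


def parse_version(text: str) -> Tuple[Release, int]:
    """Split "M.m.u-B" into ((M, m, u), B); anything else is rejected."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"not a 3DS system version: {text!r}")
    major, minor, micro, build = (int(g) for g in match.groups())
    return (major, minor, micro), build


def is_version(text: str) -> bool:
    """True when text is a well-formed system version string."""
    try:
        parse_version(text)
    except ValueError:
        return False
    return True


@dataclass(frozen=True)
class FirmwareRange:
    """One "From A-X up to and including B-X, for X ..." table entry.

    first/last bound the release triple inclusively; min_build/max_build
    bound the build number inclusively (None leaves that side open)."""
    first: Release
    last: Release
    min_build: Optional[int] = None
    max_build: Optional[int] = None

    def supports(self, version: str) -> bool:
        release, build = parse_version(version)
        if not self.first <= release <= self.last:
            return False
        if self.min_build is not None and build < self.min_build:
            return False
        if self.max_build is not None and build > self.max_build:
            return False
        return True


# Transcribed from the "Standalone Homebrew Launcher Exploits" table above;
# an entry carries several ranges where the table lists several.
STANDALONE_EXPLOITS: Dict[str, Tuple[FirmwareRange, ...]] = {
    "Ninjhax 1.1b": (FirmwareRange((4, 0, 0), (9, 2, 0), min_build=7, max_build=20),),
    "Ninjhax 2.1": (FirmwareRange((9, 0, 0), (10, 1, 0), max_build=27),),
    "Tubehax": (FirmwareRange((9, 0, 0), (10, 1, 0), max_build=27),),
    "smashbroshax (New3DS)": (FirmwareRange((9, 0, 0), (10, 1, 0), max_build=27),),
    "browserhax (Old3DS)": (
        FirmwareRange((9, 0, 0), (9, 5, 0), 16, 22),
        FirmwareRange((9, 5, 0), (9, 8, 0), 23, 25),
        FirmwareRange((9, 9, 0), (10, 1, 0), 26, 27),
    ),
    "browserhax (New3DS)": (
        FirmwareRange((9, 0, 0), (9, 2, 0), 20, 20),
        FirmwareRange((9, 3, 0), (9, 5, 0), 21, 23),
        FirmwareRange((9, 6, 0), (9, 8, 0), 24, 25),
        FirmwareRange((9, 9, 0), (10, 1, 0), 26, 27),
    ),
}


def applicable(version: str, table=STANDALONE_EXPLOITS):
    """Sorted names of table entries whose ranges contain `version`."""
    return sorted(name for name, ranges in table.items()
                  if any(r.supports(version) for r in ranges))


if __name__ == "__main__":
    # Constructed sample versions, including one past the last listed build.
    for sample in ("4.0.0-7", "9.2.0-20", "10.1.0-27", "10.2.0-28"):
        print(sample, "->", applicable(sample) or "no listed entry")
```

Run stand-alone it prints, for a few constructed versions, which standalone entries cover them; the same applicable() call answers whether a console on a given firmware is still within one of these publicly documented ranges or has moved past the last covered build (10.1.0-27). Because the release triple and the build number are checked separately, a string such as "9.5.0-22" is correctly placed in the first Old3DS browserhax range and not the second, even though both ranges touch release 9.5.0.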


Secondary Exploits

Installing these exploits requires a previously exploited system. After installation, they can be used on their own.
| Name | Supported firmwares | Requirements | Author |
| --- | --- | --- | --- |
| ironhax | From 9.5.0-X up to and including 10.1.0-X, for X up to and including 27 | A copy of "Ironfall: Invasion" (not available on eShop as of August 11th, 2015) and a self-exploitable title | smea |
| oot3dhax | From 9.5.0-X up to and including 10.1.0-X, for X up to and including 27 | A gamecard or eShop install of Legend of Zelda: Ocarina of Time 3D | Actual hax/payload: Yellows8/smea et al. Installer: Meladroit |
| themehax | From 9.0.0-X up to and including 10.1.0-X, for X up to and including 27 | | Yellows8 |

Exploits without Homebrew Launcher (Not recommended)

Warning: The following exploits can run code, but are missing a 3DSX launcher. They cannot launch any homebrew in the 3DSX format.
| Name | Supported firmwares | Requirements | Author |
| --- | --- | --- | --- |
| browserhax (without the loader in the 3ds_browserhax_common repo) | Old3DS: 2.1.0-4 to 3.0.0-6, 4.0.0-7 to 4.5.0-10, 5.0.0-11 to 7.0.0-13, 7.1.0-16 to 9.5.0-22, 9.5.0-23 to 9.8.0-25, 9.9.0-26 to 10.1.0-27. New3DS: 9.0.0-20 to 9.2.0-20, 9.3.0-21 to 9.5.0-23, 9.6.0-24 to 9.8.0-25, 9.9.0-26 to 10.1.0-27 | | Yellows8 |

Sky3DS can work alongside some of these exploits on a 3DS console to provide region-free play, CIA gaming, an SFC/SNES emulator, etc.
