Much of the information in this thread is provided by smealum. He's been extremely helpful in ensuring my comprehension of the topic. If you notice any errors or flaws in this thread, please inform me. The exploit used by GW as well as smealum utilizes a stack smash exploit. For more info on this, watch this video: http://videos.securitytube.net/Buffer Overflow Primer Part 1 (Smashing the Stack).mp4
Too long or corrupted strings (offset 01Ah, size 2: nickname length in characters; offset 050h, size 2: message length in characters) in the NVRAM DS user settings cause the Nintendo DS Profile screen (System Settings->Other Settings->Profile->Nintendo DS Profile) to crash in 3DS mode due to a stack smash. The reason (presumably) that the DS crashes in this case is that the string that has been corrupted and overflowed is apparent in the stack, causing it to crash. The same string is then used to manipulate the stack smash and create a ROP chain (what this string specifically needs to be is beyond me as of yet) loaded from the NVRAM. You can then use a function that is already apparent in memory to load another ROP chain located on the SD card. This code that corrupts the DS profile strings can be written in devkitARM. There is NDS code involved for loading the initial NVRAM payload, but that's it. The actual 3DS code is loaded from a file put on the SD card.
I have yet to reach this point, keep in mind.
END OF THREAD FOR NOW!
If any of you have achieved the above, feel free to elaborate on how you did so. If we wish to achieve our own CFW and not be reliant on a company (which in theory, their card isn't even necessary) then we need this collaboration.
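As an added illustration of the length-field problem the post describes (example code added here, not from the thread, smealum or GW): a small Python check that parses the two length fields at 01Ah and 050h of a DS user-settings block and flags values that cannot be valid, i.e. the kind of "too long or corrupted string" that trips the 3DS-mode profile screen. The field layout follows the DS firmware user-settings documentation in GBATEK; the character maxima (10 for the nickname, 26 for the message) are assumed from the documented 20-byte and 52-byte UCS-2 fields, and the sample block is constructed in the code, not dumped NVRAM.

```python
"""Sanity-check the nickname/message length fields of a DS user-settings block."""
import struct

# Field layout (offset, byte size) of the DS firmware user-settings block as
# documented in GBATEK. 01Ah and 050h are the two length fields named in the
# post. The character maxima are an assumption derived from the documented
# 20-byte and 52-byte UCS-2 string fields (2 bytes per character).
NICKNAME_OFF, NICKNAME_SIZE, NICKNAME_LEN_OFF = 0x06, 20, 0x1A
MESSAGE_OFF, MESSAGE_SIZE, MESSAGE_LEN_OFF = 0x1C, 52, 0x50
NICKNAME_MAX_CHARS = NICKNAME_SIZE // 2
MESSAGE_MAX_CHARS = MESSAGE_SIZE // 2
BLOCK_SIZE = 0x70  # bytes before the CRC field; covers every field used here


def _stored_chars(block, off, size):
    """Count UCS-2 code units stored before the first NUL in a string field."""
    units = struct.unpack_from("<%dH" % (size // 2), block, off)
    count = 0
    for unit in units:
        if unit == 0:
            break
        count += 1
    return count


def check_user_settings(block):
    """Return a list of findings; an empty list means both length fields are sane.

    Two things are checked per string: the declared length must fit the fixed
    field, and it must agree with the number of characters actually stored.
    """
    findings = []
    if len(block) < MESSAGE_LEN_OFF + 2:
        return ["block too short (%d bytes) to hold the message length field" % len(block)]
    for name, off, size, len_off, max_chars in (
        ("nickname", NICKNAME_OFF, NICKNAME_SIZE, NICKNAME_LEN_OFF, NICKNAME_MAX_CHARS),
        ("message", MESSAGE_OFF, MESSAGE_SIZE, MESSAGE_LEN_OFF, MESSAGE_MAX_CHARS),
    ):
        declared = struct.unpack_from("<H", block, len_off)[0]
        stored = _stored_chars(block, off, size)
        if declared > max_chars:
            findings.append("%s length %d exceeds the %d-character field" % (name, declared, max_chars))
        elif declared != stored:
            findings.append("%s length %d does not match %d stored characters" % (name, declared, stored))
    return findings


def make_sample_block(nickname, message):
    """Constructed well-formed block (not real dumped NVRAM) for exercising the check."""
    if len(nickname) > NICKNAME_MAX_CHARS or len(message) > MESSAGE_MAX_CHARS:
        raise ValueError("sample strings must fit their fields")
    block = bytearray(BLOCK_SIZE)
    block[NICKNAME_OFF:NICKNAME_OFF + NICKNAME_SIZE] = nickname.encode("utf-16-le").ljust(NICKNAME_SIZE, b"\0")
    struct.pack_into("<H", block, NICKNAME_LEN_OFF, len(nickname))
    block[MESSAGE_OFF:MESSAGE_OFF + MESSAGE_SIZE] = message.encode("utf-16-le").ljust(MESSAGE_SIZE, b"\0")
    struct.pack_into("<H", block, MESSAGE_LEN_OFF, len(message))
    return bytes(block)


if __name__ == "__main__":
    good = make_sample_block("PLAYER", "Hello")
    print(check_user_settings(good))  # []
    # Constructed damaged copy: the nickname length field claims far more
    # characters than the 20-byte field can hold.
    bad = bytearray(good)
    struct.pack_into("<H", bad, NICKNAME_LEN_OFF, 0x0400)
    print(check_user_settings(bytes(bad)))
```

Run against a dumped user-settings block, a non-empty result is the signal to stop and inspect the dump rather than let the 3DS-mode settings screen parse it.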