Homebrew Merry Christmas - Have some RAM Dumping!

Bug_Checker_

Yeah, it seems like they blacklisted every single nick out there xD

Wrong timing for me to join I guess.

A lot of the dev wikis (dsibrew/wiibrew/wiiubrew/3dbrew) get account-creation bots spamming links for people looking to influence SEO.
Usually, because they haven't updated their software.

There was a time when spamming was so bad that innocent people got caught up in friendly fire.

 

mathieulh

Says:
"WE HACKED IT TOO!!!
megazig
xerpi
Fierce Waffle"



Not to kill the mood or anything, but you just need to compile an ARM9 payload to use along with the rsa_verify request exploit.
The exploit has now been public for several days here https://github.com/naehrwert/p3ds/blob/master/3dsploit.py
and addresses such as the ones for fopen, fwrite... can be bruteforced rather easily.
There should be about 20ish people that can run an ARM9 payload hanging around the #3dsdev channel right now.

All in all, I'd say your initial RAM dumper (using ROPs) was a lot more impressive than this, as running an ARM9 payload was just a matter of following each ROP in the chain from the Gateway Launcher.dat file once you had a valid RAM dump.

What I find astonishing is the number of people who do not know how the bug technically works: they know from the launcher.dat that they need to use specific ROP gadgets in a specific sequence to trigger the exploit, they know what some/most of the ROP gadgets do, they know where to paste their payload, but they don't know much beyond that. They don't know that the bug is actually tied to a huge rsa_verify request for which the length isn't checked, they don't know that the payload written by Gateway's ROP chain at 0x080C3EE0 is copied somewhere in the 0x20000000 area by the kernel, and what triggers it to jump to the code later on.

I just find it sad that so many people just reuse what's written by the Gateway engineers, only caring about the end result and not knowing how it actually works in the first place, even though it's very interesting from an educational standpoint.

Ok, that was just my 2 cents xD
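
A stripped-down model of the bug class mathieulh is describing, added here as an illustration; it is not taken from Process9, from Gateway's Launcher.dat, from 3dsploit.py or from any other 3DS code. The idea it shows is the one the post names: a signature-verification request whose caller-supplied length is trusted, so a request longer than the signature buffer overwrites whatever sits behind it. The struct layout, the field names, the 256-byte signature size and the 0x41414141 marker are assumptions for the demo; the thread does not say what actually follows the real buffer. The vulnerable handler is shown next to a checked one.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SIG_SIZE 256u   /* one RSA-2048 signature */

/* Assumed verifier state (illustration only, not the real Process9 layout):
 * the signature buffer sits directly in front of a value that later steers
 * control flow, so whatever spills out of sig[] lands in next_handler. */
struct verify_ctx {
    uint8_t  sig[SIG_SIZE];
    uint32_t next_handler;   /* stand-in for a pointer the kernel later jumps to */
};

/* The request as the service sees it; len is chosen by the caller. */
struct verify_req {
    const uint8_t *data;
    uint32_t       len;
};

/* Vulnerable handler: copies req->len bytes without comparing it to the
 * size of sig[]. The copy goes through the struct's base address so this
 * demo stays inside one C object; in the real target the write just keeps
 * going past whatever follows. */
int rsa_verify_request_vulnerable(struct verify_ctx *ctx, const struct verify_req *req)
{
    uint8_t *dst = (uint8_t *)ctx + offsetof(struct verify_ctx, sig);
    if (req->len > sizeof *ctx)              /* keeps the demo well-defined; NOT the fix */
        return -2;
    memcpy(dst, req->data, req->len);        /* BUG: len never checked against SIG_SIZE */
    return 0;
}

/* Hardened handler: a signature is exactly one modulus long, nothing else. */
int rsa_verify_request_checked(struct verify_ctx *ctx, const struct verify_req *req)
{
    if (req->len != SIG_SIZE)                /* exact match, not just an upper bound */
        return -1;
    memcpy(ctx->sig, req->data, SIG_SIZE);
    return 0;
}

/* Constructed attacker input: SIG_SIZE bytes of filler, then the four bytes
 * that land on next_handler. Returns the request length, 0 if buf is too small. */
size_t build_oversized_request(uint8_t *buf, size_t cap, uint32_t value)
{
    size_t n = SIG_SIZE + sizeof(uint32_t);
    if (cap < n)
        return 0;
    memset(buf, 0x90, SIG_SIZE);             /* filler; the "signature" bytes are irrelevant */
    buf[SIG_SIZE + 0] = (uint8_t)(value);    /* little-endian, as on the ARM9 */
    buf[SIG_SIZE + 1] = (uint8_t)(value >> 8);
    buf[SIG_SIZE + 2] = (uint8_t)(value >> 16);
    buf[SIG_SIZE + 3] = (uint8_t)(value >> 24);
    return n;
}

/* next_handler as observed after the vulnerable path processed the request. */
uint32_t handler_after_vulnerable(void)
{
    struct verify_ctx ctx;
    uint8_t payload[SIG_SIZE + sizeof(uint32_t)];
    struct verify_req req;

    memset(&ctx, 0, sizeof ctx);
    req.len  = (uint32_t)build_oversized_request(payload, sizeof payload, 0x41414141u);
    req.data = payload;
    (void)rsa_verify_request_vulnerable(&ctx, &req);
    return ctx.next_handler;                 /* 0x41414141: the marker replaced the pointer */
}

/* Status the checked path returns for the very same request. */
int status_from_checked(void)
{
    struct verify_ctx ctx;
    uint8_t payload[SIG_SIZE + sizeof(uint32_t)];
    struct verify_req req;

    memset(&ctx, 0, sizeof ctx);
    req.len  = (uint32_t)build_oversized_request(payload, sizeof payload, 0x41414141u);
    req.data = payload;
    return rsa_verify_request_checked(&ctx, &req);   /* -1: rejected before any copy */
}

int main(void)
{
    printf("vulnerable: next_handler = 0x%08lx\n", (unsigned long)handler_after_vulnerable());
    printf("checked:    status = %d\n", status_from_checked());
    return 0;
}
```

Two things worth noticing. The checked version compares with `!=` rather than `<=`: a signature that is shorter than the modulus is just as invalid as one that is longer, and an upper bound alone would still let a caller hand over a partly uninitialised buffer. And the `len > sizeof *ctx` guard in the vulnerable handler exists only so the demo program does not write outside its own variables; it is not a fix, because everything between the end of `sig[]` and the end of the struct is still attacker-controlled.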
 

Kane49

While the exploit is obviously a piece of genius and I can appreciate what it took to discover / utilize it, it is still only a piece of the puzzle, and it's one that has already been solved.

Personally I'm grateful for every layer of abstraction that allows me not to care about the internals as much; that doesn't mean they are any less important. For example I like coding in C but I hate asm with a fiery passion ^^
 

aliak11

Kane49 said:
While the exploit is obviously a piece of genius and I can appreciate what it took to discover / utilize it, it is still only a piece of the puzzle, and it's one that has already been solved.

Personally I'm grateful for every layer of abstraction that allows me not to care about the internals as much; that doesn't mean they are any less important. For example I like coding in C but I hate asm with a fiery passion ^^

Same here, I understand C/C++, but am having a hard time trying to figure out asm.
 

xyzmanas

mathieulh said:
Not to kill the mood or anything, but you just need to compile an ARM9 payload to use along with the rsa_verify request exploit.
The exploit has now been public for several days here https://github.com/naehrwert/p3ds/blob/master/3dsploit.py
and addresses such as the ones for fopen, fwrite... can be bruteforced rather easily.
There should be about 20ish people that can run an ARM9 payload hanging around the #3dsdev channel right now.

All in all, I'd say your initial RAM dumper (using ROPs) was a lot more impressive than this, as running an ARM9 payload was just a matter of following each ROP in the chain from the Gateway Launcher.dat file once you had a valid RAM dump.

What I find astonishing is the number of people who do not know how the bug technically works: they know from the launcher.dat that they need to use specific ROP gadgets in a specific sequence to trigger the exploit, they know what some/most of the ROP gadgets do, they know where to paste their payload, but they don't know much beyond that. They don't know that the bug is actually tied to a huge rsa_verify request for which the length isn't checked, they don't know that the payload written by Gateway's ROP chain at 0x080C3EE0 is copied somewhere in the 0x20000000 area by the kernel, and what triggers it to jump to the code later on.

I just find it sad that so many people just reuse what's written by the Gateway engineers, only caring about the end result and not knowing how it actually works in the first place, even though it's very interesting from an educational standpoint.

Ok, that was just my 2 cents xD

Could you please point me towards more material that explains the working of this exploit in detail, in relation to code injection?
 

xyzmanas

It's no secret that the x86 ISA is an abomination. ARM or AVR on the other hand is a joy even when it gets down to counting cycles :)

Is ARM ASM much different from the 8086 MP ASM I did in college? I mean, except for the number and size of registers, are the commands the same?
 

FAST6191

xyzmanas said:
Is ARM ASM much different from the 8086 MP ASM I did in college? I mean, except for the number and size of registers, are the commands the same?

I have not dropped down as low as 8086 (where real mode and protected mode appear is where I came in there; with the GBA and DS it was basically all real mode, though that changed a bit for the 3DS it seems) and I am hesitant to blindly assume the Z80 stuff is similar enough without checking. However, reading through the instructions and memory handling (and allowing for the extras the GBA/DS and presumably 3DS BIOS/coprocessing capabilities will afford), you are not going to be out of your depth like if you were thrown into the deep end with modern x64 and told to play with SIMD and all the nice multimedia stuff.

The GBA and DS have no divide (though the coprocessor has it), and no floating point either. The GBA and DS stuff has THUMB mode but that is not so hard to wrap your head around (16-bit instructions but with 32-bit registers). Likewise memory handling is usually done by DMA (which is usually quite civil and without too many odd quirks) and dedicated instructions (you can not mov to or from an address or anything, only limited immediates* and registers). Likewise the number of registers is enough that instructions become generic, unlike some of the SNES stuff where they would have mov equivalents for each (all three of them if you count the accumulator) of the general registers. The ARM stuff is also a great fan of shifting.

*you need to fit the immediate and the command into the instruction. Your assembler will probably have pseudo instructions to sort this (ROP might be a different matter of course) and you can do things like movn to inverse the value of your immediate or referenced register.

Have a read of http://www.coranac.com/tonc/text/asm.htm , http://quirkygba.blogspot.com/2008/12/things-you-never-wanted-to-know-about.html http://drunkencoders.com/files/2013/03/unequivocal-answer.html and http://nocash.emubase.de/gbatek.htm
If you want to get a bit more general http://www.heyrick.co.uk/assembler/ and http://www.heyrick.co.uk/armwiki/Main_Page

The ARM manuals are also free and worth a look.

Speaking to people and scanning around http://www.3dbrew.org/wiki/Main_Page it seems the 3ds gained a few more features and now more closely resembles a system developed this century (which is to say it has a kernel and the idea of userland) but that will probably be nothing too hard to work with/around.
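
FAST6191's footnote about immediates, made concrete. This is an added example of mine, not code from any of the linked documents or from the 3DS toolchain: it implements the rule an A32 assembler applies to decide whether `mov rX, #value` fits in one instruction (an 8-bit value rotated right by an even number of bits), when it can instead emit MVN with the inverted value (the A32 name for the "movn" trick mentioned above), and when the pseudo-instruction has to fall back to a literal-pool load. Function and type names are my own; the encoding rule and the 8-bit-only Thumb-16 MOV are the architecture's, which is why a value like 0x3F0 is fine in ARM state but not for a 16-bit Thumb `movs`.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Rotate a 32-bit value left by n bits (n in 0..31). */
static uint32_t rol32(uint32_t v, unsigned n)
{
    n &= 31;
    return n ? (v << n) | (v >> (32 - n)) : v;
}

/* A32 "modified immediate": the instruction carries an 8-bit value and a
 * 4-bit rotate field, and the operand is imm8 rotated right by 2*rotate.
 * Returns 1 and fills *imm8/*rotate when v can be written that way. */
int arm_encode_imm(uint32_t v, uint8_t *imm8, uint8_t *rotate)
{
    for (unsigned rot = 0; rot < 32; rot += 2) {
        uint32_t cand = rol32(v, rot);   /* undo the right rotation */
        if (cand <= 0xFFu) {
            *imm8   = (uint8_t)cand;
            *rotate = (uint8_t)(rot / 2);
            return 1;
        }
    }
    return 0;
}

/* Thumb-16 MOV (encoding T1) has only an 8-bit immediate and no rotate. */
int thumb16_mov_imm_ok(uint32_t v)
{
    return v <= 0xFFu;
}

enum mov_kind { MOV_NONE = 0, MOV_DIRECT = 1, MOV_INVERTED = 2 };

struct mov_choice {
    enum mov_kind kind;
    uint8_t imm8;
    uint8_t rotate;   /* raw 4-bit field, i.e. rotation / 2 */
};

/* What an assembler does for "mov rX, #v": MOV if v fits, MVN with ~v if
 * the complement fits, otherwise MOV_NONE and the pseudo-instruction must
 * become a literal-pool load (ldr rX, =v) or MOVW/MOVT on ARMv6T2+. */
struct mov_choice choose_mov(uint32_t v)
{
    struct mov_choice c = { MOV_NONE, 0, 0 };
    if (arm_encode_imm(v, &c.imm8, &c.rotate))
        c.kind = MOV_DIRECT;
    else if (arm_encode_imm(~v, &c.imm8, &c.rotate))
        c.kind = MOV_INVERTED;
    return c;
}

int main(void)
{
    /* Constructed sample values covering each outcome. */
    uint32_t samples[] = { 0xFFu, 0x3F0u, 0xFF000000u, 0xFFFFFFF0u, 0x101u, 0x12345678u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct mov_choice c = choose_mov(samples[i]);
        const char *op = c.kind == MOV_DIRECT   ? "mov" :
                         c.kind == MOV_INVERTED ? "mvn" : "ldr =";
        printf("%#010lx -> %-5s imm8=%#04x rotate=%u thumb16_movs=%d\n",
               (unsigned long)samples[i], op, c.imm8, c.rotate,
               thumb16_mov_imm_ok(samples[i]));
    }
    return 0;
}
```

The inverted case is the one that bites people writing gadgets by hand: -16 (0xFFFFFFF0) is not encodable as a MOV immediate, but its complement 0xF is, so `mvn r0, #0xF` does the job in one instruction, while something like 0x12345678 has bits spread too widely for either form and needs a load from the literal pool.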
 

minexew

Great summary. Only thing (maybe obvious) I'd like to add is that there is still quite the gap between coding with devkitPro in C++ vs. building a ROP chain from assembly gadgets. Which is why I'm glad that we have an ARM9 loader now. The possibility of 3DS homebrew has never been so real.
Also +1 for mentioning Noca$h GBAtek, it's pretty much the dream of every hardware hacker coming true. I read noca$h docs before sleep for the pure enjoyment, they're just wonderful :lol:
 


samljer

I hope something comes of this; I'd love to finally put Gateway3DS to rest, I don't trust those guys.
A real ROM loader would be sweet.
 
