Homebrew My Understanding of Ninjhax (Thus Far)

Relys

Video Description said:
If you want to look into how this exploit works use my NCCH decryptor (https://github.com/Relys/3DS_Multi_Decryptor) to decrypt Cubic Ninja .3DS and ctrtool to extract the .code portion from the ExeFS.bin. Then load up the extracted code.bin in IDA and find the functions that handle the QR loading. From there it's just understanding how the overflow works. Next you can piece together the payload and reverse the ROP chain. To determine how the ROP gadgets work you will have to have the binaries from which they are called. :) This means you will have to have RAM dumps (kernel access) or the title keys to decrypt from the CDN (https://github.com/Relys/3DS_Multi_Decryptor) for the firmware version you're targeting.

So, I haven't fully looked into it yet, but I think it works along these lines:
1. QR Code Overflow
2. Jump to ROP chain in QR code payload
3. Download the AES-encrypted payload smealum.net/ninjhax/p/POST5_WEST_4096_4096.bin from the internet.
4. Escalate privilege level by exploiting a sysmodule and installing a new service used to launch .3dsx.
5. Transfer execution over to boot.3dsx
 

WaryLouka

The exploit and Homebrew Channel are not installed on the system. It is installed in the writable portion of the game card. No kernel access is ever used. End of story.
 

ken28

WaryLouka said:
The exploit and Homebrew Channel are not installed on the system. It is installed in the writable portion of the game card. No kernel access is ever used. End of story.

This could be intentional, though, to make it look like less than it is. Just saying.
 

WaryLouka

ken28 said:
This could be intentional, though, to make it look like less than it is. Just saying.


Sure, Smealum had to go through the long process of intentionally rewiring a game (and thus removing portions of it) to execute a file off the SD card while he could have just installed the channel directly on the system menu.
Good job at creating a verifiable and believable theory!
 

Relys

WaryLouka said:
The exploit and Homebrew Channel are not installed on the system. It is installed in the writable portion of the game card. No kernel access is ever used. End of story.

Nothing is installed on the system NAND. I never stated that, and it would obviously brick the system during boot due to signature verification. However, it does appear to overwrite kernelspace to add a new service. I believe it inherits the access permission level of whatever system title they exploit during their privilege escalation phase. This is how they bypass DEP:

https://github.com/smealum/3ds_hb_menu/blob/master/source/hb.c
 

WaryLouka

Relys said:
Nothing is installed on the system. I never stated that. However, it does appear to overwrite kernelspace to add a new service. I believe it inherits the access permission level of whatever system title they exploit during their privilege escalation phase. This is how they bypass DEP:

https://github.com/smealum/3ds_hb_menu/blob/master/source/hb.c


It's just that some people mistook your post as saying the exploit clearly has kernel mode access.
 

Plasmastar510

WaryLouka said:
The exploit and Homebrew Channel are not installed on the system. It is installed in the writable portion of the game card. No kernel access is ever used. End of story.

The EXPLOIT is installed on the game card, which proceeds to load boot.3dsx (which is the Homebrew Menu).

But I could be wrong.
 

Huntereb

WaryLouka said:
The exploit and Homebrew Channel are not installed on the system. It is installed in the writable portion of the game card. No kernel access is ever used. End of story.


Spot-on description!
 

shinyquagsire23

Relys said:
Nothing is installed on the system NAND. I never stated that, and it would obviously brick the system during boot due to signature verification. However, it does appear to overwrite kernelspace to add a new service. I believe it inherits the access permission level of whatever system title they exploit during their privilege escalation phase. This is how they bypass DEP:

https://github.com/smealum/3ds_hb_menu/blob/master/source/hb.c

I'm willing to bet the service they used was the Web Browser, considering that the WiFi had to be on and some people have reported it popping up instead of the launcher. And for some reason all the usage is reported to that service as well.

EDIT: Or it downloads that .bin from the internet. Some stuff is definitely going on with that web browser though.
 
