Homebrew My Understanding of Ninjhax (Thus Far)

[Relys]

If you want to look into how this exploit works use my NCCH decryptor (https://github.com/Relys/3DS_Multi_Decryptor) to decrypt Cubic Ninja .3DS and ctrtool to extract the .code portion from the ExeFS.bin Then load up the extracted code.bin in IDA and find the functions that handle the QR loading. From there it's just understanding how the overflow works. Next you can piece together the payload and reverse the ROP chain. To determine how the rop gadgets work you will have to have the binaries from which they are called from. This means you will have to have RAM dumps (kernel access) or the title keys to decrypt from the CDN (https://github.com/Relys/3DS_Multi_Decryptor) for the firmware version you're targeting.

So, I haven't fully looked into it yet. But I think it works along these lines:
1. QR Code Overflow
2. Jump to ROP chain in QR code payload
3. Download AES encrypted payload smealum.net/ninjhax/p/POST5_WEST_4096_4096.bin from internet.
4. Escalate privilege level by exploiting a sysmodule and installing a new service used to launch .3dsx.
5. Transfer execution over to boot.3dsx

 

[piratesephiroth]

So it gets kernel access through userland... could this be related to what Gateway is cooking?

 

[Ryanrocks462]

It obtains the kernel privilege in the course of installing hb:HB.

 

[WaryLouka]

The exploit and Homebrew Channel are not installed on the system. It is installed in the writable portion of the game card. No kernel access is ever used. End of story.

 

[piratesephiroth]

The exploit and Homebrew Channel are not installed on the system. It is installed in the writable portion of the game card. No kernel access is ever used. End of story.

interesting

 

[ken28]

The exploit and Homebrew Channel are not installed on the system. It is installed in the writable portion of the game card. No kernel access is ever used. End of story.

this could be intentionally though to let it look like less then it is, just saying.

 

[WaryLouka]

this could be intentionally though to let it look like less then it is, just saying.

Sure, Smealum had to go to the long process of intentionally rewiring a game (and thus removing portions of it) to execute a file off the sd card while he could just install directly the channel on the system menu.
Good job at creating a verifiable and believable theory!

 

[endoverend]

this could be intentionally though to let it look like less then it is, just saying.

It's all a government conspiracy. Smaelum confirmed Illuminati.

 

[Ryanrocks462]

It's all a government conspiracy. Smealum confirmed Illuminati.

i new it xD

 

[Lordjontan]

clearly Smealum is being threatened by the Chinese mafia

 

[Relys]

The exploit and Homebrew Channel are not installed on the system. It is installed in the writable portion of the game card. No kernel access is ever used. End of story.

Nothing is installed on the system NAND. I never stated that and it would obviously brick the system during boot due to signature verification. However, it does appear to overwrite kernelspace to add a new service. I believe it inherits the access permission level of whatever system title they exploit during their privileged escalation phase. This is how they bypass DEP:

https://github.com/smealum/3ds_hb_menu/blob/master/source/hb.c

 

[WaryLouka]

Nothing is installed on the system. I never stated that. However, it does appear to overwrite kernelspace to add a new service. I believe it inherits the access permission level of whatever system title they exploit during their privileged escalation phase. This is how they bypass DEP:

https://github.com/smealum/3ds_hb_menu/blob/master/source/hb.c

It's just that some people mistaken your post for saying the exploit clearly has kernel mode access.

 

[Plasmastar510]

The exploit and Homebrew Channel are not installed on the system. It is installed in the writable portion of the game card. No kernel access is ever used. End of story.

The EXPLOIT is installed on the game card, which proceeds to load boot.3dsx (Which is the HomeBrew Menu)

But I could be wrong.

 

[Huntereb]

The exploit and Homebrew Channel are not installed on the system. It is installed in the writable portion of the game card. No kernel access is ever used. End of story.

Spot-on description!

 

[CalebW]

The EXPLOIT is installed on the game card, which proceeds to load boot.3dsx (Which is the HomeBrew Menu)

But I could be wrong.

I believe it is installed to the save file on the gamecard.

 

[shinyquagsire23]

Nothing is installed on the system NAND. I never stated that and it would obviously brick the system during boot due to signature verification. However, it does appear to overwrite kernelspace to add a new service. I believe it inherits the access permission level of whatever system title they exploit during their privileged escalation phase. This is how they bypass DEP:

https://github.com/smealum/3ds_hb_menu/blob/master/source/hb.c

I'm willing to bet the service they used was the Web Browser, considering that the WiFi had to be on and some people have reported it popping up instead of the launcher. And for some reason all the usage is reported to that service as well.

EDIT: Or it downloads that .bin from the internet. Some stuff is definitely going on with that web browser though.

 

[dronesplitter]

shinyquagsire23, do you mean time spent in the homebrew loader accumulates for the internet browser in activity log and not for cubic ninja?

 

[Qtis]

Relys, do you mean time spent in the homebrew loader accumulates for the internet browser in activity log and not for cubic ninja?

It accumulates as Cubic Ninja. Smea mentioned this a while ago (am on mobile so can't access the tweet/post on smea's site)

 

[Duo8]

Wait it downloads a file with a ROP chain?

 

[ChrisX930]

Wait it downloads a file with a ROP chain?

Yes, it downloads a bin-file from smealums server