Homebrew My Understanding of Ninjhax (Thus Far)

Relys

^(Software | Hardware) Exploit? Development.$
Video Description said:
If you want to look into how this exploit works, use my NCCH decryptor (https://github.com/Relys/3DS_Multi_Decryptor) to decrypt the Cubic Ninja .3DS and ctrtool to extract the .code portion from the ExeFS.bin. Then load up the extracted code.bin in IDA and find the functions that handle the QR loading. From there it's just understanding how the overflow works. Next you can piece together the payload and reverse the ROP chain. To determine how the ROP gadgets work you will have to have the binaries from which they are called. :) This means you will have to have RAM dumps (kernel access) or the title keys to decrypt from the CDN (https://github.com/Relys/3DS_Multi_Decryptor) for the firmware version you're targeting.

So, I haven't fully looked into it yet. But I think it works along these lines:
1. QR Code Overflow
2. Jump to ROP chain in QR code payload
3. Download the AES-encrypted payload smealum.net/ninjhax/p/POST5_WEST_4096_4096.bin from the internet.
4. Escalate privilege level by exploiting a sysmodule and installing a new service used to launch .3dsx.
5. Transfer execution over to boot.3dsx
 

WaryLouka

Official Representative of the SuperCard Team
The exploit and Homebrew Channel are not installed on the system. It is installed in the writable portion of the game card. No kernel access is ever used. End of story.
 

ken28

WaryLouka said:
The exploit and Homebrew Channel are not installed on the system. It is installed in the writable portion of the game card. No kernel access is ever used. End of story.

This could be intentional though, to make it look like less than it is, just saying.
 

WaryLouka

Official Representative of the SuperCard Team
ken28 said:
This could be intentional though, to make it look like less than it is, just saying.

Sure, Smealum had to go through the long process of intentionally rewiring a game (and thus removing portions of it) to execute a file off the SD card, while he could have just installed the channel directly on the system menu.
Good job at creating a verifiable and believable theory!
 

Relys

^(Software | Hardware) Exploit? Development.$
WaryLouka said:
The exploit and Homebrew Channel are not installed on the system. It is installed in the writable portion of the game card. No kernel access is ever used. End of story.

Nothing is installed on the system NAND. I never stated that, and it would obviously brick the system during boot due to signature verification. However, it does appear to overwrite kernelspace to add a new service. I believe it inherits the access permission level of whatever system title they exploit during their privilege escalation phase. This is how they bypass DEP:

https://github.com/smealum/3ds_hb_menu/blob/master/source/hb.c
 

WaryLouka

Official Representative of the SuperCard Team
Relys said:
Nothing is installed on the system. I never stated that. However, it does appear to overwrite kernelspace to add a new service. I believe it inherits the access permission level of whatever system title they exploit during their privilege escalation phase. This is how they bypass DEP:

https://github.com/smealum/3ds_hb_menu/blob/master/source/hb.c

It's just that some people mistook your post as saying the exploit clearly has kernel mode access.
 

Plasmastar510

WaryLouka said:
The exploit and Homebrew Channel are not installed on the system. It is installed in the writable portion of the game card. No kernel access is ever used. End of story.

The EXPLOIT is installed on the game card, which proceeds to load boot.3dsx (which is the Homebrew Menu).

But I could be wrong.
 

Huntereb

WaryLouka said:
The exploit and Homebrew Channel are not installed on the system. It is installed in the writable portion of the game card. No kernel access is ever used. End of story.

Spot-on description!

shinyquagsire23

SALT/Sm4sh Leak Guy
Relys said:
Nothing is installed on the system NAND. I never stated that, and it would obviously brick the system during boot due to signature verification. However, it does appear to overwrite kernelspace to add a new service. I believe it inherits the access permission level of whatever system title they exploit during their privilege escalation phase. This is how they bypass DEP:

https://github.com/smealum/3ds_hb_menu/blob/master/source/hb.c

I'm willing to bet the service they used was the Web Browser, considering that the WiFi had to be on and some people have reported it popping up instead of the launcher. And for some reason all the usage is reported to that service as well.

EDIT: Or it downloads that .bin from the internet. Some stuff is definitely going on with that web browser though.
 
