Hacking [WIP] KARL3DS - Kernel access on N3DS via Ninjhax + Loadcode

Status
Not open for further replies.

Rokkubro

Well-Known Member
OP
noooooooooooooonononononono. Just because the kernel is loaded to the same location in memory doesn't mean its offsets are the same. N3DS has its own NATIVE_FIRM because there's a bunch of new stuff the system has to do. Thus, every single specific patch offset for 9.x old 3DS will differ.
You should be getting your offsets from N3DS NATIVE_FIRM, not conjecture. You can grab it from NUS and decrypt it with an exploitable old 3DS. It's like super duper critical that you familiarize yourself with the NATIVE_FIRM of the system and sw version you're trying to hack. If you plan on doing almost everything you mentioned wanting to do, you're going to need to map out quite a few things in Process9 in order to make patches.
It is correct, it works, did you check the link I posted, or look at shinyquagsire23's code? There is a large amount of overlap. The Old3DS 5.1-6.x and 7.2 offset is identical, as are the 5.0 and 7.0 offset. Additionally, as I found out by looking at 3dbrew and outlined above the 8.0-9.2 patch offset for AXIWRAM are the same on both New and old 3ds. This is because the virtual memory addresses are mapped from dff00000 to e0000000 for these system software versions.

Edit: Ah, I think I may see your confusion? We are not doing anything to FIRM at the moment, that comes later, we are just exploiting the Arm11 kernel for now.

Edited to remove frostiness, sorry :(
 

WulfyStylez

SALT/Bemani Princess
It is correct, it works, did you check the link I posted, or look at shinyquagsire23's code? There is a large amount of overlap. The Old3DS 5.1-6.x and 7.2 offset is identical, as are the 5.0 and 7.0 offset. Additionally, as I found out by looking at 3dbrew and outlined above the 8.0-9.2 patch offset for AXIWRAM are the same on both New and old 3ds. This is because the virtual memory addresses are mapped from dff00000 to e0000000 for these system software versions.

Edit: Ah, I think I may see your confusion? We are not doing anything to FIRM at the moment, that comes later, we are just exploiting the Arm11 kernel for now.

Edited to remove frostiness, sorry :(

Ah, but you are. Remember, FIRM consists of the arm11 kernel, arm11 modules, and process9 (arm9 kernel). Your patch needs to target the right place in the arm11 kernel. That location can be determined by comparing arm11 kernels. I'm really convinced that the offsets shouldn't be the same between New and old 3DS, but I guess I could be wrong.
 

Rokkubro

Well-Known Member
OP
Ah, but you are. Remember, FIRM consists of the arm11 kernel, arm11 modules, and process9 (arm9 kernel). Your patch needs to target the right place in the arm11 kernel. That location can be determined by comparing arm11 kernels. I'm really convinced that the offsets shouldn't be the same between New and old 3DS, but I guess I could be wrong.
We really need to keep our conversation in one place :wink: and where everyone can see it. Anyway, luckily, early on, it seems the offsets are the same at least, I'm guessing New 3DS just has some extensions added on? Do you have a new 3ds wulfy?
 

WulfyStylez

SALT/Bemani Princess
We really need to keep our conversation in one place :wink: and where everyone can see it. Anyway, luckily, early on, it seems the offsets are the same at least, I'm guessing New 3DS just has some extensions added on? Do you have a new 3ds wulfy?

I don't, but that doesn't really affect my ability to help out much.
 

WulfyStylez

SALT/Bemani Princess
Some quick looking tells me that your patch address should be 0x1FF8382F - so 0xDFF8382F virtual I think? Also make sure your code is set to either check for the proper kernel version, or just skip the version check entirely.
 

Rokkubro

Well-Known Member
OP
Some quick looking tells me that your patch address should be 0x1FF8382F - so 0xDFF8382F virtual I think? Also make sure your code is set to either check for the proper kernel version, or just skip the version check entirely.
It appears to be working with 0xDFF83837, here's a screenshot of what I'm getting now, it seems all good!
IMG_20150223_013731.jpg
Edit: Could you explain why you picked 82F? I'm curious how these values are discovered.
 

Rokkubro

Well-Known Member
OP
So now we just need to write some arm11 kernel code to execute to test if it's actually working...Memory dump is pointless if we haven't run anything. Regardless, thanks to shinyquagsire23 for writing an amazing Arm11 kernel exploit. Holy Baloney, that's awesome! To shiny, I'm not sure why it's not working for you... It might be your 3ds as you say, or maybe Yifanlu's writeup was designed for later firmware versions? Anyway, I have to go now, as my phone is almost out of power, I'll write a widget tomorrow and see if it runs and dumps, and then we can move on to firmlaunchhax!
 

WulfyStylez

SALT/Bemani Princess
It appears to be working with 0xDFF83837, here's a screenshot of what I'm getting now, it seems all good!
Edit: Could you explain why you picked 82F? I'm curious how these values are discovered.
Ohhhh whoops, my bad. I was finding the address by looking in 4.1's kernel address and finding that function (and same instructions) in N3DS 9.0's. I did that fine, but the actual address for 4.1 is wrong in quagsire's source, thus the wrong address overall. I'll use 9.0's kernel as a reference in the future, I guess.
 

Rokkubro

Well-Known Member
OP
Ohhhh whoops, my bad. I was finding the address by looking in 4.1's kernel address and finding that function (and same instructions) in N3DS 9.0's. I did that fine, but the actual address for 4.1 is wrong in quagsire's source, thus the wrong address overall. I'll use 9.0's kernel as a reference in the future, I guess.
Wait... 4.1 is wrong in shiny's source? ....wouldn't that be why it isn't working for him?
 

BurningDesire

Well-Known Member

Hello everyone! After sensing some interest in the community after reading this thread, I thought I'd make a page for a project I've been working on, so people can join in, give advice etc.

The project is called KARL3DS(a bad acronym originally meant to stand for Kernel Anti-piracy Region-free Loader....3DS) - and its goal is to have usable kernel access on N3DS for Nand dumping and decrypting, cartridge dumping and decrypting and hopefully(!) the ability to launch a CFW that allows for the bypassing of region lock. A project outline is below.

1. Gathering of team and resources (the intent of this thread)

2. Gaining kernel access from within Ninjhax
    1. Memchunkhax to get Arm11 kernel access using gspwn
    2. Firmlaunchhax to Arm9 code execution

2b. Gaining Arm11 userland code execution
    1. Porting Yifan Lu's LoadCode to N3DS Skater (what I am currently working on) and mapping out the correct values in the global address space (can possibly be avoided by smart coding in the 2nd stage)
    2. Injecting the ported code to replace Ninjhax's Thread 0 ROP
    3. Testing with UVLoader (or some other publicly available code)

3b. Gaining kernel access from within userland
    1. Converting Gateway's Arm11 exploit to New3DS (as usual, using Yifan's writeup and the info on 3dbrew) - fairly simple
    2. Converting Gateway's Arm9 exploit to New3DS (it is possible we could use Roxas' work here, it'd probably be more work though) - quite difficult

3. Utilising our new-found power! (I haven't thought too much about this to be honest, so just ideas)
    1. Work out nand interface and dump nand
    2. Work out cartridge interface and dump cartridge
    3. Work out decryption and do that (maybe look at VOID?)
    4. Figure out how to create and boot a region free REDNand
    5. On the fly game patching
    6. Modify Sysnand to boot into our kernel code
    7. Use 3ds as a remote control for our pet flying pig (with gyroscope function!)


So that's it... any help, advice or criticism is appreciated, I want this to be a community project so there'll be regular updates, if you're interested in joining the project PM me.

Please note that although the project's goal is region free via kernel access, we make no promises. We aren't getting paid for this and our motivation(well, at least my motivation) is mostly a hacker's curiosity, so no-one is entitled to receive anything we create.

That being said, I'm looking forward to working on this project, and working with the people of this forum. I hope we'll be able to release something in the near future! Watch this space.
I can help you out. Is there anything I could do on the computer side since I foolishly updated my 3ds to 9.5.0?
 

Rokkubro

Well-Known Member
OP
I can help you out. Is there anything I could do on the computer side since I foolishly updated my 3ds to 9.5.0?
C-c-combo breaker!
Seriously though, absolutely everything we are doing is on the PC, to be honest, we barely even need a 3ds, except for testing. How much experience do you have programming in assembly, or with ctrulib or reverse engineering?
 

shinyquagsire23

SALT/Sm4sh Leak Guy
It appears to be working with 0xDFF83837, here's a screenshot of what I'm getting now, it seems all good!
IMG_20150223_013731.jpg
Edit: Could you explain why you picked 82F? I'm curious how these values are discovered.
Ah, fantastic! I was wondering why that wasn't working. I'll have to take a look at Gateway's 4.1 usermode code, because I grabbed the offsets from the ROP code but I might have messed up somehow, or they do something different.
Ohhhh whoops, my bad. I was finding the address by looking in 4.1's kernel address and finding that function (and same instructions) in N3DS 9.0's. I did that fine, but the actual address for 4.1 is wrong in quagsire's source, thus the wrong address overall. I'll use 9.0's kernel as a reference in the future, I guess.
If you could do that, that would be absolutely fantastic. I really want to get exploring in the ARM11 kernel on my N3DS if I can. Just curious, but are the N3DS fims bundled in the same native_firm that the old 3DS uses, or are you using CDN to grab them and then an old 3DS to decrypt them?
 

Rokkubro

Well-Known Member
OP
I am learning C and assembly so this could be a good way to motivate me to learn more. As for ctrulib and RE-ing it is a no.

OK, before you start setting up your environment or anything check out 3dbrew and Yifanlu's writeup to understand what we are aiming towards. Once you've got a handle on that it's devkitpro you're looking for, anyway I gotta split.
 

BurningDesire

Well-Known Member
C-c-combo breaker!
Seriously though, absolutely everything we are doing is on the PC, to be honest, we barely even need a 3ds, except for testing. How much experience do you have programming in assembly, or with ctrulib or reverse engineering?
Sorry, it does say I'm a newbie :) I didn't know if I had to do another post on the thread or reply to you so you can see my message, so just in case, here you go!

-I am learning C and assembly so this could be a good way to motivate me to learn more. As for ctrulib and RE-ing it is a no.
 

WulfyStylez

SALT/Bemani Princess
Ah, fantastic! I was wondering why that wasn't working. I'll have to take a look at Gateway's 4.1 usermode code, because I grabbed the offsets from the ROP code but I might have messed up somehow, or they do something different.

If you could do that, that would be absolutely fantastic. I really want to get exploring in the ARM11 kernel on my N3DS if I can. Just curious, but are the N3DS fims bundled in the same native_firm that the old 3DS uses, or are you using CDN to grab them and then an old 3DS to decrypt them?

I'm pulling it from CDN and decrypting with an old 3DS. If you guys need any help finding other addresses, I can definitely help there too.
 

shinyquagsire23

SALT/Sm4sh Leak Guy
I'm pulling it from CDN and decrypting with an old 3DS. If you guys need any help finding other addresses, I can definitely help there too.

Ah, I might try that myself. The main two that I need are a proper 4.1 address (although I'll probably check back on Gateway's code for this one to make sure I didn't mess anything up in my code) and an offset in the N3DS 9.x kernel. Maybe as a kind of short term test/product/something we could use ARM11 kernel mode to do a region free cartridge launch from ns:s on a New 3DS. Would certainly be interesting to try out.
 

2skies

Well-Known Member
I really hope this project takes off and CFW just kills it for N3DS. F Gatewait.
 

Slushie3DS

Cold Beverage Lover
I just wanted to hop in and say good work and good job! I'm slightly busy working on something, but if you need me to do anything, I will attempt.
 