Repository metadata: 111 stars; language C; MIT License; created over 5 years ago, updated over 1 year ago.


3DS Userland Exploit for System Settings

Bannerbomb3
(patched on firmware 11.17.0-50 for US/EU/JP)

Intro

This is a POC for a new System Settings userland exploit. It uses ROP and ARM code execution to dump DS Internet (and possibly other DSiWare titles) from System Settings using a custom-crafted DSiWare export. It is useful primarily as an enhancement to the "Fredminer" variant of seedminer for obtaining free CFW on the 3DS.

Among other things, it brings free CFW to more regions*, and removes the possibility of Nintendo thwarting homebrew efforts by pulling certain games, like Steel Diver, from the eShop.

*(except China: iQue System Settings cannot access DSiWare)

Directions

Directions are provided in the Release archive.

Optionally, here is an online service for non-Windows users (it also has Taiwan support): https://jenkins.nelthorya.net/job/DSIHaxInjector%20v2/

Using Bannerbomb3 in conjunction with a decent homebrew guide (like this one: https://3ds.hacks.guide/seedminer) is probably the best strategy for most users, though.

Hbmenu?

I've been able to get otherapp.bin booting by using 3ds_ropkit and a loader ROP chain. However, shortly after the bottom screen turns yellow, the 3ds just reboots to home menu. Debugging this, it seems like otherapp is crashing on _aptExit() around here: https://github.com/smealum/ninjhax2.x/blob/o3ds_newpayloads/cn_secondary_payload/source/main.c#L629

It's really alright though. Fredminer gets you a more stable 3dsx homebrew environment anyway, so this isn't really a high priority issue right now (still would be cool to see hbmenu booting I admit).

Exploit

Put simply, this overflows the banner title strings in DSiWare exports (TADs) when they are viewed in System Settings, smashing the stack and giving the attacker ROP control. You do need the console's movable.sed to encrypt a payload TAD, but that is easy enough nowadays: movable.sed bruteforcing takes only about a minute, and free online services will do it for you. Over 350,000 people have done it, so it can't be that hard :p

More exploit details on 3dbrew: https://www.3dbrew.org/wiki/3DS_Userland_Flaws#System_applications ... and in the comments inside rop_payload/rop_payload.s, of course.
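To make the bug class in the paragraph above concrete, here is an added example in C. It is not code from Bannerbomb3, from zoogie, or from System Settings: it sketches a title-string copy that trusts the export to contain a UTF-16 terminator, beside a bounded version that rejects a crafted field. The field width (128 UTF-16 code units), the destination size (64 units), the sample banner contents and every function name are assumptions for illustration; the real System Settings buffer layout, the offsets and the ROP chain are documented on 3dbrew and in rop_payload.s, not here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed, for illustration only: a banner carries fixed-width UTF-16
 * title fields of TITLE_FIELD_UNITS code units, and the viewer copies one
 * into a stack buffer of DEST_UNITS. Neither number comes from the README. */
#define TITLE_FIELD_UNITS 128u
#define DEST_UNITS 64u

typedef enum { TITLE_OK = 0, TITLE_UNTERMINATED = 1, TITLE_TOO_LONG = 2 } title_rc;

/* The vulnerable pattern: scan for a UTF-16 NUL and copy everything up to
 * it, trusting the export to be terminated. A crafted field with no NUL
 * runs straight into the data that follows it. To stay free of undefined
 * behaviour, this version only counts the code units such a copy would
 * write (terminator included); src_avail caps the scan at the end of the
 * constructed sample buffer. */
size_t naive_copy_len(const uint16_t *src, size_t src_avail)
{
    size_t n = 0;
    while (n < src_avail && src[n] != 0)
        n++;
    return n + 1;
}

/* Hardened copy: bounded by the field width and by the destination, and
 * a title that is not terminated inside its own field is rejected. */
title_rc safe_copy_title(uint16_t *dst, size_t dst_units,
                         const uint16_t *field, size_t field_units)
{
    size_t len = 0;
    while (len < field_units && field[len] != 0)
        len++;
    if (len == field_units)
        return TITLE_UNTERMINATED;      /* no NUL inside the field */
    if (len + 1 > dst_units)
        return TITLE_TOO_LONG;          /* would not fit with terminator */
    memcpy(dst, field, len * sizeof *field);
    dst[len] = 0;
    return TITLE_OK;
}

/* Constructed sample input: 'A' (0x0041) repeated with no NUL anywhere. */
static void fill_unterminated(uint16_t *buf, size_t units)
{
    for (size_t i = 0; i < units; i++)
        buf[i] = 0x0041;
}

/* Returns 1 if the naive copy would overrun DEST_UNITS on a crafted title
 * (two back-to-back unterminated fields) while the hardened copy rejects it. */
int demo_crafted_title(void)
{
    uint16_t banner[2 * TITLE_FIELD_UNITS];
    uint16_t dst[DEST_UNITS];
    fill_unterminated(banner, 2 * TITLE_FIELD_UNITS);
    size_t would_write = naive_copy_len(banner, 2 * TITLE_FIELD_UNITS);
    title_rc rc = safe_copy_title(dst, DEST_UNITS, banner, TITLE_FIELD_UNITS);
    return (would_write > DEST_UNITS && rc == TITLE_UNTERMINATED) ? 1 : 0;
}

/* Returns 1 if a terminated but over-long title (100 units) is refused by
 * the hardened copy even though it is well formed on disk. */
int demo_overlong_title(void)
{
    uint16_t banner[TITLE_FIELD_UNITS] = {0};
    uint16_t dst[DEST_UNITS];
    fill_unterminated(banner, 100);
    title_rc rc = safe_copy_title(dst, DEST_UNITS, banner, TITLE_FIELD_UNITS);
    return (naive_copy_len(banner, TITLE_FIELD_UNITS) == 101 && rc == TITLE_TOO_LONG) ? 1 : 0;
}

/* Returns 1 if a benign ASCII title round-trips through the hardened copy. */
int demo_benign_title(void)
{
    static const char ascii[] = "Bannerbomb3";
    uint16_t banner[TITLE_FIELD_UNITS] = {0};
    uint16_t dst[DEST_UNITS];
    for (size_t i = 0; ascii[i] != '\0'; i++)
        banner[i] = (uint16_t)ascii[i];
    title_rc rc = safe_copy_title(dst, DEST_UNITS, banner, TITLE_FIELD_UNITS);
    return (rc == TITLE_OK && dst[0] == 'B' && dst[11] == 0) ? 1 : 0;
}

int main(void)
{
    printf("crafted title: naive overruns, hardened rejects: %d\n", demo_crafted_title());
    printf("over-long title rejected: %d\n", demo_overlong_title());
    printf("benign title accepted: %d\n", demo_benign_title());
    return 0;
}
```

The point of the two bounds in safe_copy_title is that they fail independently: the unterminated case is what a crafted export exploits, while the over-long-but-terminated case is the one a reviewer tends to miss when the destination is smaller than the on-disk field.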

Q&A

Q: What's with the 3 in Bannerbomb3? A: It's a tribute to the Wii scene, they did 1 & 2. I love old homebrew scenes.

Q: Why TADmuffin? A: Muffin sounded funny so I went with that. Just needed to be different from TADpole.

Q: Will this work on the DSi since it has DSiWare exports too? A: The flaw is definitely there as well, but I've been unsuccessful in exploiting it on hardware (I can get code exe on no$gba though). Moot because of Memory Pit anyhow ;)

Q: Is this your first 3ds userland exploit? A: Yes. Feels good man.

Thanks

  • Yellows8 for 3ds ropkit
  • All the people on #3dsdev; reading my backlog (Ctrl-F "pivot") provided a wealth of good info on the art of stack pivoting.
  • Nintendo Homebrew Discord for maintaining online tools/guides and helping all the seed/frog/fredminer users. I hope this sploit makes your jobs a little easier.
  • Jhynjhiruu for testing
  • Smea for regionFour, which I base the arm part of code_payload on.
  • Wintermute for ROPinstaller, for the gspwn codeload ROP (Bootstrap.S) that I used in code_payload.

More Repositories

  • DSP1 (C, 217 stars): Dsp firmware dumper
  • MSET9 (C, 128 stars): Ultimate gift of Lenny
  • unSAFE_MODE (C, 100 stars): 3DS userland secondary exploit for SAFE_MODE system updater. It's actually a pretty safe hax ( ͡° ͜ʖ ͡°).
  • seedminer (C, 95 stars): 34.2c3 POC
  • Frogminer (C, 83 stars): Hax your 3DS with a cute little froggy -- for free! Gero!
  • new-browserhax (HTML, 59 stars): Port of https://github.com/WiiUTest/JsTypeHax to New 3DS browser.
  • super-skaterhax (HTML, 59 stars): Return of Browserhax
  • old-browserhax (HTML, 39 stars): Fast and free old 3ds browser exploit for latest firmware.
  • Kartminer7 (Python, 38 stars): Use Mario Kart 7 as a blue shell to take control of your 3DS
  • dumpTool (C, 37 stars): Dump DSi NAND w/ nocash footer
  • new-browserhax-XL (HTML, 35 stars): Another one!
  • Frogtool (C, 26 stars): Frogminer title manager
  • ninjhax2-dx (Assembly, 22 stars): One QR Ninjhax returns
  • lasagnahax (Assembly, 20 stars): Hax for a fat cat. Not me - the other one.
  • petit-compwner (C, 19 stars): A DSiWare primary exploit for US Petit Computer v2.2
  • menuhax67 (Makefile, 18 stars): A 3DS secondary entrypoint for Home Menu. A meme for all the peasants out there too. Works on 11.15.0-47.
  • old-browserhax-XL (HTML, 17 stars): /\/( ͡°͡° ͜ʖ ͡°͡°)\/\ ==> 11.14
  • smilehax-IIe (Assembly, 14 stars): Primary 3DS userland sploit for Smilebasic 3.6.0 EUR/USA (latest version). 3.3.2 JPN support via app downgrade from > 3.3.2. Works on 11.17.0-50.
  • pichaxx (Assembly, 13 stars): Implementation of MrNbaYoh's old 3DS userland sploit for Pokemon Picross that was documented on 3dbrew but not released
  • TADpole (C++, 12 stars): DSiWare export manager for 3ds
  • SystemFlaaw (Python, 12 stars): A flaw for a game called System Flaw
  • web (HTML, 11 stars): https://zoogie.github.io/web
  • Fredtool (C++, 8 stars): FRogminer + seEDminer
  • b9s_check (C, 8 stars): Check b9s version and whatever else
  • uloader (Makefile, 8 stars): Launch universal-otherapp via .3dsx instead of otherapp.bin. More entrypoints, like Ninjhax, are now compatible.
  • TADpoli (C, 7 stars): TADpole, but for the DSi (DSiWare export tool)
  • 2DSaver (Makefile, 7 stars): Un-3d-slider-brick your 3ds/2ds with Luma.
  • 3DS_NVRAMtool (C, 6 stars): 3DS nvram manager tool thingy. Deserves its own repo I guess.
  • nodes (Python, 6 stars): v2 and v1 msed databases for *miner sploits (v1 is deprecated). This data assists in increasing bruteforce speed. Keyspace improvement since seedminer's inception: 2^42 -> 2^34 (256x speed improvement).
  • Stuff (Makefile, 5 stars): Random 3ds stuff that probably deserves its own repo
  • error (HTML, 4 stars): Source for decoding 3DS error codes online. Link: https://zoogie.github.io/error/
  • squirrelboot (Makefile, 4 stars): Launch the free squirrel dsiware on jpn systems
  • Randomii (Python, 4 stars): Create scary looking Mii QRs for your 3DS in the comfort of your own home.
  • seedminer_toolbox (Python, 4 stars): seedminer's little helpers
  • sh (HTML, 3 stars)
  • usmTool (C, 3 stars)
  • Firmify (Python, 3 stars): Batch convert your a9lh payloads to firm format
  • ninj1x (HTML, 2 stars)
  • APthief (Python, 2 stars)
  • footer_adjust (C, 1 star)
  • lfcs_data (Makefile, 1 star): Gathers useful data for future seedminer methods
  • usmlist (Python, 1 star)
  • memchunkhax2 (C, 1 star): Implementation of memchunkhax2 for the 3DS.
  • TADpole-Online (JavaScript, 1 star): TADpole-Online Injector