Advertising (This ad goes away for registered users. You can Login or Register)

ARM11 Kernel Exploit of ninjhax

Underground 3DS Discussions
Forum rules
Forum rule Nº 15 is strictly enforced in this subforum.
Post Reply
173210
Guru
Posts: 195
Joined: Fri Jul 15, 2011 11:32 pm

ARM11 Kernel Exploit of ninjhax

Post by 173210 » Sun Nov 23, 2014 11:19 pm

I don't know 3DS well, but I'm not interested in stupid debates on gbatemp.net.
So I'll write what I know to help people understand ninjhax.

ARM11 and ARM9
3DS has 2 CPU, ARM9 and ARM11.
ARM9 play the most important part of security.
So you should get kernel access of ARM9.
See the details below.
http://3dbrew.org/wiki/Hardware

Ninjhax and Kernel Exploit
Ninjhax uses a kernel exploit to install hb:HB in kernel memory of ARM11.
The kernel exploit can be on ARM9 or ARM11.
If it's on ARM9, you can get total access of 3DS.

You can see code referring to hb:HB below.
https://github.com/smealum/3ds_hb_menu/ ... ource/hb.c

Smealum
He denied that it uses a kernel exploit.
So I considered 2 posibilities.
1. The exploit is on ARM11
Even if you can get the kernel privilege on ARM11, you can't do such like installing CIA, emuNAND, debugging, and so on.
2. He is saying a lie.
I thought he had not been saying a lie, but he may have said a lie.
ok ok ok ok, i don't really care enough to give details but i'll say the following and i promise i'm not lying :

1. govanify is full of **** and doesn't seem to know what he's talking about. if he'd actually "reversed it in 2h" he'd know better than to say what he's saying and to use tweets and quotes from an interview as proof (lol)
2. ninjhax does not at any point get unsigned code to run in kernel mode. there's really nothing more to say about that.
3. doing region free on the 3DS does not require kernel mode code exec. again, not much more to say about that.
4. if a part of hbmenu's code actually signified beyond the shadow of a doubt that i've been lying about the nature of the exploit do you seriously think i'd have been dumb enough to a) make it so obvious and b) make hbmenu open source at all ? if so i'm a little insulted.

to sum it up in one word :

please
https://gbatemp.net/threads/speculation ... st-5173686
I may be too perverse, but I wonder why he said "please."

What you should do
Are you interested in a kernel exploit of ARM11?
Do you believe it has a kernel exploit of ARM9?
Then, reverse it!
Advertising
Donate!
Bitconin: 1Aq3NruiohEvUsGJAmHoXjTq764HDS5zef
Paypal: http://173210.github.io/

nightnero253
Posts: 58
Joined: Tue Nov 20, 2012 5:06 am

Re: ARM11 Kernel Exploit of ninjhax

Post by nightnero253 » Sun Nov 23, 2014 11:58 pm

What's so hard to understand about it being USERMODE exploit only?
Advertising

User avatar
St4rkDev
Posts: 5
Joined: Sat May 24, 2014 6:23 pm

Re: ARM11 Kernel Exploit of ninjhax

Post by St4rkDev » Mon Nov 24, 2014 12:19 am

Okay urg, i never posted here before, but anyway, i started REing it yesterday/today(just some hours because i am very busy) but the first part of code there is nothing of Kernel Code execution, just things which normal aplications use. I will start the payload.bin(it is encrypted yet) REing and i will check it but i doubt there is a Kernel(ARM11 Kernel) exploit :P


Anyway here a print:
Image
(Sorry for the code, i am very bad with REing :( )

Ps: i need RE the ROP-Chain too to check the flaw to ARM11 code exec :p, this is just the ARM11 code.

wololo
Site Admin
Posts: 3615
Joined: Wed Oct 15, 2008 12:42 am
Location: Japan

Re: ARM11 Kernel Exploit of ninjhax

Post by wololo » Mon Nov 24, 2014 12:34 am

173210 wrote: I may be too perverse, but I wonder why he said "please."
From a non native speaker to a non native speaker, this "please" is difficult to explain, but it does not mean the same as the normal "please" (as in "please don't look at my code"). It's more of a slang word to say "please, use your brains before typing more stuff" to the GBATemp posters. see some details here: http://onlineslangdictionary.com/meanin ... -of/please
If you need US PSN Codes, this technique is what I recommend.

Looking for guest bloggers and news hunters here at wololo.net, PM me!

User avatar
Zecoxao
Posts: 281
Joined: Mon Sep 27, 2010 7:27 pm

Re: ARM11 Kernel Exploit of ninjhax

Post by Zecoxao » Mon Nov 24, 2014 12:47 am

St4rkDev wrote:Okay urg, i never posted here before, but anyway, i started REing it yesterday/today(just some hours because i am very busy) but the first part of code there is nothing of Kernel Code execution, just things which normal aplications use. I will start the payload.bin(it is encrypted yet) REing and i will check it but i doubt there is a Kernel(ARM11 Kernel) exploit :P


Anyway here a print:
Image
(Sorry for the code, i am very bad with REing :( )

Ps: i need RE the ROP-Chain too to check the flaw to ARM11 code exec :p, this is just the ARM11 code.
you're fast at RE :o
My sig is original :D

User avatar
St4rkDev
Posts: 5
Joined: Sat May 24, 2014 6:23 pm

Re: ARM11 Kernel Exploit of ninjhax

Post by St4rkDev » Mon Nov 24, 2014 12:50 am

Thank you i think xD, but there is many things which i need understand, but i don't have time now :(

yifanlu
Guru
Posts: 760
Joined: Sun Mar 11, 2012 6:42 am
Contact:

Re: ARM11 Kernel Exploit of ninjhax

Post by yifanlu » Mon Nov 24, 2014 12:55 am

What's stopping an arm11 exploit from corrupt arm9 state? Does arm9 run in memory that cannot be mapped to arm11?

User avatar
St4rkDev
Posts: 5
Joined: Sat May 24, 2014 6:23 pm

Re: ARM11 Kernel Exploit of ninjhax

Post by St4rkDev » Mon Nov 24, 2014 12:58 am

yifanlu wrote:What's stopping an arm11 exploit from corrupt arm9 state? Does arm9 run in memory that cannot be mapped to arm11?

Okay, well i don't know if i am sure, but there is some services which is handle by ARM9, you need flaw this services to try get ARM9 code execution(Process9 if i am not mistaken), the GW Exploit was a exploit on RSA_Verify.

User avatar
endrift
Guru
Posts: 42
Joined: Mon Feb 27, 2012 10:43 pm
Location: California
Contact:

Re: ARM11 Kernel Exploit of ninjhax

Post by endrift » Mon Nov 24, 2014 1:06 am

yifanlu wrote:What's stopping an arm11 exploit from corrupt arm9 state? Does arm9 run in memory that cannot be mapped to arm11?
I know from the DS at least, it's a NUMA architecture, so there are regions of memory that are specific to each processor. I'd imagine since Nintendo is even more security-conscious with the 3DS that it's even more restricted on that.

173210
Guru
Posts: 195
Joined: Fri Jul 15, 2011 11:32 pm

Re: ARM11 Kernel Exploit of ninjhax

Post by 173210 » Mon Nov 24, 2014 1:28 am

yifanlu wrote:What's stopping an arm11 exploit from corrupt arm9 state? Does arm9 run in memory that cannot be mapped to arm11?
http://3dbrew.org/wiki/Memory_layout
I think so.
Donate!
Bitconin: 1Aq3NruiohEvUsGJAmHoXjTq764HDS5zef
Paypal: http://173210.github.io/

Post Reply

Return to “Programming and Security”