
As some of you are probably aware, the Nintendo 3DS has been a tough nut to crack when it comes to homebrew or hacks. Hackers "Smealum" and "Yellows8" started the SDK ctrulib and released the first "hax" for the Ubisoft game Cubic Ninja, which led to all sorts of homebrew and eventually kernel access for firmwares 9.2 and below. Since that day, Nintendo has been locking down its software more and more with its "stability" updates, which eventually patched both the WebKit exploit Browserhax and the menu exploit Menuhax. However, for those of you who have been following the scene, you probably know that kernel access was nothing short of a dream if you were above firmware 9.2, until today, that is.

At 32C3 earlier today, Smealum, DerrekR6, and Plutoo all spoke about their efforts in the 3DS scene, their methods, and how the console worked. There is a full recording available, which will be linked below.

For those of you who would prefer a run-down of what was talked about, here is what the stream taught us: the Nintendo 3DS uses a special sandboxed system module called NS, which nothing else can access, since it handles all of the main functions such as encryption and downgrading. Our current means of user-land access from the "hax" that was released unfortunately can't touch that sandbox without some added privileges or work with ROP. At this point of the stream, Smealum introduces some interesting information about what the GPU can and cannot access in the sandbox.

NS has am:u access, which lets us downgrade individual titles, and it has access to system module-specific calls. NS is also in a region of the sandbox we can partially mess with; however, it is beyond the cutoff of what the GPU can access... but what if we were to move it?

The main idea is to remove NS and fill its place with garbage data to essentially push it to where it can be accessed.


This isn't a foolproof plan, since we need NS in order to launch it in the first place and we can't run multiple instances of it. Luckily, the 3DS has a "safe mode" feature where most system titles have their own safe mode partner; there is a catch, however: the system still can't run a safe mode title if the normal version is already running. But for some reason, Nintendo decided to introduce a small addition to the New 3DS that could prove useful, since it is a separate title beside NS. That in turn gives us a simple way to keep NS running while allocating more data, so that the New 3DS version of NS ends up below the cutoff when it is launched.
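To make the placement idea from the two paragraphs above concrete, here is a toy model added for this write-up; it is not code from the talk or from the 3DS scene. It assumes a single linear memory region handed out top-down by a bump allocator, a DMA-capable peripheral ("the GPU") that can only reach addresses below a fixed cutoff, and a module `ns_new` standing in for the New 3DS-specific NS title. Every address, size and name is constructed; the real 3DS layout is not on the page and is not modelled.

```python
"""Toy model: can filler allocations push a module into a DMA-reachable range?

Assumptions (all constructed, none taken from the real console):
  * one linear region [REGION_BASE, REGION_TOP) allocated top-down,
  * the GPU can only reach addresses below GPU_CUTOFF,
  * "ns" stays resident, then "ns_new" (the separate title) is loaded.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

REGION_BASE = 0x0000
REGION_TOP = 0x4000      # constructed 16 KiB region
GPU_CUTOFF = 0x2000      # constructed: GPU DMA reaches [REGION_BASE, GPU_CUTOFF)
MODULE_SIZE = 0x800      # constructed size for both NS instances


@dataclass
class Allocation:
    name: str
    start: int
    end: int  # exclusive

    def gpu_reachable(self) -> bool:
        """True only if every byte of the allocation lies below the cutoff."""
        return self.end <= GPU_CUTOFF


@dataclass
class TopDownAllocator:
    """Bump allocator that hands out memory from the top of the region downward."""
    top: int = REGION_TOP
    base: int = REGION_BASE
    allocations: List[Allocation] = field(default_factory=list)

    def alloc(self, name: str, size: int) -> Optional[Allocation]:
        if size < 0 or self.top - size < self.base:
            return None  # would not fit in the toy region
        self.top -= size
        a = Allocation(name, self.top, self.top + size)
        self.allocations.append(a)
        return a


def place(plan: List[Tuple[str, int]]) -> Dict[str, Allocation]:
    """Allocate each (name, size) in order and return the resulting layout."""
    allocator = TopDownAllocator()
    layout: Dict[str, Allocation] = {}
    for name, size in plan:
        a = allocator.alloc(name, size)
        if a is None:
            raise MemoryError(f"{name} (0x{size:x} bytes) does not fit")
        layout[name] = a
    return layout


def baseline_reachable() -> bool:
    """No filler: ns_new lands directly under ns, above the cutoff."""
    layout = place([("ns", MODULE_SIZE), ("ns_new", MODULE_SIZE)])
    return layout["ns_new"].gpu_reachable()


def with_filler_reachable(filler: int) -> bool:
    """Filler of the given size is allocated before ns_new is loaded."""
    layout = place([("ns", MODULE_SIZE), ("filler", filler), ("ns_new", MODULE_SIZE)])
    return layout["ns_new"].gpu_reachable()


def minimum_filler(step: int = 0x100) -> int:
    """Smallest filler (in multiples of step) that puts ns_new fully below the cutoff."""
    filler = 0
    while not with_filler_reachable(filler):
        filler += step
    return filler


if __name__ == "__main__":
    print("baseline reachable:", baseline_reachable())            # False
    print("minimum filler:    ", hex(minimum_filler()))            # 0x1800
    for name, a in place([("ns", MODULE_SIZE), ("filler", minimum_filler()),
                          ("ns_new", MODULE_SIZE)]).items():
        print(f"{name:7s} [{a.start:#06x}, {a.end:#06x}) gpu={a.gpu_reachable()}")
```

The point of the model from a defender's side is that a DMA window which only happens to exclude a sensitive module because of where the allocator put it is not a security boundary: any change in allocation order moves the module. The robust design pins such modules to a fixed range outside the peripheral's reachable window and enforces that range in hardware or the kernel, independent of allocation history.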


This exploit will give us code execution under a system module, which will then give us access to other exploits, such as downgrades. This is just a rough overview; there is much more detail to this, especially once the other speakers come on during the stream. You can watch the full stream below if you would like any more insight into this hack.

https://streaming.media.ccc.de/32c3/relive/7240/