ARM11 Kernel Exploit of ninjhax

Posted: Sun Nov 23, 2014 11:19 pm
by 173210
I don't know 3DS well, but I'm not interested in stupid debates on gbatemp.net.
So I'll write what I know to help people understand ninjhax.

ARM11 and ARM9
3DS has 2 CPUs, ARM9 and ARM11.
ARM9 plays the most important part in security.
So you should get kernel access on ARM9.
See the details below.
http://3dbrew.org/wiki/Hardware

Ninjhax and Kernel Exploit
Ninjhax uses a kernel exploit to install hb:HB in kernel memory of ARM11.
The kernel exploit can be on ARM9 or ARM11.
If it's on ARM9, you can get total access to the 3DS.

You can see code referring to hb:HB below.
https://github.com/smealum/3ds_hb_menu/ ... ource/hb.c

Smealum
He denied that it uses a kernel exploit.
So I considered 2 possibilities.
1. The exploit is on ARM11
Even if you can get the kernel privilege on ARM11, you can't do things like installing CIAs, emuNAND, debugging, and so on.
2. He is lying.
I thought he had not been lying, but he may have lied.
ok ok ok ok, i don't really care enough to give details but i'll say the following and i promise i'm not lying :

1. govanify is full of **** and doesn't seem to know what he's talking about. if he'd actually "reversed it in 2h" he'd know better than to say what he's saying and to use tweets and quotes from an interview as proof (lol)
2. ninjhax does not at any point get unsigned code to run in kernel mode. there's really nothing more to say about that.
3. doing region free on the 3DS does not require kernel mode code exec. again, not much more to say about that.
4. if a part of hbmenu's code actually signified beyond the shadow of a doubt that i've been lying about the nature of the exploit do you seriously think i'd have been dumb enough to a) make it so obvious and b) make hbmenu open source at all ? if so i'm a little insulted.

to sum it up in one word :

please
https://gbatemp.net/threads/speculation ... st-5173686
I may be too perverse, but I wonder why he said "please."

What you should do
Are you interested in a kernel exploit of ARM11?
Do you believe it has a kernel exploit of ARM9?
Then, reverse it!

Re: ARM11 Kernel Exploit of ninjhax

Posted: Sun Nov 23, 2014 11:58 pm
by nightnero253
What's so hard to understand about it being USERMODE exploit only?

Re: ARM11 Kernel Exploit of ninjhax

Posted: Mon Nov 24, 2014 12:19 am
by St4rkDev
Okay urg, I never posted here before, but anyway, I started REing it yesterday/today (just some hours because I am very busy), but in the first part of the code there is nothing of kernel code execution, just things which normal applications use. I will start REing the payload.bin (it is still encrypted) and I will check it, but I doubt there is a kernel (ARM11 kernel) exploit :P


Anyway here a print:
[screenshot not captured]
(Sorry for the code, I am very bad with REing :( )

PS: I need to RE the ROP chain too to check the flaw for ARM11 code exec :p; this is just the ARM11 code.

Re: ARM11 Kernel Exploit of ninjhax

Posted: Mon Nov 24, 2014 12:34 am
by wololo
173210 wrote: I may be too perverse, but I wonder why he said "please."
From a non-native speaker to a non-native speaker, this "please" is difficult to explain, but it does not mean the same as the normal "please" (as in "please don't look at my code"). It's more of a slang word to say "please, use your brains before typing more stuff" to the GBATemp posters. See some details here: http://onlineslangdictionary.com/meanin ... -of/please

Re: ARM11 Kernel Exploit of ninjhax

Posted: Mon Nov 24, 2014 12:47 am
by Zecoxao
St4rkDev wrote: Okay urg, I never posted here before, but anyway, I started REing it yesterday/today (just some hours because I am very busy), but in the first part of the code there is nothing of kernel code execution, just things which normal applications use. I will start REing the payload.bin (it is still encrypted) and I will check it, but I doubt there is a kernel (ARM11 kernel) exploit :P


Anyway here a print:
[screenshot not captured]
(Sorry for the code, I am very bad with REing :( )

PS: I need to RE the ROP chain too to check the flaw for ARM11 code exec :p; this is just the ARM11 code.
you're fast at RE :o

Re: ARM11 Kernel Exploit of ninjhax

Posted: Mon Nov 24, 2014 12:50 am
by St4rkDev
Thank you, I think xD, but there are many things which I need to understand, but I don't have time now :(

Re: ARM11 Kernel Exploit of ninjhax

Posted: Mon Nov 24, 2014 12:55 am
by yifanlu
What's stopping an ARM11 exploit from corrupting ARM9 state? Does ARM9 run in memory that cannot be mapped to ARM11?

Re: ARM11 Kernel Exploit of ninjhax

Posted: Mon Nov 24, 2014 12:58 am
by St4rkDev
yifanlu wrote: What's stopping an ARM11 exploit from corrupting ARM9 state? Does ARM9 run in memory that cannot be mapped to ARM11?

Okay, well I don't know if I am sure, but there are some services which are handled by ARM9; you need to flaw these services to try to get ARM9 code execution (Process9, if I am not mistaken). The GW exploit was an exploit on RSA_Verify.

Re: ARM11 Kernel Exploit of ninjhax

Posted: Mon Nov 24, 2014 1:06 am
by endrift
yifanlu wrote: What's stopping an ARM11 exploit from corrupting ARM9 state? Does ARM9 run in memory that cannot be mapped to ARM11?
I know from the DS at least, it's a NUMA architecture, so there are regions of memory that are specific to each processor. I'd imagine since Nintendo is even more security-conscious with the 3DS that it's even more restricted on that.

Re: ARM11 Kernel Exploit of ninjhax

Posted: Mon Nov 24, 2014 1:28 am
by 173210
yifanlu wrote: What's stopping an ARM11 exploit from corrupting ARM9 state? Does ARM9 run in memory that cannot be mapped to ARM11?
http://3dbrew.org/wiki/Memory_layout
I think so.