The 3DS scene is always popping with something, from Pokemon hacks, mods, and exploits to run homebrew and much more. The most recent exploit we like to tell you about is Slowhax or Waithax and that is exactly how this exploit works, theirs a lot of waiting, so its diffidently a slow process for either of the 3DS to do. It should take about 20 minutes for the N3ds and about a 1hr for the O3DS and it only works on FW 9.0 to 11.1. It probably won’t be the most popular exploit to use on either of the 3DS but if you don’t mind then give it a try and go make a sandwich or two while you’re waiting around. 😉
“Implementation of the slowhax / waithax ARM11 kernel exploit. Kind of intended as a reference implementation, sort of based on Steveice10’s memchunkhax2 implementation. Definitely does not look the cleanest possible, feel free to contribute.”
Can only work from 9.0 to 11.1, as the vulnerability was patched on 11.2. Use faster exploits if you can, though.
“Only tested on my 10.3 New3DS, but I don’t see why it would fail on other consoles. There are no hardcoded addresses in this implementation. Exploit written in less than a day. Finding the strat took more time. No one really seemed to care about doing it apparently…”
https://twitter.com/JustPingo/status/808014763036917760
https://twitter.com/smealum/status/808126718556807169
“While there are no user tools at the moment which take advantage of this development, expect tools very soon which can facilitate DSi downgrading among other hacks. ” Once a developer implements this into an existing DSi exploit installer (Such as Yellows8’s), we will be able to inject and then downgrade directly from a single console instead of having to do the transfer method as described in Plailect’s guide! My advice is to get an entrypoint exploit working (See Smea’s website) and run HTTPWN on your 11.0-11.1 3DS and download a compatible, exploitable, DSi Ware game before Nintendo pulls them! (They have already pulled the popular exploitable ones already!)”
How to use it:
Please check the main.c file in the source folder for information on how to use this implementation in your own application. Take note that this implementation does not patch the SVC call access table, nor the process PID on its own. However, a helper method is given to run your own kernel mode code after running the exploit. This method sort of acts like svcBackdoor; but the given code will be run with the SVC-mode stack, instead of the userland caller thread stack.
Known issues:
- Crash in PM when rebooting the console / running another homebrew / exiting to Home Menu (probably due to some invalid handle or something). Minor issue.
Credits:
- nedwill/derrek for discovering the vulnerability, they’re the real guys here
- Steveice10 for the memchunkhax2 implementation
- AuroraWright/TuxSH for Luma3DS and its exception handlers, Subv/cell9 for the SVC access check patches which were extensively used for development
- TuxSH for finding the KSyncObject address leaking used in memchunkhax2, Kernel11 RE and lots of more stuff
- if I missed anyone in there please tell me.
3DS dsiwarehax installer & check this for more information about waithax.:
Downloads: dsiwarehax_installer.3dsx