First Userland Exploit for 3DS, Bannerbomb 3 Out Now!

Long live the 3DS! It's clear that the 3DS still has plenty left to discover if we keep looking. The creator of Bannerbomb3 (zoogie) was doing just that when he stumbled upon the 3DS' first userland exploit. It's an exciting feeling whenever something new is found for any device. So let's dig into it and talk about what it's all about (and we'll even let you in on how to put this CFW on your 3DS)!


Introduction from zoogie:

“This is a POC for a new System Settings userland exploit. It uses ROP execution to dump DS Internet from System Settings using a custom crafted DSiWare export. This is useful primarily as an enhancement for “Fredminer” variant of seedminer to obtain free cfw on 3ds. Among other things, it brings free cfw to more regions*, and removes the possibility of Nintendo pulling certain games like Steel Diver from the eshop to thwart homebrew efforts. *(except China – iQue System Settings cannot access DSiWare)”

Exploit Explanation:

“Basically put, this overflows the banner title strings in DSiWare exports (TADs) when you view them in System Settings, and smashes the stack leading to ROP control for the attacker. You do need the movable.sed to encrypt a payload TAD, but that’s easy enough to do nowadays. Movable.sed bruteforcing now only takes about a minute and free online services can do it for you. Over 350,000 people have done it so it can’t be that hard :p More exploit details on 3dbrew: <link forthcoming> … and in the comments inside rop_payload/rop_payload.s, of course.”
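The defect described above is an unchecked string length copied into a fixed-size stack buffer. The following is an added illustration (not code from Bannerbomb3, System Settings, or zoogie) of the hardened form of such a banner-title reader: the record layout (a 16-bit code-unit count followed by UTF-16LE text), the buffer size and the function names are all assumptions constructed for this example, not the real TAD format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout for illustration only (NOT the real DSiWare TAD/banner
 * format): [u16 count][count * u16 UTF-16LE code units]. */
#define TITLE_CAP 64   /* code units the caller's fixed buffer can hold */
enum { HDR_LEN = 2 };

/* Hardened reader: never trusts the count field taken from the file.
 * Returns the number of code units copied, or -1 if the record is truncated
 * or the title would not fit in the caller's buffer (the page's bug class is
 * precisely a copy that skips this check and smashes the stack). */
int read_banner_title(const uint8_t *rec, size_t rec_len,
                      uint16_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL || rec_len < HDR_LEN) return -1;
    size_t count = rec[0] | ((size_t)rec[1] << 8);
    if (count >= out_cap) return -1;                 /* room for terminator */
    if (rec_len - HDR_LEN < count * 2) return -1;    /* record is truncated */
    for (size_t i = 0; i < count; i++)
        out[i] = (uint16_t)(rec[HDR_LEN + 2 * i] | (rec[HDR_LEN + 2 * i + 1] << 8));
    out[count] = 0;
    return (int)count;
}

/* Builds a constructed record whose header claims `claimed` code units but
 * which actually carries `actual` units of 'A'. Returns bytes written (0 on
 * overflow of the scratch buffer). */
size_t make_record(uint8_t *buf, size_t buf_len, unsigned claimed, unsigned actual)
{
    if (buf_len < HDR_LEN + 2 * (size_t)actual) return 0;
    buf[0] = claimed & 0xff;
    buf[1] = (claimed >> 8) & 0xff;
    for (unsigned i = 0; i < actual; i++) {
        buf[HDR_LEN + 2 * i] = 'A';
        buf[HDR_LEN + 2 * i + 1] = 0;
    }
    return HDR_LEN + 2 * (size_t)actual;
}

int main(void)
{
    uint8_t rec[1024];
    uint16_t title[TITLE_CAP];
    size_t n = make_record(rec, sizeof rec, 5, 5);
    printf("well-formed title: %d units\n", read_banner_title(rec, n, title, TITLE_CAP));
    n = make_record(rec, sizeof rec, 400, 400);
    printf("oversized title: %d (rejected)\n", read_banner_title(rec, n, title, TITLE_CAP));
    return 0;
}
```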

Questions and Answers:

“Q: Homebrew Menu?

A: I've been able to get otherapp.bin booting by using 3ds_ropkit and a loader ROP chain. However, shortly after the bottom screen turns yellow, the 3ds just reboots to home menu. Debugging this, it seems like otherapp is crashing on _aptExit() around here:

It's really alright though. Fredminer gets you a more stable 3dsx homebrew environment anyway, so this isn't really a high priority issue right now (still would be cool to see hbmenu booting I admit).

Q: What’s with the 3 in Bannerbomb3?

A: It’s a tribute to the Wii scene, they did 1 & 2. I love old homebrew scenes.


Q: Why TADmuffin?

A: Muffin sounded funny so I went with that. Just needed to be different from TADpole.


Q: Will this work on the DSi since it has DSiWare exports too?

A: The flaw is definitely there as well, but I’ve been unsuccessful exploiting it on hardware (I can get code exe on no$gba though). Moot because of Memory Pit anyhow 😉


Q: Is this your first 3ds userland exploit?

A: Yes. Feels good man.”

What you Need for This Exploit to Work:

  1. “11.5 – 11.10 US/EU/JP/KR old/new 3ds needed. An 11.4 New2dsXL *might* work. (Taiwan support should be soon)
  2. Make movable.sed from https://bruteforcemovable.com, or whatever other valid option.”

Instructions:

  1. Download the current Bannerbomb3 release from here.
  2. On PC, drag n’ drop your generated movable.sed on TADmuffin.exe and it should generate “Usa_Europe_Japan_Korea/F00D43DS.bin” next to TADmuffin.
  3. On 3DS sd card, place F00D43DS.bin inside sdmc:/Nintendo 3DS/012345678abcdef012345678abcdef/012345678abcdef012345678abcdef/Nintendo DSiWare/<here>
    (make sure it is the ONLY file inside the Nintendo DSiWare folder – move other .bin files up one directory temporarily).
  4. Turn on the 3DS, go to System Settings -> Data Management -> DSiWare -> SD Card (note: you DON’T have to delete any games under “System Memory”)
  5. The following should happen: Progress swirl, short freeze, bottom screen turns magenta, music stops, system shows error prompt and resets.
    ^ All of that is what’s supposed to happen! If the system crashed but the magenta bottom screen didn’t show or you see a grey “?” icon, the exploit didn’t work.
  6. A new file should now be on your SD card root, 42383841.bin.
  7. This is your exported DS Internet DSiWare. Use this file and the same movable.sed to do Fredminer (free cfw)!

Note: You will have to remove or rename (w/ underscore) F00D43DS.bin if you want DS Data Management to work without crashing.


If you like the author’s work, follow him on Twitter @V1RACY and don’t forget to enter the weekly giveaways!

And as always, stay tuned here on Hackinformer.com for so much more and follow us on Twitter @Hackinformer
