More actions
(Created page with "{{Infobox 3DS homebrew | title = Soundhax | image = https://dlhb.gamebrew.org/3dshomebrew/Soundhax.png|250px | type = Exploits | version = unknown | licence = Mixed | author =...") |
m (Text replacement - "Category:3DS homebrew loaders" to "") |
||
(16 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
{{Infobox 3DS | {{Infobox 3DS Homebrews | ||
| title = Soundhax | |title=Soundhax | ||
| image = | |image=soundhax3ds.png | ||
| type = Exploits | |description=Free 3DS Primary Entrypoint <= 11.3. | ||
| version = | |author=nedwill | ||
| | |lastupdated=2020/12/09 | ||
| | |type=Exploits | ||
| website = | |version=2020 | ||
| | |license=Mixed | ||
| | |download=http://soundhax.com/ | ||
|website=http://soundhax.com/ | |||
|source=https://github.com/nedwill/soundhax | |||
|donation=http://soundhax.com/ | |||
}} | }} | ||
< | Soundhax is a primary homebrew entrypoint that works on firmwares up to 11.3. It is a new exploit that gives you access to the homebrew launcher without needing a game to exploit. This vulnerability exploits the default sound application preinstalled on all 3DS devices. Soundhax (when combined with the Homebrew Launcher) is compatible with versions 9.0.0 through 11.3.0 in the EUR, JPN, KOR, and USA regions. | ||
==About This Exploit== | |||
There is a bug in the 3DS Sound application where it uses a <code>memcpy</code> function instead of a unicode <code>strncpy</code> variant to copy a song name from mp4 atom tags onto the heap, potentially causing a buffer overflow. The exploit takes advantage of this overflow to control the malloc header of the next heap chunk, which allows for arbitrary writes to memory. | |||
By manipulating the free list and causing a stack overflow, the exploit can turn the arbitrary write primitive into ROP and use the gspwn GPU exploit to write shellcode over the text section of the sound process, allowing for code execution. | |||
== Regions and Versions == | == Regions and Versions == | ||
{| | |||
{| class="wikitable" | |||
! Version | ! Version | ||
! N3DS | ! N3DS/N2DS | ||
! O3DS/2DS | ! O3DS/2DS | ||
|- | |- | ||
| US | | US 1.0-11.3 | ||
| ✓ | | ✓ | ||
| ✓ | | ✓ | ||
|- | |- | ||
| JPN | | JPN 1.0-11.3 | ||
| ✓ | | ✓ | ||
| ✓ | | ✓ | ||
|- | |- | ||
| EUR | | EUR 1.0-11.3 | ||
| ✓ | | ✓ | ||
| ✓ | | ✓ | ||
|- | |- | ||
| KOR | | KOR 4.0-11.3 | ||
| ✓ | | ✓ | ||
| ✓ | | ✓ | ||
|- | |- | ||
| CHN | | CHN 4.0-11.3 | ||
| N/A | |||
| | |||
| ✓ | | ✓ | ||
|- | |- | ||
| | | TWN 4.1-11.3 | ||
| N/A | |||
| ✓ | | ✓ | ||
|} | |} | ||
'''All existing versions of Nintendo 3DS Sound prior to Nintendo fixing the vulnerability are now supported'''. | |||
If your box is checked, then put [https://smealum.github.io/3ds/#otherapp otherapp.bin] on the root of your SD card along with soundhax.m4a and launch the song from the sound player. | |||
It can be used along [[Pre9otherapp 3DS]] to launch an arm9 payload from the SD card on pre 9.0 firms (2.1 - 9.2). | |||
== Installation == | == Installation == | ||
# Download the relevant soundhax-region-console.m4a file for your device. | # Download the relevant soundhax-region-console-firmware.m4a file for your device. | ||
# Save the soundhax song file and copy to the root of your SD. | # Save the soundhax song file and copy to the root of your SD. | ||
# Download the [https://smealum.github.io/3ds/ otherapp payload] for your 3DS version, rename it to <code>otherapp.bin</code>, and copy it to the root of the SD card. | # Download the [https://smealum.github.io/3ds/ otherapp payload] for your 3DS version, rename it to <code>otherapp.bin</code>, and copy it to the root of the SD card. | ||
# Download the [ | # Download the [[The Homebrew Launcher 3DS|Homebrew Menu]] and place <code>boot.3dsx</code> in the root of the SD card (if it is not there already). | ||
# Insert the SD card into the 3DS and start Nintendo 3DS Sound. | # Insert the SD card into the 3DS and start Nintendo 3DS Sound. | ||
# Locate your new song and play it to start the Homebrew | # Locate your new song and play it to start the Homebrew Menu! | ||
== | |||
Fixing the annoying bird: Click through all of the bird tips then close the app normally. When you exploit it it doesn't save the fact that you've opened the app before, so closing and reopening normally seems to fix this. | |||
= | |||
==Media== | |||
'''[3DS] How To Install & Use Soundhax - ([https://www.youtube.com/watch?v=Uysb6oQ7Bag DarkFlare])'''<br> | |||
<youtube>Uysb6oQ7Bag</youtube> | |||
== Thanks == | == Thanks == | ||
Subv and Citra authors - for help emulating sound, this was invaluable plutoo - stage 2 shellcode yellows8 - help with gpu address translation for gspwn, initial JPN support, finished KOR support smea - homebrew launcher d3m3vilurr - EUR, JPN, partial KOR support TuxSH - O3DS offset Konng - Testing EUR payloads | * Subv and Citra authors - for help emulating sound, this was invaluable | ||
* plutoo - stage 2 shellcode | |||
* yellows8 - help with gpu address translation for gspwn, initial JPN support, finished KOR support | |||
* smea - homebrew launcher | |||
* d3m3vilurr - EUR, JPN, partial KOR support | |||
* TuxSH - O3DS offset | |||
* Konng - Testing EUR payloads | |||
* cakey - advice and support | |||
* PPP - teaching me everything I know | |||
* geohot, comex, j00ru, loki, project zero - inspiring me to pursue bug hunting | |||
==External Links== | |||
* Official Site - http://soundhax.com/ | |||
* Github - https://github.com/nedwill/soundhax | |||
[[Category:Exploits for 3DS]] |
Latest revision as of 06:05, 6 Mayıs 2024
Soundhax | |
---|---|
General | |
Author | nedwill |
Type | Exploits |
Version | 2020 |
License | Mixed |
Last Updated | 2020/12/09 |
Links | |
Download | |
Website | |
Source | |
Support Author | |
Soundhax is a primary homebrew entrypoint that works on firmwares up to 11.3. It is a new exploit that gives you access to the homebrew launcher without needing a game to exploit. This vulnerability exploits the default sound application preinstalled on all 3DS devices. Soundhax (when combined with the Homebrew Launcher) is compatible with versions 9.0.0 through 11.3.0 in the EUR, JPN, KOR, and USA regions.
About This Exploit
There is a bug in the 3DS Sound application where it uses a memcpy
function instead of a unicode strncpy
variant to copy a song name from mp4 atom tags onto the heap, potentially causing a buffer overflow. The exploit takes advantage of this overflow to control the malloc header of the next heap chunk, which allows for arbitrary writes to memory.
By manipulating the free list and causing a stack overflow, the exploit can turn the arbitrary write primitive into ROP and use the gspwn GPU exploit to write shellcode over the text section of the sound process, allowing for code execution.
Regions and Versions
Version | N3DS/N2DS | O3DS/2DS |
---|---|---|
US 1.0-11.3 | ✓ | ✓ |
JPN 1.0-11.3 | ✓ | ✓ |
EUR 1.0-11.3 | ✓ | ✓ |
KOR 4.0-11.3 | ✓ | ✓ |
CHN 4.0-11.3 | N/A | ✓ |
TWN 4.1-11.3 | N/A | ✓ |
All existing versions of Nintendo 3DS Sound prior to Nintendo fixing the vulnerability are now supported.
If your box is checked, then put otherapp.bin on the root of your SD card along with soundhax.m4a and launch the song from the sound player.
It can be used along Pre9otherapp 3DS to launch an arm9 payload from the SD card on pre 9.0 firms (2.1 - 9.2).
Installation
- Download the relevant soundhax-region-console-firmware.m4a file for your device.
- Save the soundhax song file and copy to the root of your SD.
- Download the otherapp payload for your 3DS version, rename it to
otherapp.bin
, and copy it to the root of the SD card. - Download the Homebrew Menu and place
boot.3dsx
in the root of the SD card (if it is not there already). - Insert the SD card into the 3DS and start Nintendo 3DS Sound.
- Locate your new song and play it to start the Homebrew Menu!
Fixing the annoying bird: Click through all of the bird tips then close the app normally. When you exploit it it doesn't save the fact that you've opened the app before, so closing and reopening normally seems to fix this.
Media
[3DS] How To Install & Use Soundhax - (DarkFlare)
Thanks
- Subv and Citra authors - for help emulating sound, this was invaluable
- plutoo - stage 2 shellcode
- yellows8 - help with gpu address translation for gspwn, initial JPN support, finished KOR support
- smea - homebrew launcher
- d3m3vilurr - EUR, JPN, partial KOR support
- TuxSH - O3DS offset
- Konng - Testing EUR payloads
- cakey - advice and support
- PPP - teaching me everything I know
- geohot, comex, j00ru, loki, project zero - inspiring me to pursue bug hunting
External Links
- Official Site - http://soundhax.com/
- Github - https://github.com/nedwill/soundhax