Toggle menu
Toggle personal menu
Not logged in
Your IP address will be publicly visible if you make any edits.

UnSAFE MODE 3DS: Difference between revisions

From GameBrew
(Created page with "{{Infobox 3DS homebrew | title = unSAFE MODE | image = https://dlhb.gamebrew.org/3dshomebrew/unSAFEMODE.jpg|250px | type = Exploits | version = | licence = Mixed | author = Tu...")
 
m (Text replacement - "Category:3DS homebrew loaders" to "")
 
(12 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{Infobox 3DS homebrew
{{Infobox 3DS Homebrews
| title = unSAFE MODE
|title=unSAFE MODE
| image = https://dlhb.gamebrew.org/3dshomebrew/unSAFEMODE.jpg|250px
|image=3ds.png
| type = Exploits
|description=3DS userland secondary exploit for SAFE_MODE system updater. It's actually a pretty safe hax ( ͡° ͜ʖ ͡°).  
| version =
|author=zoogie
| licence = Mixed
|lastupdated=2022/12/06
| author = TuxSH
|type=Exploits
| website = https://github.com/TuxSH/unSAFE_MODE
|version=1.3
| download = https://dlhb.gamebrew.org/3dshomebrew/unSAFEMODE.rar
|license=MIT
| source = https://dlhb.gamebrew.org/3dshomebrew/unSAFEMODE.rar
|download=https://github.com/zoogie/unSAFE_MODE/releases/tag/v1.3
|website=https://github.com/zoogie/unSAFE_MODE
|source=https://github.com/zoogie/unSAFE_MODE
|donation=
}}
}}
<youtube>VVDTJbIWxTM</youtube>
{{#seo:
|title= (Exploits) - GameBrew
|title_mode=append
|image=3ds.png
|image_alt=unSAFE MODE
}}
UnSAFE_MODE is a new exploit for the SAFE_MODE system updater on the Nintendo 3DS. This system updater is normally used to internet update a 3DS from a corrupted state and repair any damaged system titles. When launching, the SAFE_MODE sysupdater checks all 3 wifi slots for a working access point to perform a sysupdate.


= unSAFE_MODE =
If it can't find one, it allows the user to access wifi connection settings to make changes. However, a stack smash is possible if the attacker had previously altered the location of the NULL terminator in the wifi slot data.


== Intro ==
Note: Most users are advised to refer to the recommended instructions provided [https://3ds.hacks.guide/seedminer.html in the guide].


This is a new exploit for SAFE_MODE system updater. SAFE_MODE sysupdater is the recovery mode app that launches when L+R+Up+A are held while coldbooting the 3DS. It's normally used to internet update the 3DS from a corrupted state and hopefully repair any damaged system titles. Because it runs ''under'' SAFE_MODE firm, it's a very interesting (and safe) hax target ;)
==About The Exploit==
The SAFE_MODE sysupdater checks the wifi slots for a functioning access point during sysupdate. If it fails to find one, it allows the user to modify the wifi connection settings. However, selecting Proxy Settings -> Detailed Setup can trigger a stack smash vulnerability because the proxy URL string's length isn't adequately checked. An attacker who had already modified the string's NULL terminator location in the wifi slot data could exploit this vulnerability.


== Directions ==
Userland execution with either cfg:i or cfg:s is required to modify the necessary slot. For instance, cfg:s service can be obtained by slightly modifying the "*hax" otherapp source or using an mset entrypoint such as bannerbomb3. Notably, SAFE_MODE sysupdater is a fork of firmware 1.0's mset, which had the same vulnerability at some point. However, the bug was fixed in firmware 3.0, but the fix wasn't backported to SAFE_MODE sysupdater, as updates for SAFE_MODE titles are infrequent.


The recommended instructions can be found [https://3ds.hacks.guide/seedminer.html in this guide].<br> The instructions in the Release archives aren't recommended for most users.
==Media==
'''New Exploit for the 3DS | unSAFE_MODE - Get CFW for FREE on 11.14! [Preview] [HD] - ([https://www.youtube.com/watch?v=CaTvZSqaHGA NintendoBrew])'''<br>
<youtube>CaTvZSqaHGA</youtube>


== Exploit ==
== FAQ ==
Q: Um, ... is this unsafe?<br />
A: It's no more unsafe than any other full exploit chain in terms of user safety. The &quot;unsafe&quot; part is ribbing Nintendo for calling SAFE_MODE as such given, from their perspective, it's full of exploitable bugs (since they never backport fixes from NATIVE_FIRM). The name also refers to the exploit running un(der)SAFE_MODE firm, which is a unique (and nice) aspect of this version of safehax.


When SAFE_MODE sysupdater launches, it will check all 3 wifi slots for a working access point to perform a sysupdate. If it can't find one, it will allow the user to access wifi connection settings to make changes. When Proxy Settings -&gt; Detailed Setup is selected, the displayed proxy URL string is not adequately checked for length, and a stack smash is possible if the attacker had previously altered the location of the string's NULL terminator in the wifi slot data.<br><br> In order to prepare the necessary slot modification, userland execution is needed with either cfg:i or cfg:s available. For example, it's possible to attain the cfg:s service with a small modification to the &quot;*hax&quot; otherapp source, or running an mset entrypoint (i.e. bannerbomb3). Note that SAFE_MODE sysupdater is actually a fork of firmware 1.0's mset (System Settings). As a result, mset also had this same bug at one point, but it was fixed in firmware 3.0. The fix obviously was never backported to SAFE_MODE sysupdater due to the fact that SAFE_MODE titles are seldom updated for whatever reason.
Q: I see the abbreviation &quot;USM&quot; occasionally, I've think I've seen that before in this scene...<br />
A: Yeah, USM is coincidentely also the abbreviation for &quot;Unnamed Smash Mod&quot;. That is not related to unSAFE_MODE at all, but you should [https://unnamedmods.com/ check it out] anyway because it's awesome!


== FAQ ==
Q: One of my shoulder buttons is hosed, what can I do?<br />
A: Some people report that blowing hot humid air into the buttons temporarily allows them to work, but that's just gross and unsanitary (I'd totally do it, but I'm a weirdo).<br />
The best plan B is probably to just use ntrboot or seedminer.
 
Q: You mentioned safehax a couple of times, does unSAFE_MODE have that?<br />
A: It's bundled in, yes. Usm.bin contains the safehax code (and several other stages). It will automatically install boot9strap to firm0/1 for permanent cfw.
 
Q: Is this fixable with a firmware update?<br />
A: I think so. Nintendo has a weird track record ignoring my previous exploits, but they could fix this, and possibly do so without even touching SAFE_MODE titles (they prefer leaving SAFE_MODE untouched, as already mentioned). While the fix I'm thinking of is pretty straightforward, I'd rather not give any hints right now.


Q: Um, ... is this unsafe?<br> A: It's no more unsafe than any other full exploit chain in terms of user safety. The &quot;unsafe&quot; part is ribbing Nintendo for calling SAFE_MODE as such given, from their perspective, it's full of exploitable bugs (since they never backport fixes from NATIVE_FIRM). The name also refers to the exploit running un(der)SAFE_MODE firm, which is a unique (and nice) aspect of this version of safehax. Q: I see the abbreviation &quot;USM&quot; occasionally, I've think I've seen that before in this scene...<br> A: Yeah, USM is coincidentely also the abbreviation for &quot;Unnamed Smash Mod&quot;. That is not related to unSAFE_MODE at all, but you should [https://unnamedmods.com/ check it out] anyway because it's awesome! Q: One of my shoulder buttons is hosed, what can I do?<br> A: Some people report that blowing hot humid air into the buttons temporarily allows them to work, but that's just gross and unsanitary (I'd totally do it, but I'm a weirdo).<br> The best plan B is probably to just use ntrboot or seedminer. Q: You mentioned safehax a couple of times, does unSAFE_MODE have that?<br> A: It's bundled in, yes. Usm.bin contains the safehax code (and several other stages). It will automatically install boot9strap to firm0/1 for permanent cfw. Q: Is this fixable with a firmware update?<br> A: I think so. Nintendo has a weird track record ignoring my previous exploits, but they could fix this, and possibly do so without even touching SAFE_MODE titles (they prefer leaving SAFE_MODE untouched, as already mentioned). While the fix I'm thinking of is pretty straightforward, I'd rather not give any hints right now.
==Changelog==
'''v.1.3'''
* Hotfix 12/6/22 - cia stability
* Hotfix 5/23/22 - fix write permission error on bb3 installer
* Mini_b9s_installer has been removed and now usm launches SafeB9Sinstaller instead.
* Updated universal-otherapp submodule.
* Some warnings fixed and other minor things.
'''v.1.2'''
* A completely new safehax implementation by main Luma3DS dev TuxSH, many thanks to him! This version features cleaner and more stable code. Memchunkhax + Firmlaunchhax is now used for both old/new 3ds. There shouldn't be any difference noticed for the everyday user besides a snazzier looking exploit text scroll!
* The bannerbomb3 installer now offers a menu interface instead of confusing flashing colors. You can select install or restore slots and the current status of your wifi slots is shown before you choose.
* Both installers now backup your wifi data in the unused parts of your slots instead of your sd card. This makes cleanup easier and has less chance of losing data. Unlike before, both installers now use the same backup method so they can be used interchangeably (ex. install hax with bb3 and restore wifi slots with slotTool).
* Extra safety for mini b9s installer
* CIA version of slotTool added. You can use this to restore your slots after cfw is installed if you don't like bannerbomb3 or .3dsx's for some reason.
'''v.1.1'''
* Fix for non-working arm9 fs code on 2GB sd cards (old3ds).
* Stealth 7/24/2020: Added standalone slotTool.3dsx with mset takeover. This means you can run it without special otherapps and you can choose the homebrew entrypoint of your liking.
'''v.1.0'''
* First Release.


== Thanks ==
== Thanks ==
This project is licensed as MIT except the code used and modified from these other projects:<br />


This project is licensed as MIT except the code used and modified from these other projects:<br><br> General Rop/Code
General Rop/Code


* yellows8 https://github.com/yellows8/3ds_ropkit (otherapp loader)
* yellows8 https://github.com/yellows8/3ds_ropkit (otherapp loader)
* dukesrg https://github.com/dukesrg/rop3ds (rop templates, macros)
* dukesrg https://github.com/dukesrg/rop3ds (rop templates, macros)
* smealum https://github.com/zoogie/ninjhax2.x (ninjhax fork with cfg:s changes - superto and o3ds_newpayloads branches) Safehax related
* smealum https://github.com/zoogie/ninjhax2.x (ninjhax fork with cfg:s changes - superto and o3ds_newpayloads branches)
* kartik https://github.com/hax0kartik/pre9otherapp (k11/a9 sploit framework)
* DeadPhoenix https://usm.bruteforcemovable.com/ (hosting bb3 usm installer and providing good project feedback)
 
Safehax related
 
* tuxsh https://github.com/TuxSH/universal-otherapp (v1.2+ complete safehax implementation)
* kartik https://github.com/hax0kartik/pre9otherapp (&lt;= v1.1 k11/a9 sploit framework)
* patois https://github.com/patois/Brahma (&lt;= v1.1 firmlaunchhax)
* tuxsh https://github.com/TuxSH/usr2arm9ldr (&lt;= v1.1 rsaverify)
* normmatt https://gist.github.com/Normmatt/b72f7323686af5c9cd7 (&lt;= v1.1 rsaverify)
* aliaspider https://github.com/aliaspider/svchax/ (memchunkhax1)
* aliaspider https://github.com/aliaspider/svchax/ (memchunkhax1)
* patois https://github.com/patois/Brahma (firmlaunchhax)
* tuxsh https://github.com/TuxSH/usr2arm9ldr (rsaverify)
* normmatt https://gist.github.com/Normmatt/b72f7323686af5c9cd7 (rsaverify)
* SciresM https://github.com/SciresM/boot9strap (mini b9s installer template &amp; b9s itself)
* SciresM https://github.com/SciresM/boot9strap (mini b9s installer template &amp; b9s itself)
* AuroraWright https://github.com/AuroraWright/SafeA9LHInstaller (writefirm)
* AuroraWright https://github.com/AuroraWright/SafeA9LHInstaller (writefirm for mini b9s installer)
 
== External links ==
* Github - https://github.com/zoogie/unSAFE_MODE
 
 
[[Category:Exploits for 3DS]]

Latest revision as of 06:03, 6 Mayıs 2024

unSAFE MODE
3ds.png
General
Authorzoogie
TypeExploits
Version1.3
LicenseMIT License
Last Updated2022/12/06
Links
Download
Website
Source

UnSAFE_MODE is a new exploit for the SAFE_MODE system updater on the Nintendo 3DS. This system updater is normally used to internet update a 3DS from a corrupted state and repair any damaged system titles. When launching, the SAFE_MODE sysupdater checks all 3 wifi slots for a working access point to perform a sysupdate.

If it can't find one, it allows the user to access wifi connection settings to make changes. However, a stack smash is possible if the attacker had previously altered the location of the NULL terminator in the wifi slot data.

Note: Most users are advised to refer to the recommended instructions provided in the guide.

About The Exploit

The SAFE_MODE sysupdater checks the wifi slots for a functioning access point during sysupdate. If it fails to find one, it allows the user to modify the wifi connection settings. However, selecting Proxy Settings -> Detailed Setup can trigger a stack smash vulnerability because the proxy URL string's length isn't adequately checked. An attacker who had already modified the string's NULL terminator location in the wifi slot data could exploit this vulnerability.

Userland execution with either cfg:i or cfg:s is required to modify the necessary slot. For instance, cfg:s service can be obtained by slightly modifying the "*hax" otherapp source or using an mset entrypoint such as bannerbomb3. Notably, SAFE_MODE sysupdater is a fork of firmware 1.0's mset, which had the same vulnerability at some point. However, the bug was fixed in firmware 3.0, but the fix wasn't backported to SAFE_MODE sysupdater, as updates for SAFE_MODE titles are infrequent.

Media

New Exploit for the 3DS | unSAFE_MODE - Get CFW for FREE on 11.14! [Preview] [HD] - (NintendoBrew)

FAQ

Q: Um, ... is this unsafe?
A: It's no more unsafe than any other full exploit chain in terms of user safety. The "unsafe" part is ribbing Nintendo for calling SAFE_MODE as such given, from their perspective, it's full of exploitable bugs (since they never backport fixes from NATIVE_FIRM). The name also refers to the exploit running un(der)SAFE_MODE firm, which is a unique (and nice) aspect of this version of safehax.

Q: I see the abbreviation "USM" occasionally, I've think I've seen that before in this scene...
A: Yeah, USM is coincidentely also the abbreviation for "Unnamed Smash Mod". That is not related to unSAFE_MODE at all, but you should check it out anyway because it's awesome!

Q: One of my shoulder buttons is hosed, what can I do?
A: Some people report that blowing hot humid air into the buttons temporarily allows them to work, but that's just gross and unsanitary (I'd totally do it, but I'm a weirdo).
The best plan B is probably to just use ntrboot or seedminer.

Q: You mentioned safehax a couple of times, does unSAFE_MODE have that?
A: It's bundled in, yes. Usm.bin contains the safehax code (and several other stages). It will automatically install boot9strap to firm0/1 for permanent cfw.

Q: Is this fixable with a firmware update?
A: I think so. Nintendo has a weird track record ignoring my previous exploits, but they could fix this, and possibly do so without even touching SAFE_MODE titles (they prefer leaving SAFE_MODE untouched, as already mentioned). While the fix I'm thinking of is pretty straightforward, I'd rather not give any hints right now.

Changelog

v.1.3

  • Hotfix 12/6/22 - cia stability
  • Hotfix 5/23/22 - fix write permission error on bb3 installer
  • Mini_b9s_installer has been removed and now usm launches SafeB9Sinstaller instead.
  • Updated universal-otherapp submodule.
  • Some warnings fixed and other minor things.

v.1.2

  • A completely new safehax implementation by main Luma3DS dev TuxSH, many thanks to him! This version features cleaner and more stable code. Memchunkhax + Firmlaunchhax is now used for both old/new 3ds. There shouldn't be any difference noticed for the everyday user besides a snazzier looking exploit text scroll!
  • The bannerbomb3 installer now offers a menu interface instead of confusing flashing colors. You can select install or restore slots and the current status of your wifi slots is shown before you choose.
  • Both installers now backup your wifi data in the unused parts of your slots instead of your sd card. This makes cleanup easier and has less chance of losing data. Unlike before, both installers now use the same backup method so they can be used interchangeably (ex. install hax with bb3 and restore wifi slots with slotTool).
  • Extra safety for mini b9s installer
  • CIA version of slotTool added. You can use this to restore your slots after cfw is installed if you don't like bannerbomb3 or .3dsx's for some reason.

v.1.1

  • Fix for non-working arm9 fs code on 2GB sd cards (old3ds).
  • Stealth 7/24/2020: Added standalone slotTool.3dsx with mset takeover. This means you can run it without special otherapps and you can choose the homebrew entrypoint of your liking.

v.1.0

  • First Release.

Thanks

This project is licensed as MIT except the code used and modified from these other projects:

General Rop/Code

Safehax related

External links

Advertising: