Latest revision as of 06:03, 6 May 2024
| unSAFE MODE | |
|---|---|
| Description | 3DS userland secondary exploit for the SAFE_MODE system updater |
| Author | zoogie |
| Type | Exploits |
| Version | 1.3 |
| License | MIT License |
| Last Updated | 2022/12/06 |
| Download | https://github.com/zoogie/unSAFE_MODE/releases/tag/v1.3 |
| Website | https://github.com/zoogie/unSAFE_MODE |
| Source | https://github.com/zoogie/unSAFE_MODE |
UnSAFE_MODE is a new exploit for the SAFE_MODE system updater on the Nintendo 3DS. This updater is normally used to update a 3DS over the internet from a corrupted state and repair any damaged system titles. When launched, the SAFE_MODE sysupdater checks all 3 wifi slots for a working access point with which to perform the sysupdate.
If it can't find one, it lets the user open the wifi connection settings to make changes. A stack smash is possible at this point if the attacker had previously altered the location of the NULL terminator in the wifi slot data.
Note: Most users are advised to follow the recommended instructions provided in the guide (https://3ds.hacks.guide/seedminer.html).
About The Exploit
The SAFE_MODE sysupdater checks the wifi slots for a functioning access point before performing the sysupdate. If it fails to find one, it allows the user to modify the wifi connection settings. Selecting Proxy Settings -> Detailed Setup can then trigger a stack smash, because the length of the proxy URL string isn't adequately checked; an attacker who had already moved the string's NULL terminator in the wifi slot data could exploit this.
Userland code execution with access to either the cfg:i or cfg:s service is required to modify the necessary slot. For instance, cfg:s can be obtained by slightly modifying the "*hax" otherapp source, or by using an mset entrypoint such as bannerbomb3. Notably, the SAFE_MODE sysupdater is a fork of firmware 1.0's mset, which at one point had the same vulnerability. The bug was fixed in firmware 3.0, but the fix was never backported to the SAFE_MODE sysupdater, since SAFE_MODE titles are rarely updated.
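To make the bug class concrete, here is an added C illustration written for this page; it is not code from unSAFE_MODE or from the 3DS firmware. It uses a hypothetical slot layout with a fixed-size proxy URL field, shows how many bytes an unchecked copy would trust once the terminator has been moved past the field, and contrasts that with a hardened parser that bounds its scan to the field and rejects the slot. The struct, field sizes and sample values are all assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical slot layout for illustration only; it is NOT the real 3DS
 * wifi slot format. A fixed-size proxy URL field sits in front of other
 * settings, and the parser copies the URL into a fixed-size local buffer. */
#define PROXY_URL_FIELD_SIZE 32
#define LOCAL_BUF_SIZE 32
#define OTHER_SETTINGS_SIZE 64

struct slot_blob {
    uint8_t proxy_url[PROXY_URL_FIELD_SIZE];
    uint8_t other_settings[OTHER_SETTINGS_SIZE];
};

/* Number of bytes an unchecked strcpy-style parser would copy: it walks the
 * raw blob from the start of the field until the first 0 byte it finds,
 * even when that byte lies outside the field. Returns sizeof(*s) if the
 * blob contains no terminator at all. */
size_t unchecked_copy_len(const struct slot_blob *s) {
    const uint8_t *raw = (const uint8_t *)s;
    size_t i;
    for (i = 0; i < sizeof(*s); i++) {
        if (raw[i] == 0) return i;
    }
    return sizeof(*s);
}

/* 1 if the unchecked copy (string plus terminator) would exceed the local
 * buffer, i.e. the stack smash condition the text describes; 0 otherwise. */
int unchecked_would_overflow(const struct slot_blob *s) {
    return unchecked_copy_len(s) + 1 > LOCAL_BUF_SIZE;
}

/* Hardened parser: scan only inside the field, require the terminator to be
 * inside it, and require the string (with terminator) to fit the destination.
 * Returns 0 and fills dst on success, -1 if the slot is rejected. */
int safe_copy_proxy_url(const struct slot_blob *s, char *dst, size_t dst_size) {
    size_t n = 0;
    while (n < PROXY_URL_FIELD_SIZE && s->proxy_url[n] != 0) n++;
    if (n == PROXY_URL_FIELD_SIZE) return -1;  /* terminator moved out of the field */
    if (n + 1 > dst_size) return -1;           /* would not fit the local buffer */
    memcpy(dst, s->proxy_url, n + 1);
    return 0;
}

/* Constructed sample: a well-formed slot whose URL ends inside the field. */
void make_benign_slot(struct slot_blob *s) {
    const char *url = "http://proxy.example:8080";  /* 25 chars, constructed */
    memset(s, 0, sizeof(*s));
    memcpy(s->proxy_url, url, strlen(url) + 1);
}

/* Constructed sample: the field holds no terminator at all; the first 0 byte
 * sits 40 bytes into the following settings, so a naive copy runs 72 bytes. */
void make_tampered_slot(struct slot_blob *s) {
    memset(s, 0, sizeof(*s));
    memset(s->proxy_url, 'A', PROXY_URL_FIELD_SIZE);
    memset(s->other_settings, 'B', 40);
}

int main(void) {
    struct slot_blob benign, tampered;
    char dst[LOCAL_BUF_SIZE];

    make_benign_slot(&benign);
    make_tampered_slot(&tampered);

    printf("benign:   unchecked copy %zu bytes, overflow=%d, safe_copy=%d\n",
           unchecked_copy_len(&benign), unchecked_would_overflow(&benign),
           safe_copy_proxy_url(&benign, dst, sizeof dst));
    printf("tampered: unchecked copy %zu bytes, overflow=%d, safe_copy=%d\n",
           unchecked_copy_len(&tampered), unchecked_would_overflow(&tampered),
           safe_copy_proxy_url(&tampered, dst, sizeof dst));
    return 0;
}
```

The point of the hardened version is that it never trusts the terminator's position: the scan is bounded by the field size, a field with no terminator inside it is treated as corrupt, and the destination size is checked independently of the field size. Either of the last two checks alone would have caught the tampered slot; applying both keeps the parser correct even if the field and buffer sizes later diverge.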
Media
New Exploit for the 3DS | unSAFE_MODE - Get CFW for FREE on 11.14! [Preview] [HD] - (NintendoBrew) https://www.youtube.com/watch?v=CaTvZSqaHGA
FAQ
Q: Um, ... is this unsafe?
A: It's no more unsafe than any other full exploit chain in terms of user safety. The "unsafe" part is ribbing Nintendo for calling SAFE_MODE as such given, from their perspective, it's full of exploitable bugs (since they never backport fixes from NATIVE_FIRM). The name also refers to the exploit running un(der)SAFE_MODE firm, which is a unique (and nice) aspect of this version of safehax.
Q: I see the abbreviation "USM" occasionally; I think I've seen that before in this scene...
A: Yeah, USM is coincidentally also the abbreviation for "Unnamed Smash Mod". That is not related to unSAFE_MODE at all, but you should check it out (https://unnamedmods.com/) anyway because it's awesome!
Q: One of my shoulder buttons is hosed, what can I do?
A: Some people report that blowing hot humid air into the buttons temporarily allows them to work, but that's just gross and unsanitary (I'd totally do it, but I'm a weirdo).
The best plan B is probably to just use ntrboot or seedminer.
Q: You mentioned safehax a couple of times, does unSAFE_MODE have that?
A: It's bundled in, yes. Usm.bin contains the safehax code (and several other stages). It will automatically install boot9strap to firm0/1 for permanent cfw.
Q: Is this fixable with a firmware update?
A: I think so. Nintendo has a weird track record ignoring my previous exploits, but they could fix this, and possibly do so without even touching SAFE_MODE titles (they prefer leaving SAFE_MODE untouched, as already mentioned). While the fix I'm thinking of is pretty straightforward, I'd rather not give any hints right now.
Changelog
v.1.3
- Hotfix 12/6/22 - cia stability
- Hotfix 5/23/22 - fix write permission error on bb3 installer
- Mini_b9s_installer has been removed and now usm launches SafeB9Sinstaller instead.
- Updated universal-otherapp submodule.
- Some warnings fixed and other minor things.
v.1.2
- A completely new safehax implementation by main Luma3DS dev TuxSH, many thanks to him! This version features cleaner and more stable code. Memchunkhax + Firmlaunchhax is now used for both old/new 3ds. There shouldn't be any difference noticed for the everyday user besides a snazzier looking exploit text scroll!
- The bannerbomb3 installer now offers a menu interface instead of confusing flashing colors. You can select install or restore slots and the current status of your wifi slots is shown before you choose.
- Both installers now back up your wifi data in the unused parts of your slots instead of on your sd card. This makes cleanup easier and reduces the chance of losing data. Unlike before, both installers now use the same backup method, so they can be used interchangeably (ex. install hax with bb3 and restore wifi slots with slotTool).
- Extra safety for mini b9s installer
- CIA version of slotTool added. You can use this to restore your slots after cfw is installed if you don't like bannerbomb3 or .3dsx's for some reason.
v.1.1
- Fix for non-working arm9 fs code on 2GB sd cards (old3ds).
- Stealth 7/24/2020: Added standalone slotTool.3dsx with mset takeover. This means you can run it without special otherapps and you can choose the homebrew entrypoint of your liking.
v.1.0
- First Release.
Thanks
This project is licensed as MIT, except for the code used and modified from these other projects:
General Rop/Code
- yellows8 https://github.com/yellows8/3ds_ropkit (otherapp loader)
- dukesrg https://github.com/dukesrg/rop3ds (rop templates, macros)
- smealum https://github.com/zoogie/ninjhax2.x (ninjhax fork with cfg:s changes - superto and o3ds_newpayloads branches)
- DeadPhoenix https://usm.bruteforcemovable.com/ (hosting bb3 usm installer and providing good project feedback)
Safehax related
- tuxsh https://github.com/TuxSH/universal-otherapp (v1.2+ complete safehax implementation)
- kartik https://github.com/hax0kartik/pre9otherapp (<= v1.1 k11/a9 sploit framework)
- patois https://github.com/patois/Brahma (<= v1.1 firmlaunchhax)
- tuxsh https://github.com/TuxSH/usr2arm9ldr (<= v1.1 rsaverify)
- normmatt https://gist.github.com/Normmatt/b72f7323686af5c9cd7 (<= v1.1 rsaverify)
- aliaspider https://github.com/aliaspider/svchax/ (memchunkhax1)
- SciresM https://github.com/SciresM/boot9strap (mini b9s installer template & b9s itself)
- AuroraWright https://github.com/AuroraWright/SafeA9LHInstaller (writefirm for mini b9s installer)