Toggle menu
Toggle personal menu
Not logged in
Your IP address will be publicly visible if you make any edits.

Kartdlphax 3DS: Difference between revisions

From GameBrew
No edit summary
 
(15 intermediate revisions by one other user not shown)
Line 1: Line 1:
{{Infobox 3DS homebrew
{{Infobox 3DS Homebrews
| title = kartdlphax
|title=kartdlphax
| image = https://dlhb.gamebrew.org/3dshomebrew/kartdlphax.jpg|250px
|image=kartdlphax3ds.png
| type = Exploits
|description=kartdlphax is a semiprimary exploit for the download play mode of Mario Kart 7.
| version = v1.1
|author=PabloMK7
| licence = Mixed
|lastupdated=2023/07/25
| author = mariohackandglitch
|type=Exploits
| website = https://github.com/mariohackandglitch/kartdlphax
|version=1.3.3
| download = https://dlhb.gamebrew.org/3dshomebrew/Kartdlphaxv1.1.7z
|license=Unlicense
| source = https://github.com/mariohackandglitch/kartdlphax
|download=https://dlhb.gamebrew.org/3dshomebrews/kartdlphax3ds.7z
|website=https://gbatemp.net/threads/kartdlphax-a-mario-kart-7-semi-primary-exploit.587755/
|source=https://github.com/PabloMK7/kartdlphax
}}
}}
<youtube>W2RLSJZhQFc</youtube>
Kartdlphax is a semi-primary exploit for the download play mode of Mario Kart 7. It allows running a userland payload on an unmodified Nintendo 3DS by having it connect through download play to another 3DS with Custom Firmware running the exploit.


= kartdlphax =
==Installation==
https://github.com/mariohackandglitch/kartdlphax/blob/main/DLP.png
To use kartdlphax, you need to install the [[Luma3DS 3GX Loader Edition 3DS]] fork on the host system. The exploit uses a 3GX Plugin, and you can place the .3gx file from the [https://github.com/PabloMK7/kartdlphax/releases/latest Releases page] in the appropriate directories depending on your game region.


kartdlphax is a semiprimary exploit for the download play mode of [https://en.wikipedia.org/wiki/Mario_Kart_7 Mario Kart 7]. It can be used to run an userland payload in an unmodified 3DS by having it connect through download play to another 3DS with Custom Firmware running the exploit.
* EUR: '''luma/plugins/0004000000030700'''
* JAP: '''luma/plugins/0004000000030600'''
* USA: '''luma/plugins/0004000000030800'''


=== Installation ===
By default, the plugin uses the built-in otherapps ([[3DS ROP xPloit Injector]] or [[Universal-otherapp 3DS]]). However, you can place your own otherapp at /kartdlphax_otherapp.bin if desired.
The exploit uses a 3GX Plugin in the host system. Therefore, in order to use this exploit you need to install the [3GX Loader Luma3DS fork](https://github.com/Nanquitas/Luma3DS/releases/latest).


In the host console, place the '.3gx' file from the [Releases page](https://github.com/mariohackandglitch/kartdlphax/releases/latest) in the following directories depending on your game region:
==Usage==
* EUR: `luma/plugins/0004000000030700`
# Enable the plugin loader from the Rosalina menu (L+Down+Select) on the host 3DS.
* JAP: `luma/plugins/0004000000030600`
# Launch the Mario Kart 7 game matching the region of the client 3DS(es).
* USA: `luma/plugins/0004000000030800`
# On the host 3DS, select '''Local Multiplayer''' and enter the settings, including selecting the client 3DS type and exploit type.
# On the client 3DS(es), launch the download play application.
By default, the plugin will use the built-in otherapp payload (universal-otherap). You can place your own otherapp at '/kartdlphax_otherapp.bin', but keep in mind that the hax 2.0 otherapp doesn't work currently.
# On the host 3DS, select '''Create Group''' and let the client 3DS(es) join the group.
# Once the multiplayer menu loads on the host 3DS, select '''Grand Prix''', '''50cc''', any '''driver combination''', and '''the Mushroom Cup'''. The exploit will trigger on the client 3DS(es) after some time.
# Keep in mind that while you can send the exploit to 7 consoles simultaneously, the success rate seems to decrease for each console added.


== Usage ==
==Media==
1. On the host 3ds, make sure the plugin loader is enabled from the Rosalina menu (L+Down+Select), then launch the Mario Kart 7 game matching the region of the client 3ds(es). (You will see a confirmation message in the top screen once the game launches).
'''kartdlphax - A Mario Kart 7 semi-primary exploit for the Nintendo 3DS - ([https://www.youtube.com/watch?v=W2RLSJZhQFc PabloMK7])'''<br>
 
<youtube>W2RLSJZhQFc</youtube>
2. On the client 3ds(es), launch the download play application.
 
3. On the host 3ds, select `Local Multiplayer` then `Create Group`. After that, let the client 3ds(es) join the group.
 
4. Once the multiplayer menu loads on the host 3ds, select `Grand Prix` then `50cc` then any driver combination and finally the `Mushroom Cup`. After a while the exploit will trigger on the client 3ds(es).
 
Keep in mind that while you can send the exploit to 8 consoles at the same time, the success rate seems to decrease for each console added.


==Technical Details==
==Technical Details==
The exploit works by leveraging a '''vtable pwn exploit''' and a ROP chain. The download play child application doesn't have the course files stored in its ROMFS, so it has to ask the host to send them when needed. Since this data is not part of the child .cia and is not signed, arbitrary data can be sent. The client sets up a buffer to receive data from the host but never checks the incoming data size, allowing a buffer overflow to overwrite important data after the receive buffer. By overwriting a vtable, an arbitrary jump in the main thread can be produced, eventually leading to the ROP chain github.com.


This exploit consists of 3 stages + the otherapp.
The '''ROP chain''', using yellows8's 3DS ROP kit as a base, can terminate problematic threads and replace the area at 0x100000 with the next stage using gspwn. A small helper payload is needed first since some gadgets and important functions are in the same area as the otherapp target address. The '''miniapp payload''', based on luigialma's version from nitpic3d, terminates the rest of the problematic threads, reconstructs the partitioned otherapp from the received buffer, maps it to 0x290000 with gspwn, and finally launches it github.com.


# **Vtable pwn exploit**: The download play child application doesn't have the course files stored in its romfs, so it has to ask the host to send them when needed. Since this data is not part of the child `.cia` and is not signed, we can send anything arbitrary. Furthermore, the client sets up a buffer to recieve the data from the host, but it never checks the incoming data size, so we can produce a buffer overflow which overwrites important data after the recieve buffer. By overwriting a vtable, we can produce an arbitrary jump in the main thread and eventually jump to the ROP chain.
==Changelog==
 
'''v1.3.3'''
# **ROP chain**: From the rop chain and using yellows8's 3ds ropkit as a base, we can terminate some problematic threads and replace the area at `0x100000` with the next stage using gspwn. We can't load otherapp directly from ROP because some gadgets and important functions are in the same area as the otherapp target address, so a small helper payload is needed first.
*Fixed menuhax for 11.17 consoles.
 
'''v1.3.2'''
# **Miniapp payload**: This asm payload based on luigialma's version from nitpic3d is responsable of terminating the rest of the problematic threads, reconstructing the partitioned otherapp from the recieved buffer, mapping it to `0x101000` with gspwn and finally launching it.
*Fixed all issues related to firmware version 11.17.
 
'''v1.3.1'''
# You can find more in-depth details in the comments inside the [plugin](plugin/Sources/main.cpp) and [miniapp](3ds_ropkit/miniapp.s) source files.
*Fixed EUR and JPN not working.
'''v1.3.0'''
*Added support for firmware version 11.17.
'''v1.2'''
*Added built-in 3DS ROP xPloit Injector otherapp.
*Added menu to select the target 3DS type and which exploit to use.
'''v1.1'''
*Added compatibility to the American and Japanese versions of the game.
'''v1.0'''
* First Release.


== Credits ==
== Credits ==
* [3ds ropkit](https://github.com/yellows8/3ds_ropkit) (by [yellows8](https://github.com/yellows8)).
* [https://github.com/yellows8/3ds_ropkit 3ds ropkit] (by [https://github.com/yellows8 yellows8]).
* [universal-otherapp](https://github.com/TuxSH/universal-otherapp) (Copyright (c) 2020 [TuxSH](https://github.com/TuxSH)).
* [https://github.com/TuxSH/universal-otherapp universal-otherapp] (Copyright (c) 2020 [https://github.com/TuxSH TuxSH]).
* [CTRPF](https://gbatemp.net/threads/ctrpluginframework-blank-plugin-now-with-action-replay.487729/) (by [Nanquitas](https://github.com/Nanquitas)).
* [https://github.com/PabloMK7/3dsropxploitinjector 3DS ROP xPloit Injector]
* [nitpic3d](https://github.com/luigoalma/nitpic3d)'s developer [luigoalma](https://github.com/luigoalma) for his huge help.
* [https://gbatemp.net/threads/ctrpluginframework-blank-plugin-now-with-action-replay.487729/ CTRPF] (by [https://github.com/Nanquitas Nanquitas]).
* [Kartic](https://github.com/hax0kartik) for his huge help and all the people from his development discord server.
* [https://github.com/luigoalma/nitpic3d nitpic3d]'s developer [https://github.com/luigoalma luigoalma] for his huge help.
* [ihaveamac](https://github.com/ihaveamac) for helping me try the exploit in an American console.
* [https://github.com/hax0kartik Kartic] for his huge help and all the people from his development discord server.
* [https://github.com/ihaveamac ihaveamac] for helping me try the exploit in an American console.


== Notice ==
== Notice ==
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
THE SOFTWARE IS PROVIDED &quot;AS IS&quot;, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
==External Links==
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* Github - https://github.com/PabloMK7/kartdlphax
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* Gbatemp - https://gbatemp.net/threads/kartdlphax-a-mario-kart-7-semi-primary-exploit.587755/
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* Reddit - https://www.reddit.com/r/3dshacks/comments/xfc7ki/kartdlphax_v12_3ds_rop_xploit_injector/
SOFTWARE.

Latest revision as of 15:29, 22 July 2024

kartdlphax
Kartdlphax3ds.png
General
AuthorPabloMK7
TypeExploits
Version1.3.3
LicenseUnlicense
Last Updated2023/07/25
Links
Download
Website
Source

Kartdlphax is a semi-primary exploit for the download play mode of Mario Kart 7. It allows running a userland payload on an unmodified Nintendo 3DS by having it connect through download play to another 3DS with Custom Firmware running the exploit.

Installation

To use kartdlphax, you need to install the Luma3DS 3GX Loader Edition 3DS fork on the host system. The exploit uses a 3GX Plugin, and you can place the .3gx file from the Releases page in the appropriate directories depending on your game region.

  • EUR: luma/plugins/0004000000030700
  • JAP: luma/plugins/0004000000030600
  • USA: luma/plugins/0004000000030800

By default, the plugin uses the built-in otherapps (3DS ROP xPloit Injector or Universal-otherapp 3DS). However, you can place your own otherapp at /kartdlphax_otherapp.bin if desired.

Usage

  1. Enable the plugin loader from the Rosalina menu (L+Down+Select) on the host 3DS.
  2. Launch the Mario Kart 7 game matching the region of the client 3DS(es).
  3. On the host 3DS, select Local Multiplayer and enter the settings, including selecting the client 3DS type and exploit type.
  4. On the client 3DS(es), launch the download play application.
  5. On the host 3DS, select Create Group and let the client 3DS(es) join the group.
  6. Once the multiplayer menu loads on the host 3DS, select Grand Prix, 50cc, any driver combination, and the Mushroom Cup. The exploit will trigger on the client 3DS(es) after some time.
  7. Keep in mind that while you can send the exploit to 7 consoles simultaneously, the success rate seems to decrease for each console added.

Media

kartdlphax - A Mario Kart 7 semi-primary exploit for the Nintendo 3DS - (PabloMK7)

Technical Details

The exploit works by leveraging a vtable pwn exploit and a ROP chain. The download play child application doesn't have the course files stored in its ROMFS, so it has to ask the host to send them when needed. Since this data is not part of the child .cia and is not signed, arbitrary data can be sent. The client sets up a buffer to receive data from the host but never checks the incoming data size, allowing a buffer overflow to overwrite important data after the receive buffer. By overwriting a vtable, an arbitrary jump in the main thread can be produced, eventually leading to the ROP chain github.com.

The ROP chain, using yellows8's 3DS ROP kit as a base, can terminate problematic threads and replace the area at 0x100000 with the next stage using gspwn. A small helper payload is needed first since some gadgets and important functions are in the same area as the otherapp target address. The miniapp payload, based on luigialma's version from nitpic3d, terminates the rest of the problematic threads, reconstructs the partitioned otherapp from the received buffer, maps it to 0x290000 with gspwn, and finally launches it github.com.

Changelog

v1.3.3

  • Fixed menuhax for 11.17 consoles.

v1.3.2

  • Fixed all issues related to firmware version 11.17.

v1.3.1

  • Fixed EUR and JPN not working.

v1.3.0

  • Added support for firmware version 11.17.

v1.2

  • Added built-in 3DS ROP xPloit Injector otherapp.
  • Added menu to select the target 3DS type and which exploit to use.

v1.1

  • Added compatibility to the American and Japanese versions of the game.

v1.0

  • First Release.

Credits

Notice

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

External Links

Advertising: