Latest revision as of 15:29, 22 July 2024

kartdlphax | |
---|---|
Author | PabloMK7 |
Type | Exploits |
Version | 1.3.3 |
License | Unlicense |
Last Updated | 2023/07/25 |
Download | https://dlhb.gamebrew.org/3dshomebrews/kartdlphax3ds.7z |
Website | https://gbatemp.net/threads/kartdlphax-a-mario-kart-7-semi-primary-exploit.587755/ |
Source | https://github.com/PabloMK7/kartdlphax |
Kartdlphax is a semi-primary exploit for the download play mode of Mario Kart 7. It allows running a userland payload on an unmodified Nintendo 3DS by having it connect through download play to another 3DS with Custom Firmware running the exploit.
Installation
kartdlphax runs as a 3GX plugin on the host 3DS, so the host needs the Luma3DS 3GX Loader Edition fork of Luma3DS installed. Take the .3gx file from the Releases page (https://github.com/PabloMK7/kartdlphax/releases/latest) and place it in the plugin directory that matches the region of the host's copy of Mario Kart 7:
- EUR: luma/plugins/0004000000030700
- JAP: luma/plugins/0004000000030600
- USA: luma/plugins/0004000000030800
By default the plugin uses one of its built-in otherapps (3DS ROP xPloit Injector or Universal-otherapp 3DS). To run your own otherapp instead, place it at /kartdlphax_otherapp.bin.
Usage
- Enable the plugin loader from the Rosalina menu (L+Down+Select) on the host 3DS.
- Launch the Mario Kart 7 game matching the region of the client 3DS(es).
- On the host 3DS, select Local Multiplayer and enter the settings, including selecting the client 3DS type and exploit type.
- On the client 3DS(es), launch the download play application.
- On the host 3DS, select Create Group and let the client 3DS(es) join the group.
- Once the multiplayer menu loads on the host 3DS, select Grand Prix, 50cc, any driver combination, and the Mushroom Cup. The exploit triggers on the client 3DS(es) after a short while.
Up to 7 client consoles can be targeted at once, but the success rate appears to drop with each console added.
Media
kartdlphax - A Mario Kart 7 semi-primary exploit for the Nintendo 3DS (PabloMK7): https://www.youtube.com/watch?v=W2RLSJZhQFc
Technical Details
The exploit chains a vtable overwrite with a ROP chain. The download play child application does not ship the course files in its ROMFS, so it asks the host to send them when they are needed. That data is not part of the child .cia and is not signed, so a host running custom firmware can send arbitrary bytes. The client sets up a buffer to receive the data but never checks the incoming size against that buffer, so an oversized transfer overflows it and overwrites whatever sits after the receive buffer in memory. Overwriting a vtable pointer there turns a later virtual call on the main thread into an attacker-controlled jump, which lands in the ROP chain.
The ROP chain, built on yellows8's 3DS ROP kit, terminates the threads that would interfere and uses gspwn to replace the area at 0x100000 with the next stage. A small helper payload has to run first because some of the gadgets and important functions live in the same area as the otherapp target address. That miniapp payload, based on luigoalma's version from nitpic3d, terminates the remaining problematic threads, reassembles the otherapp from the partitioned chunks in the received buffer, maps it to 0x290000 with gspwn, and finally jumps to it.
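The two paragraphs above describe the bug class and the hijack in words. The following C model, added here as an illustration and not code from kartdlphax or from the game, shows both sides of the exchange: a host that sends an oversized course-data chunk carrying a fake vtable, a vulnerable client receiver that copies it without checking the size, the virtual call that then lands on attacker-chosen code, and the hardened receiver with the one missing length check. The wire format (a 4-byte length prefix), the buffer size, the one-entry vtable, the layout of the object after the buffer and the function names are all assumptions for the model; the real game's structures are not shown on this page. The model runs on a desktop host rather than the 3DS, and it shortcuts address prediction by handing the packet builder the target state.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the child's course-data receive buffer in this model (assumed). */
#define RECV_BUF_SIZE 64

struct child_state;
typedef struct { int (*on_update)(struct child_state *); } vtable_t;  /* one-entry vtable (assumed) */
typedef struct { const vtable_t *vt; int course_id; } course_obj_t;   /* object whose first word is its vtable */

/* Receive buffer immediately followed by an object with a vtable pointer:
 * the layout the overflow relies on (assumed for the model). */
typedef struct child_state {
    uint8_t      recv_buf[RECV_BUF_SIZE];
    course_obj_t obj;
} child_state_t;

static int legit_on_update(struct child_state *st) { (void)st; return 0; }
static const vtable_t legit_vtable = { legit_on_update };

/* Stands in for the first ROP gadget: if control arrives here, the jump was hijacked. */
static int attacker_gadget(struct child_state *st) { (void)st; return 0x1337; }

static void child_init(child_state_t *st) {
    memset(st, 0, sizeof *st);
    st->obj.vt = &legit_vtable;
    st->obj.course_id = 1;
}

/* Constructed wire format: 4-byte little-endian payload length, then payload. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* VULNERABLE: trusts the host's length. The copy is bounded by the packet but
 * never by recv_buf, so bytes past RECV_BUF_SIZE land on obj.vt. */
int recv_course_data_vuln(child_state_t *st, const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 4) return -1;
    uint32_t len = rd32(pkt);
    if (len > pkt_len - 4) return -1;
    memcpy((uint8_t *)st + offsetof(child_state_t, recv_buf), pkt + 4, len);
    return 0;
}

/* HARDENED: the missing check, host length against the buffer the child owns. */
int recv_course_data_safe(child_state_t *st, const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 4) return -1;
    uint32_t len = rd32(pkt);
    if (len > pkt_len - 4) return -1;
    if (len > RECV_BUF_SIZE) return -1;   /* reject the chunk instead of overflowing */
    memcpy(st->recv_buf, pkt + 4, len);
    return 0;
}

/* The child's ordinary virtual call on the object that sits after the buffer. */
int child_dispatch(child_state_t *st) {
    vtable_t vt;
    memcpy(&vt, st->obj.vt, sizeof vt);   /* load the table obj.vt points at, wherever it is now */
    return vt.on_update(st);
}

/* Host side: fill recv_buf with a fake vtable, then spill one pointer past it so
 * obj.vt points back at that fake table. 'out' must hold
 * 4 + RECV_BUF_SIZE + sizeof(const vtable_t *) bytes. */
size_t build_overflow_packet(uint8_t *out, const child_state_t *target) {
    const vtable_t fake = { attacker_gadget };
    const vtable_t *fake_addr = (const vtable_t *)target->recv_buf;  /* where 'fake' will land */
    uint32_t len = RECV_BUF_SIZE + (uint32_t)sizeof fake_addr;
    wr32(out, len);
    memset(out + 4, 0, RECV_BUF_SIZE);
    memcpy(out + 4, &fake, sizeof fake);                            /* fake vtable at buffer start */
    memcpy(out + 4 + RECV_BUF_SIZE, &fake_addr, sizeof fake_addr);  /* overwrites obj.vt */
    return 4 + len;
}

typedef struct { int recv_rc; int dispatched; } result_t;

/* Runs the exchange end to end against the vulnerable (0) or hardened (1) receiver. */
result_t simulate(int hardened) {
    child_state_t st;
    uint8_t pkt[4 + RECV_BUF_SIZE + sizeof(const vtable_t *)];
    result_t r;
    child_init(&st);
    size_t n = build_overflow_packet(pkt, &st);
    r.recv_rc = hardened ? recv_course_data_safe(&st, pkt, n)
                         : recv_course_data_vuln(&st, pkt, n);
    r.dispatched = child_dispatch(&st);
    return r;
}

int main(void) {
    result_t v = simulate(0), s = simulate(1);
    printf("vulnerable: recv=%d dispatch=0x%x (attacker gadget ran)\n", v.recv_rc, v.dispatched);
    printf("hardened:   recv=%d dispatch=0x%x (chunk rejected, vtable intact)\n", s.recv_rc, s.dispatched);
    return 0;
}
```

With the vulnerable receiver the copy runs 72 bytes into a 64-byte buffer, the last 8 bytes replace obj.vt, and the next virtual call dispatches into attacker_gadget; the hardened receiver rejects the chunk and the legitimate vtable is still in place. The fix is a single comparison on the client, which is why an unmodified console cannot protect itself: the check is missing from the child application that download play delivers.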
Changelog
v1.3.3
- Fixed menuhax for 11.17 consoles.
v1.3.2
- Fixed all issues related to firmware version 11.17.
v1.3.1
- Fixed EUR and JPN not working.
v1.3.0
- Added support for firmware version 11.17.
v1.2
- Added built-in 3DS ROP xPloit Injector otherapp.
- Added menu to select the target 3DS type and which exploit to use.
v1.1
- Added compatibility to the American and Japanese versions of the game.
v1.0
- First Release.
Credits
- 3ds ropkit (by yellows8).
- universal-otherapp (Copyright (c) 2020 TuxSH).
- 3DS ROP xPloit Injector
- CTRPF (by Nanquitas).
- nitpic3d's developer luigoalma for his huge help.
- Kartic for his huge help and all the people from his development discord server.
- ihaveamac for helping me try the exploit in an American console.
Notice
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
External Links
- Github - https://github.com/PabloMK7/kartdlphax
- Gbatemp - https://gbatemp.net/threads/kartdlphax-a-mario-kart-7-semi-primary-exploit.587755/
- Reddit - https://www.reddit.com/r/3dshacks/comments/xfc7ki/kartdlphax_v12_3ds_rop_xploit_injector/