m (Text replacement - "Infobox 3DS homebrew" to "Infobox-3DS-Homebrews") |
No edit summary |
||
(11 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
{{Infobox | {{Infobox 3DS Homebrews | ||
| title = Spider3DSTools | |title=Spider3DSTools | ||
| image = | |image=3dspc.png | ||
| type = PC Utilities | |description=Proof-of-concept code execution on Nintendo 3DS via browser exploit. | ||
| version = | |author=yifanlu | ||
| | |lastupdated=2015/03/28 | ||
| | |type=PC Utilities | ||
|version=2015 | |||
| | |license=Mixed | ||
| source = https:// | |download=https://dlhb.gamebrew.org/3dshomebrews/spider3dstools.zip | ||
|website=https://github.com/yifanlu/Spider3DSTools | |||
|source=https://github.com/yifanlu/Spider3DSTools | |||
}} | }} | ||
{{Obsolete}} | |||
This is a collection of scripts and tools used for loading code on 9.x 3DS. See [http://yifan.lu/category/devices/3ds/ here] to see how all this works. | |||
Please note this is only for developers and 3DS researchers and there is nothing here for the end user. This is not a CFW or any kind of ROM loader. | |||
==Building== | |||
You need an arm-none-eabi-gcc toolchain installed. Then just run "make". The toolchain that is tested with is [http://www.yagarto.de/ YAGARTO]. | |||
'''LoadCode:''' | |||
* This is an Spider ROP script that loads "code.bin" as ARM11 userland code from the SD card and runs it. | |||
* It exploits the [http://smealum.net/?p=517 gspwn] vulnerability to load the code. | |||
'''LoadROP:''' | |||
* This is an deobfuscated and cleaned up version of GW's first stage Launcher.dat loader with two changes. | |||
* 1) No decryption is done, and 2) no indexing is done. This means you place the raw ROP.dat on the sdcard. | |||
* It is tested to work with [http://github.com/smealum/regionthree regionthree]. | |||
'''MemoryDump:''' | |||
* Taken from [https://github.com/WinterMute/ROPInstaller WinterMute] ROP scripts for mset on 4.x and 6.x. | |||
* Dumps memory to sdcard with 9.x spider. | |||
'''Code (UVLoader Lite):''' | |||
* A stripped down version of [http://github.com/yifanlu/UVLoader UVLoader] that generates ARM code that runs with LoadCode. | |||
* Currently it does nothing except display a random pattern on screen. Think of it as a lazy hello world. It is a starting point for your code. | |||
'''Browserify:''' | |||
* Compile with "gcc -o browserify browserify.c" on your computer. | |||
* Then convert any spider ROP payload to JS string with "browserify LoadCode.dat" (as an example). | |||
'''On spider ROP payloads: ''' | |||
* There are specific data at specific offsets that spider must see for the ROP to work. | |||
* If you look in any of the example linker script, you'll see where the data is placed. | |||
* Additionaly, you must make sure the ROP script is exactly 0x300 bytes long. | |||
==Media== | |||
'''[3DS] Spider3DSTools Windows Installation & Usage Guide''' ([https://www.youtube.com/watch?v=ohThYRWhltQ BullyWiiPlaza]) <br> | |||
<youtube>ohThYRWhltQ</youtube> | <youtube>ohThYRWhltQ</youtube> | ||
= | ==Credits== | ||
* smea for ROP gadgets used in LoadCode. | |||
* WinterMute for ROP boilerplate code and inspiration for MemoryDump. | |||
==External links== | |||
* Author's website - https://yifan.lu/projects | |||
* GitHub - https://github.com/yifanlu/Spider3DSTools | |||
== | |||
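Review bot: the added bullets carry typos that will show on the rendered page. Under LoadCode and LoadROP, "an Spider ROP script" and "an deobfuscated" should use "a"; under "On spider ROP payloads", "Additionaly" should be "Additionally" and "any of the example linker script" should read "scripts". In the infobox, website and source are both set to the same GitHub URL while External links lists https://yifan.lu/projects as the author's website; consider using that for the website field so the two sections agree.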
Latest revision as of 11:49, 22 June 2024
Spider3DSTools | |
---|---|
General | |
Author | yifanlu |
Type | PC Utilities |
Version | 2015 |
License | Mixed |
Last Updated | 2015/03/28 |
Links | |
Download | |
Website | |
Source | |
This application has been obsoleted by one or more applications that serve the same purpose, but are more stable or maintained. |
This is a collection of scripts and tools used for loading code on 9.x 3DS. See here to see how all this works.
Please note this is only for developers and 3DS researchers and there is nothing here for the end user. This is not a CFW or any kind of ROM loader.
Building
You need an arm-none-eabi-gcc toolchain installed. Then just run "make". The toolchain this has been tested with is YAGARTO.
LoadCode:
- This is a Spider ROP script that loads "code.bin" as ARM11 userland code from the SD card and runs it.
- It exploits the gspwn vulnerability to load the code.
LoadROP:
- This is a deobfuscated and cleaned up version of GW's first stage Launcher.dat loader with two changes.
- 1) No decryption is done, and 2) no indexing is done. This means you place the raw ROP.dat on the sdcard.
- It is tested to work with regionthree.
MemoryDump:
- Taken from WinterMute ROP scripts for mset on 4.x and 6.x.
- Dumps memory to sdcard with 9.x spider.
Code (UVLoader Lite):
- A stripped down version of UVLoader that generates ARM code that runs with LoadCode.
- Currently it does nothing except display a random pattern on screen. Think of it as a lazy hello world. It is a starting point for your code.
Browserify:
- Compile with "gcc -o browserify browserify.c" on your computer.
- Then convert any spider ROP payload to JS string with "browserify LoadCode.dat" (as an example).
On spider ROP payloads:
- Spider must see specific data at specific offsets for the ROP to work.
- If you look in any of the example linker scripts, you'll see where the data is placed.
- Additionally, you must make sure the ROP script is exactly 0x300 bytes long.
Media
[3DS] Spider3DSTools Windows Installation & Usage Guide (BullyWiiPlaza)
Credits
- smea for ROP gadgets used in LoadCode.
- WinterMute for ROP boilerplate code and inspiration for MemoryDump.
External links
- Author's website - https://yifan.lu/projects
- GitHub - https://github.com/yifanlu/Spider3DSTools