More actions
(Created page with "{{Infobox 3DS homebrew | title = universal-otherapp | image = https://dlhb.gamebrew.org/3dshomebrew/universal-otherapp.jpg|250px | type = Exploits | version = v1.3.0 | licence...") |
m (Text replacement - "Infobox 3DS homebrew" to "Infobox-3DS-Homebrews") |
||
| Line 1: | Line 1: | ||
{{Infobox 3DS | {{Infobox-3DS-Homebrews | ||
| title = universal-otherapp | | title = universal-otherapp | ||
| image = https://dlhb.gamebrew.org/3dshomebrew/universal-otherapp.jpg|250px | | image = https://dlhb.gamebrew.org/3dshomebrew/universal-otherapp.jpg|250px | ||
Revision as of 13:38, 6 September 2021
Template:Infobox-3DS-Homebrews
universal-otherapp
Otherapp payload compatible with system versions 1.0 to 11.14 (all regions, all models) that leverages full exploit chains to ultimately execute a payload from the SD card.
Usage
This depends on the exploit. The recommended exploit for system versions 1.0 to 11.3 is soundhax, in which case you just have to put otherapp.bin onto the root of your SD card.
Technical details
We leverage a kernel exploit to alter L1 translation tables entries that were never previously accessed, then run kernelhaxcode_3ds which does the rest of the job.
- Below system version 9.3: we use memchunkhax1
- 9.3 and above: we exploit
smthen leverage this to exploitspi. SPI sysmodule has access toGPUPROT, subsequently allowing us to GPU DMA over the kernel memory - Full writeup coming around Christmas
spivulnerability has been documented on 3dbrew for yearssmvulnerability is an unreported 0day, however I have fixed the bug in Luma3DS's reimpl back in 2017. I believe this is fine to release it now, as the 3DS is EoL and people can use seedminer on latest system version anywaysafehaxoragbhaxused depending on version
Testing with Luma3DS
Need to disable firmlaunch patches & build without custom sm sysmodule if using Luma3DS.
Credits
- @zoogie: testing and debugging on exotic firmware versions
- @fincs: exploitation ideas, etc.
- @aliaspider: memchunkhax code