More actions
m (Text replacement - "Infobox 3DS homebrew" to "Infobox-3DS-Homebrews") |
No edit summary |
||
Line 3: | Line 3: | ||
| image = https://dlhb.gamebrew.org/3dshomebrew/universal-otherapp.jpg|250px | | image = https://dlhb.gamebrew.org/3dshomebrew/universal-otherapp.jpg|250px | ||
| type = Exploits | | type = Exploits | ||
| version = v1.3.0 | | version=v1.3.0 | ||
| lastupdated = 2021/02/14 | |||
| licence = Mixed | | licence = Mixed | ||
| author = TuxSH | | author = TuxSH | ||
| website = https://github.com/TuxSH/universal-otherapp | | website = https://github.com/TuxSH/universal-otherapp | ||
| download = https://dlhb.gamebrew.org/3dshomebrew/universal-otherapp.rar | | download = https://dlhb.gamebrew.org/3dshomebrew/universal-otherapp.rar | ||
| source = https:// | | source = https://github.com/TuxSH/universal-otherapp | ||
}} | }} | ||
<youtube>1DFUeFjYgUE</youtube> | <youtube>1DFUeFjYgUE</youtube> |
Revision as of 08:39, 8 September 2021
Template:Infobox-3DS-Homebrews
universal-otherapp
Otherapp payload compatible with system versions 1.0 to 11.14 (all regions, all models) that leverages full exploit chains to ultimately execute a payload from the SD card.
Usage
This depends on the exploit. The recommended exploit for system versions 1.0 to 11.3 is soundhax, in which case you just have to put otherapp.bin
onto the root of your SD card.
Technical details
We leverage a kernel exploit to alter L1 translation tables entries that were never previously accessed, then run kernelhaxcode_3ds
which does the rest of the job.
- Below system version 9.3: we use memchunkhax1
- 9.3 and above: we exploit
sm
then leverage this to exploitspi
. SPI sysmodule has access toGPUPROT
, subsequently allowing us to GPU DMA over the kernel memory - Full writeup coming around Christmas
spi
vulnerability has been documented on 3dbrew for yearssm
vulnerability is an unreported 0day, however I have fixed the bug in Luma3DS's reimpl back in 2017. I believe this is fine to release it now, as the 3DS is EoL and people can use seedminer on latest system version anywaysafehax
oragbhax
used depending on version
Testing with Luma3DS
Need to disable firmlaunch patches & build without custom sm
sysmodule if using Luma3DS.
Credits
- @zoogie: testing and debugging on exotic firmware versions
- @fincs: exploitation ideas, etc.
- @aliaspider: memchunkhax code