Toggle menu
Toggle personal menu
Not logged in
Your IP address will be publicly visible if you make any edits.

Fierce Waffle ROP Loader 3DS: Difference between revisions

From GameBrew
No edit summary
No edit summary
Line 1: Line 1:
{{Infobox 3DS Homebrews
{{Infobox 3DS Homebrews
|title=fierce waffle RAM dumper
|title=3DS Toolkit by Fierce Waffle
|description=Development
|description=3DS RAM dumper.
|author=Fierce Waffle
|author=Fierce Waffle
|lastupdated=2014/01/16
|lastupdated=2013/12/26
|type=System Tools
|type=Developments
|version=2014
|version=2014
|license=Mixed
|license=Mixed
|download=https://dlhb.gamebrew.org/3dshomebrew/fierce-waffles-RAM-dumper.rar
|download=https://dlhb.gamebrew.org/3dshomebrews/3dstoolkitfie.7z
|website=https://gbatemp.net/threads/homebrew-development.360646/
|website=https://gbatemp.net/threads/homebrew-development.360646
}}
}}
<youtube>OuQR4Sm8Jm8</youtube>
{{Obsolete}}


Contains two Launchers, one for GW and one for Waffles Loader, dumps the whole FCRAM to SDCard, might take a few tries to boot.  
The 3DS Toolkit is a utility that can extract memory dump, developed by Fierce Waffle. The project was initially titled ROP Loader, where ROP is an abbreviation for Return-Oriented Programming, and is one of the exploit technologies that utilize the code of programs that are already installed.


Needs about 30 Minutes for the entire dump.
Since the 3DS Toolkit uses the same DS Profile exploit as Gateway 3DS, the operating environment is 4.1-4.5.
 
The DS Profile exploit is/was a well known, but not often performed exploit for the Nintendo 3DS. This exploit involved setting a value too high for the length of a string which caused too much to be read on the stack.
 
There is a file called SYS: /Launcher.dat that 3DS uses to configure the system, and the first character "S" is removed from the string "SYS: /Launcher.dat" in the memory of 3DS. Furthermore, by mounting the SD card as "YS: /", Launcher.dat functions as ROP.
 
However, that alone is only a userland exploit (DS Profile exploit), so in order to go beyond that it would require a kernel exploit. The method this 3DS Toolkit used is through changing the permissions of IOpen_File, which allows user to dump RAM and possbility to execute custom codes.
 
==User guide==
===How to use===
Copy the ROPLoader.nds file to any flashcart compatible 3DS flashcard.
 
Insert the flash card and open the 'game' with the title of ROPLoader.
 
When loaded, press the A button to initiate the initial ROP payload installation process
 
If the verification process fails, repeat steps 2-3. Otherwise, press A to return to your 3DS home menu.
 
Copy the Launcher.dat that you wish to use to your 3DS' SD card and reinsert the SD into your 3DS.
 
To initiate the exploit navigate to System Settings>  Other Settings> Profile> Nintendo DS Profile.
 
===References===
* [http://3dbrew.org/wiki/Filesystem_services Nintendo 3DS Filesystem Services] from 3DBrew.
* [http://3dbrew.org/wiki/Memory_layout Nintendo 3DS Memory Layout] from 3DBrew.
* [http://3dbrew.org/wiki/3DS_System_Flaws Nintendo 3DS Exploits] from 3DBrew.
* [https://web.archive.org/web/20140203084258/http://nocash.emubase.de/gbatek.htm#dsserialperipheralinterfacebusspi DS Serial Peripheral Interface Bus] from GBATEK (archived).
* [https://web.archive.org/web/20140122214721/http://smealum.net/?page_id=299 3DS Homebrew and Custom Firmware] by smealum (archived).
 
==Changelog==
'''v0.0.0.2 2013/12/26'''
* Fixed Verify Bug.
* Fixed an error users would get when installing the ROP Loader.
 
'''v0.0.0.1 2013/12/25'''
* Initial Release.
* RAM dumping from 0x00100000 with a size of 0x00300000 bytes.
 
==External links==
* GitHub - https://github.com/naehrwert/p3ds
* Official website - [https://web.archive.org/web/20140122214721/http://www.fiercewaffle.com/softwareArticle.php?id=10 http://www.fiercewaffle.com/softwareArticle.php?id=10]
* GBAtemp - https://gbatemp.net/threads/homebrew-development.360646
 
[[Category:3DS homebrew loaders]]
[[Category:Homebrew custom firmwares on 3DS]]

Revision as of 04:31, 14 Ocak 2022

3DS Toolkit by Fierce Waffle
General
AuthorFierce Waffle
TypeDevelopments
Version2014
LicenseMixed
Last Updated2013/12/26
Links
Download
Website

The 3DS Toolkit is a utility that can extract memory dump, developed by Fierce Waffle. The project was initially titled ROP Loader, where ROP is an abbreviation for Return-Oriented Programming, and is one of the exploit technologies that utilize the code of programs that are already installed.

Since the 3DS Toolkit uses the same DS Profile exploit as Gateway 3DS, the operating environment is 4.1-4.5.

The DS Profile exploit is/was a well known, but not often performed exploit for the Nintendo 3DS. This exploit involved setting a value too high for the length of a string which caused too much to be read on the stack.

There is a file called SYS: /Launcher.dat that 3DS uses to configure the system, and the first character "S" is removed from the string "SYS: /Launcher.dat" in the memory of 3DS. Furthermore, by mounting the SD card as "YS: /", Launcher.dat functions as ROP.

However, that alone is only a userland exploit (DS Profile exploit), so in order to go beyond that it would require a kernel exploit. The method this 3DS Toolkit used is through changing the permissions of IOpen_File, which allows user to dump RAM and possbility to execute custom codes.

User guide

How to use

Copy the ROPLoader.nds file to any flashcart compatible 3DS flashcard.

Insert the flash card and open the 'game' with the title of ROPLoader.

When loaded, press the A button to initiate the initial ROP payload installation process

If the verification process fails, repeat steps 2-3. Otherwise, press A to return to your 3DS home menu.

Copy the Launcher.dat that you wish to use to your 3DS' SD card and reinsert the SD into your 3DS.

To initiate the exploit navigate to System Settings> Other Settings> Profile> Nintendo DS Profile.

References

Changelog

v0.0.0.2 2013/12/26

  • Fixed Verify Bug.
  • Fixed an error users would get when installing the ROP Loader.

v0.0.0.1 2013/12/25

  • Initial Release.
  • RAM dumping from 0x00100000 with a size of 0x00300000 bytes.

External links

Advertising: