Mrrraou / waithax

An implementation of the waithax / slowhax 3DS Kernel11 exploit.
MIT License

Stuck at launch next app after installed hax #19

Closed d3m3vilurr closed 7 years ago

d3m3vilurr commented 7 years ago

Issue introduced this and tested with n3ds 10.3


Mrrraou commented 7 years ago

That's curious. I never got any issues with this. We should probably agree on some stubbed SVC to point to svcBackdoor as well; that way we don't have to add or reimplement another SVC. If you have any other ideas, please feel free to tell me.

Mrrraou commented 7 years ago

Still, the best thing would be to completely free other 3dsx apps (like fbi or bootntr) from kernel exploits. Another solution would be to patch the SVC ACL checks, but that would be more difficult and less firmware-version independent.

d3m3vilurr commented 7 years ago
  1. I don't know why; it's quite the same as fasthax. The PID is not restored after hax; everything works inside the hax installer, but the next homebrew will get stuck after exiting the installer. I haven't tested with o3ds, but n3ds does this.

    It may just be hiding the problem because of their application's layer: https://github.com/Steveice10/FBI/blob/1eb963f/source/hax/khax.c#L93-L106

  2. It's a separate issue from this one, but I agree. But the problem with embedding hax is that no API exists to check for an installed exploit. And resolving the issue is quite simple (yep, only on the hax side..): arm11 hax (and CFW) provide a patched override backdoor on svc 0x30. If that can become the de facto standard, the application side can use it for the check. It would help apps to be free from kernel exploits.

    But currently the homebrew side cannot decide this before changing hax, because a direct call to svcBackdoor without ACL will hang the application. Sometimes it looks like a bad experience.

nedwill commented 7 years ago

@Mrrraou I definitely like your idea of just having the kexploit install a backdoor and have any client applications do what they like with it. I was using a stubbed svc as you saw, and if we agree on one it'd be nice to use so the exploits can be used interchangeably.

Mrrraou commented 7 years ago

SendSyncRequest3 (SVC 0x30) indeed seems to be a good candidate for this. Most userland apps should have access to it, and it is stubbed (on retail firmwares, at least). dlplay does have access to it, for sure, which means *hax homebrew running under dlplay will have access to it, unless dlplay is updated to remove access to it. It means that the homebrew will be able to check if the backdoor is implemented by calling that stubbed SVC, and check if it returns the "Not implemented" Result code (which means it is hang-free).

I am thinking of redirecting the funcptr of that SVC in the SVC table to svcBackdoor. Tell me what you think of this, and I will update waithax accordingly.
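
The scheme proposed in the two comments above (redirect a stubbed SVC's table entry to svcBackdoor, and let homebrew probe that SVC hang-free) modelled as a host-side C program. This is an added example, not code from waithax, fasthax or FBI, and it runs on a PC: the SVC table, the per-process ACL bitmap, the result-code values and the SVC number 0x7B for svcBackdoor are constructed assumptions (only SVC 0x30 / SendSyncRequest3 comes from the thread). On real hardware an SVC the ACL denies faults the process rather than returning a code, which is the hang the thread refers to; here it is modelled as a distinct return value so the difference between probing 0x30 and calling svcBackdoor directly is visible.

```c
#include <stdint.h>
#include <stdio.h>

/* Host-side model of the 3DS SVC dispatch discussed in this issue.
 * Nothing here touches a console; every value below is a stand-in. */

typedef uint32_t Result;
typedef void (*backdoor_fn)(void);              /* callback the backdoor runs in kernel mode */
typedef Result (*svc_handler)(backdoor_fn);

#define SVC_TABLE_SIZE        0x80
#define SVC_SENDSYNCREQUEST3  0x30   /* stubbed on retail firmware (from the thread) */
#define SVC_BACKDOOR          0x7B   /* assumed SVC number for svcBackdoor; not on the page */

/* Placeholder result codes; the real 3DS values are not on the page. */
#define RES_OK               0x00000000u
#define RES_NOT_IMPLEMENTED  0xF0000001u   /* constructed stand-in for "Not implemented" */
#define RES_ACL_FAULT        0xF0000002u   /* models the hang on an SVC the process ACL denies */

static svc_handler svc_table[SVC_TABLE_SIZE];
static uint8_t     svc_acl[SVC_TABLE_SIZE];  /* 1 = the calling process may use this SVC */

/* Stub handler: what retail firmware installs for an unimplemented SVC. */
static Result svc_stub(backdoor_fn fn) { (void)fn; return RES_NOT_IMPLEMENTED; }

/* svcBackdoor model: run the caller-supplied function with kernel privilege. */
static Result svc_backdoor(backdoor_fn fn) { fn(); return RES_OK; }

/* Retail-like state: every entry stubbed except svcBackdoor itself, and an ACL
 * that grants 0x30 (most userland apps have it) but not 0x7B. */
void kernel_reset(void) {
    for (int i = 0; i < SVC_TABLE_SIZE; i++) { svc_table[i] = svc_stub; svc_acl[i] = 0; }
    svc_table[SVC_BACKDOOR] = svc_backdoor;
    svc_acl[SVC_SENDSYNCREQUEST3] = 1;
}

/* What the kernel exploit does once it has kernel code execution:
 * overwrite one function pointer, no new SVC added or reimplemented. */
void kexploit_redirect_stub_to_backdoor(void) {
    svc_table[SVC_SENDSYNCREQUEST3] = svc_backdoor;
}

/* Dispatcher: ACL check first, then the table call. */
Result dispatch_svc(unsigned svc, backdoor_fn arg) {
    if (svc >= SVC_TABLE_SIZE) return RES_NOT_IMPLEMENTED;
    if (!svc_acl[svc]) return RES_ACL_FAULT;   /* real hardware: the process hangs here */
    return svc_table[svc](arg);
}

/* ---- client (homebrew) side ---- */
static volatile int probe_ran;
void probe_callback(void) { probe_ran = 1; }

/* Hang-free check from the thread: call the stubbed SVC with a harmless callback.
 * Returns 1 if the backdoor is reachable via SVC 0x30, 0 if the stub answered
 * "Not implemented" (or anything else) and the callback never ran. */
int backdoor_available(void) {
    probe_ran = 0;
    Result r = dispatch_svc(SVC_SENDSYNCREQUEST3, probe_callback);
    return r == RES_OK && probe_ran;
}

int main(void) {
    kernel_reset();
    printf("retail:   backdoor_available=%d\n", backdoor_available());
    printf("direct svcBackdoor without ACL -> 0x%08x (would hang)\n",
           dispatch_svc(SVC_BACKDOOR, probe_callback));
    kexploit_redirect_stub_to_backdoor();
    printf("patched:  backdoor_available=%d\n", backdoor_available());
    return 0;
}
```

The point the model makes concrete: the probe is safe only because SVC 0x30 is in the process's ACL and returns a recognisable result when stubbed, whereas calling svcBackdoor's own number from a process that lacks it never returns, which is why d3m3vilurr's earlier "application will hang" problem goes away with this convention.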

d3m3vilurr commented 7 years ago

Yes, I like it. fasthax implements exactly what you describe :)

Mrrraou commented 7 years ago

Implemented in commit https://github.com/Mrrraou/waithax/commit/a4aef2334dae665c96b740d34af743dcaa744e39, and in release v1.1.0. I will update the README in order to reflect the latest changes.

d3m3vilurr commented 7 years ago

looks awesome! thanks

Mrrraou commented 7 years ago

The README has been updated, and code snippets also have been added as example usage for developers.

You (or @nedwill) can also refer to this, reuse the snippets or link to them if needed. They are licensed under the MIT License.