zoogie / MSET9

Ultimate gift of Lenny

MSET9

Thanks

MSET9 in action

What it is

This is an ARM9 primary exploit for the 3DS that can be launched using nothing but file and directory names placed on the inserted SD card: no exploit binary has to be loaded, the names themselves are the payload.

How does it work

In the implementation of FSPXI:EnumerateExtSaveData (called by MSET to parse 3DS extdata IDs for Data Management), the return value of the process9-internal call that opens a directory (while enumerating the contents of the extdata directory) is not checked. If that call fails, an uninitialised pointer on the stack is used for a vtable call.

As a result, a file (where a folder is expected) whose name starts with 8 hex digits crashes process9 if it is placed directly inside the extdata directory. The crash manifests in several ways depending on subtle differences in how the user triggers it.

While most of these crashes are null dereferences, in one specific context process9 jumps directly to an ID1 string held in ARM9 memory. Surprisingly, the 3DS does not check which characters make up the ID1 directory name on the SD card; it only requires the name to be exactly 32 characters long. This lets the attacker embed ARM instructions in the Unicode ID1 directory name, take control of the ARM9, and with it gain full control of the 3DS.
Source: 3Dbrew
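The description above fixes the shape of the ID1 payload: the directory name is exactly 32 characters, SD cards are FAT32, and FAT32 long names are stored as UTF-16LE, so 32 characters are 64 bytes, or 16 ARM instruction words read little-endian from the name. The 3DS does not care which characters those are, but the PC that creates the directory does, so an encoding that contains a NUL code unit, a reserved FAT character or an unpaired surrogate cannot be written to the card in the first place. The following script, added here as an illustration and not the MSET9 installer's own code, packs instruction words into code units, runs those host-side checks, and also recognises the 8-hex-digit trigger filename. The instruction words are constructed examples (a NOP-filled name and a `mov lr, #1`/`bx lr` filler), not the exploit's payload, and the FAT32/host filename rules are an assumption about the SD side, not something the page states.

```python
"""
Added illustration of the ID1-name constraints described above.  Not the
MSET9 installer's own code: the instruction words are constructed examples
and the FAT32 long-file-name rules are an assumption about the host/SD side.
"""
import re
import struct

ID1_LEN = 32                        # code units the 3DS requires, per the text
WORD_UNITS = 2                      # one 32-bit ARM word = two UTF-16 code units
MAX_WORDS = ID1_LEN // WORD_UNITS   # 16 instructions fit in one ID1 name

# Assumption: standard FAT32 long-name / host OS rules.  NUL ends a long-name
# entry, these ASCII characters are reserved, control characters are refused.
FORBIDDEN_ASCII = set('\\/:*?"<>|')


def words_to_units(words):
    """Little-endian ARM words -> list of 16-bit UTF-16LE code units."""
    raw = b"".join(struct.pack("<I", w) for w in words)
    return list(struct.unpack("<%dH" % (len(raw) // 2), raw))


def units_to_name(units):
    """Code units -> str; surrogatepass keeps malformed pairs visible."""
    return struct.pack("<%dH" % len(units), *units).decode("utf-16-le", "surrogatepass")


def name_to_words(name):
    """Inverse view: the directory name as the ARM9 sees it in memory."""
    raw = name.encode("utf-16-le", "surrogatepass")
    return list(struct.unpack("<%dI" % (len(raw) // 4), raw))


def check_id1_units(units):
    """Return the problems that stop these code units being written as an ID1 dirname."""
    problems = []
    if len(units) != ID1_LEN:
        problems.append("length %d, need exactly %d code units" % (len(units), ID1_LEN))
    i = 0
    while i < len(units):
        u = units[i]
        if u == 0:
            problems.append("unit %d is NUL (terminates the long name)" % i)
        elif u < 0x20 or chr(u) in FORBIDDEN_ASCII:
            problems.append("unit %d is reserved character %#06x" % (i, u))
        elif 0xD800 <= u <= 0xDBFF:
            # high surrogate: the next unit must be a low surrogate
            if i + 1 >= len(units) or not (0xDC00 <= units[i + 1] <= 0xDFFF):
                problems.append("unit %d is an unpaired high surrogate" % i)
            else:
                i += 1
        elif 0xDC00 <= u <= 0xDFFF:
            problems.append("unit %d is an unpaired low surrogate" % i)
        i += 1
    if units and units[-1] in (0x20, 0x2E):
        problems.append("trailing space/period is trimmed by the host")
    return problems


def check_payload(words):
    """Convenience wrapper: check a list of ARM instruction words."""
    return check_id1_units(words_to_units(words))


def is_trigger_name(filename):
    """Crash trigger from the text: a file whose name starts with 8 hex digits."""
    return re.match(r"[0-9A-Fa-f]{8}", filename) is not None


# Constructed examples, not the exploit's payload.
NOP_PAYLOAD = [0xE1A00000] * MAX_WORDS                       # 16 x `mov r0, r0`
OK_PAYLOAD = [0xE3A0E001] * (MAX_WORDS - 1) + [0xE12FFF1E]   # `mov lr, #1` ... `bx lr`

if __name__ == "__main__":
    print(check_payload(NOP_PAYLOAD))   # every NOP has a 0x0000 low halfword
    print(check_payload(OK_PAYLOAD))    # no problems
    print(repr(units_to_name(words_to_units(OK_PAYLOAD))))
```

The NOP case shows the practical constraint: any instruction whose low halfword encodes to 0x0000 (a plain `mov r0, r0`, a short forward branch, most zero immediates) cannot appear in the name because the NUL would terminate the long-name entry, so a real payload has to be assembled from encodings whose halfwords all survive as filename characters.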

Can I do it?

-- A 3DS on system version 11.4 to 11.17, any region (probably; not every region has been tested)
-- A USB SD card reader
-- A Windows, macOS or Linux PC (this might be expanded to ChromeOS and/or Android at some point, if possible)

Directions

See the release archive or, preferably, the 3DS Hacks Guide page for MSET9.

Troubleshooting

https://3ds.hacks.guide/troubleshooting.html#installing-boot9strap-mset9

FAQ

(the rest of this is more FYI than anything important)

Additional Thanks

These repositories provide the homebrew binaries included in the release archive. Many thanks to their authors.
https://github.com/LumaTeam/Luma3DS
https://github.com/d0k3/GodMode9
https://github.com/d0k3/SafeB9SInstaller (renamed SafeB9S.bin)
https://github.com/devkitPro/3ds-hbmenu
https://github.com/SciresM/boot9strap
https://github.com/Steveice10/FBI