This is a POC for a new System Settings userland exploit.
It uses ROP execution to dump DS Internet from System Settings using a custom-crafted DSiWare export.
It is useful primarily as an enhancement for the "Fredminer" variant of seedminer, to obtain free CFW on the 3DS.
Among other things, it brings free CFW to more regions*, and removes the possibility of Nintendo pulling certain games like Steel Diver from the eShop to thwart homebrew efforts.
~~~ Hbmenu? ~~~
I've been able to get otherapp.bin booting by using 3ds_ropkit and a loader ROP chain. However, shortly after the bottom screen turns yellow, the 3DS just reboots to the Home Menu.
It's alright though: Fredminer gets you a more stable 3dsx homebrew environment anyway, so this isn't a high-priority issue right now (though I admit it would still be cool to see hbmenu booting).
~~~ Exploit ~~~
Put simply, this overflows the banner title strings in DSiWare exports (TADs) when you view them in System Settings, smashing the stack and giving the attacker ROP control.
You do need the movable.sed to encrypt a payload TAD, but that's easy enough to get nowadays: movable.sed bruteforcing now only takes about a minute, and free online services can do it for you. Over 350,000 people have done it, so it can't be that hard :p
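As an added illustration of the bug class described above (this is not code from the POC, and the layout is an assumption, not the real DSiWare banner format): a hypothetical banner-title reader in C, showing the unbounded copy that trusts the file to have terminated the string next to a bounded version that rejects a malformed export instead of smashing the stack. TITLE_CHARS, banner_t, copy_title_unchecked, copy_title_checked and make_banner are assumed names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout (assumption, not the real DSiWare banner format): a title
 * field of TITLE_CHARS UTF-16 code units that should be NUL-terminated. */
#define TITLE_CHARS 128
typedef struct {
    uint16_t title[TITLE_CHARS];
} banner_t;

/* Vulnerable pattern: copy until a NUL is found, trusting the file to have
 * terminated the string. A field with no NUL keeps copying past both the
 * field and the fixed-size destination on the caller's stack. */
size_t copy_title_unchecked(const uint16_t *src, uint16_t *dst)
{
    size_t i = 0;
    while (src[i] != 0) {   /* no bound on i: the file controls the length */
        dst[i] = src[i];
        i++;
    }
    dst[i] = 0;
    return i;
}

/* Hardened: the field size is the scan bound, the destination size is the
 * copy bound, and the result is always terminated. Returns the title length,
 * or -1 if the field holds no terminator (a malformed export to reject). */
int copy_title_checked(const banner_t *b, uint16_t *dst, size_t dst_chars)
{
    size_t n = 0;
    while (n < TITLE_CHARS && b->title[n] != 0)
        n++;
    if (n == TITLE_CHARS || n >= dst_chars)
        return -1;
    memcpy(dst, b->title, n * sizeof(uint16_t));
    dst[n] = 0;
    return (int)n;
}

/* Constructed sample input: fill the title field from an ASCII string. A
 * string of TITLE_CHARS or more characters leaves no room for a terminator. */
banner_t make_banner(const char *ascii)
{
    banner_t b;
    memset(&b, 0, sizeof b);
    for (size_t i = 0; i < TITLE_CHARS && ascii[i] != 0; i++)
        b.title[i] = (uint16_t)(unsigned char)ascii[i];
    return b;
}
```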
~~~ Q&A ~~~
Q: What's with the 3 in Bannerbomb3?
A: It's a tribute to the Wii scene, they did 1 & 2. I love old homebrew scenes.
Q: Why TADmuffin?
A: Muffin sounded funny so I went with that. Just needed to be different from TADpole.
Q: Will this work on the DSi since it has DSiWare exports too?
A: The flaw is definitely there as well, but I've been unsuccessful exploiting it on hardware (I can get code execution on no$gba though). Moot because of Memory Pit anyhow ;)
Q: Is this your first 3ds userland exploit?
A: Yes. Feels good man.
~~~ Thanks ~~~
- Yellows8 for 3ds_ropkit
- All the people on #3dsdev; reading my backlog (Ctrl-F "pivot") provided a wealth of good info on the art of stack pivoting.
- Nintendo Homebrew Discord for maintaining online tools/guides and helping all the seed/frog/fredminer users. I hope this sploit makes your jobs a little easier.
- Jhynjhiruu for testing
by zoogie.