Difference between revisions of "Spider exploit"
Latest revision as of 00:14, 15 July 2015
Spider exploit | |
---|---|
Author | MathewE |
Discussion | https://gbatemp.net/threads/go-exploit.378049/ |
Status | Exploit working on v2.0 to v9.5.0-22 |
The Spider exploit was found by MathewE and used by the Gateway-3DS team to launch their flashcard's Gateway v3.0 payload on 3DS system menu versions 2.0.x to 9.2.x.
It uses a vulnerability in the WebKit-based browser of the original 3DS (code name Spider) to load a ROP chain through JavaScript and the DOM; the chain then reads a file from the SD card (by default the Launcher.dat file for Gateway 3DS).
Gateway combined it with a second exploit to gain kernel access. That second exploit was patched in system menu version 9.3.0, but the Spider exploit itself remained usable by homebrew.
The browser vulnerability was finally fixed for homebrew too in system menu version 9.5.0-23, which shipped a new Browser title (WebKit version 1.7585).
Description
The exploit uses five different ROP chains, one per browser build, selected by matching the user agent string. Each build lays out the browser binary differently, so a chain's gadget addresses are only valid for the build it was made for.
- 3DS System version 2.0 = "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.US"
- 3DS System version 2.1-3.X = "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7455.US"
- 3DS System version 4.0-4.X = "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7498.US"
- 3DS System version 5.0-7.0 = "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7552.US"
- 3DS System version 7.1-9.2 = "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7567.US"
A sixth version is served to browsers with a non-compatible user agent.
When the page is visited, the server checks the user agent and serves the page matching that browser build. The ROP chain then loads the Launcher.dat file from the SD card.
Usage
For Gateway 3DS: place the Launcher.dat file you want to boot (Gateway v3.0 or newer) on the root of your SD card, then visit http://go.gateway-3ds.com to trigger the exploit.
For homebrew: see the custom homebrew projects below.
Custom Projects
Since the Gateway 3DS team released this exploit, users have analysed how it works and extracted the ROP payload for each user agent.
The ROP payload has been reverse engineered by Yifan Lu (http://yifan.lu/category/devices/3ds/).
To make this launch method portable and independent of internet access, users ported the exploit to other hosts such as Android devices and offline private web servers.
Because the filename to load from the SD card is embedded in the JavaScript ROP chain, users can keep several launcher.dat variants (Gateway or homebrew) on the SD card and choose which one to launch by visiting a different custom page.
Below is a list of custom projects, sources and websites based on the Spider exploit.
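The following is an added example written for this page; it is not code from the page, from Gateway, or from any of the projects listed below. It shows the two pieces of server-side logic the text describes: selecting the ROP chain from the user agent string (the per-build table under Description, with a fallback for anything else) and taking the target filename from a GET parameter as the multilauncher pages do. Assumptions not stated on the page: selection keys only on the "Version/1.NNNN" build number (the page lists US strings only, so the region is parsed but ignored), the 32-character filename limit is chosen for this example, and how the filename is spliced into the chain bytes is not shown because the page does not describe the encoding.

```javascript
// Added example (not code from the page, from Gateway or from any listed
// project): user-agent dispatch and target-filename handling for a
// self-hosted Spider launcher page. Runs under Node.js.
// Assumptions: chain selection keys only on the "Version/1.NNNN" build
// number; the ROP chains themselves are opaque blobs served separately.

// Browser build number -> 3DS system version range (table from the page).
const CHAIN_BY_BUILD = {
  7412: "2.0",
  7455: "2.1-3.x",
  7498: "4.0-4.x",
  7552: "5.0-7.0",
  7567: "7.1-9.2",   // also the build shipped on 9.3 up to 9.5.0-22
};
// Browser title shipped with 9.5.0-23; the bug is fixed there, so no chain.
const PATCHED_BUILD = 7585;

const DEFAULT_TARGET = "Launcher.dat";
const MAX_TARGET_LEN = 32;   // assumed limit, chosen for this example

// Parse "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7567.US".
// Returns { lang, build, region } or null for any other browser.
function parseSpiderUserAgent(ua) {
  if (typeof ua !== "string") return null;
  const re = /^Mozilla\/5\.0 \(Nintendo 3DS; U; ; ([a-z]+)\) Version\/1\.(\d{4})\.([A-Z]+)$/;
  const m = re.exec(ua);
  if (!m) return null;
  return { lang: m[1], build: Number(m[2]), region: m[3] };
}

// Pick the chain to serve: a known build gets its chain, anything else gets
// the fallback page (the "sixth version" the page mentions).
function selectChain(ua) {
  const parsed = parseSpiderUserAgent(ua);
  if (!parsed) return { chain: "fallback", reason: "not an old-3DS browser" };
  if (parsed.build >= PATCHED_BUILD) {
    return { chain: "fallback", reason: "browser build " + parsed.build + " is patched" };
  }
  const chain = CHAIN_BY_BUILD[parsed.build];
  if (!chain) return { chain: "fallback", reason: "unknown build " + parsed.build };
  return { chain: chain, build: parsed.build, region: parsed.region };
}

// Validate a filename taken from the query string. The value ends up inside
// the served JavaScript and the chain, so it is an injection point: accept a
// single plain SD-root filename only; no separators, no traversal, no quotes.
function sanitizeTargetFilename(raw) {
  if (raw === undefined || raw === null || raw === "") return DEFAULT_TARGET;
  if (typeof raw !== "string" || raw.length > MAX_TARGET_LEN) return null;
  // First character must be alphanumeric or "_", so ".." and "/x" are rejected.
  if (!/^[A-Za-z0-9_][A-Za-z0-9_.-]*$/.test(raw)) return null;
  return raw;
}

// Decide which page to serve for one request.
// queryString is the raw "?file=..." part of the URL (may be empty).
function buildLaunchDecision(ua, queryString) {
  const sel = selectChain(ua);
  if (sel.chain === "fallback") return sel;
  const params = new URLSearchParams(queryString || "");
  const filename = sanitizeTargetFilename(params.get("file"));
  if (filename === null) return { chain: "fallback", reason: "rejected filename" };
  return { chain: sel.chain, build: sel.build, filename: filename };
}

// Constructed sample requests for the stand-alone run (not captured traffic).
const SAMPLES = [
  ["Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7567.US", "?file=rxTools.dat"],
  ["Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.US", ""],
  ["Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7585.US", ""],
  ["Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7567.US", "?file=../boot.bin"],
  ["Mozilla/5.0 (Windows NT 10.0; Win64; x64)", ""],
];
for (const [ua, qs] of SAMPLES) {
  console.log(JSON.stringify(buildLaunchDecision(ua, qs)));
}
```

The filename check is the part worth copying: the self-hosted multilauncher pages splice the GET parameter into the page they serve, so an unvalidated value is at best a path the chain cannot open and at worst script injected into the launcher page itself.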
Gateway Launcher
Name | Type | Comment |
---|---|---|
Official Payloads | Files | The payloads served by go.gateway-3ds.com, extracted by Falo |
PHP script | Files | PHP script to host the exploit yourself on your own server (https://gbatemp.net/threads/attempt-running-gw3-0-web-exploit-on-a-local-network.378058/page-9#post-5269706) |
PHP script | Files | A single-file PHP script to host the exploit yourself on your own server |
esp8266 module | Offline | Hardware mod by lukas_2511 that fits a Wi-Fi web server chipset inside the console |
Android webserver tutorial | Android | Tutorial to set up an Android web server acting as an access point |
SD card Wi-Fi access point | Offline | An SD card with built-in Wi-Fi access point capability can serve the exploit directly from your 3DS |
http://go.scmods.com/ | Online | Mirror website by Gary Opa serving the Gateway exploit |
GW3DS Loader | Android | Android application serving the exploit (removed from Google Play) |
Go! Gateway | Android | Android application serving the exploit; the exploit file name can be changed (default: Launcher.dat) |
MultiLauncher | Online | Mirror website with the ability to specify the filename to load from the SD card, so different "Launcher.dat" files can be launched |
Static GW Multilauncher | Online/Files | JavaScript-based page to host the exploit yourself without a PHP server; the filename to launch is given as a GET parameter (https://gbatemp.net/threads/release-static-html-javascript-gw-multilauncher.379080/) |
Custom ROP Loader | Online/Files | JavaScript-based page to host the exploit yourself without a PHP server; no longer uses an iframe or browserify, and loads the first-stage ROP directly from a file (https://gbatemp.net/threads/release-custom-rop-loader-html.379531/) |
Other homebrew
The Spider exploit can also be used to launch homebrew.
Below is a list of homebrew projects compatible with this launching method.
Title | Description | Author |
---|---|---|
Spider3DSTools | A set of tools for Spider exploit homebrew execution on 9.x (https://github.com/yifanlu/Spider3DSTools; discussion: https://gbatemp.net/threads/release-custom-rop-loader-html.379531/) | Yifan Lu |
Regionthree | Region-free loader for 3DS/3DSXL/2DS on firmware versions 4.0-9.5 | Smealum |
byebye bluecard | Installs the Gateway-3DS MSET exploit on 4.x consoles without needing a NDS flashcart (Spider DS Profile ROPLoader: https://gbatemp.net/threads/beta-spider-ds-profile-roploader-4-x-only.380725/) | peekatyou |
Decrypt9 | XOR pad generator for consoles on 9.x and lower | archshift |
MemoryDump | | |
Pokémon Injector | | |
Virtual Console Injector | Injects GB/GBC ROMs into a launched, installed VC channel (discussion: https://gbatemp.net/threads/injecting-roms-into-vc-with-only-the-web-browser-sure.379760/) | KazoWAR, shutterbug2000 |
rxTools | A collection of tools for ROM and NAND manipulation (extracting keys, decrypting ROMs, etc.; discussion: https://gbatemp.net/threads/release-rxtools-roxas75-3ds-toolkit-fw-2-0-9-2.382782/) | Roxas75 |
Animal Crossing: New Leaf RAM editor | RAM dumper and online editor for Animal Crossing: New Leaf (discussion: https://gbatemp.net/threads/spider-animal-crossing-new-leaf-ram-editor.382965/) | Marc_max |