
(S)ELF-EXPLOITATION

Jonathan Garrett, Insomniac Games

RATCHET AND CLANK: UP YOUR ARSENAL was an online title which shipped without the ability to patch either code or data. Which was unfortunate.

The game downloads and displays an End User License Agreement each time it’s launched. This is an ascii string stored in a static buffer. This buffer is filled from the server without checking that the size is within the buffer’s capacity.

We exploited this fact to cause the EULA download to overflow the static buffer far enough to also overwrite a known global variable. This variable happened to be the function callback handler for a specific network packet. Once this handler was installed, we could send the network packet to cause a jump to the address in the overwritten global. The address was a pointer to some payload code which was stored earlier in the EULA data.

Valuable data existed between the real end of the EULA buffer and the overwritten global, so the first job of the payload code was to restore

@smealum
smealum / bin2wav.py
Last active May 25, 2020 22:34
bangai-o soundhax
import sys
import wave
import struct
# bit0 is a single period sine wave at 1024Hz with a given amplitude
# bit1 is the same but with ~2.7 times the amplitude
bits = [[0x00, 0x09, 0x12, 0x1A, 0x21, 0x27, 0x2C, 0x2F, 0x30, 0x2F, 0x2C, 0x27, 0x21, 0x1A, 0x12, 0x09, 0x00, 0xF6, 0xED, 0xE5, 0xDE, 0xD8, 0xD3, 0xD0, 0xD0, 0xD0, 0xD3, 0xD8, 0xDE, 0xE5, 0xED, 0xF6], [0x00, 0x18, 0x30, 0x46, 0x59, 0x69, 0x75, 0x7C, 0x7F, 0x7C, 0x75, 0x69, 0x59, 0x46, 0x30, 0x18, 0x00, 0xE7, 0xCF, 0xB9, 0xA6, 0x96, 0x8A, 0x83, 0x81, 0x83, 0x8A, 0x96, 0xA6, 0xB9, 0xCF, 0xE7]]
bits[0] = [b^0x80 for b in bits[0]]
bits[1] = [b^0x80 for b in bits[1]]
bits[0] = struct.pack('%sB' % len(bits[0]), *bits[0])
@kitlith
kitlith / 1-ntrcardhax.md
Last active August 1, 2020 19:22
Collection of Information about ntrcardhax

NTRCARDhax

This is in progress, and is by no means finished, fork and comment with a link to your changes and I'll update here. Information on the 3DS side should be about done. I still have questions, though, which would be nice to know the answers to.
My thoughts on implementing the gamecard side of things can be found here.

ARM9hax

ARM9 code uses REG_NTRCARDMCNT, at physical address 0x1016400 as a reference. ARM9 triggers reading by writing 4 bytes to 4 bytes after this address, REG_NTRCARDROMCNT. This is located at 0x10164004.

@yifanlu
yifanlu / gist:e80db121d38aceb8cca0e03cefd5853b
Last active November 3, 2023 22:55
3DS System Transfer + NNID & eShop on new region
This is an ADVANCED guide and should not be attempted by anyone who does not COMPLETELY understand each step and what it does to their device. Additionally, the prerequisite is that you have already performed a region change on your 3DS. You also need access to another 3DS on the target region that you can format to a non-NNID linked state (you can use emuNAND here). For simplicity, I am going to assume you are region changing a N3DS from Japan to USA and have access to a USA O3DS. The guide is in two parts: System Transfer and NNID Linking. For those who wish to just have access to USA eShop (and the ability to download free games; if you only want to use eShop to purchase games, you do not have to link a NNID) you can skip to the second part.
To modify requests, I use Charles Proxy to set breakpoints so I can change requests and responses as they come in. However, you can do it in any way you choose. Also, since 9.2 eShop was disabled, you may have to additionally modify all requests from the 3DS to send a
#!/usr/bin/env python3
import os
import shutil
import sys
helptext = """usage: firmswap.py [options]
swap FIRM partition(s) from 11.0 to 10.4 FIRM
default behavior:
- create backup of NAND.bin named NAND.bin.bak
@ihaveamac
ihaveamac / cdndownload.py
Last active September 6, 2021 23:52
crappy cdn downloader
#!/usr/bin/env python3
# usage: cdndownload.py <titleid> [titlekey]
# if a system title is given for titleid, titlekey is not used
# system titles should be "legit CIAs" i.e. a stock system will install it
# unlike other cdn downloaders, this doesn't use make_cdn_cia or anything
# it downloads and saves directly to the cia, so it's faster
import base64
[ASCII-art banner: a writeup release by rol]
@SciresM
SciresM / Signatures.txt
Last active October 13, 2023 14:04
"Perfect" sighax signatures for every Boot9 modulus.
Retail NAND FIRM:
Perfect Signature:
B6724531C448657A2A2EE306457E350A10D544B42859B0E5B0BED27534CCCC2A4D47EDEA60A7DD99939950A6357B1E35DFC7FAC773B7E12E7C1481234AF141B31CF08E9F62293AA6BAAE246C15095F8B78402A684D852C680549FA5B3F14D9E838A2FB9C09A15ABB40DCA25E40A3DDC1F58E79CEC901974363A946E99B4346E8A372B6CD55A707E1EAB9BEC0200B5BA0B661236A8708D704517F43C6C38EE9560111E1405E5E8ED356C49C4FF6823D1219AFAEEB3DF3C36B62BBA88FC15BA8648F9333FD9FC092B8146C3D908F73155D48BE89D72612E18E4AA8EB9B7FD2A5F7328C4ECBFB0083833CBD5C983A25CEB8B941CC68EB017CE87F5D793ACA09ACF7
Exponentiated Message:
0002B31331C710412333A587890F9CF0B6A86E71C8A78F96B76082903B3E54EA9AB935978BBF2493BB829E9A5A6060B0C7811881176BCF9FE8B1C5C5E0A95327DB8B52EC178A884AD9CF28DB8BBF2922C05FD034AC81BD231AEB0CBEF6F7DE6F3A30812B9F9A83BF33251891BFA18FA38A64C6FF5F77DBE11C3780C23EA9F6D00F9C01D6FC8A878591D36C4F64ACA6B8D11BBEB21476103C6E86FF2196D465BA4DB78F81F1D3BCCA186BDDD56739A12DD36122F3F5B3DD518DDAC4FA29395EA4CD9DFD80AF8A399990F4FDD3CD6B07EC2122437CCFC3B62B1D1493A7DBB442003
@LiquidFenrir
LiquidFenrir / gist:d110f3e7755ffbe82672eda49ae21af2
Last active February 21, 2023 22:06
gdb 101 for 3ds, credits to Stary
1. enable debugger in rosalina menu
go to process list
select a process
2. launch arm-none-eabi-gdb <path to elf>
command "target remote ip:port"
3. command "continue" or "c" to resume execution
4.
@istepanov
istepanov / Configuration.h
Last active July 26, 2023 16:45
Marlin Anet A8 config
/**
* Marlin 3D Printer Firmware
* Copyright (C) 2016 MarlinFirmware [https://github.com/MarlinFirmware/Marlin]
*
* Based on Sprinter and grbl.
* Copyright (C) 2011 Camiel Gubbels / Erik van der Zalm
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or