microaeris/3DS Hacking notes

## 3DS Hacking notes
# 3DS Hacking Notes

ARM11 is a group of 32-bit RISC ARM processor cores licensed by ARM Holdings.

https://www.reddit.com/r/3dshacks/comments/5kxhvm/psa_a_quick_reminder_on_layers_of_3ds_security/?st=IXCW4OS7&sh=12d494ae
    A dual- or quad-core Arm11 CPU with half-decent usermode sandboxing
    A single-core Arm9 CPU that handles all system-critical processes, with no separation between User and Kernel mode

    Arm11 Userland, where all the games and apps run, with their own sets of privileges.
    Arm11 Kernel, which gives unlimited access to much, but not all of the software features, and some hardware.
    Arm9 Kernel, which gives full, direct access to all of the hardware.


ROM
    read only memory, cheaper than writable memory, can act as primary storage on a machine (main memory). But note that parts of main memory can also be writable. Note: RAM is writable.


Flash Memory (NAND)
    Flash memory is an electronic (solid-state) non-volatile computer storage medium that can be electrically erased and reprogrammed. Examples: EEPROM, The two main types of flash memory are named after the NAND and NOR logic gates.

    Whereas EPROMs had to be completely erased before being rewritten, NAND-type flash memory may be written and read in blocks (or pages) which are generally much smaller than the entire device. NOR-type flash allows a single machine word (byte) to be written—to an erased location—or read independently.

    The NAND type operates primarily in memory cards, USB flash drives, solid-state drives (those produced in 2009 or later).

    NAND is re-programmable. It's not ROM. It's also called Flash Memory. it's non-volatile memory.
    https://en.wikipedia.org/wiki/Flash_memory


OTP
    One Time Programmable (fuse)
    https://3ds.guide/otp-info


OTP Guide - 3DS Hacking Guide
    https://3ds.guide/
    Right now most people are using menuhax/ctrboot, which loads at the same time that the normal ds home screen would be loading.
    With this hack, you could take over the actual boot process.


MPU vs MCU
    MPU = microprocessor
    MCU = microcontroller
    MCU uses on chip "embedded" flash mem (eg. NAND), faster to boot up, space is limited.
    MPUs are not memory limited because they use external memory for program and data storage. The program is typically stored in non-volatile memory, such as NAND or serial Flash, and at start-up is loaded into an external DRAM and then commences execution. This means the MPU will not be up and running as quickly as an MCU.
    Another difference is power. By embedding its own power supply, an MCU needs just one single voltage power rail. By comparison, an MPU requires several difference voltage rails for core, DDR etc.


.cia - CTR Importable Archive
    .cia is the file format that digital 3DS games come packaged in. When you install a CIA file for a game, that runs 100% exactly the same as if you just purchased it from the eshop and downloaded it.
    https://www.reddit.com/r/3dshacks/comments/3u6dhx/how_to_use_cia_files/
    https://www.3dbrew.org/wiki/CIA


.3dz or .3ds
    files are the same as .3ds files but with a modified header to allow the rom to be used online.


General Resource
    https://www.3dbrew.org/wiki/


Console Hacking - Breaking the 3DS [32c3]
    https://www.youtube.com/watch?v=UutYOidFx3c

    Arm11 runs everything that we can see. Has full access to main mem (Wram, Vram, Fcram).
    Arm9 seperate CPU that runs process 9, broker access to the hardware. eg. brokers access to storage media and crypto stuff. Has a key scrambler in the hardware. Hardware AES implementation. Has access to main mem and its own internal memory.

    4 layers of security. Arm9 has access to a sys call -> svc 0x78 that lets you run things in kernel mode as a user on the Arm9. So that means there are effectively 3 layers of security.

    Arm11 entry point: webkit through web browser or youtube app. Or games like cube ninja. You can crash the game through how the QR codes are read.

    To get our own code to run, use a ROP, which is when you build a fake stack and return into code sections we wrote.

    ROP - Return-oriented programming
        computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as non-executable memory (W xor X technique) and code signing.
        Gains control of the call stack to hijack program control flow and then executes carefully chosen machine instruction sequences that are already presented in machine's memory, called "gadgets".
        Each gadget typically ends in a return instruction and is located in a subroutine within the existing program and/or shared library code.
        Chained together, these gadgets allow an attacker to perform arbitrary operations on a machine employing defenses that thwart simpler attacks.
        https://en.wikipedia.org/wiki/Return-oriented_programming

    W^X ("Write XOR Execute"; spoken as W xor X)
        - aka DEP (Data Execution Prevention)
        the name of a security feature in operating systems and virtual machines. It is a memory protection policy whereby every page in a process's or kernel's address space may be either writable or executable, but not both.
        NX means non-executable. CPU enforces execution rights at the hardware level.
        https://en.wikipedia.org/wiki/W%5EX

    GPU DMA
    Vuln with the GPU. can get custom code execution using GPU. "can render data into main memory, into the part of main mem with application code". Can overwrite the .text section, and execute custom code in application sandbox. But still can't access to system calls. Can only access its own save data. Can't allocate more executable pages (can't alter mem layout).

    "sandbox escape"
        need to get more access than what we have in userland.

    Homebrew "service" is written as a background service to the home menu, written with ROP. This allows us to run code under any app. Can use this modify commercial games!
        1. Load game, take it over
        2. Load app's code onto menu heap
        3. Patch code (by redirecting data reads to SD card)
        4. gspwn code and jump to it.

    Lots of Arm11 entry points. all the *hax I hear about.

    How to exploit the kernel on Arm11? Can try to target NS, which is the "Nintendo Shell". So safe mode shell has a different process ID on the N3DS, so a copy of NS can start SNS (safe NS) within the teach of the GPU (eg. allocate enough space on the FCRAM, and then start the SNS). This gives a lot of privilege while still being in userland. This is N3DS only. This is an attack on the system module.

    Pt 2. Arm11 Kernel Exploit

    This is nintendo's first gaming console kernel. All previous consoles ran on "bare metal". This kernal is multi core (its thread safe). Has 130 SVCs (syscalls).
    3DS Arm11 kernal has a IPC system -> talks to services (eg. gsp service)
    All pure ARM code. Code size is small. No symbols. Physically isolated in its own memory. This 3DS ARM kernel only has access to 50 sys calls - all the interesting ones are disabled.

    Types of SVCs - Normal, enhanced, debug, privileged.
    Can only use normal SVCs.

    Malloc SVC has a vuln -> allocated space to the kernal in user accessible memory (memchunkhax). Nintendo fixed this, but there was still an issue with how they mapped the free space to userspace. There are a few cycles between when they map the free space to userspace and when they try to access the next pointer in the header of the free space. Another thread can try to edit that next pointer to be somewhere in kernel land, which would effectively map kernel pages to userspace. Issue: requires perfect timing and needs a MemChunkHdr at that new next pointer.

    To exploit Arm11 kernel:
        1. Setup some Kobjects
        2. call SVC malloc
        3. Patch the next pointer to space in the slab heap (which has pointers that resembles the memChunkHdr)
        4. Overwrite the slabHeap pages with your code!
        5. Call svcCloseHandle to deallocate all KObjects -> which jumps to the modified vtable function.

    Pt. 3 Arm9 Kernel
    Used as a security processor when executing 3DS code. Is a stripped down version of the ARM11 kernel. No MMU (everything is identity (direct) mapped).

    NTRCARDHAX
        The DS cartridges are read into a region of memory shared by ARM11 and ARM9 (shared IO region). It does not check the range it's reading in. Can change the register of the index from ARM11 to ask for more space than the 0x200 bytes. Buffer overrun!

        The data is read from a DS cartridge. So they made their own cartridge! Called a "Pass me" (?). Connect that with an FPGA to edit header info! And that gives you code execution on the ARM9.

    Arm9LoaderHax
        Chain of Trust - (of the O3DS) - verifies (with RSA) firmware binary at load time by the bootrom.

        On the N3DS, they added a new layer of crypto - ARM9Loader as a part of the firmware binary. A9L uses keys from NAND-sector. Keys are encrypted per-console using a hash of the OTP (hwid). OTP access is later disabled after the A9L.


RSA
    RSA is one of the first practical public-key cryptosystems and is widely used for secure data transmission.  In RSA, this asymmetry is based on the practical difficulty of factoring the product of two large prime numbers, the *factoring problem*.
    https://en.wikipedia.org/wiki/RSA_(cryptosystem)

    Using the RSA system, the identity of the sender can be identified as genuine without revealing her private code.

    See the math proof here:
    http://mathworld.wolfram.com/RSAEncryption.html


MMU
    VA -> PA
    Is a computer hardware unit having all memory references passed through itself, primarily performing the translation of virtual memory addresses to physical addresses. It is usually implemented as part of the central processing unit (CPU), but it also can be in the form of a separate integrated circuit.
    https://en.wikipedia.org/wiki/Memory_management_unit

    Some diagrams
    https://cseweb.ucsd.edu/classes/su09/cse120/lectures/Lecture7.pdf


Slab Heap
    It eliminates fragmentation caused by allocations and deallocations. The technique is used to retain allocated memory that contains a data object of a certain type for reuse upon subsequent allocations of objects of the same type.
    https://en.wikipedia.org/wiki/Slab_allocation

    A slab is a set of one or more contiguous pages of memory set aside by the slab allocator for an individual cache. This memory is further divided into equal segments the size of the object type that the cache is managing.
    http://www.secretmango.com/jimb/Whitepapers/slabs/slab.html


Malloc vs. brk
    https://stackoverflow.com/questions/10116033/heap-memory-and-slab-allocation

    malloc() isn't really related to the page table; it allocates virtual addresses, and the kernel is responsible for keeping track of where the pages are actually stored in physical RAM or on disk.

    malloc() interacts with the kernel via the brk() system call, which asks the kernel to allocate more pages to the process, or releases pages back to the kernel. So there are really two levels of memory allocation.

    The implementation of free() can't use brk() to shrink the data segment because there are still other allocated blocks at higher addresses. So the pages remain allocated to your program from the kernel standpoint, even though they're "free space" from the malloc() standpoint.

    malloc() operates within a userspace process.


DMA - Direct memory access
    allows certain hardware subsystems to access main system memory (RAM), independent of the central processing unit (CPU). This feature is useful at any time that the CPU cannot keep up with the rate of data transfer, or when the CPU needs to perform useful work while waiting for a relatively slow I/O data transfer.
    https://en.wikipedia.org/wiki/Direct_memory_access


ASLR - Address Space Layout Randomization
    To combat ROP, ASLR was developed. ASLR involves randomly offsetting memory structures and module base addresses to make guessing the location of ROP gadgets and APIs very difficult.

    Eg. On Windows Vista and 7, ASLR randomises the location of executables and DLLs in memory, as well as the stack and heaps.

    When all of these mechanisms are combined with DEP, we are prevented from executing shellcode. This is because we cannot execute the stack, but we also don't know where any of our ROP instructions are going to be in memory.  Certain tricks can be done with nop sleds to create a probabilistic exploit, but they are not entirely successful and aren't always possible to create.

    Seriously good stackex post with an example of ROP, NX and ASLR.
    https://security.stackexchange.com/questions/18556/how-do-aslr-and-dep-work


Info on further exploits:
    https://security.stackexchange.com/questions/20497/stack-overflows-defeating-canaries-aslr-dep-nx


IPC
    Interprocess communication
    Mechanisms an OS provides to allow processes it manages to share data


SVC - Supervisor Call instruction
    Syscalls of 3ds Kernel


Kernel
    A kernel connects the application software to the hardware of a computer.  It is the first program loaded on startup, and then manages the remainder of the startup. The kernel performs its tasks, such as executing processes and handling interrupts, in *kernel space*, whereas everything a user normally does, such as writing text in a text editor or running programs in a GUI (graphical user interface), is done in *user space*.

    When a process makes requests of the kernel, the request is called a *system call*.

    https://en.wikipedia.org/wiki/Kernel_(operating_system)


Bare metal
    means a computer without its operating system. Today it is mostly applicable to embedded systems and firmware, while everyday programs are run by a *runtime system* within an operating system.


Stack Smashing
    stack buffer overflow or stack buffer overrun occurs when a program writes to a memory address on the program's call stack outside of the intended data structure, which is usually a fixed-length buffer.
    https://en.wikipedia.org/wiki/Stack_buffer_overflow


Non-volatile memory (NVM)
    NVM or non-volatile storage is a type of computer memory that can retrieve stored information even after having been power cycled (turned off and back on). Examples of non-volatile memory include read-only memory, flash memory, Ferroelectric RAM, most types of magnetic computer storage devices (e.g. hard disk drives, floppy disks, and magnetic tape), optical discs, and early computer storage methods such as paper tape and punched cards.
    https://en.wikipedia.org/wiki/Non-volatile_memory


Firmware
    code on the device that provides the low-level control for the device.
    https://en.wikipedia.org/wiki/Firmware


Where to go from here?
    The 3DS wiki has a wealth of information.
    https://3dbrew.org/wiki


Questions

Hardmod?
Which custom firmware should I use?
	# 3DS Hacking Notes

	ARM11 is a group of 32-bit RISC ARM processor cores licensed by ARM Holdings.

	https://www.reddit.com/r/3dshacks/comments/5kxhvm/psa_a_quick_reminder_on_layers_of_3ds_security/?st=IXCW4OS7&sh=12d494ae
	A dual- or quad-core Arm11 CPU with half-decent usermode sandboxing
	A single-core Arm9 CPU that handles all system-critical processes, with no separation between User and Kernel mode

	Arm11 Userland, where all the games and apps run, with their own sets of privileges.
	Arm11 Kernel, which gives unlimited access to much, but not all of the software features, and some hardware.
	Arm9 Kernel, which gives full, direct access to all of the hardware.


	ROM
	read only memory, cheaper than writable memory, can act as primary storage on a machine (main memory). But note that parts of main memory can also be writable. Note: RAM is writable.


	Flash Memory (NAND)
	Flash memory is an electronic (solid-state) non-volatile computer storage medium that can be electrically erased and reprogrammed. Examples: EEPROM, The two main types of flash memory are named after the NAND and NOR logic gates.

	Whereas EPROMs had to be completely erased before being rewritten, NAND-type flash memory may be written and read in blocks (or pages) which are generally much smaller than the entire device. NOR-type flash allows a single machine word (byte) to be written—to an erased location—or read independently.

	The NAND type operates primarily in memory cards, USB flash drives, solid-state drives (those produced in 2009 or later).

	NAND is re-programmable. It's not ROM. It's also called Flash Memory. it's non-volatile memory.
	https://en.wikipedia.org/wiki/Flash_memory


	OTP
	One Time Programmable (fuse)
	https://3ds.guide/otp-info


	OTP Guide - 3DS Hacking Guide
	https://3ds.guide/
	Right now most people are using menuhax/ctrboot, which loads at the same time that the normal ds home screen would be loading.
	With this hack, you could take over the actual boot process.


	MPU vs MCU
	MPU = microprocessor
	MCU = microcontroller
	MCU uses on chip "embedded" flash mem (eg. NAND), faster to boot up, space is limited.
	MPUs are not memory limited because they use external memory for program and data storage. The program is typically stored in non-volatile memory, such as NAND or serial Flash, and at start-up is loaded into an external DRAM and then commences execution. This means the MPU will not be up and running as quickly as an MCU.
	Another difference is power. By embedding its own power supply, an MCU needs just one single voltage power rail. By comparison, an MPU requires several difference voltage rails for core, DDR etc.


	.cia - CTR Importable Archive
	.cia is the file format that digital 3DS games come packaged in. When you install a CIA file for a game, that runs 100% exactly the same as if you just purchased it from the eshop and downloaded it.
	https://www.reddit.com/r/3dshacks/comments/3u6dhx/how_to_use_cia_files/
	https://www.3dbrew.org/wiki/CIA


	.3dz or .3ds
	files are the same as .3ds files but with a modified header to allow the rom to be used online.


	General Resource
	https://www.3dbrew.org/wiki/


	Console Hacking - Breaking the 3DS [32c3]
	https://www.youtube.com/watch?v=UutYOidFx3c

	Arm11 runs everything that we can see. Has full access to main mem (Wram, Vram, Fcram).
	Arm9 seperate CPU that runs process 9, broker access to the hardware. eg. brokers access to storage media and crypto stuff. Has a key scrambler in the hardware. Hardware AES implementation. Has access to main mem and its own internal memory.

	4 layers of security. Arm9 has access to a sys call -> svc 0x78 that lets you run things in kernel mode as a user on the Arm9. So that means there are effectively 3 layers of security.

	Arm11 entry point: webkit through web browser or youtube app. Or games like cube ninja. You can crash the game through how the QR codes are read.

	To get our own code to run, use a ROP, which is when you build a fake stack and return into code sections we wrote.

	ROP - Return-oriented programming
	computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as non-executable memory (W xor X technique) and code signing.
	Gains control of the call stack to hijack program control flow and then executes carefully chosen machine instruction sequences that are already presented in machine's memory, called "gadgets".
	Each gadget typically ends in a return instruction and is located in a subroutine within the existing program and/or shared library code.
	Chained together, these gadgets allow an attacker to perform arbitrary operations on a machine employing defenses that thwart simpler attacks.
	https://en.wikipedia.org/wiki/Return-oriented_programming

	W^X ("Write XOR Execute"; spoken as W xor X)
	- aka DEP (Data Execution Prevention)
	the name of a security feature in operating systems and virtual machines. It is a memory protection policy whereby every page in a process's or kernel's address space may be either writable or executable, but not both.
	NX means non-executable. CPU enforces execution rights at the hardware level.
	https://en.wikipedia.org/wiki/W%5EX

	GPU DMA
	Vuln with the GPU. can get custom code execution using GPU. "can render data into main memory, into the part of main mem with application code". Can overwrite the .text section, and execute custom code in application sandbox. But still can't access to system calls. Can only access its own save data. Can't allocate more executable pages (can't alter mem layout).

	"sandbox escape"
	need to get more access than what we have in userland.

	Homebrew "service" is written as a background service to the home menu, written with ROP. This allows us to run code under any app. Can use this modify commercial games!
	1. Load game, take it over
	2. Load app's code onto menu heap
	3. Patch code (by redirecting data reads to SD card)
	4. gspwn code and jump to it.

	Lots of Arm11 entry points. all the *hax I hear about.

	How to exploit the kernel on Arm11? Can try to target NS, which is the "Nintendo Shell". So safe mode shell has a different process ID on the N3DS, so a copy of NS can start SNS (safe NS) within the teach of the GPU (eg. allocate enough space on the FCRAM, and then start the SNS). This gives a lot of privilege while still being in userland. This is N3DS only. This is an attack on the system module.

	Pt 2. Arm11 Kernel Exploit

	This is nintendo's first gaming console kernel. All previous consoles ran on "bare metal". This kernal is multi core (its thread safe). Has 130 SVCs (syscalls).
	3DS Arm11 kernal has a IPC system -> talks to services (eg. gsp service)
	All pure ARM code. Code size is small. No symbols. Physically isolated in its own memory. This 3DS ARM kernel only has access to 50 sys calls - all the interesting ones are disabled.

	Types of SVCs - Normal, enhanced, debug, privileged.
	Can only use normal SVCs.

	Malloc SVC has a vuln -> allocated space to the kernal in user accessible memory (memchunkhax). Nintendo fixed this, but there was still an issue with how they mapped the free space to userspace. There are a few cycles between when they map the free space to userspace and when they try to access the next pointer in the header of the free space. Another thread can try to edit that next pointer to be somewhere in kernel land, which would effectively map kernel pages to userspace. Issue: requires perfect timing and needs a MemChunkHdr at that new next pointer.

	To exploit Arm11 kernel:
	1. Setup some Kobjects
	2. call SVC malloc
	3. Patch the next pointer to space in the slab heap (which has pointers that resembles the memChunkHdr)
	4. Overwrite the slabHeap pages with your code!
	5. Call svcCloseHandle to deallocate all KObjects -> which jumps to the modified vtable function.

	Pt. 3 Arm9 Kernel
	Used as a security processor when executing 3DS code. Is a stripped down version of the ARM11 kernel. No MMU (everything is identity (direct) mapped).

	NTRCARDHAX
	The DS cartridges are read into a region of memory shared by ARM11 and ARM9 (shared IO region). It does not check the range it's reading in. Can change the register of the index from ARM11 to ask for more space than the 0x200 bytes. Buffer overrun!

	The data is read from a DS cartridge. So they made their own cartridge! Called a "Pass me" (?). Connect that with an FPGA to edit header info! And that gives you code execution on the ARM9.

	Arm9LoaderHax
	Chain of Trust - (of the O3DS) - verifies (with RSA) firmware binary at load time by the bootrom.

	On the N3DS, they added a new layer of crypto - ARM9Loader as a part of the firmware binary. A9L uses keys from NAND-sector. Keys are encrypted per-console using a hash of the OTP (hwid). OTP access is later disabled after the A9L.


	RSA
	RSA is one of the first practical public-key cryptosystems and is widely used for secure data transmission. In RSA, this asymmetry is based on the practical difficulty of factoring the product of two large prime numbers, the factoring problem.
	https://en.wikipedia.org/wiki/RSA_(cryptosystem)

	Using the RSA system, the identity of the sender can be identified as genuine without revealing her private code.

	See the math proof here:
	http://mathworld.wolfram.com/RSAEncryption.html


	MMU
	VA -> PA
	Is a computer hardware unit having all memory references passed through itself, primarily performing the translation of virtual memory addresses to physical addresses. It is usually implemented as part of the central processing unit (CPU), but it also can be in the form of a separate integrated circuit.
	https://en.wikipedia.org/wiki/Memory_management_unit

	Some diagrams
	https://cseweb.ucsd.edu/classes/su09/cse120/lectures/Lecture7.pdf


	Slab Heap
	It eliminates fragmentation caused by allocations and deallocations. The technique is used to retain allocated memory that contains a data object of a certain type for reuse upon subsequent allocations of objects of the same type.
	https://en.wikipedia.org/wiki/Slab_allocation

	A slab is a set of one or more contiguous pages of memory set aside by the slab allocator for an individual cache. This memory is further divided into equal segments the size of the object type that the cache is managing.
	http://www.secretmango.com/jimb/Whitepapers/slabs/slab.html


	Malloc vs. brk
	https://stackoverflow.com/questions/10116033/heap-memory-and-slab-allocation

	malloc() isn't really related to the page table; it allocates virtual addresses, and the kernel is responsible for keeping track of where the pages are actually stored in physical RAM or on disk.

	malloc() interacts with the kernel via the brk() system call, which asks the kernel to allocate more pages to the process, or releases pages back to the kernel. So there are really two levels of memory allocation.

	The implementation of free() can't use brk() to shrink the data segment because there are still other allocated blocks at higher addresses. So the pages remain allocated to your program from the kernel standpoint, even though they're "free space" from the malloc() standpoint.

	malloc() operates within a userspace process.


	DMA - Direct memory access
	allows certain hardware subsystems to access main system memory (RAM), independent of the central processing unit (CPU). This feature is useful at any time that the CPU cannot keep up with the rate of data transfer, or when the CPU needs to perform useful work while waiting for a relatively slow I/O data transfer.
	https://en.wikipedia.org/wiki/Direct_memory_access


	ASLR - Address Space Layout Randomization
	To combat ROP, ASLR was developed. ASLR involves randomly offsetting memory structures and module base addresses to make guessing the location of ROP gadgets and APIs very difficult.

	Eg. On Windows Vista and 7, ASLR randomises the location of executables and DLLs in memory, as well as the stack and heaps.

	When all of these mechanisms are combined with DEP, we are prevented from executing shellcode. This is because we cannot execute the stack, but we also don't know where any of our ROP instructions are going to be in memory. Certain tricks can be done with nop sleds to create a probabilistic exploit, but they are not entirely successful and aren't always possible to create.

	Seriously good stackex post with an example of ROP, NX and ASLR.
	https://security.stackexchange.com/questions/18556/how-do-aslr-and-dep-work


	Info on further exploits:
	https://security.stackexchange.com/questions/20497/stack-overflows-defeating-canaries-aslr-dep-nx


	IPC
	Interprocess communication
	Mechanisms an OS provides to allow processes it manages to share data


	SVC - Supervisor Call instruction
	Syscalls of 3ds Kernel


	Kernel
	A kernel connects the application software to the hardware of a computer. It is the first program loaded on startup, and then manages the remainder of the startup. The kernel performs its tasks, such as executing processes and handling interrupts, in kernel space, whereas everything a user normally does, such as writing text in a text editor or running programs in a GUI (graphical user interface), is done in user space.

	When a process makes requests of the kernel, the request is called a system call.

	https://en.wikipedia.org/wiki/Kernel_(operating_system)


	Bare metal
	means a computer without its operating system. Today it is mostly applicable to embedded systems and firmware, while everyday programs are run by a runtime system within an operating system.


	Stack Smashing
	stack buffer overflow or stack buffer overrun occurs when a program writes to a memory address on the program's call stack outside of the intended data structure, which is usually a fixed-length buffer.
	https://en.wikipedia.org/wiki/Stack_buffer_overflow


	Non-volatile memory (NVM)
	NVM or non-volatile storage is a type of computer memory that can retrieve stored information even after having been power cycled (turned off and back on). Examples of non-volatile memory include read-only memory, flash memory, Ferroelectric RAM, most types of magnetic computer storage devices (e.g. hard disk drives, floppy disks, and magnetic tape), optical discs, and early computer storage methods such as paper tape and punched cards.
	https://en.wikipedia.org/wiki/Non-volatile_memory


	Firmware
	code on the device that provides the low-level control for the device.
	https://en.wikipedia.org/wiki/Firmware


	Where to go from here?
	The 3DS wiki has a wealth of information.
	https://3dbrew.org/wiki




	Questions

	Hardmod?
	Which custom firmware should I use?