Brahma II is a port of the original Brahma, adapted so that it runs under
newer homebrew entry points such as Ninjhax2.
Current status:
- Success rate (OLD3DS): 100% (20/20)
- Success rate (NEW3DS): to be tested
- Tested on: TubeHax, ThemeHax
2015, Delebile
=========================================================
Brahma - Privilege elevation exploit for the Nintendo 3DS
=========================================================
WTF is 'Brahma'?
----------------
Brahma is a development tool for the Nintendo 3DS platform that enables
privileged code execution on the ARM9 processor of the 3DS. It does so by
exploiting two vulnerabilities in order to elevate its privileges.
The exploits used by Brahma are based on "commercial" exploits that have
been reverse engineered. Brahma was developed with the goal of understanding
and documenting the nature of these exploits, and further effort went into
its development in order to achieve reliable exploitation and stability.
Brahma comes with full source code, is based on libctru and requires an
existing user-mode code execution entry point (Ninjhax); from there it can
be used to elevate privileges to ARM9 pre-kernel / SVC mode.
Also, "Brahma, the creator" is a god in Hinduism who is often portrayed
with four heads and arms (heh... so funny :\).
How to build:
-------------
- Download and install devkitARM (http://devkitpro.org/wiki/Getting_Started)
- Open a shell and run 'make'
How to use:
-----------
- Prebuilt binary releases are available at
https://github.com/patois/Brahma/releases
- Run brahma.3dsx (using homebrew launcher)
- By default, the exploit will attempt to gain ARM11 kernel privileges before
finally gaining ARM9 pre-kernel privileges (by performing a "firmlaunch")
"Hotkeys" (press and hold during startup of BRAHMA):
----------------------------------------------------
* LEFT : Loads 'arm9payload.bin' from the root folder of the 3DS' SD card
and executes it
* RIGHT : Performs a reboot / firm launch of the 3DS system
* NONE : Displays a menu which allows payload files to be received via
a WiFi network connection or loaded from the '/brahma' folder
located in the root folder of the SD card
In order to send payload files to the 3DS via a network connection,
the Python script '/tools/client.py' can be used. Alternatively, netcat
does the job as well.
Syntax:
-------
client.py: 'python client.py <3DS ip> <filename>'
netcat: 'nc <3DS ip> 80 < <filename>'
Examples:
---------
client.py: 'python client.py 10.0.0.5 payload.bin'
netcat: 'nc 10.0.0.5 80 < payload.bin'
Example programs that run in privileged ARM9 mode can be downloaded from
https://github.com/patois/3DSProjects/tree/master/Brahma/
A memory dumper (3DSDevTools) for Brahma is available at
https://github.com/patois/3DSDevTools/releases
There is also a port of Decrypt9 by archshift which can be loaded using
bootstrap or Brahma (use 'make' to build the project, then use one of the
methods supported by Brahma to load the Decrypt9 payload). Decrypt9 can be
downloaded from https://github.com/archshift/Decrypt9/tree/bootstrap
Developers:
-----------
Brahma and its exploits, which enable privileged ARM9 code execution
on the Nintendo 3DS, may also be used as a "library" (#include "brahma.h"):
- call brahma_init() - initializes Brahma
- call load_arm9_payload() - loads a payload binary from disk
- call firm_reboot() - executes a payload binary (privileged ARM9 code)
- (please check the source code for more features and options)
An ARM9 payload must consist of valid ARM9 executable code; it is mapped to
physical address 0x23F00000 at run-time. Its code should begin with a branch
instruction at offset 0 and a 'placeholder' for a u32 variable at offset 4,
which Brahma fills at run-time with a backup of the original ARM9 entry point
taken from the FIRM header.
Brahma is written in a way that allows developers of payload binaries to
return control to the 3DS' firmware simply by returning from the payload's
main() function.
This allows memory contents, such as the mapped Nintendo firmware (including
the ARM9 kernel, Process9, the ARM11 kernel and several processes running on
the ARM11 core), to be read and altered for testing purposes without requiring
any changes at the file system level.
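The header convention described above (branch instruction at offset 0, u32
placeholder at offset 4, load address 0x23F00000) is easy to get wrong when
assembling a payload by hand, and a malformed header simply crashes the
console. The following script is an added example, not part of Brahma or its
tools; it parses a payload file's first two words, decodes the ARM B/BL
encoding, and reports where the entry point will land once the blob is mapped.
The sample payload bytes are constructed here for illustration; the function
names (decode_arm_branch, check_payload_header, payload_problem) are this
example's own.

```python
import struct

# Address at which Brahma maps the payload at run-time (from the README).
PAYLOAD_BASE = 0x23F00000
HEADER_SIZE = 8  # branch word at offset 0, u32 placeholder at offset 4


def decode_arm_branch(word):
    """Decode a 32-bit ARM B/BL instruction word.

    Returns (cond, is_link, byte_offset), or None when the word is not a
    branch. The byte offset is relative to the instruction address + 8,
    which is what the ARM pipeline exposes as PC for this instruction.
    """
    if (word >> 25) & 0x7 != 0b101:
        return None
    cond = word >> 28
    is_link = bool((word >> 24) & 1)
    imm24 = word & 0x00FFFFFF
    if imm24 & 0x00800000:  # sign-extend the 24-bit immediate
        imm24 -= 0x01000000
    return cond, is_link, imm24 << 2


def check_payload_header(data):
    """Validate that a payload blob follows the documented header layout.

    Returns a dict describing the header, or raises ValueError with the
    first problem found.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("payload shorter than the 8-byte header")
    if len(data) % 4:
        raise ValueError("payload length is not a multiple of 4 bytes")
    word0, placeholder = struct.unpack_from("<II", data, 0)
    branch = decode_arm_branch(word0)
    if branch is None:
        raise ValueError("offset 0 is not an ARM B/BL instruction: 0x%08X" % word0)
    cond, is_link, rel = branch
    if cond == 0xF:
        # cond=1111 with the B/BL bit pattern is BLX (immediate), which
        # switches to Thumb; the README asks for a plain branch.
        raise ValueError("offset 0 is a BLX encoding, not a plain branch")
    target = 8 + rel  # instruction at offset 0, PC reads as offset + 8
    if target < HEADER_SIZE:
        raise ValueError("branch lands inside the header (offset %d)" % target)
    if target >= len(data):
        raise ValueError("branch target offset 0x%X is past the end of the payload" % target)
    return {
        "branch_link": is_link,
        "entry_offset": target,
        "entry_address": PAYLOAD_BASE + target,
        "placeholder": placeholder,
        "size": len(data),
    }


def payload_problem(data):
    """Return the first problem as a string, or None if the header is OK."""
    try:
        check_payload_header(data)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample payload: B to offset 8 (skipping the header), a zero
# placeholder for Brahma to fill, then a nop and 'bx lr' so that the payload
# returns control to the firmware as the README describes.
SAMPLE_PAYLOAD = (
    struct.pack("<I", 0xEA000000)    # b  +8   (cond=AL, imm24=0)
    + struct.pack("<I", 0)           # u32 placeholder
    + struct.pack("<I", 0xE1A00000)  # mov r0, r0 (nop)
    + struct.pack("<I", 0xE12FFF1E)  # bx lr
)

# Constructed bad payload: first word is 'bx lr', not a branch immediate.
BAD_PAYLOAD = struct.pack("<I", 0xE12FFF1E) + struct.pack("<I", 0) * 3


if __name__ == "__main__":
    import sys

    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PAYLOAD
    problem = payload_problem(blob)
    if problem:
        print("invalid payload header:", problem)
        sys.exit(1)
    info = check_payload_header(blob)
    print("entry at offset 0x%X -> 0x%08X, %d bytes" % (
        info["entry_offset"], info["entry_address"], info["size"]))
```

Run it with the path of a payload file as its only argument; without an
argument it checks the embedded sample. The branch decoder only handles the
B/BL immediate forms, so a payload whose first instruction is `ldr pc, ...`
is reported as invalid even though it would also jump; that is intentional,
since the README specifies a branch instruction.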
Credits:
--------
- To 3dbrew.org and all its contributors for being such a great resource
- To whomever initially found the vulnerabilities and wrote the publicly
available exploit code
- To everybody who's been working on porting this exploit and its various
"bootstrap" branches to newer firmware versions and improving its stability
(in particular yifanlu, yuriks and shinyquagsire23)
- To everybody involved in creating libctru, Ninjhax and the Homebrew Menu
Disclaimer:
THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS
OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
OF SUCH DAMAGE.
(c) 2015, patois