| #35044 posted 2016-12-13 @ 07:01 GMT |
slowhax / waithax
Implementation of the slowhax / waithax ARM11 kernel exploit.
Kind of intended as a reference implementation, sort of based on [Steveice10's memchunkhax2 implementation](https://github.com/Steveice10/memchunkhax2/).
Definitely does not look the cleanest possible, feel free to contribute.
Can only work from 9.0 to 11.1, as the vulnerability was patched on 11.2. Use faster exploits if you can, though.
Only tested on my 10.3 New3DS, but I don't see why it would fail on other consoles. There are no hardcoded addresses in this implementation.
Exploit written in less than a day. Finding the strat took more time.
No one really seemed to care about doing it apparently...
How to use
Please check the `main.c` file in the `source` folder for information on how to use this implementation in your own application.
Take note that this implementation does not patch the SVC call access table, nor the process PID on its own.
However, an helper method is given to run your own kernel mode code after running the exploit. This method *sort of* acts like svcBackdoor; but the given code will be run with the SVC-mode stack, instead of the userland caller thread stack.
Estimated time for running the exploit
Takes around 20 minutes for New3DS, and around 1 hour for Old3DS.
- nedwill/derrek for discovering the vulnerability, they're the real guys here
- Steveice10 for the memchunkhax2 implementation
- AuroraWright/TuxSH for Luma3DS and its exception handlers, Subv/cell9 for the SVC access check patches which were extensively used for development
- TuxSH for finding the KSyncObject address leaking used in memchunkhax2, Kernel11 RE and lots of more stuff
- if I missed anyone in there please tell me
_____________________________ ____________ __________________ /\________
\ __________________ \ _____/____/ _ \ /_ /
/ / | l/ _/ ____) _/ _ \ \/ cREAM /
/______________l_______/ \______________\_______| \_ /________/
-+--Mo!-------------- \________/ ------------------- l_______/_____\ -----+-