SSSpwn

Unfortunately I haven’t taken the time to document the work I’ve been doing on the 3DS lately here, even though it’s been pretty extensive. Normally, I’d try to cover things chronologically, but since I decided to reveal a new exploit today, it kind of takes priority, as there’s a lot of stuff I need to clear up. To start off, here’s a video showing ssspwn in action:

What it is, what it isn’t

If you’ve read my (now really old and outdated) article on 3DS hacking, you’ll recall that for a number of reasons, hacking the console happened by chaining multiple exploits with one another. The most widely used hack (used by flashcart teams, myself and a number of other people) relies on not one but two completely distinct exploits: the mset DS user settings exploit, which gives us arm11 usermode ROP capabilities, through which a FIRM vuln is exploited to obtain arm9 code exec. This last part was fixed with firmware version 5.0, and it’s the real critical part: while there’s a pretty high number of games that could potentially be exploited through saves to do usermode ROP, that’s useless if you don’t have another exploit to chain with it that gives you code exec capabilities. This is where ssspwn comes in; it essentially replaces the FIRM exploit we had on 4.5 and lets us execute arbitrary code. That’s why the video looks similar to the one I’d done when I got 4.5 code exec: the first stage exploit used is the same, just fine tuned to work on 6.3.

What does that mean? Simply that because the two exploits are completely separate, there’s no reason to believe that just because the mset bug was fixed in 7.0, so was ssspwn. That’s right; ssspwn has yet to be plugged by Nintendo, and could in theory give us code exec on the latest firmware version. This isn’t the case yet because we haven’t really looked for a new entrypoint, but that’s the next step.

To release or not to release

Generally speaking, the thing that’s been stopping me (and others) from releasing working exploits has been the fact that they might be used for piracy. Fortunately, that should not be a factor in this case, as by its very nature, ssspwn cannot by itself allow piracy. That’s right, it’s the sweet spot that gives us just enough to get awesome homebrew code running in arm11 user mode, but not enough to break the system badly enough to let anyone do whatever the hell they want. As such, I personally have no qualms with releasing the exploit into the wild.

You might be wondering why there isn’t a download link available yet. The reason for that is that, as I mentioned, ssspwn has yet to be fixed. In my opinion, it would be dumb to burn such a nice vuln on just 6.3 when we know full well that we should be able to use this on 7.x, and possibly even 8.x+ with some work.

Plan of action

Now, while I don’t think it’s a good idea to release this publicly just yet, I do think it would be a good idea to get it into the hands of devs with consoles still on 4.5-6.3 so we can make progress creating 3DS homebrew development tools. We’ve been making tremendous progress as it is, but we could do much more with some more talented and motivated developers. As such, I want to share this with as many reputable and available devs as possible so that they can work on making things ready for the (hopefully) upcoming 7.1+ release.

Do note that I don’t have a developer-friendly version ready just yet, but I will let everyone know as soon as I do.

Other thoughts

This is, in my opinion, the best shot we have at making a successful and accessible 3DS homebrew scene happen. I’m going to try not to fuck it up. That means that unfortunately the number of devs I’ll feel comfortable sharing the current iteration of ssspwn with will be rather limited, in an effort to avoid premature leaks. Even then, there’s a good chance this whole thing is a bad idea and that it’ll lead to the vuln being plugged before we ever get a chance to exploit it on latest system version. I’m choosing to trust people, and I sincerely hope it’s not something that will backfire.

On another, more personal note, this is the first big boy exploit of my own that I’ve unveiled, so I think that’s pretty cool.

28 comments
  1. Seeing as how you have been able to modify the core software, is it at all possible for you to create some sort of custom semi-sandboxed environment (to prevent piracy and viruses) for developers such as myself? I’m genuinely curious of whether this is possible.

  2. wow, congrats on your efforts! i really like the fact that you are not engaged on piracy :)

  3. Yuuki said:

    This is it, I won’t update my 3DS anymore (7.0). Not a big deal either, since PQ is still years away from me (EU).

  4. Yacir said:

    Very good work man, we’ve been waiting so long for this! Bravo and good luck with your plan.
    Can’t wait for Portal in 3D :)

  5. Huntereb said:

    So this means I’m going to have to rely on someone else to make a 100% free 3DS developing environment? All this time of looking up to you and it’s come to this, eh?

    • TomAto said:

      I half expected it. My hopes kept the other half waiting. That’s life I guess.

  6. Shin said:

    Do you think that would be possible to run imported 3ds cartridges with this without enabling piracy?
    Congrats on your work, cheers!

    • Lavitz said:

      I’d love to know this too! The ability to play imported games would be great

    • S said:

      I’m also curious about getting the region lock disabled, so many Japanese exclusives and sometimes over a year of waiting for them :(

      • Peter Ji said:

        I don’t think Smea can do it. Since SSSPwn can’t run arm9 code, modifying system code is rather impossible.

        • S said:

          Sad panda ;( all I want is region lock gone. Losing faith in Nintendo.

          • alexenochs said:

            If you want the region lock gone and you have a DS mode flashcart (and a 4.5 3DS), download Gateway’s latest software, run it and install it from a DS mode flashcart, boot into classic mode from the exploit and bam, region free.

  7. Chris said:

    I don’t care about piracy, I just want to be able to take screenshots of any game, both screens ideally individually or separately.

    Most games do not have Miiverse coverage, and you can’t take screenshots of them.

    • YaManicKill said:

      Yes! If we can get this, plus emulators…I’m happy.

  8. Drenn said:

    If this is just for arm11 userland code execution, I’m guessing game hacking and rednand won’t be possible? Somewhat disappointing, since Nintendo will surely patch this…

    In any case, it’s cool that the 3ds homebrew scene may finally start properly. I just hope you don’t sit on rednand forever, even if that requires 4.5.

  9. JW said:

    Very cool..although my system’s currently running the 4.x based exploit, it’s good to know that there’s another potential way of running homebrew…the more people that have access to this (or any other) exploit, the larger the homebrew scene can potentially grow.

  10. Almamu said:

    I’m interested in this too. 7.1.0E here if you need to test the exploit with 7.x

  11. le Bogoss du 38 said:

    Hi smealum!!! I am a huge fan of your 3D model of Magikarp. I think it is the best Pokémon ever!! I told everybody in my middle school and they love your Magikarp. But I just have one request: Can you give me the code to my phone, you big idiot
    I’m looking forward to becoming your best friend forever!!!!!!!! <3 <3

  12. le Bogoss du 38 said:

    And don’t you dare send me the answer by text message…

  13. Firdaus said:

    Do you take beta testers? I have a 4.5 3ds and also a 7.1 3ds.

  14. I’m also interested in your work. I have a 7.1.0U firmware if you want to test anything.

    I’m from México :)

  15. Alex said:

    Hi Smealum. I have one question for you. Is it possible to hack the 3DS eShop to add funds, like 10 000 in US money or Swedish, etc.?
    I mean, if someone could create a device for the 3DS and hacks for downloaded apps, and if we then could create a code for the 3DS eShop, we could make our account have, like I said, 10 000 dollars, etc.
    I hope that my question will be replied to.

    • smea said:

      nope, not possible.

  16. Blite said:

    I have 4 separate NAND dumps within the range you need, plus the latest. I would love to look into this. If you feel like sharing, you have my e-mail, or search for me online.

  17. Yacir said:

    Update? Pls????

  18. Anon said:

    Pretty much useless if it doesn’t allow piracy. That’s the only use of hacking the 3DS. Homebrew is crap.

    Only exception being Lemmings for DS.

  19. Yacir said:

    When will you release ssspwn? Will we be able to launch emulators? GBA for example?
