SSSpwn

Unfortunately I haven’t taken the time to document the work I’ve been doing on the 3DS lately here, even though it’s been pretty extensive. Normally, I’d try to cover things chronologically, but since I decided to reveal a new exploit today, it takes priority, as there’s a lot of stuff I need to clear up. To start off, here’s a video showing ssspwn in action:

What it is, what it isn’t

If you’ve read my (now really old and outdated) article on 3DS hacking, you’ll recall that, for a number of reasons, hacking the console happened by chaining multiple exploits together. The most widely used hack (used by flashcart teams, myself and a number of other people) relies on not one but two completely distinct exploits: the mset DS user settings exploit, which gives us arm11 usermode ROP capabilities, through which a FIRM vuln is exploited to obtain arm9 code exec. This last part was fixed with firmware version 5.0, and it’s the really critical part: while there’s a pretty high number of games that could potentially be exploited through saves to do usermode ROP, that’s useless if you don’t have another exploit to chain with it that gives you code exec capabilities. This is where ssspwn comes in; it essentially replaces the FIRM exploit we had on 4.5 and lets us execute arbitrary code. That’s why the video looks similar to the one I’d done when I got 4.5 code exec: the first stage exploit used is the same, just fine-tuned to work on 6.3.

What does that mean? Simply that because the two exploits are completely separate, there’s no reason to believe that just because the mset bug was fixed in 7.0, so was ssspwn. That’s right; ssspwn has yet to be plugged by Nintendo, and could in theory give us code exec on the latest firmware version. This isn’t the case yet because we haven’t really looked for a new entrypoint, but that’s the next step.

To release or not to release

Generally speaking, the thing that’s been stopping me (and others) from releasing working exploits has been the fact that they might be used for piracy. Fortunately, that should not be a factor in this case, as by its very nature, ssspwn cannot by itself allow piracy. That’s right, it’s the sweet spot that gives us just enough to get awesome homebrew code running in arm11 user mode, but not enough to break the system badly enough to let anyone do whatever the hell they want. As such, I personally have no qualms with releasing the exploit into the wild.

You might be wondering why there isn’t a download link available yet. The reason for that is that, as I mentioned, ssspwn has yet to be fixed. In my opinion, it would be dumb to burn such a nice vuln on just 6.3 when we know full well that we should be able to use this on 7.x, and possibly even 8.x+ with some work.

Plan of action

Now, while I don’t think it’s a good idea to release this publicly just yet, I do think it would be a good idea to get it into the hands of devs with consoles still on 4.5-6.3 so we can make progress creating 3DS homebrew development tools. We’ve been making tremendous progress as it is, but we could do much more with some more talented and motivated developers. As such, I want to share this with as many reputable and available devs as possible so that they can work on making things ready for the (hopefully) upcoming 7.1+ release.

Do note that I don’t have a developer-friendly version ready just yet, but I will let everyone know as soon as I do.

Other thoughts

This is, in my opinion, the best shot we have at making a successful and accessible 3DS homebrew scene happen. I’m going to try not to fuck it up. That means that unfortunately the number of devs I’ll feel comfortable sharing the current iteration of ssspwn with will be rather limited, in an effort to avoid premature leaks. Even then, there’s a good chance this whole thing is a bad idea and that it’ll lead to the vuln being plugged before we ever get a chance to exploit it on latest system version. I’m choosing to trust people, and I sincerely hope it’s not something that will backfire.

On another, more personal note, this is the first big boy exploit of my own that I’ve unveiled, so I think that’s pretty cool.

62 comments
  1. Seeing as how you have been able to modify the core software, is it at all possible for you to create some sort of custom semi-sandboxed environment (to prevent piracy and viruses) for developers such as myself? I’m genuinely curious of whether this is possible.

  2. wow, congrats on your efforts! i really like the fact that you are not engaged in piracy :)

  3. Yuuki said:

    this is it, i won’t update my 3ds anymore (7.0) not a big deal either since pq is still years away from me (eu)

  4. Yacir said:

    Very good work man, we’ve been waiting for so long! Congrats and keep going with your plan.
    Can’t wait for Portal in 3D :)

  5. Huntereb said:

    So this means I’m going to have to rely on someone else to make a 100% free 3DS developing environment? All this time of looking up to you and it’s come to this, eh?

    • TomAto said:

      I half expected it. My hopes kept the other half waiting. That’s life I guess.

  6. Shin said:

    Do you think that would be possible to run imported 3ds cartridges with this without enabling piracy?
    Congrats on your work, cheers!

    • Lavitz said:

      I’d love to know this too! The ability to play imported games would be great

    • S said:

      I’m also curious about getting at disabling the region lock, so many jap exclusives and sometimes over a year wait for them :(

      • Peter Ji said:

        I don’t think Smea can do it. Since SSSPwn can’t run arm9 code, modifying system code is rather impossible.

        • S said:

          Sad panda ;( all I want is region lock gone. Losing faith in Nintendo.

          • alexenochs said:

            If you want region lock gone and you have a DS mode flashcart (and a 4.5 3ds) download gateways latest software and run it and install it from a DS mode flashcart boot into classic mode from the exploit and bam region free

  7. Chris said:

    I don’t care about piracy, I just want to be able to take screenshots of any game, both screens ideally individually or separately.

    Most games do not have Miiverse coverage, and you can’t take screenshots of them.

    • YaManicKill said:

      Yes! If we can get this, plus emulators…I’m happy.

      • Lolwut said:

        There are already very, very early builds of 3ds emulators, but their only use (currently) is for homebrew development/debugging

  8. Drenn said:

    If this is just for arm11 userland code execution, I’m guessing game hacking and rednand won’t be possible? Somewhat disappointing, since nintendo will surely patch this…

    In any case, it’s cool that the 3ds homebrew scene may finally start properly. I just hope you don’t sit on rednand forever, even if that requires 4.5.

  9. JW said:

    Very cool..although my system’s currently running the 4.x based exploit, it’s good to know that there’s another potential way of running homebrew…the more people that have access to this (or any other) exploit, the larger the homebrew scene can potentially grow.

  10. Almamu said:

    I’m interested in this too. 7.1.0E here if you need to test the exploit with 7.x

  11. le Bogoss du 38 said:

    Hi smealum!!! I am a huge fan of your 3d model of Magikarp. I think it is the best pokemon ever!! I told everybody in my middle school and they now love your magikarp. But I just have one request: Can you give me the code for my phone, you big jerk
    I’m looking forward to becoming your best friend forever!!!!!!!! <3 <3

  12. le Bogoss du 38 said:

    And don’t you dare send me the answer by SMS…

  13. Firdaus said:

    Do you take beta testers? I have a 4.5 3ds and also a 7.1 3ds.

  14. I’m very interested in your work. I have 7.1.0U firmware if you want to test anything.

    I’m from México :)

  15. Alex said:

    Hi Smealum. I have one question for you. Is it possible to hack 3DS Eshop to add funds like 10 000 USA money or Swedish etc..
    I mean, If someone could create like a device for 3DS and hacks for downloaded apps. If we then could create a code to 3DS Eshop, we could make our account to have like I said 10 000 dollars etc..
    I hope that my question will be replied.

    • smea said:

      nope, not possible.

      • Tom said:

        No, it is completely possible. Why would you say that? Kid, go take your parents’ credit card and give yourself 10,000 usa money for the eshop, do it, I’m sure they won’t mind.

  16. Blite said:

    i have 4 separate NAND dumps within the range you need, plus the latest. I would love to look into this. If you feel like sharing, you have my e-mail, or search for me online.

  17. Yacir said:

    Update ? pls ????

  18. Anon said:

    Pretty much useless if it doesn’t allow piracy. That’s the only use of hacking the 3DS. Homebrew is crap.

    Only exception being Lemmings for DS.

    • Chris said:

      fully agree with you.

  19. Yacir said:

    When will u release the ssspwn? will we be able to launch emulators? gba 4 ex?

  20. 2357 said:

    Fake~lol~

  21. Jasper said:

    Will this also allow DS homebrew like AS and DSCraft to work on the 3DS without the need of a DS Flashcard?

    • smea said:

      it unfortunately will not

  22. benny said:

    Have you ever tried the 2ds?
    Tks

  23. plinkerfly said:

    “…with great power comes great responsibility…. ”

    we discovered fire and brought it into our homes, shall we abandon the idea because it might burn down the house? Shall we stop using electricity because a baby might stick his finger in an outlet and electrocute himself?

    the pro-c team created the inferno driver so that we can have the most games compatibility for the psp. No one is complaining.

    The operation doom train team translated the final fantasy type 0 game and part of the process is combining the two isos of the game. did they ask us to download only if we legally own the game? i think not.

    creators can try to limit themselves but what will you end up with? a creation with limited possibilities and capabilities.

    So just do it… why? BECAUSE YOU CAN!

    like the Pro Team, Team operation Doomtrain, DarkAlex, TN, Neuron and all the other that gave life to the dying PSP.

    SMEA GIVE LIFE TO THE 3DS.

    YOU ARE DEUX EX MACHINA!

    • Zix said:

      As fun as the PSP scene was, piracy destroyed the purpose for which the console was created… actual PSP games, they were terrible after these hacks became rampant because companies did not want to invest in the console!

      If we allow this to happen on our 3DS consoles then this will happen to our beloved handheld as well. A 3DS scene can still thrive without this kind of piracy through homebrew games and apps and emulation, emulation being the main reason most people hack their console anyway.

      Just another way of looking at it, surely you bought your 3DS to receive good quality titles up until the consoles death.

      • plinkerfly said:

        I’m not promoting piracy. but if SMEA can go all out on this exploit then by all means GO FOR IT! it’s gonna be patched a few days after its release. If it turns out to be a ONE SHOT, might as well get the BULL’SEYE!!

        SMEA YOU ARE DEUX EX MACHINA!!

      • pirate said:

        Piracy ruined the PSP? OK.
        Now explain PS Vita’s massive failure with its unbreakable security.

        • plinkerfly said:

          Obviously I’m very much a PSP fan… or am I?

          Monster Hunter, not available on PS Vita because it was Resident Evil all over again. *just google why capcom moved MH and RE from Sony to Nintendo*

          So I bought the 3ds Monster Hunter Ultimate 3 Bundle…nice!…then I bought the MH4… sweet! Yes, I bought a console to be able to play these two titles. And guess what?.. flashcards were already available even during the NDS and NDS lite. that didn’t stop nintendo from being the number 1.

          Piracy was up and running even during the NES era…UFO.. remember? maybe you’re not that old but i am.

          Death was only a metaphor for cease of usage. If people find no use for it, Death comes. But as for Dying or ceasing to exist, that is called phasing out, which Sony is very good at. They do this even before they cease production of the older console, making it look like the OLD CONSOLE IS DYING.

          Why did the PS vita fail? You and all the others can keep pointing to piracy.

          But what about the abnormal overheating of the quadcore processor. The magical cracks that appear from the edges of the screen.
          And of course the very short list of game titles. This btw is because of the premium the game developers have to pay for making a game. plus the short period Sony gave before the game console’s launch.

          Imagine going to PSN and downloading PSP games and PSP minis on your PS Vita.. WTF?
          Can’t really give the PS Vita good recommendations.

          Stop pointing at Piracy as the culprit. It may be a factor but not the main reasons for Sony’s failure.

          Whatever exploit found on whatever console gives the user more control and gives the console more purpose and usage.

          Stop assuming that everyone that is excited over this exploit is a PIRATE. A PIRATE IS WHAT A PIRATE DOES.

          Jeesh, and I explained it to a person that answers to the name PIRATE.

          • pirate said:

            wut

          • pirate said:

            I was replying to Zix… yeah I totally agree with what you just wrote.

            I don’t think any competent developer has ever been hurt by piracy.

        • plinkerfly said:

          sorry mate for the mix-up. Btw… didn’t you notice that release is taking quite a bit longer for an exploit that’s almost finished? I think your ship will be sailing the pirate seas mate. AAArrrr

          • pirate said:

            Well, I hope his exploit has a way of spoofing firmware revisions too.
            Because it doesn’t matter how long it takes to be released, it’s probably gonna be patched after a few weeks.
            Who the hell is going to keep an outdated firmware for a year (that’s probably the time it’s gonna take until homebrew gets anywhere), locked out of the e-shop and newer games, just to load a few emulators on the 3DS? (and possibly some media players, because homebrew developers seem to think these things are highly relevant)

  24. Zix said:

    I have a question, and forgive me if it’s already been mentioned!

    but does this hack still require a flash cart? or is the hack able to be launched from an sd card?

    the 3ds scene is starting to get exciting now!

  25. blood_talon said:

    Remarkable exploit!
    +1 for a region-free mod.

  26. pirate said:

    To Smealum and other smart guys who have been cracking the 3DS protections and repeat this same ‘piracy is bad’ bullshit:

    The most successful consoles were the biggest ‘victims of piracy’.
    NES, SNES, DS, PS1, PS2… All of them got cracked up pretty fast and I don’t remember seeing Sony or Nintendo having any problem with the boosted console sales due to the massive increase in popularity.

    Videogame piracy only harms incompetent game companies, just like movie piracy harms shitty directors/studios. The news about their lame works spread fast.. way before they can scam enough money out of their customers to maintain their undeserved position.

    Now of course it’s all up to you to release or keep it secret. Just don’t use the piracy as an excuse unless you actually have facts to support it.

    Also, the main purpose of homebrew is to allow piracy anyway. Anything else is just gimmicks.
    If anyone wants emulators there are already plenty of portable android devices that you can even hook to a TV and connect a PS3 controller.
    If anyone wants to develop games there are already plenty of tools to do it and export it to multiple platforms using the same code.

    About your precious homebrew scene…
    Like it ALWAYS happens, the console will die before homebrew gets anywhere interesting. All we’re gonna have in the 3DS is more of the same old console emulators we already have in pretty much all the devices scattered about our homes.

    Anyway good luck with your projects!

    • Andy said:

      Sadly, the main reason for homebrew is not to allow piracy. It’s like saying the main purpose of the NASA Apollo missions was to be able to colonize Mars. It’s not the main purpose, but it could eventually lead up to it. All it takes is some guy who is creative enough to figure it out, and has a lot of time on his hands.

      A developer who works hard to try and prevent piracy with his exploit/cfw will take a long time to release his exploit, obfuscating his code and adding in patches and checks to make sure piracy isn’t possible, but that’s his Due Diligence. Again, this would only require a creative person with a lot of time and coding knowledge to reverse engineer the exploit and figure out how to create a pro-piracy version, but I for one prefer exploits for the homebrew.

      That’s my primary goal for it. It’s also why the only ‘unlicensed’ flash cart I’ve ever seen sold in stores like Walmart was the Datel’s Game ‘n Music, which only allowed homebrew. Big companies are more forgiving for things like this when they try hard to allow homebrew, but deny piracy.

      Anyways, to each his own. Good luck Smea. I wish I could help test this. I tend not to share things, and keep promises. Don’t know what the proper procedures would be to test this, without giving it away to Nintendo. But hope to see this released some day. I for one want 3DS homebrew.

      • pirate said:

        Unless this exploit abuses a flaw in some vital component of the console, making it costly to fix, it’s gonna be patched soon. Sure it’s not as dangerous to them as the Gateway, but it still hurts their profits.

        Do you think they’re gonna allow you to run emulators for free when they could sell you the old games through Virtual Console? LOL

        Homebrew is mostly interesting for developers, for them to feel the accomplishment of running their little illegal code on a locked device.
        There’s not really a lot for players there.

        • Andy said:

          No. I also don’t think they’ll be providing emulators, even when people have been screaming that they’d pay for it.

          GBA games, anyone? People have been saying they wanted them, but Nintendo hasn’t done anything, so it should be in the hands of homebrew.

          And unsigned code isn’t necessarily illegal code. It’s just not code that’s been approved by Nintendo. You could make a completely homebrew game that doesn’t use anything from the sold games, and it wouldn’t be illegal.

          • pirate said:

            GBA games would probably work with a supervisor, like gbaemu4ds.
            It didn’t get finished on the DS… good luck getting something similar on the 3DS with a crippled exploit.

          • pirate said:

            hypervisor*

  27. TomAto said:

    Honestly I don’t understand why this guy would hack the 3ds and brag about it in the first place if he’s against piracy. It’s like selling guns while being against war. Also the fact that he won’t release it. What’s the purpose? To tease everyone?
    Makes no sense.

    • Brian said:

      Well, you can hack a device without giving the hack you made enough access to run unsigned roms, but enough to run homebrew. That’s what’s holding him back mostly, finding this sweet spot ;)

      • Stef said:

        There is not really a sweet spot.. If his exploit can run ROMS then eventually this would lead to full kernel access and ROM emulation.. The funny thing is that other hackers will try to hack a hacker’s security system just like the PS3 dongles..

  28. I imagine this will be our devkitPro for 3DS, am I wrong?

    Off-topic: I saw that you had put up the source of a future 3DSCraft. Is it the same code as DSCraft?

    I also posted here: http://smealum.net/?page_id=299
    But I should have posted everything here since the other article is old. :)

  29. Shaw said:

    Please include region unlocking that’s all I ask!

  30. Kelton2 said:

    Are you taking beta testers? I have a 4.5 console.

  31. JP Logan said:

    Hi Smea, just wanted to say I have a rather small idea of how difficult doing something like this is, as I did an internship with a company that does anti-reverse engineering for companies. If you are taking the time to develop it, it should be your choice whether to release it or not, or to try to make it not useful for pirates. That said, it has been some time since anything has appeared on your blog regarding this, and once you came out and announced this and said you would be releasing it after the next major firmware updates, it would be polite to your followers to give us an update. I’ve heard your twitter has had some stuff but I have enough problems with social media taking up too much of my time. Could you please give us an update?

    • smea said:

      next week

      • JP Logan said:

        yeah like a day after i posted i read about that on gbatemp. Looking forward to it

  32. RickS said:

    Hey, I heard you bought stocks in Cubic Ninja INC. Before you announced the game. Care to comment?
