Mario Kart 7 semi-primary exploit for the Nintendo 3DS.

Overview

kartdlphax

kartdlphax is a semi-primary exploit for the Download Play mode of Mario Kart 7. It can be used to run a userland payload on an unmodified 3DS by having it connect through Download Play to another 3DS that runs Custom Firmware with the exploit installed.

Video Demonstration

Installation

The exploit uses a 3GX plugin on the host system, so in order to use it you need to install the 3GX Loader fork of Luma3DS.

On the host console, place the .3gx file from the Releases page in one of the following directories, depending on your game region:

  • EUR: luma/plugins/0004000000030700
  • JAP: luma/plugins/0004000000030600
  • USA: luma/plugins/0004000000030800

By default, the plugin uses the built-in otherapp payload (universal-otherapp). You can supply your own otherapp at /kartdlphax_otherapp.bin, but keep in mind that the hax 2.0 otherapp doesn't currently work.

Usage

  1. On the host 3DS, make sure the plugin loader is enabled in the Rosalina menu (L+Down+Select), then launch the Mario Kart 7 game matching the region of the client 3DS(es). (A confirmation message appears on the top screen once the game launches.)

  2. On the client 3DS(es), launch the Download Play application.

  3. On the host 3DS, select Local Multiplayer, then Create Group. After that, let the client 3DS(es) join the group.

  4. Once the multiplayer menu loads on the host 3DS, select Grand Prix, then 50cc, then any driver combination, and finally the Mushroom Cup. After a while the exploit triggers on the client 3DS(es).

Keep in mind that while you can send the exploit to up to 8 consoles at the same time, the success rate seems to decrease with each console added.

Technical Details

This exploit consists of 3 stages plus the otherapp.

  1. Vtable pwn exploit: The Download Play child application doesn't have the course files stored in its romfs, so it has to ask the host to send them when needed. Since this data is not part of the child .cia and is not signed, the host can send arbitrary content. Furthermore, the client sets up a buffer to receive the data from the host but never checks the incoming data size, so an oversized transfer produces a buffer overflow that overwrites important data located after the receive buffer. By overwriting a vtable, the exploit produces an arbitrary jump in the main thread and eventually reaches the ROP chain.
  2. ROP chain: From the ROP chain, using yellows8's 3DS ropkit as a base, the exploit terminates some problematic threads and replaces the area at 0x100000 with the next stage using gspwn. The otherapp can't be loaded directly from ROP because some gadgets and important functions live in the same area as the otherapp target address, so a small helper payload is needed first.
  3. Miniapp payload: This asm payload, based on luigialma's version from nitpic3d, is responsible for terminating the rest of the problematic threads, reconstructing the partitioned otherapp from the received buffer, mapping it to 0x101000 with gspwn and finally launching it.

You can find more in-depth details in the comments inside the plugin and miniapp source files.
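The root cause of stage 1 is a receive path that trusts the host-declared length. The following added example (not code from kartdlphax or from Mario Kart 7; the struct layout, names and sizes are constructed for illustration) shows that unchecked pattern beside the hardened form that bounds the copy and reports the rejection to the caller.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the situation the README describes: a fixed buffer
 * reserved for host-supplied course data, with something the program relies
 * on (here a vtable pointer) located directly after it. Hypothetical layout. */
#define COURSE_BUF_SIZE 64

struct course_receiver {
    uint8_t course_buf[COURSE_BUF_SIZE]; /* host-supplied course data lands here */
    uintptr_t object_vtable;             /* adjacent field that must stay intact */
};

/* Vulnerable pattern: host_len comes from the peer and is never compared
 * against the buffer size, so a larger transfer spills into what follows.
 * The copy goes through a byte pointer to the whole struct so the example
 * itself stays within defined behaviour while showing the clobber. */
void recv_course_unchecked(struct course_receiver *r,
                           const uint8_t *pkt, size_t host_len) {
    memcpy((uint8_t *)r, pkt, host_len);
}

/* Hardened pattern: refuse anything the reserved buffer cannot hold and
 * return a status so the caller can abort instead of continuing silently. */
bool recv_course_checked(struct course_receiver *r,
                         const uint8_t *pkt, size_t host_len) {
    if (host_len > COURSE_BUF_SIZE) {
        return false; /* oversized transfer: drop it, state is untouched */
    }
    memcpy(r->course_buf, pkt, host_len);
    return true;
}

/* Demonstration helper: seed a sentinel vtable, feed a packet of pkt_len
 * constructed filler bytes through either path, and report whether the
 * adjacent field survived. */
bool vtable_intact_after(bool checked, size_t pkt_len) {
    uint8_t pkt[sizeof(struct course_receiver)];
    memset(pkt, 0x41, sizeof pkt);              /* constructed payload bytes */
    if (pkt_len > sizeof pkt) pkt_len = sizeof pkt;

    struct course_receiver r;
    memset(&r, 0, sizeof r);
    r.object_vtable = (uintptr_t)0xC0DEC0DE;    /* sentinel, not a real address */

    if (checked) recv_course_checked(&r, pkt, pkt_len);
    else         recv_course_unchecked(&r, pkt, pkt_len);
    return r.object_vtable == (uintptr_t)0xC0DEC0DE;
}
```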

Credits

Notice

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Comments
  • Issue entering unsafe mode

    After doing the ROP injection I get to the point where it says hit X to enter unsafe mode. I hit X and then the 3DS just goes to the home screen then turns off. Any idea how to fix that?

    opened by Bchen0190 3
  • Will it support CHN region?

    I have 2 CHN consoles available to do any test. The CHN MK7 is 00040000 0008B500. Current kartdlphax says it's not compatible with this title, but CHN MK7 should have the same contents as JPN, USA and EUR since it integrates the v1.1 patch.

    opened by MelonGx 0
Releases(v1.2)
Owner
PabloMK7
CTGP-7 main developer. :3