yellows8/ctpkpwn
This is an exploit for the CTRSDK CTPK buffer overflow vuln. It is intended to be generic enough to be used with other titles, but it would likely need to be adjusted for each title (if there are any other titles at all where this can be triggered outside of RomFS).

Currently the only implementation of this is for "The Legend of Zelda: Tri Force Heroes", hence that implementation is called ctpkpwn_tfh.

ctpkpwn_tfh

For vuln details, see here.

This automatically triggers during the initial "Loading..." screen, roughly 5 seconds after the screen turns black at the 3DS logo.

This is installed using custom SpotPass content. The SpotPass task is automatically deleted afterwards, leaving just the downloaded content (and the *hax payload). The content and the *hax payload are both stored in the SD extdata (the former is only stored as BOSS content; it is never moved elsewhere by the game). Since this lives in extdata, the exploit can only be used on the same system it was installed on. The normal savedata is not affected at all.

This can only be installed with a network connection, since it uses SpotPass.

The manager app loads the *hax payload from SD "/otherapp.bin" during installation; the user must set this up before using the app.

Your system has to allow unsigned SpotPass (BOSS-container) content in order for this to be installed. This can be done with ctr-httpwn >= v1.2 (with the included bosshaxx on supported system versions), or with "CFW". ctr-httpwn would have to be run before running this manager app for installation.

The game must have been run at least once, with SpotPass enabled via the game's own option for it, before running the manager app.

The manager app should be run from *hax payload v2.8 or later; however, if you're not installing with an eShop version of the game, this shouldn't matter.

Supported regions/versions

Only update-title v2.1.0 is supported. Regular-application titles (if any) which include {update-version} without a separate update-title are not supported.

Supported regions:

  • JPN
  • USA
  • EUR

Credits

  • profi200: Initial help with EUR support.
  • Myria: locating the ROPBUF address for JPN and EUR, plus JPN/EUR/etc. testing.