humblehax

3DS userland exploit for Citizens of Earth

humblehax exploits a trivial savegame stack overflow (see here for code) to obtain ROP under Citizens of Earth, selected due to its recent participation in the Humble "Friends of Nintendo" Bundle.

Installation

To install the exploit to Citizens of Earth, use the installer found here, extract it to your SD card and run it using the Homebrew Launcher. An existing homebrew entrypoint such as browserhax, Smash Bros or Cubic Ninja is required (see the Homebrew Launcher page and Homebrew Exploits on 3dbrew).

Note: the installer requires a *hax payload version of 2.8 or later due to a much improved takeover method.
The mmaps used previously are no longer required and can be deleted if you still have them.

Note that installing humblehax will wipe any existing savegame data in slot 3, and the original game cannot be played while humblehax is installed. Once installed, humblehax triggers automatically during game boot (after the company splash screens).
For uninstallation, see Removal below.

Updating *hax

humblehax includes a payload which allows the *hax payload to be updated in the event that a system update is released, without requiring the installer to be run again. To access this functionality, hold SELECT while the exploit is loading and you will be taken to a menu.
In this menu, select Update *hax payload, choose the version of the *hax payload you wish to install, and then press A to have it downloaded and installed to the savegame.

Upgrading the game from v1 to v2

There is currently almost no benefit to doing so, but should you choose to update Citizens of Earth to a newer exploitable version, first update and rerun salt_sploit_installer from the releases page before downloading the game update via the eShop. salt_sploit_installer will detect the game version that you currently have installed; change this manually to the target version. Once the new exploit has been installed, it will not be possible to boot *hax using humblehax until the matching version of the game has been downloaded, or the exploit is reinstalled via another entrypoint.

If you have some other method for booting *hax, it does not matter when you reinstall the exploit (it can be done after downloading the update). The above suggestion of doing it before only applies if humblehax is currently your only method of accessing homebrew.

Removal

To remove the exploit, simply delete SaveData3.xml (using a save manager such as svdt) to return the game to a playable state.
To fully clear the savegame, use the humblehax menu described above (hold SELECT) and choose the Clear savegame option.

Credits

Vulnerability discovery, ROP implementation and installer by Dazzozo
SALT greetz: Shiny Quagsire and WulfyStylez
ironhax by smealum for ROP build system/payload base
sploit installer by smealum and yellows8

FAQ

What changed between v1 and v2?

The update that reinstated the game on the eShop appears to be an SDK update, nothing more. No attempt was made to fix the vulnerability currently in use - most of the "work" involved in updating humblehax was porting and handling the SDK update. Almost like no one was actually told that the game had been exploited...

Is this game going to be removed for a second time?

Maybe. I hope not. This update was too easy, and someone else would've done it if not me. How many games need to be removed before Nintendo changes this ridiculous policy of removing exploitable third-party titles but not their own, or perhaps considers fixing the platform's security instead?

Write-up?

07:00 Dazzozo
gonna look at citizens of earth

07:07 Dazzozo
and i crashed it already