From cd896fe644960dce450b11b67ab57a6fc223f296 Mon Sep 17 00:00:00 2001 From: patois Date: Wed, 15 Apr 2015 19:20:56 +0200 Subject: [PATCH] update readme, fix python script --- README | 57 ++++++++++++++++++++++++++++++++++++++----------- tools/client.py | 6 +++--- 2 files changed, 47 insertions(+), 16 deletions(-) diff --git a/README b/README index 438ea59..1ee8911 100644 --- a/README +++ b/README @@ -1,12 +1,20 @@ -BRAHMA - Privilege elevation exploit for the Nintendo 3DS +Brahma - Privilege elevation exploit for the Nintendo 3DS ========================================================= - WTF is 'BRAHMA'? + WTF is 'Brahma'? ---------------- - BRAHMA is a privilege elevation exploit that is based on reverse engineered - code of a publicly available, 'commercial' exploit. With existing user mode - code execution privileges (e.g. Ninjhax), it can be used to further - elevate privileges to ARM9 pre-kernel / SVC mode. + Brahma is development tool for the Nintendo 3DS platform that is based on + two vulnerabilities whose exploitation lead to elevation of privileges. + + The exploits utilized by Brahma are based on "commercial" exploits that + have been reverse engineered. Brahma has been developed with the goal of + understanding and documenting the nature of the exploits in mind and has + been put further effort into during its development process in order to + achieve reliable exploitation and stability. + + Brahma comes with full source code that is based on libctru and requires + existing user mode code execution privileges (Ninjhax), and can be used to + further elevate privileges to ARM9 pre-kernel / SVC mode. Also, "Brahma, the creator" is a god in hinduism that is often portrayed with four heads and arms (heh... so funny :\). 
@@ -50,19 +58,42 @@ BRAHMA - Privilege elevation exploit for the Nintendo 3DS client.py: 'python client.py 10.0.0.5 payload.bin' netcat: 'nc 10.0.0.5 80 < payload.bin' + Example programs that run in privileged ARM9 mode can be downloaded from + https://github.com/patois/3DSProjects/tree/master/Brahma/ + + A memory dumper (3DSDevTools) for Brahma is available at + https://github.com/patois/3DSDevTools/releases + + There is also a port of Decrypt9 by archshift which can be loaded using + bootstrap or Brahma (use 'make' to build the project, then use one of the + methods supported by Brahma to load the Decrypt9 payload). Decrypt9 can be + downloaded from https://github.com/archshift/Decrypt9/tree/bootstrap + + Developers: + ----------- + The exploits used by Brahma which enable privileged ARM9 code execution + may also be used as a "library" (#include "brahma.h") + + - call brahma_init() in order to initialize Brahma + - call load_arm9_payload() to load payload binary from disk + - call firm_reboot() to execute a payload binary (privileged ARM9 code) + - (please check the source code for even more features and options) + ARM9 payload must consist of valid ARM9 executable code and will be mapped to physical address 0x23F00000 during run-time. Its code should begin with a branch instruction at offset 0 and a 'placeholder' for a u32 variable at offset 4, which will be filled by BRAHMA with a backup of the original ARM9 entry point of the FIRM header during runtime. - Example programs that run in privileged ARM9 mode can be downloaded from - https://github.com/patois/3DSProjects/tree/master/Brahma/ - - There is also a 'bootstrap' port of Decrypt9 by archshift which can be loaded - using Brahma (use 'make' to build the project, then use one of the methods - supported by Brahma to load the Decrypt9 payload). 
Decrypt9 for bootstrap - can be downloaded from https://github.com/archshift/Decrypt9/tree/bootstrap + Brahma is written in a way that allows developers of payload binaries + to easily return control to the Nintendo firmware after custom payload binary + code has been executed - simply by returning from the main() function of its + code! + + This allows reading and altering of memory contents, such as the mapped + Nintendo firmware (including ARM9 kernel, Process9, ARM11 kernel and several + processes running on the ARM11 core), for testing purposes, without requiring + any changes on the file system level. Credits: -------- diff --git a/tools/client.py b/tools/client.py index 879fbad..1af3d3a 100644 --- a/tools/client.py +++ b/tools/client.py @@ -7,16 +7,16 @@ print "python client.py \n" sys.exit(0) -s = socket.socket() -host = sys.argv[1] port = 80 +host = sys.argv[1] pfile = sys.argv[2] +s = socket.socket() s.connect((host, port)) f = open(pfile, "rb") buf = f.read() f.close(); -if (f and len): +if (f and len(buf)): sent = s.send(buf) print "Sent %d bytes\n" % sent s.close
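Review bot: In the first README hunk (the rewritten intro), the new description has grammar problems that make the wording harder to follow: "Brahma is development tool" is missing the article ("is a development tool"), "whose exploitation lead to elevation of privileges" should read "leads to", and "has been put further effort into during its development process" is awkward; something like "further effort has been spent during development on reliable exploitation and stability" carries the same meaning. Since the hunk also renames the project from "BRAHMA" to "Brahma", this is a good place to make the new spelling consistent throughout the file.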
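Review bot: In the second README hunk (Developers section), the retained paragraph about the ARM9 payload layout still says "will be filled by BRAHMA with a backup of the original ARM9 entry point" while the rest of the patch switches to "Brahma"; it should be updated in the same change. The new "library" bullets list brahma_init(), load_arm9_payload() and firm_reboot() but say nothing about their return values or what a caller should do when load_arm9_payload() fails (e.g. file missing or wrong size); a one-line note per call on how failure is reported would make the API usable without reading the source, which is what the last bullet currently asks developers to do.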
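Review bot: In the tools/client.py hunk, the corrected check `if (f and len(buf)):` still tests `f`, which is a (closed) file object and therefore always truthy, so the condition reduces to `len(buf)`; writing `if buf:` states the intent directly. Two defects visible in the surrounding context lines are worth fixing in the same patch: `s.close` at the end is missing the call parentheses, so the socket is never explicitly closed, and `s.send(buf)` may transmit fewer bytes than `len(buf)` for a payload of any real size, so `s.sendall(buf)` (or a loop on the return value) is the right call before printing "Sent %d bytes". Finally, the reordering still connects the socket before the payload file is opened; opening and reading the file first avoids leaving a connection to the console open when the file path is wrong.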