How The Nintendo 3DS Was Hacked Using a Music File
2 minutes read
SoundHax was one of the most accessible exploits to get unsigned code running on the Nintendo 3DS. It worked by abusing a bug found in the Nintendo 3DS Sound application with a specially-crafted .m4a
file.
The exploit is special as it was the first exploit on the 3DS that was free, offline, and worked on every version of the firmware as of when SoundHax was launched.
To fully appreciate this brilliant symphony of hacks, a basic understanding of memory management is recommended.
Before proceeding, I'd also highly suggest reading the writeup on Nedwill's GitHub page
The Vulnerability
At its core, SoundHax exploits a bug in how the 3DS Sound application handles MP4 atom tags:
- A 256-byte buffer is allocated for song names (the maxsize according to the MP4 spec).
- The song name is then copied from the file into the buffer using one of two functions.
- For ASCII strings,
strncpy(dst, src, 256)
is used, which is safe. - For Unicode strings,
memcpy
is used, which takes a user-provided size instead of 256 (not safe!).
This was likely because strncpy
stops at the first null terminating byte (which works for ASCII strings). As Unicode can have null bytes as parts of characters, strncpy
wouldn't work well.
Instead, song names are simply gathered by copying over as many bytes as the file specifies, even if the number is greater than 256.
This means that the program code is vulnerable to a
The Exploit Chain
Taking advantage of this bug, we can get arbitrary code execution on the 3DS using the following steps:
- Crafted M4A file with oversized Unicode title
- Buffer overflow in heap
- Heap manipulation (fake chunk creation)
- Unlink exploitation
- Arbitrary write primitive
- ROP chain setup
- gspwn GPU exploit
- Code execution
Anyways, here's how it works.
1. Attack Plan
The goal is to create a specially crafted .m4a
"audio" file with an oversized Unicode title to overflow the heap.