Fierce Waffle ROP Loader 3DS

From GameBrew

3DS Toolkit by Fierce Waffle
AuthorFierce Waffle
Last Updated2013/12/26
TypeSystem Tools

The 3DS Toolkit is a utility that can extract memory dump, developed by Fierce Waffle. The project was initially titled ROP Loader, where ROP is an abbreviation for Return-Oriented Programming, and is one of the exploit technologies that utilize the code of programs that are already installed.

User guide

How does it work

Since the 3DS Toolkit uses the same DS Profile exploit as Gateway 3DS, the operating environment is 4.1-4.5. The DS Profile exploit is/was a well known, but not often performed exploit for the Nintendo 3DS. This exploit involved setting a value too high for the length of a string which caused too much to be read on the stack.

There is a file called SYS: /Launcher.dat that 3DS uses to configure the system, and the first character "S" is removed from the string "SYS: /Launcher.dat" in the memory of 3DS. Furthermore, by mounting the SD card as "YS: /", Launcher.dat functions as ROP.

However, that alone is only a userland exploit (DS Profile exploit), so in order to go beyond that it would require a kernel exploit. The method this 3DS Toolkit used is through changing the permissions of IOpen_File, which allows user to dump RAM and possbility to execute custom codes.

How to use

Copy the ROPLoader.nds file to any flashcart compatible 3DS flashcard.

Insert the flash card and open the 'game' with the title of ROPLoader.

When loaded, press the A button to initiate the initial ROP payload installation process

If the verification process fails, repeat steps 2-3. Otherwise, press A to return to your 3DS home menu.

Copy the Launcher.dat that you wish to use to your 3DS' SD card and reinsert the SD into your 3DS.

To initiate the exploit navigate to System Settings > Other Settings > Profile > Nintendo DS Profile.



v0.0.0.2 2013/12/26

  • Fixed Verify Bug.
  • Fixed an error users would get when installing the ROP Loader.

v0.0.0.1 2013/12/25

  • Initial Release.
  • RAM dumping from 0x00100000 with a size of 0x00300000 bytes.

External links