MSET9 3DS

From GameBrew
MSET9

General
Author: zoogie
Type: Exploits
Version: 1.2
License: Mixed
Last Updated: 2023/11/01

Links: Download, Website, Source

MSET9 is an ARM9 exploit for the Nintendo 3DS. It is triggered simply by placing a file with a specific name on the SD card inserted into the console. The exploit takes advantage of a vulnerability in the FSPXI:EnumerateExtSaveData function, which MSET calls to parse 3DS extdata IDs for Data Management.

How does it work

  1. The exploit takes advantage of a vulnerability in the FSPXI:EnumerateExtSaveData function.
  2. This function is called by MSET to parse 3DS extdata IDs for Data Management.
  3. If the function fails to open a directory, an uninitialized pointer on the stack is used for a vtable call.
  4. A file starting with 8 hex digits placed directly inside the extdata directory can cause process9 to crash.
  5. In some cases, the crash can lead to null dereferences.
  6. In a specific context, process9 jumps directly to an ID1 string being held in ARM9 memory.
  7. The 3DS requires exactly 32 characters for the ID1 directory name on the SD, allowing the attacker to insert ARM instructions into the unicode ID1 dirname.
  8. This gives the attacker control of the ARM9, and thus, full control of the 3DS.
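As an added example (not part of mset9.py or the original page), a Python check that scans an SD card's Nintendo 3DS folder for the two leftovers described above: an ID1 folder name that is not 32 hex digits, and a file directly inside extdata whose name begins with 8 hex digits. The sample tree it builds is constructed for the demo; point check_sd_root at a real card's root to use it.

```python
import glob
import os
import re
import shutil
import tempfile

# Legitimate ID0/ID1 names are 32 hex digits; MSET9 swaps ID1 for a 32-char unicode name.
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
# A file directly inside extdata whose name starts with 8 hex digits is the crash trigger.
HEX8_PREFIX = re.compile(r"^[0-9a-fA-F]{8}")


def check_sd_root(sd_root):
    """Return a list of findings for every Nintendo 3DS/ID0/ID1 folder under sd_root."""
    findings = []
    pattern = os.path.join(glob.escape(sd_root), "Nintendo 3DS", "*", "*")
    for id1_path in sorted(glob.glob(pattern)):
        if not os.path.isdir(id1_path):
            continue
        id1 = os.path.basename(id1_path)
        if not HEX32.match(id1):
            findings.append("ID1 is not 32 hex digits (MSET9 leftover?): %r" % id1)
        # Only plain files count here; the normal "00000000" entry is a directory.
        for path in sorted(glob.glob(os.path.join(glob.escape(id1_path), "extdata", "*"))):
            name = os.path.basename(path)
            if os.path.isfile(path) and HEX8_PREFIX.match(name):
                findings.append("trigger-style file in extdata: %r" % name)
    return findings


def build_demo_tree():
    """Constructed sample SD layout (not a real card): one clean ID1 and one dirty one."""
    root = tempfile.mkdtemp()
    id0 = os.path.join(root, "Nintendo 3DS", "aaaabbbbccccdddd1111222233334444")
    os.makedirs(os.path.join(id0, "aaaabbbbccccdddd1111222233334444", "extdata", "00000000"))
    dirty = os.path.join(id0, "zz" + "0" * 30, "extdata")  # 32 chars, but not hex
    os.makedirs(dirty)
    open(os.path.join(dirty, "002F003A.txt"), "w").close()  # trigger file named in the FAQ
    return root


def demo():
    """Build the sample tree, scan it, remove it again, and return the findings."""
    root = build_demo_tree()
    try:
        return check_sd_root(root)
    finally:
        shutil.rmtree(root)
```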

Usage

Requirements

  • A 3DS on firmware 11.4-11.17, any region (probably, haven't tested them all)
  • A USB SD card reader
  • Windows/Linux PC (this might be expanded to Mac and/or Android at some point, if possible)

Installation

Head over to 3DS guide for the latest tutorial on MSET9.

FAQ

Q: This installs boot9strap and writes to NAND?
A: Yes! What else ya gonna do with ARM9 control, a9lh? pastaCFW? sketchy tetris clones? :p

Q: That sounds dangerous, Zoogie!
A: Yeah, it kinda is but the scene's been doing this dangerous stuff for years. Just sit out the beta phase if concerned.

Q: What happens if I fail to uninstall the exploit when I'm done?
A: You'll have trouble launching previously installed titles, in addition to random crashes in FBI and System Settings. So make sure to clean up the exploit! (option 4 in the mset9.py menu does this)

(the rest of this is more FYI than anything important)

Q: That file that triggers the exploit (002F003A.txt) ... it kinda looks like ... some virtual address, huh?
A: It's the characters ":/", something we can't display in a typical file/folder name. A convenient fact of that file (besides triggering the overall crash) is that the first 8 chars of that hex filename are converted to a u32 that happens to exist 0x44 past SP, so I can use it to plug in the missing chars in the payload filepath "sdmc??b9", and keep the PC's OS happy.

Q: You suggested in the hack explanation above that FS_EnumerateExtData is the responsible function for allowing the crash in MSET/ARM9, could this be called in userland homebrew to take over ARM9?
A: Maybe? I briefly played around with this very idea, but was unable to find a crash context that I could control, unlike the pre-userland method MSET9 is. Maybe this could be an exercise for the dedicated user to explore and flesh out this potential variant of MSET9! It could be useful down the line. Fun fact: The 8 digit hex file, if left in extdata, will also crash FBI when selecting the "Ext Save Data" option in its main menu. It's the only homebrew I know that calls FS_EnumerateExtData.

Q: You shortened SafeB9SInstaller.bin to SafeB9S.bin, why?
A: Keeps FAT's 8.3 filename standard which avoids Long File Names, and thus enables significant space savings in the FatFs library. "B9" is also used for the same reason albeit not FatFs related. Small code footprint is of paramount importance everywhere in this exploit.

Q: Why doesn't this work on Mac?
A: Because it refuses to render the following unicode craziness: �﫿餑䠇䚅敩ꄈ∁䬅䞘䙨䙙꫿ᰗ䙃䰃䞠䞸退ࠊꁱࠅ캙ࠄsdmc退ࠊb9

Troubleshooting

  • [mset9.py shows error ".../title.db doesn't exist on sd card"?] Inside sdmc:/Nintendo 3DS/ID0/ID1/dbs, create empty files title.db and import.db. You need to create the dbs folder first. Now go to System Settings -> Data Management -> Nintendo 3DS -> Software and say yes to the prompts to build your database files. Now redo everything from the start.
  • [Swirling System Settings loop] This is just a general crash of ARM9. Did you follow the instructions EXACTLY?
  • [Nothing happens when I reinsert the card, it just shows the Mii Maker icon] Did you try option 2 in mset9.py on step 6? Go back to step
  • [Still can't get it to work] In some stubborn cases, it might be better to just start fresh with a spare blank SD card. For that, follow these steps:
  1. Format the spare SD card with SD formatter.
  2. Put SD card into 3DS and turn on, wait for menu data to format automatically.
  3. Go to Mii Maker and launch it, wait for extdata format, then exit. Turn off 3DS.
  4. Take out SD card, put in computer and create the following two empty files (and dbs folder if needed):
    • sdmc:/Nintendo 3DS/aaaabbbbccccdddd1111222233334444/aaaabbbbccccdddd1111222233334444/dbs/title.db
    • sdmc:/Nintendo 3DS/aaaabbbbccccdddd1111222233334444/aaaabbbbccccdddd1111222233334444/dbs/import.db
    • (the long hex number folder names above are just examples, yours will be different)
  5. Put SD card back in the 3DS and go to System Settings -> Data Management -> Nintendo 3DS -> Software and agree to the prompts to rebuild the database.
  6. Proceed to step 1 on instructions.txt.

Changelog

1.2

  • macOS support added, thanks @danny8376.

1.1

  • Refactored mset9.py script, thanks @ToxicAven!
  • Pared down some unnecessary files in release archive.

1.0

  • Same as v4beta.
  • Hotfix 10/11/23: better clarity for users regarding common problems, fix version to match this release

v4beta

  • Convenient menu to choose your 3DS type. Thank you Lily for this feature!

v3beta

  • Expand compat to new3ds, and down to firmware 11.4. Still preset to old3ds, 11.8-17. More on that whenever this is added to 3ds Guide or Wiki.
  • Most contents of release folder are moved to archive root, no more SDMC dir to confuse.
  • Hotfix 10/7/23: contents moved up to root in release archive (for real this time)

v2beta

  • This BETA version uses a slightly modified usr2arm9ldr for the stage1 payload, and then it loads SafeB9SInstaller for added peace of mind. Only old3ds 11.8-11.17 support for now.
  • Hotfix 10/4/23: titleDB gen opportunity after error and another hotfix for that

v1beta

  • MSET9 setup script added to automate and check a lot of stuff. Seems to work ok on Windows. Almost there on Linux, but stops working once the SD card is removed. I would hate for users to re-run the script after every command.
  • macOS is completely a no-go because of the ugly arm/unicode ID1 thing; it just barfs immediately. Hopefully there is a workaround, or we might have to make an SD image and use Balena Etcher or something to install it.

v0beta

  • First Release.

Thanks

These are repos containing homebrew binaries included in the release archive. Many thanks to the authors.
