| menuhax67 | |
|---|---|
 | |
| General | |
| Author | zoogie |
| Type | Exploits |
| Version | 1.2 |
| License | MIT License |
| Last Updated | 2023/05/30 |
| Links | |
| Download | |
| Website | |
| Source | |
menuhax67 is a secondary userland exploit for the 3DS home menu that requires user interaction by tapping the home icon on the top left of the bottom screen.
It is currently in a developer proof-of-concept stage due to the initial intended purpose of launching SAFE_MODE sysupdater without functioning shoulder button(s) being unlikely. However, this exploit could be useful in the future if an arm11 kernel sploit shows up, as it could help attack arm9 in SAFE_MODE.
Exploit details
The exploit works by setting the config block 0x50001, which contains a u8 brightness setting that indexes a table of u32 addresses, to an out-of-bounds index (its normally 1-5).
Located within the cfg block 0x50009, there exists a single controllable u32 that's located within the u8's range. With these set properly, one can eventually redirect a function pointer to an address of their choice.
What's needed
To use the exploit, you'll need a 3DS with a firmware version within the following ranges:
- 11.7.0-X -> 11.15.0-X for USA, JAPAN
- 11.10.0-X -> 11.15.0-X for EUROPE
- 11.5.0-X -> 11.15.0-X for KOREA
You will also need a userland entrypoint with cfg:s or cfg:i to launch the 3dsx installer.
Troubleshooting
If you encounter any issues with the exploit and want to uninstall it, you can launch a DS title, press the home button, hold START, and press down until the screen brightness noticeably changes. This should restore your brightness to a normal value and unlink the exploit. However, it's still strongly recommended to uninstall with the 3dsx app at some point.
The name menuhax67 is a reference to the "menuhax" series, which is a meme in the 3DS homebrew community. The number "67" is likely a reference to a specific meme or inside joke within the community.
FAQ
Q: Why exist, if there's no immediate benefit to precious users?
A: Memes, of course. This is menuhax 11.4+, after all :-p
Q: menuhax67? Why name it that?
A: Memes, of course. I'll leave it as an exercise for the reader to decipher what the specific meaning is ;)
Q: Why you kill parental setting? Why you hate parent?
A: There aren't a lot of config blocks that are large enough to fit an sd loading rop chain (and also get loaded by home menu), and parental controls was just big enough for that purpose. And parental controls suck, no offense to parents out there.
Q: Why did you choose Launcher.dat for the sd payload name? That erases my Gateway launcher.
A: Probably for the same reason Gateway did, to save enough space to fit a ropchain where I want. RIP your Gateway launcher but GW3DS is really dead already. Get some proper cfw for Lenny's sake.
Changelog
v.1.2
- Updated to support US 11.17
v.1.1
- Tries to detect cfw, and blocks menuhax install if user has it already. "STATUS:" will show user/cfw status.
- Removes bb3's F00D43D5.bin file if cfw installed and user selects uninstall. Just being helpful! bb3+menuhax67 could be a thing someday so just being prepared ; )
v.1.0
- Korea support added. Old3DS tested, need someone to test new3DS but it should work (tm).
v.0.0
- First Release.
- Developer tool. Not intended for general users.
- Hotfix 10/24/20: Cfg:UpdateConfigNANDSavegame header changed to cfg:s so it's guaranteed to work with both cfg:s or i. This caused issues on stock firm with hax installed only in RAM.
External links
- Github - https://github.com/zoogie/menuhax67