A heap overflow in tag processing leads to code execution when a specially-crafted m4a file is loaded by Nintendo 3DS Sound. All existing versions of Nintendo 3DS Sound prior to Nintendo fixing the vulnerability are now supported. This bug is particularly good, because as far as I can tell it is the first ever homebrew exploit that is free, offline, and works on every version of the firmware for which the sound app is available. It can be used along pre9otherapp to launch an arm9 payload from the SD card on pre 9.0 firms (2.1 - 9.2).

Download the relevant soundhax-region-console-firmware.m4a file for your device.

Download the Homebrew Menu and place boot.3dsx in the root of the SD card (if it is not there already).

Download the otherapp payload for your 3DS version, rename it to otherapp.bin, and copy it to the root of the SD card.

Save the soundhax song file and copy it to the root of your SD.

Insert the SD card into the 3DS and start Nintendo 3DS Sound.

Locate your new song and play it to start the Homebrew Menu!

If your box is checked, then put otherapp.bin on the root of your SD card along with soundhax.m4a and launch the song from the sound player.

Fixing the annoying bird: Click through all of the bird tips, then close the app normally. When you exploit it, it doesn't save the fact that you've opened the app before, so closing and reopening normally seems to fix this.

3DS Sound mallocs a buffer of 256 bytes to hold the name of the song as described in its mp4 atom tags. When parsing an ascii title, strncpy(dst, src, 256) is used, which is safe and correct. This is sensible since it's the maximum allowed size according to the spec.

Then run python exp.py to generate soundhax-*.m4a.