BrokenPit is a primary exploit for the "Nintendo DSi Camera"!
This exploit's PoC demonstrates a change of the splash screen colors on the touch screen.
Buffer overflow via unchecked header size
The Camera app loads the `pit.bin` file from the SD card to load images. However, the header size field at offset 0x16 is never validated, so a large enough header size value exceeds the buffer's bounds, overwrites memory past it, and lets execution be redirected to unsigned code.
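As an added illustration (not code from BrokenPit or the Camera app), the checked loader below shows the bounds validation whose absence the paragraph describes: the header size field is compared against both the destination buffer and the real file length before any copy. The field width (32-bit little-endian), the 64-byte destination buffer and the 48-byte sample file are constructed assumptions; the page only names the offset 0x16.

```c
#include <stdint.h>
#include <string.h>

/* Offset of the header-size field named in the write-up. The field width
 * (assumed here: 32-bit little-endian) and the 64-byte destination buffer
 * are constructed assumptions, not facts taken from the real app. */
#define PIT_HDR_SIZE_OFFSET 0x16
#define PIT_HDR_BUF_CAP     64
#define PIT_SAMPLE_LEN      48   /* constructed sample file length */

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hardened loader: the header-size field is validated against both the
 * destination capacity and the bytes actually present in the file before
 * anything is copied. An unchecked memcpy(out, file, hdr_size) is the
 * pattern that lets an oversized field run past the buffer. */
int load_pit_header(const uint8_t *file, size_t file_len,
                    uint8_t *out, size_t out_cap)
{
    if (file_len < PIT_HDR_SIZE_OFFSET + 4)
        return -1;                      /* truncated: field missing */
    uint32_t hdr_size = read_le32(file + PIT_HDR_SIZE_OFFSET);
    if (hdr_size > out_cap)
        return -2;                      /* would overflow destination */
    if (hdr_size > file_len)
        return -3;                      /* claims more than the file holds */
    memcpy(out, file, hdr_size);
    return 0;
}

/* Build a constructed pit.bin-like sample whose header-size field carries
 * `claimed`, then run it through the checked loader; returns its result. */
int check_claimed_size(uint32_t claimed)
{
    uint8_t file[PIT_SAMPLE_LEN] = {0};
    uint8_t out[PIT_HDR_BUF_CAP];
    file[PIT_HDR_SIZE_OFFSET + 0] = (uint8_t)(claimed);
    file[PIT_HDR_SIZE_OFFSET + 1] = (uint8_t)(claimed >> 8);
    file[PIT_HDR_SIZE_OFFSET + 2] = (uint8_t)(claimed >> 16);
    file[PIT_HDR_SIZE_OFFSET + 3] = (uint8_t)(claimed >> 24);
    return load_pit_header(file, sizeof file, out, sizeof out);
}
```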
- Any Nintendo DSi/3DS System on any System Firmware.
- Regions supported: USA, EUR, and JPN (Unsure about other regions).
- An SD Card (Any size).
- Download the "BrokenPitv0.zip" archive from the latest release and read the instructions from the `instructions.txt` file.
- Tap the "SD Card" option on the top right of your touch screen.
- Tap "Album".
- Q: What's the purpose of this exploit?
- A: To run simple unsigned custom code from the DSi Camera App and to understand the process of shutterbug2000's MemoryPit.
- Q: My DSi crashes when I attempt to trigger the exploit.
- A: You most likely have a different version of the DSi Camera Application, which changes the addresses used to run the payload. You can try shutterbug2000's MemoryPit or zoogie's edition to launch into the NDS-HBMenu.
- Q: How do I uninstall this exploit?
- A: Delete the `pit.bin` file from your SD Card, located at `private/ds/app/484E494A`.
- zoogie: Assisting me to locate and calculate the WRAM Address for the pointers
- shutterbug2000: Originally Exploited the DSi Camera System Applet (MemoryPit)
- DSiBrew.org: Documentation of the `pit.bin` file (https://dsibrew.org/wiki/Private/ds/app/484E94*/pit.bin)