Changes

Jump to navigation Jump to search
472 bytes added ,  02:38, 28 September 2016
Undo revision 18311 by Shinyquagsire23 (talk) I don't agree, using AES ECB is an implementation vulnerability.
Line 97: Line 97:  
!  Public disclosure timeframe
 
!  Public disclosure timeframe
 
!  Discovered by
 
!  Discovered by
 +
|-
 +
| Rearrangable keys in the NAND keystore
 +
| Due to the keystore being encrypted with AES-ECB, one can rearrange blocks and still have the NAND keystore decrypt in a deterministic way. Combining this with the arm9loaderhax and uncleared hash keydata vulnerabilities, one can achieve arm9loaderhax without downgrading to a system version that exposes the OTP data, or using a hardware method. The NAND keystore must be encrypted with console-unique data; therefore, this is not achievable on Old 3DS or 2DS.
 +
| arm9loaderhax achieveable with no extra hardware and without downgrading to a system version which exposes the OTP.
 +
| None
 +
| [[11.1.0-34|11.1.0-X]]
 +
| Early 2016
 +
| 27 September 2016
 +
| Myria, [[User:Dark samus|dark_samus]]; mathieulh (independently); [[User:Plutooo|plutoo]] (independently) + others
 
|-
 
|-
 
| Uncleared OTP hash keydata in console-unique 0x11 key-generation
 
| Uncleared OTP hash keydata in console-unique 0x11 key-generation
Line 131: Line 140:     
This gives very early ARM9 code execution (pre-ARM9 kernel). As such, it is possible to dump RSA keyslots with this and calculate the 6.x [[Savegames#6.0.0-11_Savegame_keyY|save]], and 7.x [[NCCH]] keys. This cannot be used to recover keys initialized by arm9loader itself. This is due to it wiping the area used for its stack during NAND sector decryption and keyslot init.  
 
This gives very early ARM9 code execution (pre-ARM9 kernel). As such, it is possible to dump RSA keyslots with this and calculate the 6.x [[Savegames#6.0.0-11_Savegame_keyY|save]], and 7.x [[NCCH]] keys. This cannot be used to recover keys initialized by arm9loader itself. This is due to it wiping the area used for its stack during NAND sector decryption and keyslot init.  
  −
Using a 10.0 FIRM it is possible to execute ARM9 memory by rearranging the keys in the keystore, due to the nature of AES-ECB. As such the 10.0 FIRM can be written to NAND and a payload written to memory using existing ARM9 execution, with the payload to be executed post-K9L using an MCU reboot.
      
Due to FIRMs on both Old and New 3DS using the same RSA data, this can be exploited on Old3DS as well, but only if one already has the actual plaintext normalkey from New3DS NAND sector 0x96 offset-0 and has dumped the OTP area of the Old3DS.
 
Due to FIRMs on both Old and New 3DS using the same RSA data, this can be exploited on Old3DS as well, but only if one already has the actual plaintext normalkey from New3DS NAND sector 0x96 offset-0 and has dumped the OTP area of the Old3DS.
| Recovery of 6.x [[Savegames#6.0.0-11_Savegame_keyY|save key]]/7.x [[NCCH]] key, access to uncleared OTP hash keydata
+
| Recovery of 6.x [[Savegames#6.0.0-11_Savegame_keyY|save key]]/7.x [[NCCH]] key
 
| None
 
| None
 
| [[11.1.0-34|11.1.0-X]]
 
| [[11.1.0-34|11.1.0-X]]
1

edit

Navigation menu