Line 33:
Line 33:
3 new functions used for validation with memory management were added (kernelpanic() on failure). This is a new security feature for the kernel heaps. By adding a MAC to the kernel heap [[Memory_Management#MemoryBlockHeader|memchunkhdr]] they can detect when it is modified by an outside DMA device ([[3DS_System_Flaws|gspwn]]).
3 new functions used for validation with memory management were added (kernelpanic() on failure). This is a new security feature for the kernel heaps. By adding a MAC to the kernel heap [[Memory_Management#MemoryBlockHeader|memchunkhdr]] they can detect when it is modified by an outside DMA device ([[3DS_System_Flaws|gspwn]]).
−
−
The function which initializes a memalloc heap had a major update (used for FCRAM memregions and the SlabHeap container). It is unknown precisely what this does, but presumably it generates a random MAC key based on svcGetSystemTick.
The MAC itself is custom based on xor-rot-sub-mul, and is calculated as follows (pseudo-code):
The MAC itself is custom based on xor-rot-sub-mul, and is calculated as follows (pseudo-code):
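Review bot: the hedged sentence removed here ("It is unknown precisely what this does, but presumably it generates a random MAC key based on svcGetSystemTick") comes back in the second hunk as a flat statement of fact, with nothing on the page saying what new evidence justifies dropping the "presumably"; if the heap-init function has since been reverse engineered, say so in the new paragraph (a firmware version or a pointer to the disassembly is enough), otherwise keep the qualifier. The sentence "The MAC itself is custom based on xor-rot-sub-mul" is also the only place the operations are named, so it would be the natural place to state which rotate direction and which symbol the pseudo-code below uses for it.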
Line 58:
Line 56:
if(data_ptr[5] != (r0 ^ r1)) {
if(data_ptr[5] != (r0 ^ r1)) {
kernel_panic()
kernel_panic()
+
}
+
+
The function which initializes a memalloc heap had a major update (used for FCRAM memregions and the SlabHeap container). It generates a random MAC key based on svcGetSystemTick, like this:
+
+
crypto_state[16/4] = 0
+
crypto_state[20/4] = 0
+
crypto_state[24/4] = 0
+
crypto_state[28/4] = 0
+
+
u32* key = &crypto_state[16/4];
+
+
for(size_t i=0; i<0x40; i++) {
+
for(size_t j=0; j<4; j++) {
+
r0 = key[j] - GetSystemTick()
+
key[j] = r0 ^ ((r0 >>> 7) - (key[(i+j) % 4] >>> 17))
+
}
}
}
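Review bot: `>>>` in `key[j] = r0 ^ ((r0 >>> 7) - (key[(i+j) % 4] >>> 17))` is never defined; from the "xor-rot-sub-mul" description it is presumably rotate right, but in C and Java `>>>` is a logical shift, so state the intended meaning once above the block. The pseudo-code is also inconsistent with itself: `crypto_state[16/4] = 0` through `crypto_state[28/4] = 0` and `r0 = key[j] - GetSystemTick()` have no semicolons while `u32* key = &crypto_state[16/4];` does, and the tick function is `GetSystemTick()` in the code but `svcGetSystemTick` in the prose; pick one form for both. Finally, it is worth spelling out for readers that the four key words start from a fixed all-zero state and the only input mixed in is the tick counter, sampled 0x40 × 4 = 256 times, so the unpredictability of the MAC key rests entirely on the timing variance of those reads rather than on a hardware RNG.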