869
edits
Changes
no edit summary
! Timeframe this was discovered
! Timeframe this was discovered
! Discovered by
! Discovered by
|-
| Missing verification-block for the 9.6 keys
| Starting with [[9.6.0-24|9.6.0-X]] a new set of NAND-based keys were introduced. However, they forgot to add a verification block to verify that the new key read from NAND is correct.
Thus, by writing an incorrect key to NAND you can make arm9loader decrypt ARM9 kernel as garbage and then jump to it.
This allows an hardware-based NAND-attack where you can boot into an older exploited firmware, fill all memory with NOP sleds/jump-instructions, and then reboot into executing garbage. By automating this process eventually (I approximated within 1-10 days) you'll find some garbage that jumps to your code.
This should give you very early ARM9 code execution (pre-ARM9 kernel). For example, you can dump RSA keyslots with this and calculate the 6.x [[Savegames#6.0.0-11_Savegame_keyY|save]], and 7.x [[NCCH]] keys.
| Recovery of 6.x [[Savegames#6.0.0-11_Savegame_keyY|save key]]/7.x [[NCCH]] key
| None
| [[9.6.0-24|9.6.0-X]]
| March, 2015
| plutoo
|-
|-
| Uncleared New3DS keyslot 0x11
| Uncleared New3DS keyslot 0x11