3dbrew

Changes

3DS System Flaws (edit)

Revision as of 21:37, 29 December 2015

911 bytes added ,  21:37, 29 December 2015
→‎Process9
Line 185: Line 185:  
| March 2015
 
| March 2015
 
|  
 
|  
 +
| [[User:Yellows8|Yellows8]]
 +
|-
 +
| [[AMPXI:ValidateDSiWareSectionMAC]] [[AES_Registers|AES]] keyslot reuse
 +
| When the input DSiWare section index is higher than <max number of DSiWare sections supported by this FIRM>, Process9 uses keyid 0x40 for calculating the AESMAC, which translates to keyslot 0x40. The result is that the keyslot is left at whatever was already selected before, since the AES selectkeyslot code will immediately  return when keyslot is >=0x40. However, actually exploiting this is difficult: the calculated AESMAC is never returned, this command just compares the calculated AESMAC with the input AESMAC(result-code depends on whether the AESMACs match). It's unknown whether a timing attack would work with this.
 +
This is basically a different form of the pxips9 keyslot vuln, except with AESMAC etc.
 +
| See description.
 +
| None
 +
| [[10.2.0-28|10.2.0-X]]
 +
| March 15, 2015
 +
| December 29, 2015
 
| [[User:Yellows8|Yellows8]]
 
| [[User:Yellows8|Yellows8]]
 
|-
 
|-
Retrieved from "https://www.3dbrew.org/wiki/Special:MobileDiff/15093"