Changes

99 bytes removed ,  05:41, 28 September 2016
The description still sucked. Lots of ambiguity with arm9loaderhax, OTP hash is relevant only to enhanced-arm9loaderhax and rearranging useless w/o the original arm9loaderhax flaw.
Line 99: Line 99:  
|-
 
|-
 
| Rearrangable keys in the NAND keystore
 
| Rearrangable keys in the NAND keystore
| Due to the keystore being encrypted with AES-ECB, one can rearrange blocks and still have the NAND keystore decrypt in a deterministic way. Combining this with the arm9loaderhax and uncleared hash keydata vulnerabilities, one can achieve arm9loaderhax without downgrading to a system version that exposes the OTP data, or using a hardware method. The NAND keystore must be encrypted with console-unique data; therefore, this is not achievable on Old 3DS or 2DS.
+
| Due to the keystore being encrypted with AES-ECB, one can rearrange blocks and still have the NAND keystore decrypt in a deterministic way.  
| arm9loaderhax achieveable with no extra hardware and without downgrading to a system version which exposes the OTP.
+
 
 +
Using 10.0 FIRM it is possible to rearrange keys such that ARM9 memory is executed. As such using existing ARM9 execution 10.0 FIRM can be written to NAND and a payload written to memory, with the payload to be executed post-K9L using an MCU reboot.
 +
| arm9loaderhax given existing ARM9 code execution
 
| None
 
| None
 
| [[11.1.0-34|11.1.0-X]]
 
| [[11.1.0-34|11.1.0-X]]
Line 142: Line 144:     
Due to FIRMs on both Old and New 3DS using the same RSA data, this can be exploited on Old3DS as well, but only if one already has the actual plaintext normalkey from New3DS NAND sector 0x96 offset-0 and has dumped the OTP area of the Old3DS.
 
Due to FIRMs on both Old and New 3DS using the same RSA data, this can be exploited on Old3DS as well, but only if one already has the actual plaintext normalkey from New3DS NAND sector 0x96 offset-0 and has dumped the OTP area of the Old3DS.
| Recovery of 6.x [[Savegames#6.0.0-11_Savegame_keyY|save key]]/7.x [[NCCH]] key
+
| Recovery of 6.x [[Savegames#6.0.0-11_Savegame_keyY|save key]]/7.x [[NCCH]] key, access to uncleared OTP hash keydata
 
| None
 
| None
 
| [[11.1.0-34|11.1.0-X]]
 
| [[11.1.0-34|11.1.0-X]]