3dbrew

Changes

3DS System Flaws (edit)

Revision as of 11:38, 30 December 2016

1,028 bytes added ,  11:38, 30 December 2016
no edit summary
Line 88: Line 88:     
== ARM9 software ==
 
== ARM9 software ==
 +
=== boot9 ===
 +
{| class="wikitable" border="1"
 +
!  Summary
 +
!  Description
 +
!  Fixed with hardware model/revision
 +
!  Newest hardware model/revision this flaw was checked for
 +
!  Timeframe this was discovered
 +
!  Discovered by
 +
|-
 +
| Incorrect padding check
 +
| The FIRM signature is using PKCS #1 padding, which mandates that the padding is all 0xFF bytes. This is not checked correctly, because it only checks whether none of the bytes in the padding are 0x00. This allows a signature to be crafted more easily (sighax)
 +
| N/A
 +
| New3DS
 +
| Summer 2015
 +
| derrek and/or nedwill
 +
|-
 +
| No bound checks inside of ASN.1 parser
 +
| The hash inside of the signature is stored in an ASN.1 structure. However the length fields are not bounds-checked, allowing one to point the header hash to the hash the 3DS calculated before verification. This and because of the aforementioned bug, you can brute-force a signature that will always work easily, as essentially only a few bytes need to be valid.
 +
| N/A
 +
| New3DS
 +
| Summer 2015
 +
| derrek and/or nedwill
 +
|}
 
=== arm9loader ===
 
=== arm9loader ===
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
Mtgxyz
3

edits

Retrieved from "https://www.3dbrew.org/wiki/Special:MobileDiff/19080"