Changes

765 bytes added, 03:22, 11 April 2017
safefirmhax 1.1 description
Line 251: Line 251:  
The fix for firmlaunch-hax was only applied to NATIVE_FIRM in [[9.5.0-22|9.5.0-X]], leaving SAFE_FIRM exploitable. With ARM11-kernel execution, one can trigger FIRM-launch in to SAFE_FIRM, do Kernel9 <=> Kernel11 sync, PXI sync and then repeat the original attack on SAFE_FIRM instead.
 
The fix for firmlaunch-hax was only applied to NATIVE_FIRM in [[9.5.0-22|9.5.0-X]], leaving SAFE_FIRM exploitable. With ARM11-kernel execution, one can trigger FIRM-launch in to SAFE_FIRM, do Kernel9 <=> Kernel11 sync, PXI sync and then repeat the original attack on SAFE_FIRM instead.
 
| ARM9 code execution
 
| ARM9 code execution
| [[11.3.0-36|11.3.0-X]] (?)
+
| [[11.3.0-36|11.3.0-X]]
 
|  
 
|  
 
| 2012-2013?
 
| 2012-2013?
 
| Wiki: January 2, 2017
 
| Wiki: January 2, 2017
 +
| Everyone
 +
|-
 +
| safefirmhax 1.1
 +
| Nintendo's original safefirmhax fix was flawed -- they added a global boolean that got set to true whenever a non-sysmodule title got launched (except for a hardcoded repair title id), and panic()'d if that boolean was true to prevent launching safefirm after hax was active. However, because the boolean was initially false after firmlaunch -- With ARM11-kernel execution, one could FIRM-launch into NATIVE_FIRM, and then immediately FIRM-launch again into SAFE_FIRM early in NATIVE_FIRM boot before the boolean got set to true to repeat the safehax attack.
 +
 +
This was fixed by adding additional CFG9_BOOTENV checks to firmlaunch code in 11.4.
 +
| ARM9 code execution
 +
| [[11.4.0-36|11.4.0-X]]
 +
|
 +
| safefirmhax fix
 +
| Wiki: April 10, 2017
 
| Everyone
 
| Everyone
 
|-
 
|-
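Review bot: in the added safefirmhax 1.1 description, the sentence "However, because the boolean was initially false after firmlaunch -- With ARM11-kernel execution, one could ..." leaves its "because" clause dangling. Suggest "However, the boolean was initially false after firmlaunch, so with ARM11-kernel execution one could FIRM-launch into NATIVE_FIRM ...". The new row's version link [[11.4.0-36|11.4.0-X]] carries the same -36 suffix as the [[11.3.0-36|11.3.0-X]] link in the row above, which looks copied, so confirm the target page name before saving. The cell "safefirmhax fix" also sits in the position where the row above has "2012-2013?". If that column is a timeframe, word it as one (for example, when the flaw was noticed relative to the fix). Finally, this edit drops the "(?)" from the 11.3.0-X cell of the existing safefirmhax row, and the edit summary only mentions the 1.1 description, so it is worth noting what confirmed that version.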