Changes

225 bytes added, 06:33, 1 August 2018
→System flaws: Moved some Hardware flaws to a new Boot ROM section
Line 74: Line 74:  
| February 2015
 
| February 2015
 
| [[User:Yellows8|Yellows8]], [[User:Plutooo|plutoo]]
 
| [[User:Yellows8|Yellows8]], [[User:Plutooo|plutoo]]
βˆ’
|-
  βˆ’
| FIRM partitions known-plaintext
  βˆ’
| The [[Flash_Filesystem|FIRM partitions]] are encrypted with AES-CTR without a MAC. Since this works by XOR'ing data with a static (per-console in this case) keystream, one can deduce the keystream of a portion of each FIRM partition if they have the actual FIRM binary stored in it.
  βˆ’
  βˆ’
This can be paired with many exploits. For example, it allows minor FIRM downgrades (i.e. 10.4 to 9.6 or 9.5 to 9.4, but not 9.6 to 9.5).
  βˆ’
However it is most commonly used to install arbitrary FIRMs (usually boot9strap), thanks to sighax.
  βˆ’
  βˆ’
This can be somewhat addressed by having a FIRM header skip over previously used section offsets, but this would just air-gap newer FIRMs without fixing the core bug. This can also only be done a limited number of times due to the size of FIRM versus the size of the partitions.
  βˆ’
| None
  βˆ’
| New3DS
  βˆ’
|
  βˆ’
| Everyone
   
|-
 
|-
 
| RSA keyslots don't clear exponent when setting modulus
 
| RSA keyslots don't clear exponent when setting modulus
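Review bot: relocating the "FIRM partitions known-plaintext" row out of System flaws classifies the missing MAC on the AES-CTR FIRM partitions as a Boot ROM flaw, yet the row's description only discusses the partition encryption (static per-console keystream, no MAC) and never names any Boot ROM behaviour; add a sentence to the description stating why it belongs under Boot ROM, so readers do not mistake it for a Boot9 code bug. While the row is being moved, its empty "Timeframe this was discovered" cell (`|`) and the "i.e." in "minor FIRM downgrades (i.e. 10.4 to 9.6 ...)" (the pairs are examples, so "e.g.") could be fixed in the same edit.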
Line 99: Line 87:  
| March 2016
 
| March 2016
 
| [[User:Myria|Myria]]
 
| [[User:Myria|Myria]]
βˆ’
|-
  βˆ’
| Boot9 AES keyinit function issues
  βˆ’
| [[Bootloader|Boot9]] seems to have two bugs in the AES key-init function, see [[AES_Registers#AES_key-init|here]].
  βˆ’
| None
  βˆ’
| BootROM issue.
  βˆ’
| 2015
  βˆ’
| [[User:Yellows8|Yellows8]]
   
|-
 
|-
 
| [[CONFIG11_Registers#CFG11_GPUPROT|CFG11_GPUPROT]] allowing acccess to AXIWRAM/FCRAM-BASE-memregion
 
| [[CONFIG11_Registers#CFG11_GPUPROT|CFG11_GPUPROT]] allowing acccess to AXIWRAM/FCRAM-BASE-memregion
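Review bot: the trailing context line `| [[CONFIG11_Registers#CFG11_GPUPROT|CFG11_GPUPROT]] allowing acccess to AXIWRAM/FCRAM-BASE-memregion` has a typo ("acccess" for "access"); it is not part of this change, but since the row directly above it is being removed here, correcting it in the same edit would be cheap. The removed "Boot9 AES keyinit function issues" row is a clear Boot ROM item, so moving it is appropriate.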
Line 114: Line 95:  
| New3DS
 
| New3DS
 
| February 7, 2017
 
| February 7, 2017
 +
| [[User:Yellows8|Yellows8]]
 +
|}
 +
 +
== Boot ROM ==
 +
{| class="wikitable" border="1"
 +
!  Summary
 +
!  Description
 +
!  Fixed with hardware model/revision
 +
!  Newest hardware model/revision this flaw was checked for
 +
!  Timeframe this was discovered
 +
!  Discovered by
 +
|-
 +
| FIRM partitions known-plaintext
 +
| The [[Flash_Filesystem|FIRM partitions]] are encrypted with AES-CTR without a MAC. Since this works by XOR'ing data with a static (per-console in this case) keystream, one can deduce the keystream of a portion of each FIRM partition if they have the actual FIRM binary stored in it.
 +
 +
This can be paired with many exploits. For example, it allows minor FIRM downgrades (i.e. 10.4 to 9.6 or 9.5 to 9.4, but not 9.6 to 9.5).
 +
However it is most commonly used to install arbitrary FIRMs (usually boot9strap), thanks to sighax.
 +
 +
This can be somewhat addressed by having a FIRM header skip over previously used section offsets, but this would just air-gap newer FIRMs without fixing the core bug. This can also only be done a limited number of times due to the size of FIRM versus the size of the partitions.
 +
| None
 +
| New3DS
 +
|
 +
| Everyone
 +
|-
 +
| Boot9 AES keyinit function issues
 +
| [[Bootloader|Boot9]] seems to have two bugs in the AES key-init function, see [[AES_Registers#AES_key-init|here]].
 +
| None
 +
| BootROM issue.
 +
| 2015
 
| [[User:Yellows8|Yellows8]]
 
| [[User:Yellows8|Yellows8]]
 
|-
 
|-
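Review bot: the added `|}` closes the System flaws table immediately after the CFG11_GPUPROT row, and the Boot ROM table opened by `{| class="wikitable" border="1"` is not closed anywhere in this hunk; the trailing context `| [[User:Yellows8|Yellows8]]` followed by `|-` shows that every row that followed in the original now sits inside the new Boot ROM table. Confirm that those rows (not visible in this diff) are all Boot ROM flaws, otherwise the split point is wrong. Also, in the "Boot9 AES keyinit function issues" row the fourth cell, "BootROM issue.", lands under the "Newest hardware model/revision this flaw was checked for" header and answers a different question; now that the row lives in a Boot ROM section that text is redundant, so the cell should hold a hardware model/revision or be left blank.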