Changes

225 bytes added, 05:33, 1 August 2018
→ System flaws: Moved some Hardware flaws to a new Boot ROM section
Line 74: Line 74:  
| February 2015
 
| February 2015
 
| [[User:Yellows8|Yellows8]], [[User:Plutooo|plutoo]]
 
| [[User:Yellows8|Yellows8]], [[User:Plutooo|plutoo]]
|-
  −
| FIRM partitions known-plaintext
  −
| The [[Flash_Filesystem|FIRM partitions]] are encrypted with AES-CTR without a MAC. Since this works by XOR'ing data with a static (per-console in this case) keystream, one can deduce the keystream of a portion of each FIRM partition if they have the actual FIRM binary stored in it.
  −
  −
This can be paired with many exploits. For example, it allows minor FIRM downgrades (i.e. 10.4 to 9.6 or 9.5 to 9.4, but not 9.6 to 9.5).
  −
However it is most commonly used to install arbitrary FIRMs (usually boot9strap), thanks to sighax.
  −
  −
This can be somewhat addressed by having a FIRM header skip over previously used section offsets, but this would just air-gap newer FIRMs without fixing the core bug. This can also only be done a limited number of times due to the size of FIRM versus the size of the partitions.
  −
| None
  −
| New3DS
  −
|
  −
| Everyone
   
|-
 
|-
 
| RSA keyslots don't clear exponent when setting modulus
 
| RSA keyslots don't clear exponent when setting modulus
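Review bot: the "FIRM partitions known-plaintext" row removed in this hunk leaves the System flaws table with nothing that explains where the AES-CTR-without-MAC issue now lives; the description cell itself attributes the flaw to the FIRM partition encryption design (a static per-console keystream XORed over the data, with no integrity check), not to any Boot9 behaviour, so if it is being reclassified as a Boot ROM flaw the description should say which boot ROM behaviour makes it one, the way the "Boot9 AES keyinit function issues" row does with its "BootROM issue." cell. Note also that the row's "Timeframe this was discovered" cell is empty and "Discovered by" reads "Everyone"; filling the timeframe (or marking it unknown) would keep the moved row consistent with the neighbouring "February 2015" / "March 2016" rows.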
Line 99: Line 87:  
| March 2016
 
| March 2016
 
| [[User:Myria|Myria]]
 
| [[User:Myria|Myria]]
|-
  −
| Boot9 AES keyinit function issues
  −
| [[Bootloader|Boot9]] seems to have two bugs in the AES key-init function, see [[AES_Registers#AES_key-init|here]].
  −
| None
  −
| BootROM issue.
  −
| 2015
  −
| [[User:Yellows8|Yellows8]]
   
|-
 
|-
 
| [[CONFIG11_Registers#CFG11_GPUPROT|CFG11_GPUPROT]] allowing acccess to AXIWRAM/FCRAM-BASE-memregion
 
| [[CONFIG11_Registers#CFG11_GPUPROT|CFG11_GPUPROT]] allowing acccess to AXIWRAM/FCRAM-BASE-memregion
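Review bot: the trailing context row that stays in the System flaws table, `[[CONFIG11_Registers#CFG11_GPUPROT|CFG11_GPUPROT]] allowing acccess to AXIWRAM/FCRAM-BASE-memregion`, carries a spelling error ("acccess") that this edit passes over; since the row is already being touched as context, correct it to "access" in the same edit rather than leaving the summary cell misspelled.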
Line 114: Line 95:  
| New3DS
 
| New3DS
 
| February 7, 2017
 
| February 7, 2017
 +
| [[User:Yellows8|Yellows8]]
 +
|}
 +
 +
== Boot ROM ==
 +
{| class="wikitable" border="1"
 +
!  Summary
 +
!  Description
 +
!  Fixed with hardware model/revision
 +
!  Newest hardware model/revision this flaw was checked for
 +
!  Timeframe this was discovered
 +
!  Discovered by
 +
|-
 +
| FIRM partitions known-plaintext
 +
| The [[Flash_Filesystem|FIRM partitions]] are encrypted with AES-CTR without a MAC. Since this works by XOR'ing data with a static (per-console in this case) keystream, one can deduce the keystream of a portion of each FIRM partition if they have the actual FIRM binary stored in it.
 +
 +
This can be paired with many exploits. For example, it allows minor FIRM downgrades (i.e. 10.4 to 9.6 or 9.5 to 9.4, but not 9.6 to 9.5).
 +
However it is most commonly used to install arbitrary FIRMs (usually boot9strap), thanks to sighax.
 +
 +
This can be somewhat addressed by having a FIRM header skip over previously used section offsets, but this would just air-gap newer FIRMs without fixing the core bug. This can also only be done a limited number of times due to the size of FIRM versus the size of the partitions.
 +
| None
 +
| New3DS
 +
|
 +
| Everyone
 +
|-
 +
| Boot9 AES keyinit function issues
 +
| [[Bootloader|Boot9]] seems to have two bugs in the AES key-init function, see [[AES_Registers#AES_key-init|here]].
 +
| None
 +
| BootROM issue.
 +
| 2015
 
| [[User:Yellows8|Yellows8]]
 
| [[User:Yellows8|Yellows8]]
 
|-
 
|-
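Review bot: in the new Boot ROM table the "Boot9 AES keyinit function issues" row puts the text "BootROM issue." in the "Newest hardware model/revision this flaw was checked for" column, which the header defines as a hardware model (the adjacent "FIRM partitions known-plaintext" row has "New3DS" there); move that phrase into the Description cell and put the model actually checked in the column, or leave the column empty if unknown. For the "FIRM partitions known-plaintext" row, the mitigation text only mentions having a FIRM header skip previously used section offsets; since the description already identifies the root cause as CTR mode without a MAC, the cell would be more useful to readers if it named the actual fix, authenticating the partition contents (a MAC or an authenticated-encryption mode) so that keystream reuse can no longer be turned into an arbitrary write, rather than only the offset-skipping workaround it already calls insufficient.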