Changes

1,351 bytes added ,  16:01, 5 August 2018
rip twl_firm downgrade => cmd9fail
Line 347: Line 347:  
|  
 
|  
 
| ?
 
| ?
 +
|-
 +
| Anti-downgrade list did not include all system titles initially
 +
| The anti-downgrade list did not include legacy FIRMs until [[11.8.0-41|11.8.0-X]]. Therefore, legacy FIRMs could still be downgraded.
 +
| Downgrading legacy FIRMs; allowing to exploit bugs in older legacy FIRMs (of which at least one exists, see below).
 +
| [[11.8.0-33|11.8.0]]
 +
| [[11.8.0-33|11.8.0]]
 +
| ?
 +
| Wiki: August 5, 2018
 +
| Everyone
 +
|-
 +
| TWL_FIRM cmd-9 unchecked offset
 +
| In [[1.0.0-0|1.0.0-X]]'s TWL_FIRM, cmds 8 and 9 were not stubbed (whereas in the corresponding NATIVE_FIRM, they were).
 +
Command 8 does the Process9 initialisation for NTR carts if an NTR cart is inserted (NTR, not TWL, judged by chipid).
 +
 +
Command 9 takes (u32 offset_read, u32 offset_write, u32 offset_read_end), and basically just copies (offset_read_end - offset_read) bytes starting at (offset_read) of [NTR cart header in arm9mem, NTR secure area in fcram, TWL secure area in fcram], to 0x18001000 + offset_write + offset_read.
 +
 +
offset_write is not checked at all, thus this leads to ARM9 code execution as long as any NTR cart, including flashcarts that would normally be blocked by TWL_FIRM, is inserted.
 +
 +
In [[2.0.0-2|2.0.0-X]] TWL_FIRM, those commands were stubbed out.
 +
| ARM9 code execution
 +
| [[2.0.0-2|2.0.0-X]]
 +
| [[2.0.0-2|2.0.0-X]]
 +
| January 2018
 +
| Wiki: August 5, 2018
 +
| [[User:Riley|Riley]]
 
|-
 
|-
 
| FAT FS code null-deref
 
| FAT FS code null-deref
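Review bot: The anti-downgrade row points at two different releases for the same fix: the description links [[11.8.0-41|11.8.0-X]] while the "Fixed in system version" and "last checked" cells link [[11.8.0-33|11.8.0]]; pick one link target so the row refers to a single release. The "timeframe discovered" cell in that row is still "?"; if the date is known it should be filled in, otherwise the placeholder is fine. Minor wording: "allowing to exploit bugs in older legacy FIRMs" reads better as "allowing exploitation of bugs in older legacy FIRMs". The cross-reference "see below" works only while the TWL_FIRM cmd-9 row stays directly beneath; naming the row ("see the TWL_FIRM cmd-9 entry") would survive future reordering.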