Line 300: |
| |- | | |- |
| | Factory firmware is vulnerable to sighax | | | Factory firmware is vulnerable to sighax |
− | | During the 3DS's development, presumably boot9 was written (including the sighax) vulnerability. This vulnerability is also present in factory firmware (and earlier, including 0.11). This was fixed in version 1.0.0-0. | + | | During the 3DS's development, presumably boot9 was written (including the sighax vulnerability). This vulnerability is also present in factory firmware (and earlier, including 0.11). This was fixed in version 1.0.0-0. |
− | | Deducing the mechanics of the sighax vulnerability in boot9 without having boot9 prot. Arm9 code execution on factory/earlier firmware. | + | | Deducing the mechanics of the sighax vulnerability in boot9 without having a dump of protected boot9. ARM9 code execution on factory/earlier firmware. |
| | [[1.0.0-0|1.0.0-X]] | | | [[1.0.0-0|1.0.0-X]] |
| | [[1.0.0-0|1.0.0-X]] | | | [[1.0.0-0|1.0.0-X]] |
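Review bot: The sentence "This was fixed in version 1.0.0-0" in the + column leaves it unclear what was fixed, because the paragraph locates the bug in boot9 (the ARM9 boot ROM, which a system update cannot change, and which the next cell calls "protected boot9"). State explicitly that factory firmware carried its own copy of the flawed boot9 signature check and that 1.0.0-0 corrected that firmware copy, so the reader does not conclude boot9 itself was patched. Something like "Factory firmware (and earlier, including 0.11) carried the same flawed signature-checking code; the firmware copy was fixed in 1.0.0-0" would remove the ambiguity. The "Arm9" to "ARM9" and "boot9 prot." to "a dump of protected boot9" corrections are fine.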
Line 307: |
| | May 19, 2017 | | | May 19, 2017 |
| | [[User:SciresM|SciresM]], [[User:Myria|Myria]] | | | [[User:SciresM|SciresM]], [[User:Myria|Myria]] |
| + | |- |
| + | | twlhax: Corrupted SRL header leads to memory overwrite |
| + | | During TWL_FIRM boot, the ARM11 process TwlBg puts launcher.srl, the DSi bootloader, into FCRAM. TWL_FIRM Process9 then parses the [http://dsibrew.org/wiki/NDS_Format SRL header] to place launcher.srl's code where DSi mode can execute it. |
| + | |
| + | DSi-mode memory is in FCRAM, but interleaved. Each byte of DSi-mode memory also exists at some address in 3DS FCRAM space. |
| + | |
| + | Process9 does not validate the RSA signature on launcher.srl, unlike SRLs loaded from cartridge or NAND (DSiWare). A compromised ARM11 can, in a manner similar to firmlaunchhax, send a launcher.srl with a modified SRL header. By setting the SRL header's ARM7/ARM9 load addresses and sizes carefully, accounting for the different memory map and for DSi mode's interleaved memory, it is possible to overwrite part of Process9's stack and take control with a ROP chain. |
| + | |
| + | Fixed in 11.8.0-X by... (fill me in) |
| + | | ARM9 code execution (whilst still in 3DS mode) |
| + | | [[11.8.0-41|11.8.0-X]] |
| + | | [[11.8.0-41|11.8.0-X]] |
| + | | |
| + | | August 11, 2018 |
| + | | smea |
| |- | | |- |
| | safefirmhax | | | safefirmhax |
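Review bot: The new twlhax row ships an editing placeholder, "Fixed in 11.8.0-X by... (fill me in)", and the table cell between the two [[11.8.0-41|11.8.0-X]] cells and the "August 11, 2018" cell is empty; either fill in how 11.8.0 closed the hole or drop the "Fixed in ... by" sentence entirely, since the fixed-in version is already given in its own column and a half-sentence placeholder should not be saved into the page. The root-cause wording also deserves a second look: the paragraph attributes the flaw to Process9 not validating the RSA signature on launcher.srl, but the memory overwrite itself comes from Process9 placing the ARM7/ARM9 segments at whatever load addresses and sizes the SRL header supplies, without checking them against the DSi-mode regions, which is what lets the write land on Process9's stack. The missing signature check only gates whether a compromised ARM11 can hand over such a header at all. Suggest stating both, e.g. "Process9 neither verifies the RSA signature on launcher.srl nor bounds-checks the ARM7/ARM9 load addresses and sizes from its header", and, since the row says the result is ARM9 code execution "whilst still in 3DS mode", making clear that the interleaved-memory arithmetic is what maps a DSi-mode load address onto a 3DS-mode Process9 stack address.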