Changes

5 bytes added ,  05:14, 21 August 2018
m
CFG_SYSPROT9 -> CFG9_SYSPROT9 to match CONFIG Registers page
Line 127: Line 127:  
|-
 
|-
 
| New3DS has same boot ROM as Old3DS
 
| New3DS has same boot ROM as Old3DS
| The New3DS has the exact same boot ROM as the Old3DS.  This means, among other things, that all the same boot ROM flaws are present.  Also, this meant that it is possible to boot Old3DS firmware on New3DS (see "CFG_SYSPROT9 bit1 not set by Kernel9").
+
| The New3DS has the exact same boot ROM as the Old3DS.  This means, among other things, that all the same boot ROM flaws are present.  Also, this meant that it is possible to boot Old3DS firmware on New3DS (see "CFG9_SYSPROT9 bit1 not set by Kernel9").
 
| None
 
| None
 
| New3DS
 
| New3DS
Line 598: Line 598:  
!  Discovered by
 
!  Discovered by
 
|-
 
|-
| [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]] bit1 not set by Kernel9
+
| [[CONFIG Registers#CFG9_SYSPROT9|CFG9_SYSPROT9]] bit1 not set by Kernel9
| Old versions of Kernel9 never set bit1 of [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]]. This leaves the [[OTP Registers|0x10012000]]-region unprotected (this region should be locked early during boot!). Since it's never locked, you can dump it once you get ARM9 code execution.
+
| Old versions of Kernel9 never set bit1 of [[CONFIG Registers#CFG9_SYSPROT9|CFG9_SYSPROT9]]. This leaves the [[OTP Registers|0x10012000]]-region unprotected (this region should be locked early during boot!). Since it's never locked, you can dump it once you get ARM9 code execution.
    
From [[3.0.0-5|3.0.0-X]] this was fixed by setting the bit in Kernel9 after poking some registers in that region. On New3DS arm9loader sets this bit instead of Kernel9, which is exploitable through a hardware + software vulnerability (see arm9loaderhax / description).
 
From [[3.0.0-5|3.0.0-X]] this was fixed by setting the bit in Kernel9 after poking some registers in that region. On New3DS arm9loader sets this bit instead of Kernel9, which is exploitable through a hardware + software vulnerability (see arm9loaderhax / description).
119

edits