Changes

672 bytes added ,  05:56, 29 September 2018
no edit summary
Line 524: Line 524:  
| Knowing the keyY of a given 3ds allows for modification of DSiWare export contents, and chained with several other public vulns, ultimately arm9 execution.
 
| Knowing the keyY of a given 3ds allows for modification of DSiWare export contents, and chained with several other public vulns, ultimately arm9 execution.
 
| None.
 
| None.
| 11.6.0-X
+
| 11.8.0-X
 
| December 2017
 
| December 2017
 
| January 2018
 
| January 2018
Line 533: Line 533:  
| This allows embedding older, exploitable DSiWare titles in completely different, unexploitable DSiWare titles. Since DSiWare has raw NAND RW, this can result in arm9 control through FIRM known-plaintext and sighax attacks.
 
| This allows embedding older, exploitable DSiWare titles in completely different, unexploitable DSiWare titles. Since DSiWare has raw NAND RW, this can result in arm9 control through FIRM known-plaintext and sighax attacks.
 
| None.
 
| None.
| 11.6.0-X
+
| 11.8.0-X
 
| 2015?
 
| 2015?
 
| December 2016
 
| December 2016
 
| Everyone
 
| Everyone
 +
|-
 +
| DSiWare import/export functions allow TWL system titles as arguments
 +
| AM ImportTwlBackup/ExportTwlBackup unnecessarily allow TWL system titles such as DS Download Play to import/export from userland (only am:sys is needed). This is difficult to abuse for dsihax injection because no TWL system title has a save file, and any import with a save included will result in FS err C8804464. However, there is at least one dsihax primary that can load a payload from a non-NAND source, and not error if it can't access its public.sav (JPN Flipnote Studio v0).
 +
| When combined with other public vulns, arm9 code execution.
 +
| None.
 +
| 11.8.0-X
 +
| May 2018
 +
| Sept 2018
 +
| zoogie
 
|-
 
|-
 
| [[Gamecard_Services_PXI]] unchecked REG_CTRCARDCNT transfer-size
 
| [[Gamecard_Services_PXI]] unchecked REG_CTRCARDCNT transfer-size
48

edits