Changes

Jump to navigation Jump to search

3DS System Flaws (edit)

Revision as of 00:54, 30 March 2015

1,005 bytes added ,  00:54, 30 March 2015
no edit summary
Line 47: Line 47:  
!  Timeframe this was discovered
 
!  Timeframe this was discovered
 
!  Discovered by
 
!  Discovered by
 +
|-
 +
| Missing verification-block for the 9.6 keys
 +
| Starting with [[9.6.0-24|9.6.0-X]] a new set of NAND-based keys were introduced. However, they forgot to add a verification block to verify that the new key read from NAND is correct.
 +
 +
Thus, by writing an incorrect key to NAND you can make arm9loader decrypt ARM9 kernel as garbage and then jump to it.
 +
 +
This allows an hardware-based NAND-attack where you can boot into an older exploited firmware, fill all memory with NOP sleds/jump-instructions, and then reboot into executing garbage. By automating this process eventually (I approximated within 1-10 days) you'll find some garbage that jumps to your code.
 +
 +
This should give you very early ARM9 code execution (pre-ARM9 kernel). For example, you can dump RSA keyslots with this and calculate the 6.x [[Savegames#6.0.0-11_Savegame_keyY|save]], and 7.x [[NCCH]] keys.
 +
| Recovery of 6.x [[Savegames#6.0.0-11_Savegame_keyY|save key]]/7.x [[NCCH]] key
 +
| None
 +
| [[9.6.0-24|9.6.0-X]]
 +
| March, 2015
 +
| plutoo
 
|-
 
|-
 
| Uncleared New3DS keyslot 0x11
 
| Uncleared New3DS keyslot 0x11
Retrieved from "https://www.3dbrew.org/wiki/Special:MobileDiff/12163"

Navigation menu