Changes

Jump to navigation Jump to search
34 bytes removed ,  15:18, 30 March 2015
no edit summary
Line 58: Line 58:  
Thus, by writing an incorrect key to NAND you can make arm9loader decrypt ARM9 kernel as garbage and then jump to it.
 
Thus, by writing an incorrect key to NAND you can make arm9loader decrypt ARM9 kernel as garbage and then jump to it.
   −
This allows an hardware-based NAND-attack where you can boot into an older exploited firmware, fill all memory with NOP sleds/jump-instructions, and then reboot into executing garbage. By automating this process eventually (I approximated within 1-10 days) you'll find some garbage that jumps to your code.
+
This allows an hardware-based NAND-attack where you can boot into an older exploited firmware, fill all memory with NOP sleds/jump-instructions, and then reboot into executing garbage. By automating this process eventually you'll find some garbage that jumps to your code.
    
This should give you very early ARM9 code execution (pre-ARM9 kernel). For example, you can dump RSA keyslots with this and calculate the 6.x [[Savegames#6.0.0-11_Savegame_keyY|save]], and 7.x [[NCCH]] keys.
 
This should give you very early ARM9 code execution (pre-ARM9 kernel). For example, you can dump RSA keyslots with this and calculate the 6.x [[Savegames#6.0.0-11_Savegame_keyY|save]], and 7.x [[NCCH]] keys.

Navigation menu