Changes

171 bytes added ,  09:39, 6 April 2015
A note on usefulness of arm9loader hax
Line 60: Line 60:  
This allows an hardware-based NAND-attack where you can boot into an older exploited firmware, fill all memory with NOP sleds/jump-instructions, and then reboot into executing garbage. By automating this process eventually you'll find some garbage that jumps to your code.
 
This allows an hardware-based NAND-attack where you can boot into an older exploited firmware, fill all memory with NOP sleds/jump-instructions, and then reboot into executing garbage. By automating this process eventually you'll find some garbage that jumps to your code.
   −
This should give you very early ARM9 code execution (pre-ARM9 kernel). For example, you can dump RSA keyslots with this and calculate the 6.x [[Savegames#6.0.0-11_Savegame_keyY|save]], and 7.x [[NCCH]] keys.
+
This should give you very early ARM9 code execution (pre-ARM9 kernel). For example, you can dump RSA keyslots with this and calculate the 6.x [[Savegames#6.0.0-11_Savegame_keyY|save]], and 7.x [[NCCH]] keys. This cannot be used to recover keys initialized by arm9loader itself. This is due to it wiping the area used for its stack during NAND sector decryption and keyslot init.
 
| Recovery of 6.x [[Savegames#6.0.0-11_Savegame_keyY|save key]]/7.x [[NCCH]] key
 
| Recovery of 6.x [[Savegames#6.0.0-11_Savegame_keyY|save key]]/7.x [[NCCH]] key
 
| None
 
| None
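Review bot: In the two sentences added at line 60, "This cannot be used" and "due to it wiping" have unclear antecedents, and the limitation does not say which keys arm9loader initializes. Because the same paragraph and the table row just below still list recovery of the 6.x save key and 7.x NCCH key as the use, a reader cannot tell whether those are affected. Suggest naming the subject and merging the two sentences, for example "This attack cannot recover keys initialized by arm9loader itself, because arm9loader wipes the area used for its stack during NAND sector decryption and keyslot init", and stating or linking which keyslots that covers.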