Changes

Jump to navigation Jump to search
267 bytes added ,  00:37, 11 May 2016
Line 33: Line 33:     
3 new functions used for validation with memory management were added (kernelpanic() on failure). This is a new security feature for the kernel heaps. By adding a MAC to the kernel heap [[Memory_Management#MemoryBlockHeader|memchunkhdr]] they can detect when it is modified by an outside DMA device ([[3DS_System_Flaws|gspwn]]).
 
3 new functions used for validation with memory management were added (kernelpanic() on failure). This is a new security feature for the kernel heaps. By adding a MAC to the kernel heap [[Memory_Management#MemoryBlockHeader|memchunkhdr]] they can detect when it is modified by an outside DMA device ([[3DS_System_Flaws|gspwn]]).
  −
The function which initializes a memalloc heap had a major update (used for FCRAM memregions and the SlabHeap container). It is unknown precisely what this does, but presumably it generates a random MAC key based on svcGetSystemTick.
      
The MAC itself is custom based on xor-rot-sub-mul, and is calculated as follows (pseudo-code):
 
The MAC itself is custom based on xor-rot-sub-mul, and is calculated as follows (pseudo-code):
Line 58: Line 56:  
  if(data_ptr[5] != (r0 ^ r1)) {
 
  if(data_ptr[5] != (r0 ^ r1)) {
 
     kernel_panic()
 
     kernel_panic()
 +
}
 +
 +
The function which initializes a memalloc heap had a major update (used for FCRAM memregions and the SlabHeap container). It generates a random MAC key based on svcGetSystemTick, like this:
 +
 +
crypto_state[16/4] = 0
 +
crypto_state[20/4] = 0
 +
crypto_state[24/4] = 0
 +
crypto_state[28/4] = 0
 +
 +
u32* key = &crypto_state[16/4];
 +
 +
for(size_t i=0; i<0x40; i++) {
 +
    for(size_t j=0; j<4; j++) {
 +
        r0 = key[j] - GetSystemTick()
 +
        key[j] = r0 ^ ((r0 >>> 7) - (key[(i+j) % 4] >>> 17))
 +
    }
 
  }
 
  }
  

Navigation menu