869
edits
Changes
Jump to navigation
Jump to search
Line 33:
Line 33: − − The function which initializes a memalloc heap had a major update (used for FCRAM memregions and the SlabHeap container). It is unknown precisely what this does, but presumably it generates a random MAC key based on svcGetSystemTick. Line 58:
Line 56: + + + + + + + + + + + + + + + +
→ARM11-kernel
3 new functions used for validation with memory management were added (kernelpanic() on failure). This is a new security feature for the kernel heaps. By adding a MAC to the kernel heap [[Memory_Management#MemoryBlockHeader|memchunkhdr]] they can detect when it is modified by an outside DMA device ([[3DS_System_Flaws|gspwn]]).
3 new functions used for validation with memory management were added (kernelpanic() on failure). This is a new security feature for the kernel heaps. By adding a MAC to the kernel heap [[Memory_Management#MemoryBlockHeader|memchunkhdr]] they can detect when it is modified by an outside DMA device ([[3DS_System_Flaws|gspwn]]).
The MAC itself is custom based on xor-rot-sub-mul, and is calculated as follows (pseudo-code):
The MAC itself is custom based on xor-rot-sub-mul, and is calculated as follows (pseudo-code):
if(data_ptr[5] != (r0 ^ r1)) {
if(data_ptr[5] != (r0 ^ r1)) {
kernel_panic()
kernel_panic()
}
The function which initializes a memalloc heap had a major update (used for FCRAM memregions and the SlabHeap container). It generates a random MAC key based on svcGetSystemTick, like this:
crypto_state[16/4] = 0
crypto_state[20/4] = 0
crypto_state[24/4] = 0
crypto_state[28/4] = 0
u32* key = &crypto_state[16/4];
for(size_t i=0; i<0x40; i++) {
for(size_t j=0; j<4; j++) {
r0 = key[j] - GetSystemTick()
key[j] = r0 ^ ((r0 >>> 7) - (key[(i+j) % 4] >>> 17))
}
}
}