Line 140:
Line 140:
! Discovered by
! Discovered by
|-
|-
−
| [[Home Menu]] [[System_SaveData|NAND-savedata]] Launcher.dat icons
+
| [[Home Menu]] sdiconhax
+
| This is basically the same as nandiconhax, the vulnerable SD/NAND functions are ''identical'' minus the file-buffer offsets. Exploitation is different due to different heap-buffer location though. Unlike nandiconhax, the icon buffer for SD is located in linearmem. This is used by [[menuhax]].
+
| None
+
| [[11.0.0-33|11.0.0-X]]
+
| Maybe v3.0?
+
| July 27, 2016
+
| October 23, 2015
+
| [[User:Yellows8|Yellows8]]
+
|-
+
| [[Home Menu]] [[System_SaveData|NAND-savedata]] Launcher.dat icons (nandiconhax)
| The homemenu code processing the titleid list @ launcherdat+8 copies those titleIDs to another buffer, where the offset relative to that buffer is calculated using the corresponding s8/s16 entries. Those two values are not range checked at all. Hence, one can use this to write u64(s) with arbitrary values to before/after this allocated output buffer. See [[Home_Menu|here]] regarding Launcher.dat structure.
| The homemenu code processing the titleid list @ launcherdat+8 copies those titleIDs to another buffer, where the offset relative to that buffer is calculated using the corresponding s8/s16 entries. Those two values are not range checked at all. Hence, one can use this to write u64(s) with arbitrary values to before/after this allocated output buffer. See [[Home_Menu|here]] regarding Launcher.dat structure.
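Review bot: the new sdiconhax description relies on the nandiconhax row for its root cause ("This is basically the same as nandiconhax") but the row is inserted above the nandiconhax row, so the reference points forward and the new row never states the flaw itself. Either move the sdiconhax row below nandiconhax, or say in its description that the s8/s16 offset entries are not range checked, as the nandiconhax text does. In the same cell, "This is used by [[menuhax]]" directly follows the sentence about the icon buffer being in linearmem, so "This" reads as the buffer rather than the vulnerability; naming sdiconhax there would remove the ambiguity. The bare "None" cell and the "Maybe v3.0?" cell are also hard to interpret from the row alone; a short phrase saying what is absent and whether v3.0 was actually checked would help readers assessing which versions are affected.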