Changes

Jump to navigation Jump to search
734 bytes added ,  07:56, 1 February 2018
no edit summary
Line 426: Line 426:  
| [[DSiWare_Exports]] [[CTCert]] verification
 
| [[DSiWare_Exports]] [[CTCert]] verification
 
| Just like DSi originally did, 3DS verifies the APCert for DSiWare on SD with the CTCert also in the DSiWare .bin. On DSi this was fixed with with system-version 1.4.2 by verifying with the actual console-unique cert instead(stored in NAND), while on 3DS it's still not(?) fixed.
 
| Just like DSi originally did, 3DS verifies the APCert for DSiWare on SD with the CTCert also in the DSiWare .bin. On DSi this was fixed with with system-version 1.4.2 by verifying with the actual console-unique cert instead(stored in NAND), while on 3DS it's still not(?) fixed.
On 3DS however this is rather useless, due to the entire DSiWare .bin being encrypted with the console-unique movable.sed keyY.
+
On 3DS however this is useless, unless one can obtain the console-unique movable.sed keyY which encrypts the entire DSiWare .bin.
 
| When the movable.sed keyY for the target 3DS is known and the target 3DS CTCert private-key is unknown, importing of modified DSiWare SD .bin files.
 
| When the movable.sed keyY for the target 3DS is known and the target 3DS CTCert private-key is unknown, importing of modified DSiWare SD .bin files.
 
| Unknown, probably none.
 
| Unknown, probably none.
Line 433: Line 433:  
|  
 
|  
 
| [[User:Yellows8|Yellows8]]
 
| [[User:Yellows8|Yellows8]]
 +
|-
 +
| movable.sed keyY vulnerable to brute-force
 +
| Half of the movable.sed keyY's 128 bits are leaked through the LFCS, which is available in userland and below. The LFCS itself also leaks almost half of the remaining bits by following the ratio: u32 keyY[3]=1/5(LFCS). The remaining keyY[3] uncertainty of about ±2000 can be greatly reduced by plotting expected error margins with several keyYs. This results in a final uncertainty of about 2^40, easily within practical brute force range of an average modern PC.
 +
| Knowing the keyY of a given 3ds allows for modification of dsiware export contents, and chained with several other public vulns, ultimately arm9 execution.
 +
| None.
 +
| 11.6.0-X
 +
| December 2017
 +
| January 2018
 +
| zoogie
 
|-
 
|-
 
| [[Gamecard_Services_PXI]] unchecked REG_CTRCARDCNT transfer-size
 
| [[Gamecard_Services_PXI]] unchecked REG_CTRCARDCNT transfer-size
48

edits

Navigation menu