39
edits
Changes
Jump to navigation
Jump to search
rip twl_firm downgrade => cmd9fail
Line 347:
Line 347:
|
|
| ?
| ?
+|-
+| Anti-downgrade list did not include all system titles initially
+| The anti-downgrade list did not include legacy FIRMs until [[11.8.0-41|11.8.0-X]]. Therefore, legacy FIRMs could still be downgraded.
+| Downgrading legacy FIRMs; allowing to exploit bugs in older legacy FIRMs (of which at least one exists, see below).
+| [[11.8.0-33|11.8.0]]
+| [[11.8.0-33|11.8.0]]
+| ?
+| Wiki: August 5, 2018
+| Everyone
+|-
+| TWL_FIRM cmd-9 unchecked offset
+| In [[1.0.0-0|1.0.0-X]]'s TWL_FIRM, cmds 8 and 9 were not stubbed (whereas in the corresponding NATIVE_FIRM, they were).
+Command 8 does the Process9 initialisation for NTR carts if an NTR cart is inserted (NTR, not TWL, judged by chipid).
+
+Command 9 takes (u32 offset_read, u32 offset_write, u32 offset_read_end), and basically just copies (offset_read_end - offset_read) bytes starting at (offset_read) of [NTR cart header in arm9mem, NTR secure area in fcram, TWL secure area in fcram], to 0x18001000 + offset_write + offset_read.
+
+offset_write is not checked at all, thus this leads to ARM9 code execution as long as any NTR cart, including flashcarts that would normally be blocked by TWL_FIRM, is inserted.
+
+In [[2.0.0-2|2.0.0-X]] TWL_FIRM, those commands were stubbed out.
+| ARM9 code execution
+| [[2.0.0-2|2.0.0-X]]
+| [[2.0.0-2|2.0.0-X]]
+| January 2018
+| Wiki: August 5, 2018
+| [[User:Riley|Riley]]
|-
|-
| FAT FS code null-deref
| FAT FS code null-deref