Line 381: |
Line 381: |
| | Wiki: August 5, 2018 | | | Wiki: August 5, 2018 |
| | [[User:Riley|Riley]] | | | [[User:Riley|Riley]] |
| + | |- |
| + | | FIRM launch doesn't check target FIRM version |
| + | | When executing a FIRM launch, Process9 doesn't validate that the target FIRM isn't an old version. This allows booting an exploitable FIRM from a newer FIRM, if you can get the exploitable FIRM installed. ([[11.0.0-33|11.0.0-X]] now prevents installing old versions of system titles, but this doesn't affect titles already installed.) |
| + | |
| + | This had a use after [[9.6.0-24|9.6.0-X]]: on a compromised 3DS running 9.2.0, you could install the 9.6.0 NATIVE_FIRM to FIRM0/FIRM1, but avoid putting it into the NATIVE_FIRM title. This would boot the 9.2.0 system software but with the 9.6.0 Process9 and Kernel11. With a user-mode exploit in a sufficiently-privileged application (e.g. mset), you could trigger a FIRM launch back to NATIVE_FIRM, which would load the 9.2.0 Process9 and Kernel11. |
| + | |
| + | 9.6.0's keyslots 0x15 and 0x16 are unknown to 9.2.0, so 9.2.0 would not clear them. You then could do firmlaunchhax against 9.2.0 to get ARM9 access with keyslots 0x15 and 0x16 set to their proper 9.6.0 values, allowing decrypting 9.6.0's encrypted titles. Once the New3DS keystore was dumped, this became moot. |
| + | | Decrypting 9.6.0 NCCH files without dumping New3DS keystore |
| + | | None (but now moot) |
| + | | [[9.6.0-24|9.6.0-X]] |
| + | | March 2015 |
| + | | August 12, 2018 |
| + | | [[User:Yellows8|Yellows8]], [[User:Myria|Myria]] |
| |- | | |- |
| | FAT FS code null-deref | | | FAT FS code null-deref |