11.0.0-33: Difference between revisions

Two functions were updated for calling a new function for exheader handling.

This new function at L_101cfc immediately returns when the input programID isn't a CTR title / Cubic Ninja (USA/EUR/JPN uniqueID). Otherwise it removes every service in the exheader service-access-control that matches a blacklist stored in pm-module. This blacklist contains two services: "http:C" and "soc:U".

This breaks QR-code ninjhax with the version available at the time of sysupdate release, since the QR-code build downloads the payload via HTTPC.

====ARM11-kernel====
57 functions were updated, 47 of these are the actual functions used for handling SVCs (see below). The lone function updated with v10.4 was updated with this version again.

3 new functions used for validating memory-management structures were added (they call kernelpanic() on failure). This is a new security feature for the kernel heaps. By adding a MAC to the kernel heap [[Memory Management#MemoryBlockHeader|memchunkhdr]], the kernel can detect when it is modified by an outside DMA device ([[3DS System Flaws|gspwn]]).

The MAC itself is a custom construction based on xor-rot-sub-mul, and is calculated as follows (pseudo-code):

  u32* crypto_state = (u32*) r4; // Safe kernel memory. This is actually the [[Memory Management#RegionDescriptor|RegionDescriptor]].
  u32* data_ptr = (u32*) lr; // Unsafe FCRAM pointer.
   
The function which initializes a memalloc heap had a major update (used for FCRAM memregions and the SlabHeap container). It generates a random MAC key based on svcGetSystemTick, like this:

  crypto_state[16/4] = 0 //This is actually the [[Memory Management#RegionDescriptor|RegionDescriptor]].
  crypto_state[20/4] = 0
  crypto_state[24/4] = 0
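The kind of check the two passages above describe (a keyed tag on the memchunkhdr, seeded at heap initialization and verified before the header is trusted), as an added example in C that is not the kernel's code: the header layout, the key words kept in the RegionDescriptor, the tick mixing and the toy xor-rot-sub-mul tag are all assumptions, since the real algorithm is not reproduced on this page.

```c
#include <stdint.h>
#include <stdbool.h>
/* Constructed stand-in for the kernel's memchunkhdr; field names are assumptions. */
typedef struct MemChunkHdr {
    struct MemChunkHdr *next;
    struct MemChunkHdr *prev;
    uint32_t size;
    uint32_t mac;   /* integrity tag covering the three fields above */
} MemChunkHdr;

/* Constructed stand-in for the key words kept in the RegionDescriptor. */
typedef struct { uint32_t key[3]; } RegionDescriptor;

static uint32_t rotl32(uint32_t v, unsigned r) { return (v << r) | (v >> (32 - r)); }

/* Key derivation: the kernel seeds from svcGetSystemTick; this mixing is an assumption. */
void region_init_mac_key(RegionDescriptor *rd, uint64_t tick) {
    rd->key[0] = (uint32_t)tick ^ 0x9E3779B9u;
    rd->key[1] = rotl32((uint32_t)(tick >> 32) + 0x7F4A7C15u, 13);
    rd->key[2] = (rd->key[0] * 0x85EBCA6Bu) | 1u;   /* odd, so the multiply stays a bijection */
}

/* Toy keyed xor-rot-sub-mul mix over the header words, excluding the mac field itself. */
uint32_t mac_compute(const RegionDescriptor *rd, const MemChunkHdr *h) {
    uint32_t words[3] = { (uint32_t)(uintptr_t)h->next, (uint32_t)(uintptr_t)h->prev, h->size };
    uint32_t state = rd->key[0];
    for (int i = 0; i < 3; i++) {
        state ^= words[i];
        state = rotl32(state, 7 + 5 * i);
        state -= rd->key[1];
        state *= rd->key[2];
    }
    return state;
}
void chunk_seal(const RegionDescriptor *rd, MemChunkHdr *h) { h->mac = mac_compute(rd, h); }

/* Where the kernel calls kernelpanic(), this just reports the mismatch. */
bool chunk_verify(const RegionDescriptor *rd, const MemChunkHdr *h) { return mac_compute(rd, h) == h->mac; }

/* Simulates an out-of-kernel write to a sealed header (what a DMA engine could do).
 * Returns 1 if the intact headers verified and the tampered one was rejected. */
int demo_detects_tamper(void) {
    RegionDescriptor rd;
    region_init_mac_key(&rd, 0x0123456789ABCDEFull);   /* constructed tick value */
    MemChunkHdr a = {0}, b = {0};
    a.next = &b; b.prev = &a; a.size = 0x1000; b.size = 0x2000;
    chunk_seal(&rd, &a); chunk_seal(&rd, &b);
    bool ok_before = chunk_verify(&rd, &a) && chunk_verify(&rd, &b);
    a.size = 0x10000000;   /* the header now claims a bogus size */
    return (ok_before && !chunk_verify(&rd, &a) && chunk_verify(&rd, &b)) ? 1 : 0;
}
```

Because the last round is a bijection of the xored-in size word, any change to a single header field is guaranteed to change the tag under the same key.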
|-
| svcGetHandleInfo
| The code which clears the variables that get written into the output 8-byte buffer was moved to before the code which checks the input type value (previously this was only executed for type 0x32107).
|-
| svcGetSystemInfo


====Process9====
Various data was moved around in the .data section (.data is 0x99C bytes smaller than before).

Before installing titles, including NATIVE_FIRM, AMPXI will now check the version of the title to install against a hard-coded list of (titleID, minimumVersionRequired) pairs. This applies to MSET, Home Menu, spider, ErrDisp, SKATER, NATIVE_FIRM, and every retail system module.