|
|
Line 88: |
Line 88: |
|
| |
|
| == ARM9 software == | | == ARM9 software == |
| === boot9 ===
| |
| {| class="wikitable" border="1"
| |
| ! Summary
| |
| ! Description
| |
| ! Fixed with hardware model/revision
| |
| ! Newest hardware model/revision this flaw was checked for
| |
| ! Timeframe this was discovered
| |
| ! Discovered by
| |
| |-
| |
| | Incorrect padding check
| |
| | The signature has a flag byte that determines whether the padding should be checked. This makes you able to bruteforce the padding very easily, as only the flag byte has to be zero.
| |
| | N/A
| |
| | New3DS
| |
| | Summer 2015
| |
| | derrek
| |
| |-
| |
| | No bound checks inside of ASN.1 parser
| |
| | The hash inside of the signature is stored in an ASN.1 structure. However the length fields are not bounds-checked, allowing one to point the header hash to the hash the 3DS calculated before verification. This and because of the aforementioned bug, you can brute-force a signature that will always work easily, as essentially only a few bytes need to be valid.
| |
| | N/A
| |
| | New3DS
| |
| | Summer 2015
| |
| | derrek
| |
| |}
| |
|
| |
|
| === arm9loader === | | === arm9loader === |
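Review bot: In the Description cell of the "No bound checks inside of ASN.1 parser" row, "This and because of the aforementioned bug" depends on row order and reads awkwardly. Name the flaw it relies on instead, for example "Combined with the incorrect padding check above, ...", so the row still makes sense if the table is reordered or another entry is inserted between them. That cell also ends with "essentially only a few bytes need to be valid" without saying which bytes, while the first row says "only the flag byte has to be zero". Stating which fields are still checked would make the two rows consistent. Neither row says which signature boot9 is verifying at this point, and one clause identifying it would help a reader who lands on this table directly. Minor: pick one spelling of "bruteforce" / "brute-force" across both rows.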