3DS System Flaws: Difference between revisions
safefirmhax 1.1 description
Line 251:
The fix for firmlaunch-hax was only applied to NATIVE_FIRM in [[9.5.0-22|9.5.0-X]], leaving SAFE_FIRM exploitable. With ARM11-kernel execution, one can trigger a FIRM-launch into SAFE_FIRM, do the Kernel9 <=> Kernel11 sync and the PXI sync, and then repeat the original attack against SAFE_FIRM instead.
| ARM9 code execution
| [[11.3.0-36|11.3.0-X]]
|
| 2012-2013?
| Wiki: January 2, 2017
| Everyone
|-
| safefirmhax 1.1
| Nintendo's original safefirmhax fix was flawed: the ARM9 firmlaunch code gained a global boolean that is set whenever a non-sysmodule title is launched (except for a hardcoded repair title ID), and a FIRM-launch into SAFE_FIRM panic()'d if that boolean was set, so that SAFE_FIRM could not be entered once hax was active. However, the boolean is a plain global, so it starts out false every time a FIRM boots. With ARM11-kernel execution one could therefore FIRM-launch into NATIVE_FIRM and then, early in NATIVE_FIRM boot, before any non-sysmodule title had set the boolean again, immediately FIRM-launch into SAFE_FIRM and repeat the safefirmhax attack.
This was fixed in 11.4 by adding additional CFG9_BOOTENV checks to the firmlaunch code (CFG9_BOOTENV records whether the running FIRM was cold-booted or reached via FIRM-launch, so unlike the boolean it is not reset by a fresh FIRM boot).
| ARM9 code execution
| [[11.4.0-36|11.4.0-X]]
|
| safefirmhax fix
| Wiki: April 10, 2017
| Everyone
|-
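The flag-reset logic behind safefirmhax 1.1, and why a CFG9_BOOTENV-based check closes it, modelled as a small C simulation of the ARM9 firmlaunch gate. This is an added example written for this page, not Nintendo's Process9 code: the `struct p9` state layout, the `firmlaunch_11_3`/`firmlaunch_11_4` gate functions, the placeholder repair title ID and the constructed user-title ID are all assumptions, and so is the exact policy the modelled 11.4 gate enforces (refuse a FIRM-launch into SAFE_FIRM once CFG9_BOOTENV is nonzero, i.e. once any FIRM-launch has already happened since cold boot); the page only states that additional CFG9_BOOTENV checks were added.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simulation of the ARM9 firmlaunch gate, the flawed 11.3 check beside a
 * modelled 11.4 check. Written for this page; not Nintendo's code. */
enum firm   { FIRM_NATIVE, FIRM_SAFE };
enum result { LAUNCH_OK = 0, LAUNCH_PANIC = 1 };

#define TID_HIGH_SYSMODULE 0x00040130u /* high word of every sysmodule title ID */
#define TID_HIGH_REPAIR    0x00040010u /* hypothetical: the page does not name */
#define TID_LOW_REPAIR     0x00000ABCu /*   the exempted repair title's ID     */
#define TID_HIGH_USER      0x00040000u /* constructed: the user title that     */
#define TID_LOW_USER       0x000D0000u /*   carries the ARM11-kernel exploit   */

struct p9 {
    bool     nonsys_launched; /* 11.3 flag: a Process9 global, zero whenever a FIRM starts */
    uint32_t cfg9_bootenv;    /* modelled CFG9_BOOTENV: 0 on cold boot, nonzero after a
                                 firmlaunch; assumed to keep that value until power-off */
};
typedef enum result (*firmlaunch_fn)(struct p9 *, enum firm);

static void cold_boot(struct p9 *s) {
    s->nonsys_launched = false;
    s->cfg9_bootenv = 0;
}

/* Title launch as the 11.3 fix sees it: anything that is neither a sysmodule
 * nor the repair title trips the flag. */
static void launch_title(struct p9 *s, uint32_t tid_high, uint32_t tid_low) {
    bool sysmodule = tid_high == TID_HIGH_SYSMODULE;
    bool repair = tid_high == TID_HIGH_REPAIR && tid_low == TID_LOW_REPAIR;
    if (!sysmodule && !repair)
        s->nonsys_launched = true;
}

/* Common to every firmlaunch that passes the gate: the new FIRM's Process9
 * starts with zeroed globals, but the hardware register keeps its state. */
static void do_firmlaunch(struct p9 *s, enum firm target) {
    (void)target;
    s->nonsys_launched = false;
    s->cfg9_bootenv = 1;
}

/* 11.3 gate: refuse SAFE_FIRM only while the software flag is set. */
static enum result firmlaunch_11_3(struct p9 *s, enum firm target) {
    if (target == FIRM_SAFE && s->nonsys_launched)
        return LAUNCH_PANIC;
    do_firmlaunch(s, target);
    return LAUNCH_OK;
}

/* 11.4 gate as modelled here: additionally refuse SAFE_FIRM unless this FIRM
 * was cold-booted (CFG9_BOOTENV == 0), so a freshly zeroed flag proves nothing. */
static enum result firmlaunch_11_4(struct p9 *s, enum firm target) {
    if (target == FIRM_SAFE && s->cfg9_bootenv != 0)
        return LAUNCH_PANIC;
    return firmlaunch_11_3(s, target);
}

/* Legitimate safe-mode entry: cold-booted NATIVE_FIRM, only sysmodules started. */
static enum result legit_safe_mode(firmlaunch_fn fl) {
    struct p9 s;
    cold_boot(&s);
    launch_title(&s, TID_HIGH_SYSMODULE, 0x00001702u);
    return fl(&s, FIRM_SAFE);
}

/* Original safefirmhax: exploit runs in a user title, then firmlaunch into SAFE_FIRM. */
static enum result attack_safefirmhax(firmlaunch_fn fl) {
    struct p9 s;
    cold_boot(&s);
    launch_title(&s, TID_HIGH_USER, TID_LOW_USER);
    return fl(&s, FIRM_SAFE);
}

/* safefirmhax 1.1: bounce through NATIVE_FIRM so the flag is freshly zeroed,
 * then firmlaunch into SAFE_FIRM before any non-sysmodule title sets it again. */
static enum result attack_safefirmhax_1_1(firmlaunch_fn fl) {
    struct p9 s;
    cold_boot(&s);
    launch_title(&s, TID_HIGH_USER, TID_LOW_USER);
    if (fl(&s, FIRM_NATIVE) != LAUNCH_OK)
        return LAUNCH_PANIC;
    return fl(&s, FIRM_SAFE); /* nothing launched in between */
}

int main(void) {
    firmlaunch_fn gates[] = { firmlaunch_11_3, firmlaunch_11_4 };
    const char *names[] = { "11.3", "11.4" };
    for (int i = 0; i < 2; i++)
        printf("%s: safefirmhax=%d safefirmhax1.1=%d legit=%d (0=ok,1=panic)\n", names[i],
               attack_safefirmhax(gates[i]), attack_safefirmhax_1_1(gates[i]),
               legit_safe_mode(gates[i]));
    return 0;
}
```

Under the 11.3 gate the plain safefirmhax sequence panics but the 1.1 sequence reaches SAFE_FIRM, because the NATIVE_FIRM hop zeroes the only state the gate consults; under the modelled 11.4 gate both attacks panic while the cold-boot safe-mode path still works, since the decision now rests on a register that the hop does not clear.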