3dbrew

3DS System Flaws: Difference between revisions

← Older editNewer edit →
APcert infoleak
Hardware: be more precise about the fault timing requirements
Line 24: Line 24:
The ARM9 bootrom does the following at reset:  reset vector branches to another instruction, then branches to bootrom+0x8000. Hence, there's no way to know for certain when exactly the ARM9 exception-vector data stored in memory gets initialized.
The ARM9 bootrom does the following at reset:  reset vector branches to another instruction, then branches to bootrom+0x8000. Hence, there's no way to know for certain when exactly the ARM9 exception-vector data stored in memory gets initialized.


This requires *very* *precise* timing for triggering the hardware fault.
The vulnerable timing range is about 100 CPU cycles after they start (which happens after the PLLs have stabilized after power-up). A glitch needs to be injected during one of these 100 cycles for the attack to succeed.


It has been exploited by derrek to dump the ARM9 bootrom as of Summer 2015.
It has been exploited by derrek to dump the ARM9 bootrom as of Summer 2015.
Retrieved from "https://www.3dbrew.org/wiki/3DS_System_Flaws"