3DS System Flaws: Difference between revisions

Old revision: Kynex7510, edit summary "GSP behaviour"
New revision: Kynex7510, minor edit, no edit summary
Line 1,317: Line 1,317:
|-
|-
| [[GSP_Services|GSP]] client management failures
| [[GSP_Services|GSP]] client management failures
| Shared memory of GSP clients is all on the same page, this allows any GSP client to craft custom GX commands for other clients.
| Shared memory of GSP clients is all on the same page, this allows any GSP client to craft custom GX commands for other clients. Additionally, [[GSPGPU:TriggerCmdReqQueue]] does not check if the calling client has rendering rights.


When a process with memtype != APPLICATION acquires rights, the FCRAM cutoff is increased to 0x26800000 (O3DS) / 0x2D000000 (N3DS). Meanwhile, [[GSPGPU:TriggerCmdReqQueue]] does not check if the calling client has rendering rights. This allows any process to access most of the SYSTEM region by crafting DMA commands for the [[Home Menu]] (a non-APPLICATION process which is always a client of GSP) and jumping to it so that GSP updates the cutoff, while triggering queue processing from a separate thread.
These two flaws can be used to craft DMA/Transfer Engine commands within a different GSP client to issue reads/writes to both physical (akin to gspwn) and virtual memory of said client.
| Access to most of the SYSTEM memory region.
| Arbitrary RW from and into a client process.
| None
| None
| [[11.17.0-50|11.17.0-50]]
| [[11.17.0-50|11.17.0-50]]
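Review bot: the rewritten description drops the concrete trigger that the old text gave, namely that a process with memtype != APPLICATION acquiring rendering rights raises the FCRAM cutoff to 0x26800000 (O3DS) / 0x2D000000 (N3DS), and that exploitation relies on jumping to the Home Menu so GSP updates the cutoff while TriggerCmdReqQueue is invoked from a separate thread; the impact cell changes accordingly from "Access to most of the SYSTEM memory region" to "Arbitrary RW from and into a client process". These two impacts are not equivalent: the new one is about reaching another client's memory, the old one about reaching SYSTEM-region physical memory beyond the caller's own cutoff. If the SYSTEM-region claim was withdrawn because it turned out to be inaccurate, state that in the edit summary; otherwise keep a sentence noting that the effective cutoff follows the memtype of the current rights holder, and list both impacts, so the table does not silently lose the physical-memory reach that "akin to gspwn" alludes to.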