3DS System Flaws: Difference between revisions
was going to wait until march-april, but N apparently confirmed to someone that there will be no more 3DS firmware updates ( https://nitter.net/RoseSilicon/status/1720635007788552396#m ) |
More RO stuff |
||
| (4 intermediate revisions by 2 users not shown) | |||
| Line 1,315: | Line 1,315: | ||
| | | | ||
| smea, [[User:Yellows8|Yellows8]]/others before then | | smea, [[User:Yellows8|Yellows8]]/others before then | ||
|- | |||
| [[GSP_Services|GSP]]: client management failures | |||
| Shared memory of GSP clients is all on the same page, this allows any GSP client to craft custom GX commands for other clients. Additionally, [[GSPGPU:TriggerCmdReqQueue]] does not check if the calling client has rendering rights. | |||
These two flaws can be used to craft DMA/Transfer Engine commands within a different GSP client to issue reads/writes to both physical (akin to gspwn) and virtual memory of said client. | |||
| Arbitrary RW from and into a client process. | |||
| None | |||
| [[11.17.0-50|11.17.0-50]] | |||
| May 2025 | |||
| May 2025 | |||
| [[User:kynex7510|kynex7510]], probably others | |||
|- | |||
| [[GSP_Services|GSP]]: unbound DMA | |||
| GSP doesn't really care what process handle is passed to [[GSPGPU:AcquireRight]]. Hence, it's possible to craft DMA commands to read/write within that process virtual address space. | |||
| Arbitrary RW within any process. | |||
| None | |||
| [[11.17.0-50|11.17.0-50]] | |||
| June 2025 | |||
| June 2025 | |||
| [[User:kynex7510|kynex7510]] | |||
|- | |- | ||
| rohax | | rohax | ||
| Line 1,326: | Line 1,346: | ||
| | | | ||
| smea, [[User:Plutooo|plutoo]] joint effort | | smea, [[User:Plutooo|plutoo]] joint effort | ||
|- | |||
| [[RO_Services|RO]]: custom CRO mapping into any process | |||
| RO stores pointers to previously loaded CRRs in internal state, however it doesn't keep track to which process they belong to. Thus pointers can be reused among different processes, and since CRR verification only happens on load this bypasses it. | |||
Granted a handle to the target process is available, the following strategy can be used to load a custom CRO into any process: | |||
* Map valid CRS, CRR into the current application, and initialize RO normally; | |||
* Write custom CRR, CRO into the target process at the same addresses (process handle can be used with GSP DMA capabilities for read/write operations, see above); | |||
* Load CRO into the target process using its handle. | |||
| Code execution in the target process. | |||
| None | |||
| [[11.17.0-50|11.17.0-50]] | |||
| June 2025 | |||
| June 2025 | |||
| [[User:kynex7510|kynex7510]] | |||
|- | |||
| [[RO_Services|RO]]: target process patching | |||
| A custom CRS file can be used to apply relocation patches anywhere in the target process, and since all pages are mapped as RW, this includes executable pages aswell. | |||
A possible exploitation strategy takes advantage of relocation type 2 (R_ARM_ABS32), where the payload data is encoded as a series of import patches, each encoding 4 bytes of data in the "addend" field. | |||
| Arbitrary write in the target process bypassing page protections, hence code execution. | |||
| None | |||
| [[11.17.0-50|11.17.0-50]] | |||
| June 2025 | |||
| July 2025 | |||
| [[User:kynex7510|kynex7510]] | |||
|- | |- | ||
| Region free | | Region free | ||
| Line 1,420: | Line 1,467: | ||
Wiki: November 20, 2023. | Wiki: November 20, 2023. | ||
| [[User:Riley|Riley]]} | | [[User:Riley|Riley]] | ||
|} | |||