3DS System Flaws: Difference between revisions
Line 210: | Line 210: | ||
| None | | None | ||
| [[9.4.0-21]] | | [[9.4.0-21]] | ||
| | | | ||
|- | |- | ||
| | | rohax | ||
| Using gspwn, it is possible to overwrite a loaded [[CRO0]]/[[CRR0]] after its RSA-signature has been validated. Badly validated [[CRO0]] header leads to arbitrary read/write of memory in the ro-process. This gives code-execution in the ro module, who has access to [[SVC|syscalls]] 0x70-0x72, 0x7D. | | Using gspwn, it is possible to overwrite a loaded [[CRO0]]/[[CRR0]] after its RSA-signature has been validated. Badly validated [[CRO0]] header leads to arbitrary read/write of memory in the ro-process. This gives code-execution in the ro module, who has access to [[SVC|syscalls]] 0x70-0x72, 0x7D. | ||
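Review bot: the description cell in the row that gains the name "rohax" still reads "the ro module, who has access to [[SVC|syscalls]] 0x70-0x72, 0x7D"; since this row is being edited anyway, change "who" to "which" and add the missing article in "Badly validated [[CRO0]] header leads to" ("A badly validated ..."). The added name does not appear anywhere in the description text, so consider mentioning it there so that the label and the flaw it names are tied together for readers who search the page by name.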
Line 219: | Line 219: | ||
| [[9.3.0-21]] | | [[9.3.0-21]] | ||
| [[9.4.0-21]] | | [[9.4.0-21]] | ||
| | | | ||
|- | |- | ||
| 3DS [[System Settings]] DS profile string stack-smash | | 3DS [[System Settings]] DS profile string stack-smash |