3dbrew

3DS System Flaws: Difference between revisions

← Older editNewer edit →
Line 44: Line 44:
!  Discovered by
!  Discovered by
|-
|-
| firmlaunch-haxx: FIRM header ToCToU
| firmlaunch-hax: FIRM header ToCToU
| This can't be exploited from ARM11 userland.
| This can't be exploited from ARM11 userland.
During [[FIRM]] launch, the only FIRM header the ARM9 uses at all is stored in FCRAM, this is 0x200-bytes(the actual used FIRM RSA signature is read to the Process9 stack however). The ARM9 doesn't expect "anything" besides the ARM9 to access this data.
During [[FIRM]] launch, the only FIRM header the ARM9 uses at all is stored in FCRAM, this is 0x200-bytes(the actual used FIRM RSA signature is read to the Process9 stack however). The ARM9 doesn't expect "anything" besides the ARM9 to access this data.
With [[9.5.0-22]] the address of this FIRM header was changed from a FCRAM address, to ARM9-only address 0x01fffc00.
| ARM9 code execution
| ARM9 code execution
| None
| [[9.5.0-22]]
| [[9.3.0-21|9.3.0-X]]
|
| 2012, 3 days after [[User:Yellows8|Yellows8]] started Process9 code RE.
| 2012, 3 days after [[User:Yellows8|Yellows8]] started Process9 code RE.
| [[User:Yellows8|Yellows8]]
| [[User:Yellows8|Yellows8]]
Retrieved from "https://www.3dbrew.org/wiki/3DS_System_Flaws"