3DS System Flaws: Difference between revisions
| Line 570: | Line 570: | ||
! Timeframe this was added to wiki | ! Timeframe this was added to wiki | ||
! Discovered by | ! Discovered by | ||
|- | |||
| [[NIM_Services|NIM]]: Downloading old title-versions from eShop | |||
| Multiple NIM service commands(such as [[NIMS:StartDownload]]) use a title-version value specified by the user-process, NIM does not validate that this input version matches the latest version available via SOAP. Therefore, when combined with AM(PXI) [[#Process9|title-downgrading]] via deleting the target eShop title with System Settings Data Management(if the title was already installed), this allows downloading+installing any title-version from eShop ''if'' it's still available from CDN. | |||
The easiest way to exploit this is to just patch the eShop system-application code using these NIM commands(ideally the code which loads the title-version). | |||
Originally this was tested with a debugging-system via modded-FIRM, eventually smea implemented it in HANS for the 32c3 release. | |||
| Downloading old title-versions from eShop | |||
| None | |||
| [[10.0.0-27|10.0.0-X]] | |||
| October 24, 2015 (Unknown when exactly the first eShop title downgrade was actually tested, maybe November) | |||
| January 7, 2015 (Same day Ironfall v1.0 was removed from CDN via the main-CXI files) | |||
| [[User:Yellows8|Yellows8]] | |||
|- | |- | ||
| [[SPI_Services|SPI]] service out-of-bounds write | | [[SPI_Services|SPI]] service out-of-bounds write | ||
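Review bot: the two timeframe cells of the new NIM row contradict each other: the discovery cell reads "October 24, 2015 (Unknown when exactly the first eShop title downgrade was actually tested, maybe November)" while the added-to-wiki cell reads "January 7, 2015", a date that precedes both the stated discovery and the 32c3 HANS release the description refers to, so the year in the added-to-wiki cell is most likely a typo and should be re-checked against the page history before this row is kept. As a secondary style point, the description runs words into their parentheses ("commands(such as", "Management(if the title") and uses "downloading+installing"; the rest of the table spaces these out, so the row should follow the same convention.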