3DS System Flaws: Difference between revisions
Older revision, edit summary: →Process9: Changed reference to firmlaunch-hax to be more searchable in the section about safefirmhax.
Newer revision, edit summary: ntrcardhax description
Line 216: | Line 216: | ||
|- | |- | ||
| ntrcardhax | | ntrcardhax | ||
| | | When reading the banner of a NTR title, Process9 relies on a hardware register to know when the banner was fully read. | ||
However that register is shared between the ARM9 and the ARM11. | |||
An attacker with k11 control can so make Process9 believe the banner continues forever and so trigger a buffer overflow. | |||
With a custom banner for a NTR flashcart, this leads to code execution in Process9. | |||
This was fixed by adding bound checks on the read data. | |||
| ARM9 code execution | | ARM9 code execution | ||
| 10.4.0-29 | | [[10.4.0-29|10.4.0-X]] | ||
| | | | ||
| March 2015 | | March 2015 |
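Review bot: the new description in the right column leaves the mechanism hard to verify: it says Process9 relies on "a hardware register" that is shared with the ARM11 but names neither the register nor the buffer that the over-long read overflows, and "adding bound checks on the read data" does not say what the check bounds against (the declared banner size or the destination buffer). Suggest naming the register and the overflowed buffer, since the row's "ARM9 code execution" rating rests on that overflow. Two wording fixes while at it: "a NTR title" should read "an NTR title", and "can so make Process9 believe the banner continues forever and so trigger a buffer overflow" reads better as "can therefore make Process9 believe the banner continues forever and trigger a buffer overflow".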