Changes

Jump to navigation Jump to search
23 bytes removed ,  05:29, 19 January 2016
m
→‎Kernel9: Better wording.
Line 360: Line 360:  
From [[3.0.0-5|3.0.0-X]] this was fixed by setting the bit in Kernel9 after poking some registers in that region. On New3DS arm9loader sets this bit instead of Kernel9.
 
From [[3.0.0-5|3.0.0-X]] this was fixed by setting the bit in Kernel9 after poking some registers in that region. On New3DS arm9loader sets this bit instead of Kernel9.
   −
This flaw resurged when it gained a new practical use for retrieving the OTP data for a New3DS console, in order to generate the keydata used in arm9loader. This was performed by downgrading to a vulnerable system version and installing the relevant Old3DS firmware to NAND. By accounting for differences in CTR-NAND crypto (see partition encryption types [[Flash_Filesystem#NAND_structure|here]]) it is possible to boot a New3DS in this state, and retrieve the required OTP data.
+
This flaw resurged when it gained a new practical use: retrieving the OTP data for a New3DS console in order to decrypt the key data used in arm9loader. This was performed by downgrading to a vulnerable system version. By accounting for differences in CTR-NAND crypto (see partition encryption types [[Flash_Filesystem#NAND_structure|here]]), it is possible to boot a New3DS using Old3DS firmware 1.0-2.x, and retrieve the required OTP data using this flaw.
 
| Dumping of the [[OTP Registers|OTP]] area
 
| Dumping of the [[OTP Registers|OTP]] area
 
| [[3.0.0-5|3.0.0-X]]
 
| [[3.0.0-5|3.0.0-X]]
119

edits

Navigation menu