3DS System Flaws: Difference between revisions
! Timeframe this was discovered
! Discovered by
|-
| Missing verification block for the 9.6 keys
| Starting with [[9.6.0-24|9.6.0-X]] a new set of NAND-based keys was introduced. However, no verification block was added to check that the new key read from NAND is correct, so whatever key is stored there is trusted as-is.
Thus, by writing an incorrect key to NAND you can make arm9loader decrypt the ARM9 kernel into garbage and then jump to it.
This allows a hardware-based NAND attack: boot into an older exploited firmware, fill all of memory with NOP sleds/jump instructions, then reboot so that the garbage is executed. By automating this process (I approximated within 1-10 days) you will eventually find some garbage that jumps to your code.
This should give you very early ARM9 code execution (before the ARM9 kernel runs). For example, you can dump the RSA keyslots with this and calculate the 6.x [[Savegames#6.0.0-11_Savegame_keyY|save]] and 7.x [[NCCH]] keys.
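The following C program is an added illustration of the missing check, not code from 3dbrew, arm9loader or any firmware: it shows what a key verification block is (a known-answer block encrypted under the key and stored next to it), why a loader that skips the check happily decrypts the kernel into garbage with an attacker-written key, and how the check refuses such a key instead. The toy block cipher, the NAND record layout and the KNOWN_PLAINTEXT constant are hypothetical stand-ins for the AES keyslot engine and the real NAND key storage, chosen only so the example runs stand-alone.

```c
/* Added example: the key verification block that the loader above lacks.
 * The toy cipher, the NAND record layout and KNOWN_PLAINTEXT are hypothetical
 * stand-ins for the AES keyslot engine and the real NAND key storage. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 16

/* Hypothetical NAND key record: the key plus E(key, KNOWN_PLAINTEXT), written
 * by the same trusted party that wrote the key. */
struct nand_key_record {
    uint8_t key[BLOCK];
    uint8_t verify[BLOCK];
};

static const uint8_t KNOWN_PLAINTEXT[BLOCK] = "VERIFY-BLOCK-v1"; /* 15 chars + NUL */

static uint8_t rotl8(uint8_t v, unsigned n) { return (uint8_t)((v << n) | (v >> (8 - n))); }
static uint8_t rotr8(uint8_t v, unsigned n) { return (uint8_t)((v >> n) | (v << (8 - n))); }

/* Toy 128-bit block cipher (NOT secure): every key byte influences two output
 * bytes, so any change to the key changes the known-answer block. */
static void toy_encrypt(const uint8_t key[BLOCK], const uint8_t in[BLOCK], uint8_t out[BLOCK]) {
    for (int i = 0; i < BLOCK; i++)
        out[i] = rotl8((uint8_t)(in[i] ^ key[i]), 3) ^ key[(i + 5) % BLOCK];
}
static void toy_decrypt(const uint8_t key[BLOCK], const uint8_t in[BLOCK], uint8_t out[BLOCK]) {
    for (int i = 0; i < BLOCK; i++)
        out[i] = rotr8((uint8_t)(in[i] ^ key[(i + 5) % BLOCK]), 3) ^ key[i];
}

/* Constant-time comparison so the check itself leaks nothing about the key. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= a[i] ^ b[i];
    return d == 0;
}

/* Flawed behaviour: whatever sits in NAND goes straight into the keyslot. */
static void load_key_unverified(const struct nand_key_record *r, uint8_t key_out[BLOCK]) {
    memcpy(key_out, r->key, BLOCK);
}

/* The missing check: encrypt the known block with the candidate key and refuse
 * the key (and the boot) unless the stored verification block is reproduced. */
static bool load_key_verified(const struct nand_key_record *r, uint8_t key_out[BLOCK]) {
    uint8_t probe[BLOCK];
    toy_encrypt(r->key, KNOWN_PLAINTEXT, probe);
    if (!ct_equal(probe, r->verify, BLOCK)) {
        memset(key_out, 0, BLOCK);
        return false;
    }
    memcpy(key_out, r->key, BLOCK);
    return true;
}

struct demo_result {
    bool good_key_accepted;          /* correct record passes the check */
    bool bad_key_accepted_verified;  /* corrupted record passes the check? */
    bool bad_key_decrypts_to_garbage;/* what the unchecked loader would run */
};

/* Constructed scenario: a correct record, the same record with one key byte
 * corrupted in NAND, and a one-block "ARM9 kernel" encrypted under the real key. */
struct demo_result run_demo(void) {
    static const uint8_t real_key[BLOCK] = {0x6f,0x2a,0x91,0xc4,0x03,0x5e,0xb7,0x18,
                                            0xd2,0x4c,0xaa,0x07,0x39,0xe1,0x85,0xf0};
    static const uint8_t kernel_plain[BLOCK] = "ARM9 kernel img"; /* 15 chars + NUL */
    uint8_t kernel_ct[BLOCK], key[BLOCK], pt[BLOCK];
    struct nand_key_record good, bad;
    struct demo_result res;

    toy_encrypt(real_key, kernel_plain, kernel_ct);
    memcpy(good.key, real_key, BLOCK);
    toy_encrypt(real_key, KNOWN_PLAINTEXT, good.verify);
    bad = good;
    bad.key[7] ^= 0x40;                       /* attacker-written incorrect key */

    res.good_key_accepted = load_key_verified(&good, key);

    load_key_unverified(&bad, key);           /* flawed path: no check at all */
    toy_decrypt(key, kernel_ct, pt);          /* "kernel" is now garbage... */
    res.bad_key_decrypts_to_garbage = memcmp(pt, kernel_plain, BLOCK) != 0;

    res.bad_key_accepted_verified = load_key_verified(&bad, key); /* ...unless checked */
    return res;
}

int main(void) {
    struct demo_result r = run_demo();
    printf("good key accepted: %d\n", r.good_key_accepted);
    printf("bad key accepted with check: %d\n", r.bad_key_accepted_verified);
    printf("bad key decrypts kernel to garbage: %d\n", r.bad_key_decrypts_to_garbage);
    return 0;
}
```

The verification block only proves that the key in NAND is the one the writer intended, so it closes exactly the hole described above (booting garbage and brute-forcing a lucky jump); it does not by itself protect against an attacker who can also recompute the block, which is why such a block normally lives in storage the attacker cannot rewrite or is itself authenticated.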
| Recovery of 6.x [[Savegames#6.0.0-11_Savegame_keyY|save key]]/7.x [[NCCH]] key | |||
| None | |||
| [[9.6.0-24|9.6.0-X]] | |||
| March, 2015 | |||
| plutoo | |||
|-
| Uncleared New3DS keyslot 0x11