3DS System Flaws: Difference between revisions
No edit summary |
WulfyStylez (talk | contribs) A note on usefulness of arm9loader hax |
||
| Line 60: | Line 60: | ||
This allows an hardware-based NAND-attack where you can boot into an older exploited firmware, fill all memory with NOP sleds/jump-instructions, and then reboot into executing garbage. By automating this process eventually you'll find some garbage that jumps to your code. | This allows an hardware-based NAND-attack where you can boot into an older exploited firmware, fill all memory with NOP sleds/jump-instructions, and then reboot into executing garbage. By automating this process eventually you'll find some garbage that jumps to your code. | ||
This should give you very early ARM9 code execution (pre-ARM9 kernel). For example, you can dump RSA keyslots with this and calculate the 6.x [[Savegames#6.0.0-11_Savegame_keyY|save]], and 7.x [[NCCH]] keys. | This should give you very early ARM9 code execution (pre-ARM9 kernel). For example, you can dump RSA keyslots with this and calculate the 6.x [[Savegames#6.0.0-11_Savegame_keyY|save]], and 7.x [[NCCH]] keys. This cannot be used to recover keys initialized by arm9loader itself. This is due to it wiping the area used for its stack during NAND sector decryption and keyslot init. | ||
| Recovery of 6.x [[Savegames#6.0.0-11_Savegame_keyY|save key]]/7.x [[NCCH]] key | | Recovery of 6.x [[Savegames#6.0.0-11_Savegame_keyY|save key]]/7.x [[NCCH]] key | ||
| None | | None | ||