3DS System Flaws: Difference between revisions

Line 192:

| plutoo, [[User:Yellows8|Yellows8]], maybe others(?)

|-

| [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]] bit1 not set by ~~Process9~~

| [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]] bit1 not set by Kernel9

| Old versions of ~~Process9~~ never set bit1 of [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]]. This leaves the [[OTP Registers|0x10012000]]-region unprotected (this region should be locked early during boot!). Since it's never locked, you can dump it once you get ARM9 code execution. ~~It is unknown what this region contains, but most likely per-console keys~~.

| Old versions of Kernel9 never set bit1 of [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]]. This leaves the [[OTP Registers|0x10012000]]-region unprotected (this region should be locked early during boot!). Since it's never locked, you can dump it once you get ARM9 code execution. See [[OTP Registers|here]] regarding the data stored there.

From [[3.0.0-5|3.0.0-5]] this was fixed by setting the bit in ~~Process9~~ after poking some registers in that region. On New3DS arm9loader sets this bit instead of ~~Process9~~.

From [[3.0.0-5|3.0.0-X]] this was fixed by setting the bit in Kernel9 after poking some registers in that region. On New3DS arm9loader sets this bit instead of Kernel9.

| Dumping of the [[OTP Registers|OTP]] area

| Dumping of ~~per-console keys, probably~~

| [[3.0.0-5|3.0.0-X]]

| [[3.0.0-5|3.0.0-5]]

|

| February 2015

@@ Line 192: / Line 192: @@
 | plutoo, [[User:Yellows8|Yellows8]], maybe others(?)
 |-
-| [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]] bit1 not set by Process9
+| [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]] bit1 not set by Kernel9
-| Old versions of Process9 never set bit1 of [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]]. This leaves the [[OTP Registers|0x10012000]]-region unprotected (this region should be locked early during boot!). Since it's never locked, you can dump it once you get ARM9 code execution. It is unknown what this region contains, but most likely per-console keys.
+| Old versions of Kernel9 never set bit1 of [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]]. This leaves the [[OTP Registers|0x10012000]]-region unprotected (this region should be locked early during boot!). Since it's never locked, you can dump it once you get ARM9 code execution. See [[OTP Registers|here]] regarding the data stored there.
-From [[3.0.0-5|3.0.0-5]] this was fixed by setting the bit in Process9 after poking some registers in that region. On New3DS arm9loader sets this bit instead of Process9.
+From [[3.0.0-5|3.0.0-X]] this was fixed by setting the bit in Kernel9 after poking some registers in that region. On New3DS arm9loader sets this bit instead of Kernel9.
+| Dumping of the [[OTP Registers|OTP]] area
-| Dumping of per-console keys, probably
+| [[3.0.0-5|3.0.0-X]]
-| [[3.0.0-5|3.0.0-5]]
 |
 | February 2015