3DS System Flaws: Difference between revisions

Myria (talk | contribs)
m Process9: Added "seedminer" label
Riley (talk | contribs)
rip twl_firm downgrade => cmd9fail
Line 347:
|  
|  
| ?
| ?
|-
| Anti-downgrade list did not include all system titles initially
| The anti-downgrade list did not include legacy FIRMs until [[11.8.0-41|11.8.0-X]]. Therefore, legacy FIRMs could still be downgraded.
| Downgrading legacy FIRMs, allowing exploitation of bugs in older legacy FIRMs (at least one such bug exists; see below).
| [[11.8.0-33|11.8.0]]
| [[11.8.0-33|11.8.0]]
| ?
| Wiki: August 5, 2018
| Everyone
|-
| TWL_FIRM cmd-9 unchecked offset
| In [[1.0.0-0|1.0.0-X]]'s TWL_FIRM, commands 8 and 9 were not stubbed (whereas in the corresponding NATIVE_FIRM, they were).
Command 8 performs the Process9 initialisation for NTR carts if an NTR cart is inserted (NTR rather than TWL, as judged by the chip ID).
Command 9 takes (u32 offset_read, u32 offset_write, u32 offset_read_end) and essentially just copies (offset_read_end - offset_read) bytes, starting at offset_read of [NTR cart header in arm9mem, NTR secure area in fcram, TWL secure area in fcram], to 0x18001000 + offset_write + offset_read.
offset_write is not checked at all, so this leads to ARM9 code execution as long as any NTR cart is inserted, including flashcarts that would normally be blocked by TWL_FIRM.
In [[2.0.0-2|2.0.0-X]] TWL_FIRM, those commands were stubbed out.
| ARM9 code execution
| [[2.0.0-2|2.0.0-X]]
| [[2.0.0-2|2.0.0-X]]
| January 2018
| Wiki: August 5, 2018
| [[User:Riley|Riley]]
|-
| FAT FS code null-deref
| FAT FS code null-deref
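As an added illustration of the unchecked cmd-9 destination in the TWL_FIRM row above (example code written for this page, not Nintendo's or any homebrew project's code): a model of the copy as the row describes it, beside the bounds check a hardened handler would need. The window size, source size and the two buffers are constructed assumptions; only the (offset_read, offset_write, offset_read_end) semantics and the 0x18001000 base come from the row.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the cmd-9 copy described in the row above; the
 * window base/size and the source buffer are illustrative assumptions. */
#define DST_BASE   0x18001000u
#define DST_SIZE   0x1000u            /* assumed size of the legitimate target */
#define SRC_SIZE   0x2000u            /* assumed size of the copied-from area */

static uint8_t dst_window[DST_SIZE];  /* stands in for memory at DST_BASE */
static uint8_t src_region[SRC_SIZE];  /* stands in for header/secure areas */

/* Destination as the original handler computed it: offset_write is never
 * validated, so nothing keeps the result inside [DST_BASE, DST_BASE+DST_SIZE). */
uint32_t cmd9_unchecked_dest(uint32_t offset_read, uint32_t offset_write)
{
    return DST_BASE + offset_write + offset_read;
}

/* The bounds check a hardened handler needs. Every step is guarded against
 * u32 wraparound, because a wrapped sum would pass a naive "end <= size" test. */
bool cmd9_check(uint32_t offset_read, uint32_t offset_write,
                uint32_t offset_read_end, uint32_t src_size, uint32_t dst_size)
{
    if (offset_read_end < offset_read) return false;   /* negative length */
    if (offset_read_end > src_size)    return false;   /* source out of range */
    uint32_t len = offset_read_end - offset_read;
    if (offset_write > UINT32_MAX - offset_read) return false;   /* wrap */
    uint32_t dst_off = offset_write + offset_read;
    if (dst_off > UINT32_MAX - len) return false;                /* wrap */
    return dst_off + len <= dst_size;                  /* destination in range */
}

/* Hardened handler: copies only when the whole transfer stays in the window.
 * Returns 0 on success, -1 when the request is rejected. */
int cmd9_hardened(uint32_t offset_read, uint32_t offset_write,
                  uint32_t offset_read_end)
{
    if (!cmd9_check(offset_read, offset_write, offset_read_end,
                    SRC_SIZE, DST_SIZE))
        return -1;
    memcpy(dst_window + offset_write + offset_read,
           src_region + offset_read, offset_read_end - offset_read);
    return 0;
}
```

cmd9_unchecked_dest shows why the 2.0.0-X fix stubbed the command outright: with no check on offset_write, the computed destination is whatever the cart supplies.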