Changes

867 bytes added ,  22:55, 8 March 2016
memchunkhax2 status clarification
Line 1: Line 1:  
The Old3DS+New3DS 10.4.0-29 system update was released on January 18, 2016. This Old3DS update was released for the following regions: USA, EUR, JPN, CHN, KOR, and TWN. This New3DS update was released for the following regions: USA, EUR, JPN, CHN, and KOR.
 
The Old3DS+New3DS 10.4.0-29 system update was released on January 18, 2016. This Old3DS update was released for the following regions: USA, EUR, JPN, CHN, KOR, and TWN. This New3DS update was released for the following regions: USA, EUR, JPN, CHN, and KOR.
   −
Security flaws fixed: <fill this in manually later, see the updatedetails page from the ninupdates-report page(s) once available for now>.
+
Security flaws fixed: yes, see below.
    
Old3DS/New3DS browserhax and menuhax were not fixed(the Old3DS browser wasn't even updated).
 
Old3DS/New3DS browserhax and menuhax were not fixed(the Old3DS browser wasn't even updated).
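Review bot: "Security flaws fixed: yes, see below." replaces the fill-in placeholder with a pointer instead of a summary, so a reader of the top section still has to scan the whole page to learn which flaws this update touched; a one-line enumeration of the items that follow (the partial memchunkhax2 fix in NATIVE_FIRM, the NTRCARD read-loop bounds check in Process9, the IronFall version check in NS and Home Menu) would make this line self-contained. Minor: "not fixed(the Old3DS browser" needs a space before the parenthesis.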
Line 12: Line 12:     
===NATIVE_FIRM===
 
===NATIVE_FIRM===
[[3DS_System_Flaws#Kernel11|memchunkhax2]] was fixed by reading the [[MemoryBlockHeader]] next pointer before it is mapped to userland. Only ''one'' function was changed in arm11kernel.
+
[[3DS_System_Flaws#Kernel11|memchunkhax2]] was partially fixed by reading the [[MemoryBlockHeader]] next pointer before it is mapped to userland, but it can still be exploited using GPU. Only ''one'' function was changed in arm11kernel.
    
The only updated FIRM sysmodules were fs and loader, for fs only a version-field in .code was updated used with a debug NOP-instruction.
 
The only updated FIRM sysmodules were fs and loader, for fs only a version-field in .code was updated used with a debug NOP-instruction.
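Review bot: the changed sentence states that memchunkhax2 "can still be exploited using GPU" but gives no link or reference for that path, while the flaw itself is linked to [[3DS_System_Flaws#Kernel11]]; link the GPU variant there (the ARM11 notes on this page already mention gspwn in connection with physmem .text) or say explicitly that the kernel-side next-pointer read only covers the userland mapping path. "Only ''one'' function was changed in arm11kernel" now directly follows "partially fixed", which reads as if that one function is the complete fix; rewording it as "the partial mitigation consists of a change to only one arm11kernel function" keeps the two statements consistent.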
Line 37: Line 37:     
This is an attempt at randomizing the layout of physmem .text, due to gspwn.
 
This is an attempt at randomizing the layout of physmem .text, due to gspwn.
 +
 +
====ARM9====
 +
There were no New3DS-only changes in Process9, the arm9loader wasn't changed either.
 +
 +
There were exactly 4 updated functions in Process9, all of these involve NTRCARD:
 +
* The first two functions had code added which clears a certain state field to 0 around the beginning of the function.
 +
* The third function now passes value 0x1000 as inr2 when calling the fourth function.
 +
* The fourth and last function, this is the function used for reading the card header. A buffer-overflow check was added in the NTRCARD reading loop: "if(out_bufpos >= inr2)<skip over copying the word to output>".
    
===NS===
 
===NS===
NS added [[APT:IsTitleAllowed|a new APT command]] used by Home Menu which now checks whether IronFall is on the latest version before launching; if it is on an exploitable version and the function is called to launch IronFall the system will reboot. This check is done again before launching the title, throwing an error if it fails.
+
NS added [[APT:IsTitleAllowed|a new APT command]] used by Home Menu which now checks whether IronFall is on the latest version before launching; if it is on an exploitable version and the function is called to launch IronFall the system will refuse to launch the title(it's unknown what exactly caused a "reboot" here). This check is done again before launching the title, throwing an error if it fails.
    
All [[NS]] code changes:
 
All [[NS]] code changes:
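Review bot: the bounds check "if(out_bufpos >= inr2)<skip over copying the word to output>" in the fourth Process9 function does not say in which unit out_bufpos is compared against inr2 (bytes or words), which matters for judging whether the 0x1000 passed as inr2 by the third function is the exact output-buffer size; state the unit and what the output buffer is, and say whether the check only skips the store or also terminates the reading loop, since the current wording leaves the loop behaviour after the skip open. Minor: "There were no New3DS-only changes in Process9, the arm9loader wasn't changed either" is a comma splice; the doubled blank "+" lines around the ARM9 heading and between the bullets add empty lines to the article; and in the NS paragraph "refuse to launch the title(it's unknown" needs a space before the parenthesis.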
Line 54: Line 62:  
** Then it loads the uniqueid from the input struct, for determining which entry to use from a table in .rodata. The uniqueid is compared with hard-coded constants in the function code itself, even though the table contains the uniqueids too. The code looks like: "if(uniqueid == constant0) {entryptr = addr0} else if ...". When no entry is found, this immediately returns 1.
 
** Then it loads the uniqueid from the input struct, for determining which entry to use from a table in .rodata. The uniqueid is compared with hard-coded constants in the function code itself, even though the table contains the uniqueids too. The code looks like: "if(uniqueid == constant0) {entryptr = addr0} else if ...". When no entry is found, this immediately returns 1.
 
** Lastly, if input_version_value is <= u16 entry+4, this returns 0, otherwise 1 is returned.
 
** Lastly, if input_version_value is <= u16 entry+4, this returns 0, otherwise 1 is returned.
* L_10df40(prev ver at L_10ddd4): This appears to be the main function used by NS for launching titles in general. Code was added for calling L_10d598() in two locations. The version value passed to L_10d598 here is the title NCCH remaster-version.
+
* L_10df40(prev ver at L_10ddd4): This appears to be the main function used by NS for launching titles in general(minus [[NSS:LaunchTitle]] used by the *hax payloads). Code was added for calling L_10d598() in two locations. The version value passed to L_10d598 here is the title NCCH remaster-version. When that function returns <blocked>, this code returns error 0xC8A0CC04.
    
See [[APT:IsTitleAllowed|here]] regarding the contents of that table.
 
See [[APT:IsTitleAllowed|here]] regarding the contents of that table.
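Review bot: "<blocked>" in the added sentence for L_10df40 is a placeholder where the actual return value belongs; the bullet just above documents L_10d598 as returning 0 or 1 (0 when input_version_value is <= u16 entry+4), so write the literal value that maps to error 0xC8A0CC04 rather than an angle-bracket label, which a reader may mistake for a stripped wiki tag. The parenthetical "(minus [[NSS:LaunchTitle]] used by the *hax payloads)" also needs a space before the opening parenthesis.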
Line 61: Line 69:  
The code changes for Home Menu appear to be just title/AM related / GUI.
 
The code changes for Home Menu appear to be just title/AM related / GUI.
   −
Code was implemented for using [[APT:IsTitleAllowed]] mentioned above, when that returns 0 when you try launching an application Home Menu will display a message using the following text from new message-strings:
+
Code was implemented for using [[APT:IsTitleAllowed]] mentioned above. This is only done after VersionList handling(for example when one tries to launch the app without updating), prior to doing the actual application launch. When that returns 0, Home Menu will display a message using the following text from new message-strings:
 
  You need to update this  
 
  You need to update this  
 
  software before you can
 
  software before you can
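Review bot: "This is only done after VersionList handling(for example when one tries to launch the app without updating), prior to doing the actual application launch" is ambiguous about whether the parenthetical is an example of VersionList handling or of when the IsTitleAllowed check fires; splitting it into two sentences such as "The check runs after VersionList handling and before the actual application launch. It triggers, for example, when one tries to launch the app without updating." removes the ambiguity, and "handling(for" needs a space before the parenthesis. The return-value convention here (0 = show the update message) matches the 0/1 description in the NS section, so the two hunks stay consistent.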