33
edits
Changes
mLine 30:
Line 30: − + + + Line 47:
Line 49: − + Line 233:
Line 235: − + − Before installing titles, including NATIVE_FIRM, AMPXI will now check the version of the title to install against a hard-coded list of (titleID, minimumVersionRequired) pairs. This applies to MSET, Home Menu, spider, ErrDisp, SKATER, NATIVE_FIRM, and every retail system module.+ − + + + Line 257:
Line 261: + +
no edit summary
====ARM11-kernel====
====ARM11-kernel====
57 functions were updated, 47 of these are the actual functions used for handling SVCs (see below). The lone function updated with v10.4 was updated with this version again.
57 functions were updated, 47 of these are the actual functions used for handling SVCs (see below). The lone function updated with v10.4 was updated with this version again: Checks were added to make sure all the previously allocated memchunks are actually located within the requested memory region. This was implemented with the following checks which are done for each memchunk separately - right before clearing and mapping each one to the requested vaddr.
if((region_base > memchunk_addr) || ((region_base + region_size) < (memchunk_addr + memchunk_size<<12))) { kernel_panic(); }
The actual ToCToU race has not been fixed (see [[3DS System Flaws|memchunkhax2.1]]).
3 new functions used for validation with memory management were added (kernelpanic() on failure). This is a new security feature for the kernel heaps. By adding a MAC to the kernel heap [[Memory Management#MemoryBlockHeader|memchunkhdr]] they can detect when it is modified by an outside DMA device ([[3DS System Flaws|gspwn]]).
3 new functions used for validation with memory management were added (kernelpanic() on failure). This is a new security feature for the kernel heaps. By adding a MAC to the kernel heap [[Memory Management#MemoryBlockHeader|memchunkhdr]] they can detect when it is modified by an outside DMA device ([[3DS System Flaws|gspwn]]).
for(size_t j=0; j<5; j++) {
for(size_t j=0; j<5; j++) {
r0 -= (r1 >>> 3) - data_ptr[j]
r0 -= (r1 >>> 3) - data_ptr[j]
r1 -= (r3 >>> (r2 & 0xf + 3)) ^ (r2 >>> (r0 & 0xf + 13))
r1 -= (r3 >>> ((r2 & 0xf) + 3)) ^ (r2 >>> ((r0 & 0xf) + 13))
r3 -= (r2 >>> r0) * r1
r3 -= (r2 >>> r0) * r1
r2 -= (r0 >>> r1) * r3
r2 -= (r0 >>> r1) * r3
Various data was moved around in the .data section (.data is 0x99C-bytes smaller than before).
Various data was moved around in the .data section (.data is 0x99C-bytes smaller than before).
The only actual change in .text was that only one function was updated, for the functionality described below.
The only actual change in .text was that only one function was updated. This function is only called by [[AMPXI:InstallTitlesFinish]] and [[AMPXI:InstallTitlesFinishFIRM]]. Right after the mediatype validation at the very beginning of the function, a code block was added for the functionality described below which is only executed on [[CONFIG_Registers#CFG_UNITINFO|retail]].
This AMPXI function will now check the high 6-bits of the title-version(major-version) of the title to finish-install against a hard-coded list of (titleID, minimumVersionRequired) pairs. This list is identical for Old3DS/New3DS Process9. This applies to MSET, Home Menu, spider, ErrDisp, SKATER, NATIVE_FIRM, and every retail system module. When the title-version is invalid, this returns the invalid title-version error(0xD8E08027).
This effectively prevents downgrading.
This prevents downgrading on the ARM11 side via AM-service access.
====New3DS====
====New3DS====
The arm9loader wasn't changed at all.
The arm9loader wasn't changed at all.
Nothing New3DS-only changed in Process9.
===friends-sysmodule===
===friends-sysmodule===
* [https://yls8.mtheall.com/ninupdates/reports.php?date=05-09-16_08-00-49&sys=ctr]
* [https://yls8.mtheall.com/ninupdates/reports.php?date=05-09-16_08-00-49&sys=ctr]
* [https://yls8.mtheall.com/ninupdates/reports.php?date=05-09-16_08-00-58&sys=ktr]
* [https://yls8.mtheall.com/ninupdates/reports.php?date=05-09-16_08-00-58&sys=ktr]
[[Category:Firmware Versions]]