3DS System Flaws: Difference between revisions
Edit summary: →Hardware: sighax | Boot9 code execution via MMIO and sighax + factory firmware vulnerable to sighax

Line 127 (same position in both revisions):
Context:
| November 2015
| [[User:Derrek|derrek]]
Added row:
|-
| Boot9 FIRM loading doesn't blacklist memory-mapped I/O
| [[Bootloader|Boot9]]'s FIRM loading blacklists Boot9 data regions, but forgets other important regions, including memory-mapped I/O. Combined with sighax, by loading a malicious FIRM section to MMIO, one can get Boot9/Boot11 code execution.
| None
| New3DS
| 2015(?)
| [[User:Derrek|derrek]] (2015?), [[User:Normmatt|Normmatt]] and [[User:SciresM|SciresM]] independently (January 2017).
Context:
|}
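The Boot9 row above describes a blocklist that rejects only known-bad destinations (Boot9 data) and therefore lets a section land in MMIO. The C below is an added illustration of that pattern beside the hardened alternative (accept a FIRM section only if it lies wholly inside an allowlisted RAM region, with an overflow-safe bounds check); it is not Boot9's code, and every address range is a placeholder, not the real 3DS memory map.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Half-open range [start, end). All values below are PLACEHOLDERS. */
typedef struct { uint32_t start, end; } range_t;

static const range_t BOOT9_DATA = { 0x08000000u, 0x08010000u }; /* placeholder */
static const range_t RAM_ALLOW[] = {                             /* placeholder */
    { 0x08010000u, 0x08100000u },
    { 0x20000000u, 0x28000000u },
};

/* A FIRM section header reduced to what the check needs. */
typedef struct { uint32_t dst; uint32_t size; } firm_section_t;

/* True if [dst, dst+size) fits entirely inside r; size is compared against the
 * remaining room so that dst+size can never wrap around 32 bits. */
static bool section_in_range(const firm_section_t *s, range_t r) {
    if (s->size == 0 || s->dst < r.start || s->dst >= r.end) return false;
    return s->size <= r.end - s->dst;
}

/* True if [dst, dst+size) touches r at all; the end is saturated so a huge
 * size cannot wrap below the region and slip past the test. */
static bool section_overlaps(const firm_section_t *s, range_t r) {
    if (s->size == 0) return false;
    uint32_t end = (s->size > UINT32_MAX - s->dst) ? UINT32_MAX : s->dst + s->size;
    return s->dst < r.end && end > r.start;
}

/* The flawed pattern: anything not overlapping Boot9 data is accepted,
 * so a section aimed at MMIO (or any unlisted region) passes. */
bool blocklist_accepts(const firm_section_t *s) {
    return !section_overlaps(s, BOOT9_DATA);
}

/* The hardened pattern: only sections wholly inside a RAM region pass. */
bool allowlist_accepts(const firm_section_t *s) {
    for (size_t i = 0; i < sizeof RAM_ALLOW / sizeof RAM_ALLOW[0]; i++)
        if (section_in_range(s, RAM_ALLOW[i])) return true;
    return false;
}

int main(void) {
    firm_section_t to_ram  = { 0x20000000u, 0x1000u };     /* constructed: RAM */
    firm_section_t to_mmio = { 0x10000000u, 0x100u };      /* constructed: outside RAM map */
    firm_section_t wrap    = { 0x27FFF000u, 0xFFFFF000u }; /* constructed: dst+size wraps */
    printf("ram  block=%d allow=%d\n", blocklist_accepts(&to_ram), allowlist_accepts(&to_ram));
    printf("mmio block=%d allow=%d\n", blocklist_accepts(&to_mmio), allowlist_accepts(&to_mmio));
    printf("wrap block=%d allow=%d\n", blocklist_accepts(&wrap), allowlist_accepts(&wrap));
    return 0;
}
```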
Line 258 (old revision), line 265 (new revision):
Context:
| January 20, 2016
| [[User:Jakcron|jakcron]]
Added row:
|-
| Factory firmware is vulnerable to sighax
| During the 3DS's development, boot9 was presumably written with the sighax vulnerability already present. This vulnerability is also present in factory firmware (and earlier, including 0.11). This was fixed in version 1.0.0-0.
| Deducing the mechanics of the sighax vulnerability in boot9 without having boot9 prot. Arm9 code execution on factory/earlier firmware.
| [[1.0.0-0|1.0.0-X]]
| [[1.0.0-0|1.0.0-X]]
| May 9, 2017
| May 19, 2017
| [[User:SciresM|SciresM]], [[User:Myria|Myria]]
Context:
|-
| safefirmhax