Changes

23 bytes removed, 06:29, 19 January 2016 (minor edit)
→Kernel9: Better wording.
Line 360: Line 360:  
From [[3.0.0-5|3.0.0-X]] this was fixed by setting the bit in Kernel9 after poking some registers in that region. On New3DS arm9loader sets this bit instead of Kernel9.
 
From [[3.0.0-5|3.0.0-X]] this was fixed by setting the bit in Kernel9 after poking some registers in that region. On New3DS arm9loader sets this bit instead of Kernel9.
   −
This flaw resurged when it gained a new practical use for retrieving the OTP data for a New3DS console, in order to generate the keydata used in arm9loader. This was performed by downgrading to a vulnerable system version and installing the relevant Old3DS firmware to NAND. By accounting for differences in CTR-NAND crypto (see partition encryption types [[Flash_Filesystem#NAND_structure|here]]) it is possible to boot a New3DS in this state, and retrieve the required OTP data.
+
This flaw resurged when it gained a new practical use: retrieving the OTP data for a New3DS console in order to decrypt the key data used in arm9loader. This was performed by downgrading to a vulnerable system version. By accounting for differences in CTR-NAND crypto (see partition encryption types [[Flash_Filesystem#NAND_structure|here]]), it is possible to boot a New3DS using Old3DS firmware 1.0-2.x, and retrieve the required OTP data using this flaw.
 
| Dumping of the [[OTP Registers|OTP]] area
 
| Dumping of the [[OTP Registers|OTP]] area
 
| [[3.0.0-5|3.0.0-X]]
 
| [[3.0.0-5|3.0.0-X]]
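Review bot: The edit summary says "Better wording", but the rewritten paragraph also changes substance: "generate the keydata used in arm9loader" becomes "decrypt the key data used in arm9loader", the step "installing the relevant Old3DS firmware to NAND" is dropped, and the firmware range "1.0-2.x" is introduced. A summary that flags these as content corrections rather than pure wording would help readers of the page history judge which revision is accurate.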