Changes

142 bytes added ,  19:34, 14 April 2015
no edit summary
Line 404: Line 404:  
| gspwn
 
| gspwn
 
| GSP module does not validate addresses given to the GPU. This allows a user-mode application/applet to read/write to a large part of physical FCRAM using GPU DMA. From this, you can overwrite the .text segment of the application you're running under, and gain real code-execution from a ROP-chain. Normally applets' .text([[Home Menu]], [[Internet Browser]], etc) is located beyond the area accessible by the GPU, except for [[RO_Services|CROs]] used by applets([[Internet Browser]] for example).
 
| GSP module does not validate addresses given to the GPU. This allows a user-mode application/applet to read/write to a large part of physical FCRAM using GPU DMA. From this, you can overwrite the .text segment of the application you're running under, and gain real code-execution from a ROP-chain. Normally applets' .text([[Home Menu]], [[Internet Browser]], etc) is located beyond the area accessible by the GPU, except for [[RO_Services|CROs]] used by applets([[Internet Browser]] for example).
 +
 +
The highest FCRAM address that is gspwn-able is base_region_addr - 0x800000. This translates to: 0x26400000 on Old3DS, 0x2D800000 on New3DS.
 
| User-mode code execution.
 
| User-mode code execution.
 
| None
 
| None
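Review bot: base_region_addr in the added sentence of the gspwn row is never defined on this page; say which region it denotes (the start of the BASE memory region, if that is what is meant, which the two figures imply sits at 0x26C00000 on Old3DS and 0x2E000000 on New3DS since 0x26400000 + 0x800000 and 0x2D800000 + 0x800000 give those values) and where the 0x800000 offset comes from, so readers can recompute the limit on a different memory layout instead of trusting the two hard-coded numbers. It would also help to state whether the limit is inclusive (the highest byte the GPU DMA can touch) or exclusive (the first byte it cannot). Wording: "gspwn-able" and the stray colon in "This translates to:" read awkwardly; suggest "The highest FCRAM address reachable via gspwn is base_region_addr - 0x800000, i.e. 0x26400000 on Old3DS and 0x2D800000 on New3DS."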
