19
edits
Changes
Jump to navigation
Jump to search
Line 381:
Line 381: − +
They just forgot to set the bit in SYSPROT9. They wouldn't create a hardware lock to not use it.
|-
|-
| [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]] bit1 not set by Kernel9
| [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]] bit1 not set by Kernel9
| Old versions of Kernel9 never set bit1 of [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]] and instead blocked access to the [[OTP Registers|OTP Registers]] itself, presumably under the assumption that an attacker would never gain code execution under Kernel9. This leaves the [[OTP Registers|0x10012000]]-region unprotected (this region should be locked early during boot!) to an attacker with sufficient privileges. Since it's never locked, you can dump it once you get ARM9 code execution.
| Old versions of Kernel9 never set bit1 of [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]]. This leaves the [[OTP Registers|0x10012000]]-region unprotected (this region should be locked early during boot!). Since it's never locked, you can dump it once you get ARM9 code execution.
From [[3.0.0-5|3.0.0-X]] this was fixed by setting the bit in Kernel9 after poking some registers in that region. On New3DS arm9loader sets this bit instead of Kernel9, which is exploitable through a hardware + software vulnerability (see arm9loaderhax / description).
From [[3.0.0-5|3.0.0-X]] this was fixed by setting the bit in Kernel9 after poking some registers in that region. On New3DS arm9loader sets this bit instead of Kernel9, which is exploitable through a hardware + software vulnerability (see arm9loaderhax / description).