48
edits
Changes
Jump to navigation
Jump to search
Line 2:
Line 2: − + − − * Someone (who will remain unnamed) has released CFW and CIA installers, all of which is copied from the work of others, or copyrighted material. Line 127:
Line 125: − + Line 224:
Line 222: − + Line 246:
Line 244: − + − + + Line 299:
Line 298: − + − + Line 306:
Line 305: + + + + + + + + + + + + + + + Line 380:
Line 394: + + + + + + + + + + + + + Line 486:
Line 513: − + Line 495:
Line 522: − + Line 504:
Line 531: − + + + + + + + + + + Line 569:
Line 605: − + − + Line 914:
Line 950: + + + + + + + + + +
no edit summary
=Stale / Rejected Efforts=
=Stale / Rejected Efforts=
* Neimod has been working on a RAM dumping setup for a little while now. He's de-soldered the 3DS's RAM chip and hooked it and the RAM pinouts on the 3DS' PCB up to a custom RAM dumping setup. A while ago he published photos showing his setup to be working quite well, with the 3DS successfully booting up. However, his flickr stream is now private along with most of his work.
* In the early days of 3DS hacking, Neimod was working on a RAM dumping setup for a while. He has de-soldered the 3DS's RAM chip and hooked it and the RAM pinouts on the 3DS' PCB up to a custom RAM dumping setup. He ''has'' published photos showing his setup to be working quite well, with the 3DS successfully booting up, but however, his flickr stream is now private along with most of his work and this method has been unreleased. RAM dumping can be done through homebrew now, making this method obsolete regardless.
==Tips and info==
==Tips and info==
|-
|-
| New3DS has same boot ROM as Old3DS
| New3DS has same boot ROM as Old3DS
| The New3DS has the exact same boot ROM as the Old3DS. This means, among other things, that all the same boot ROM flaws are present. Also, this meant that it is possible to boot Old3DS firmware on New3DS (see "CFG_SYSPROT9 bit1 not set by Kernel9").
| The New3DS has the exact same boot ROM as the Old3DS. This means, among other things, that all the same boot ROM flaws are present. Also, this meant that it is possible to boot Old3DS firmware on New3DS (see "CFG9_SYSPROT9 bit1 not set by Kernel9").
| None
| None
| New3DS
| New3DS
| [[User:Yellows8|Yellows8]]
| [[User:Yellows8|Yellows8]]
|-
|-
| Missing verification-block for the 9.6 keys (arm9loaderhax)
| arm9loaderhax: Missing verification block for the 9.6 keys
| Starting with [[9.6.0-24|9.6.0-X]] a new set of NAND-based keys were introduced. However, no verification block was added to verify that the new key read from NAND is correct. This was technically an issue from [[9.5.0-22|9.5.0-X]] with the original sector+0 keydata, however the below is only possible with [[9.6.0-24|9.6.0-X]] since keyslots 0x15 and 0x16 are generated from different 0x11 keyXs.
| Starting with [[9.6.0-24|9.6.0-X]] a new set of NAND-based keys were introduced. However, no verification block was added to verify that the new key read from NAND is correct. This was technically an issue from [[9.5.0-22|9.5.0-X]] with the original sector+0 keydata, however the below is only possible with [[9.6.0-24|9.6.0-X]] since keyslots 0x15 and 0x16 are generated from different 0x11 keyXs.
| None
| None
| [[11.3.0-36|11.3.0-X]]
| [[11.3.0-36|11.3.0-X]]
| March 2015
| Sometime in 2015
| [[User:Plutooo|plutoo]] first, probably
|
| [[User:Plutooo|plutoo]] presumably
|-
|-
| Uncleared New3DS keyslot 0x11
| Uncleared New3DS keyslot 0x11
|-
|-
| Factory firmware is vulnerable to sighax
| Factory firmware is vulnerable to sighax
| During the 3DS's development, presumably boot9 was written (including the sighax) vulnerability. This vulnerability is also present in factory firmware (and earlier, including 0.11). This was fixed in version 1.0.0-0.
| During the 3DS's development, presumably boot9 was written (including the sighax vulnerability). This vulnerability is also present in factory firmware (and earlier, including 0.11). This was fixed in version 1.0.0-0.
| Deducing the mechanics of the sighax vulnerability in boot9 without having boot9 prot. Arm9 code execution on factory/earlier firmware.
| Deducing the mechanics of the sighax vulnerability in boot9 without having a dump of protected boot9. ARM9 code execution on factory/earlier firmware.
| [[1.0.0-0|1.0.0-X]]
| [[1.0.0-0|1.0.0-X]]
| [[1.0.0-0|1.0.0-X]]
| [[1.0.0-0|1.0.0-X]]
| May 19, 2017
| May 19, 2017
| [[User:SciresM|SciresM]], [[User:Myria|Myria]]
| [[User:SciresM|SciresM]], [[User:Myria|Myria]]
|-
| twlhax: Corrupted SRL header leads to memory overwrite
| During TWL_FIRM boot, the ARM11 process TwlBg puts launcher.srl, the DSi bootloader, into FCRAM. TWL_FIRM Process9 then parses the [http://dsibrew.org/wiki/NDS_Format SRL header] to place launcher.srl's code where DSi mode can execute it.
DSi-mode memory is in FCRAM, but interleaved. Each byte of DSi-mode memory also exists at some address in 3DS FCRAM space.
Process9 does not validate the RSA signature on launcher.srl, unlike SRLs loaded from cartridge or NAND (DSiWare). A compromised ARM11 can, in a manner similar to firmlaunchhax, send a launcher.srl with a modified SRL header. By setting the SRL header's ARM7/ARM9 load addresses and sizes carefully, accounting for the different memory map and for DSi mode's interleaved memory, it is possible to overwrite part of Process9's stack and take control with a ROP chain.
Fixed in 11.8.0-X by... (fill me in)
| ARM9 code execution (whilst still in 3DS mode)
| [[11.8.0-41|11.8.0-X]]
| [[11.8.0-41|11.8.0-X]]
|
| August 11, 2018
| smea
|-
|-
| safefirmhax
| safefirmhax
| Wiki: August 5, 2018
| Wiki: August 5, 2018
| [[User:Riley|Riley]]
| [[User:Riley|Riley]]
|-
| FIRM launch doesn't check target FIRM version
| When executing a FIRM launch, Process9 doesn't validate that the target FIRM isn't an old version. This allows booting an exploitable FIRM from a newer FIRM, if you can get the exploitable FIRM installed. ([[11.0.0-33|11.0.0-X]] now prevents installing old versions of system titles, but this doesn't affect titles already installed.)
This had a use after [[9.6.0-24|9.6.0-X]]: on a compromised 3DS running 9.2.0, you could install the 9.6.0 NATIVE_FIRM to FIRM0/FIRM1, but avoid putting it into the NATIVE_FIRM title. This would boot the 9.2.0 system software but with the 9.6.0 Process9 and Kernel11. With a user-mode exploit in a sufficiently-privileged application (e.g. mset), you could trigger a FIRM launch back to NATIVE_FIRM, which would load the 9.2.0 Process9 and Kernel11.
9.6.0's keyslots 0x15 and 0x16 are unknown to 9.2.0, so 9.2.0 would not clear them. You then could do firmlaunchhax against 9.2.0 to get ARM9 access with keyslots 0x15 and 0x16 set to their proper 9.6.0 values, allowing decrypting 9.6.0's encrypted titles. Once the New3DS keystore was dumped, this became moot.
| Decrypting 9.6.0 NCCH files without dumping New3DS keystore
| None (but now moot)
| [[9.6.0-24|9.6.0-X]]
| March 2015
| August 12, 2018
| [[User:Yellows8|Yellows8]], [[User:Myria|Myria]]
|-
|-
| FAT FS code null-deref
| FAT FS code null-deref
| When the movable.sed keyY for the target 3DS is known and the target 3DS CTCert private-key is unknown, importing of modified DSiWare SD .bin files.
| When the movable.sed keyY for the target 3DS is known and the target 3DS CTCert private-key is unknown, importing of modified DSiWare SD .bin files.
| None.
| None.
| 11.6.0-X
| 11.8.0-X
| April 2013
| April 2013
|
|
| Knowing the keyY of a given 3ds allows for modification of DSiWare export contents, and chained with several other public vulns, ultimately arm9 execution.
| Knowing the keyY of a given 3ds allows for modification of DSiWare export contents, and chained with several other public vulns, ultimately arm9 execution.
| None.
| None.
| 11.6.0-X
| 11.8.0-X
| December 2017
| December 2017
| January 2018
| January 2018
| This allows embedding older, exploitable DSiWare titles in completely different, unexploitable DSiWare titles. Since DSiWare has raw NAND RW, this can result in arm9 control through FIRM known-plaintext and sighax attacks.
| This allows embedding older, exploitable DSiWare titles in completely different, unexploitable DSiWare titles. Since DSiWare has raw NAND RW, this can result in arm9 control through FIRM known-plaintext and sighax attacks.
| None.
| None.
| 11.6.0-X
| 11.8.0-X
| 2015?
| 2015?
| December 2016
| December 2016
| Everyone
| Everyone
|-
| DSiWare import/export functions allow TWL system titles as arguments
| AM ImportTwlBackup/ExportTwlBackup unnecessarily allow TWL system titles such as DS Download Play to import/export from userland and System Settings -> Data Management (only am:sys is needed for userland). This is difficult to abuse for dsihax injection because no TWL system title has a save file, and any import with a save included will result in FS err C8804464. However, there is at least one dsihax primary that can load a payload from a non-NAND source, and not error if it can't access its public.sav (JPN Flipnote Studio v0).
| When combined with other public vulns, arm9 code execution.
| None.
| 11.8.0-X
| May 2018
| Sept 2018
| zoogie
|-
|-
| [[Gamecard_Services_PXI]] unchecked REG_CTRCARDCNT transfer-size
| [[Gamecard_Services_PXI]] unchecked REG_CTRCARDCNT transfer-size
! Discovered by
! Discovered by
|-
|-
| [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]] bit1 not set by Kernel9
| [[CONFIG Registers#CFG9_SYSPROT9|CFG9_SYSPROT9]] bit1 not set by Kernel9
| Old versions of Kernel9 never set bit1 of [[CONFIG Registers#CFG_SYSPROT9|CFG_SYSPROT9]]. This leaves the [[OTP Registers|0x10012000]]-region unprotected (this region should be locked early during boot!). Since it's never locked, you can dump it once you get ARM9 code execution.
| Old versions of Kernel9 never set bit1 of [[CONFIG Registers#CFG9_SYSPROT9|CFG9_SYSPROT9]]. This leaves the [[OTP Registers|0x10012000]]-region unprotected (this region should be locked early during boot!). Since it's never locked, you can dump it once you get ARM9 code execution.
From [[3.0.0-5|3.0.0-X]] this was fixed by setting the bit in Kernel9 after poking some registers in that region. On New3DS arm9loader sets this bit instead of Kernel9, which is exploitable through a hardware + software vulnerability (see arm9loaderhax / description).
From [[3.0.0-5|3.0.0-X]] this was fixed by setting the bit in Kernel9 after poking some registers in that region. On New3DS arm9loader sets this bit instead of Kernel9, which is exploitable through a hardware + software vulnerability (see arm9loaderhax / description).
! Timeframe this was added to wiki
! Timeframe this was added to wiki
! Discovered by
! Discovered by
|-
| [[Config_Services|CFG]]:CreateConfigInfoBlk integer underflow
| When creating a new block it checks the size of the block is <= 0x8000, but it doesn't check that the block size is less than the remaining space. This induces an integer underflow (remaining_space-block_size), the result is then used for another check (buf_start+current_offset+constant <= remaining_space-block_size) and then in a mempcy call (dest = buf_start+(u16)(remaining_space-block_size), size =block_size). This allow for writing past the buffer, however because of the u16 cast in the memcpy call memory has to be mapped from buf_start to buf_start+0x10000 (cannot write backward).
| Theoritically ROP under CFG services, but BSS section is to small (size <= 0x10000) so it only results in a crash.
| None
| [[11.8.0-41]]
| November, 2018
| November 24, 2018
| [[User:Nba_Yoh|MrNbaYoh]]
|-
|-
|-
| [[MP:SendDataFrame]] missing input array index validation
| [[MP:SendDataFrame]] missing input array index validation