Line 524:
Line 524:
| Knowing the keyY of a given 3ds allows for modification of DSiWare export contents, and chained with several other public vulns, ultimately arm9 execution.
| Knowing the keyY of a given 3ds allows for modification of DSiWare export contents, and chained with several other public vulns, ultimately arm9 execution.
| None.
| None.
−
| 11.6.0-X
+
| 11.8.0-X
| December 2017
| December 2017
| January 2018
| January 2018
Line 533:
Line 533:
| This allows embedding older, exploitable DSiWare titles in completely different, unexploitable DSiWare titles. Since DSiWare has raw NAND RW, this can result in arm9 control through FIRM known-plaintext and sighax attacks.
| This allows embedding older, exploitable DSiWare titles in completely different, unexploitable DSiWare titles. Since DSiWare has raw NAND RW, this can result in arm9 control through FIRM known-plaintext and sighax attacks.
| None.
| None.
−
| 11.6.0-X
+
| 11.8.0-X
| 2015?
| 2015?
| December 2016
| December 2016
| Everyone
| Everyone
+
|-
+
| DSiWare import/export functions allow TWL system titles as arguments
+
| AM ImportTwlBackup/ExportTwlBackup unnecessarily allow TWL system titles such as DS Download Play to import/export from userland (only am:sys is needed). This is difficult to abuse for dsihax injection because no TWL system title has a save file, and any import with a save included will result in FS err C8804464. However, there is at least one dsihax primary that can load a payload from a non-NAND source, and not error if it can't access its public.sav (JPN Flipnote Studio v0).
+
| When combined with other public vulns, arm9 code execution.
+
| None.
+
| 11.8.0-X
+
| May 2018
+
| Sept 2018
+
| zoogie
|-
|-
| [[Gamecard_Services_PXI]] unchecked REG_CTRCARDCNT transfer-size
| [[Gamecard_Services_PXI]] unchecked REG_CTRCARDCNT transfer-size
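Review bot: In the added row's public-disclosure cell, "Sept 2018" is abbreviated while the neighbouring rows spell the month out ("December 2016", "January 2018"); suggest "September 2018" so the column stays consistent. In the description cell of the same row, the parenthetical "(only am:sys is needed)" follows "from userland" directly and can be read either as the service access a caller must hold or as a statement that nothing more privileged is required; a separate sentence saying which is meant would remove the ambiguity. The phrase "any import with a save included will result in FS err C8804464" would also benefit from naming which side returns the error (the AM import call or the title at launch), since the next sentence depends on that distinction when it singles out a title that does "not error if it can't access its public.sav".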