He has de-soldered the 3DS's RAM chip and hooked it and the RAM pinouts on the 3DS's PCB up to a custom RAM dumping setup. He has published photos showing his setup working quite well, with the 3DS successfully booting up; however, his Flickr stream is now private along with most of his work, and this method has been unreleased. RAM dumping can be done through homebrew now, making this method obsolete regardless.

The 3DS uses the XN feature of the ARM11 processor. There's no official way for applications to enable executable permission for memory containing arbitrary unsigned code (there is an SVC for this, but only the RO module has access to it). A usable userland exploit would still be useful: initially you could only do return-oriented programming with it. From ROP one could then exploit system flaw(s), see below.

SD card extdata and SD savegames can be attacked, for consoles where the console-unique d was dumped (accessing SD data is far easier by running code on the target 3DS, however).

ARM9/ARM11 bootrom vectors point at uninitialized RAM

ARM9's and ARM11's exception vectors are hardcoded to point at the CPU's internal memory (the 0x08000000 region for ARM9, AXIWRAM for ARM11). While the bootrom does set them up to point to an endless loop at some point during boot, it does not do so immediately. As such, a carefully-timed fault injection (via hardware) to trigger an exception (such as an invalid instruction) will cause execution to fall into ARM9 RAM. Since RAM isn't cleared on boot (see below), one can immediately start execution of their own code there to dump the bootrom, OTP, etc. The ARM9 bootrom does the following at reset: the reset vector branches to another instruction, which then branches to bootrom+0x8000. Hence, there's no way to know for certain when exactly the ARM9 exception-vector data stored in memory gets initialized.
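The boot-ordering problem above can be modelled in a few lines: vectors that are hardwired into RAM inherit whatever the RAM held before reset, so every boot step that runs before they are installed is a window in which an exception dispatches to stale data. The model below is an added example, not bootrom code or anything from 3dbrew; the slot count, the ROM address range, the number of boot steps and the stale value are all constructed, and it contrasts the late-install ordering the page describes with a hardened ordering that installs the safe handler first.

```c
/* Toy model of exception-vector initialization ordering (constructed, not
 * real 3DS bootrom code). The "hardware" vectors point into internal RAM,
 * which is not cleared at reset, so until the boot code writes them they
 * hold whatever was left over from before. */
#include <stdint.h>
#include <stdbool.h>

#define VECTOR_SLOTS 8            /* hypothetical: one slot per exception type */
#define ROM_LO       0xFFFF0000u  /* hypothetical start of the bootrom region */
#define SAFE_LOOP    0xFFFF0040u  /* hypothetical ROM address of an endless loop */

/* The RAM-resident vector table; survives reset with stale contents. */
static uint32_t ram_vectors[VECTOR_SLOTS];

static void install_safe_vectors(void) {
    for (int i = 0; i < VECTOR_SLOTS; i++) ram_vectors[i] = SAFE_LOOP;
}

/* Simulate power-on: RAM keeps a leftover (constructed) value. */
static void power_on_with_stale_ram(uint32_t stale) {
    for (int i = 0; i < VECTOR_SLOTS; i++) ram_vectors[i] = stale;
}

/* Ordering the page describes: other work first, vectors installed late. */
static void late_install_boot_step(int step) { if (step == 3) install_safe_vectors(); }

/* Hardened ordering: installing the vectors is the very first action. */
static void early_install_boot_step(int step) { if (step == 0) install_safe_vectors(); }

/* Review check: does every vector already land inside ROM? */
static bool vectors_in_rom(void) {
    for (int i = 0; i < VECTOR_SLOTS; i++)
        if (ram_vectors[i] < ROM_LO) return false;
    return true;
}

/* Where would exception `vec`, raised after `steps_done` completed boot
 * steps, transfer control under the given boot ordering? */
static uint32_t exception_target(void (*boot_step)(int), int steps_done, int vec, uint32_t stale) {
    power_on_with_stale_ram(stale);
    for (int s = 0; s < steps_done; s++) boot_step(s);
    return ram_vectors[vec % VECTOR_SLOTS];
}

/* Size of the window: number of completed steps after which the vectors
 * first all point into ROM (-1 if never within total_steps). */
static int first_safe_step(void (*boot_step)(int), int total_steps, uint32_t stale) {
    power_on_with_stale_ram(stale);
    for (int s = 0; s < total_steps; s++) {
        if (vectors_in_rom()) return s;
        boot_step(s);
    }
    return vectors_in_rom() ? total_steps : -1;
}
```

With the late-install ordering an exception after one boot step goes to the stale RAM value; with the early-install ordering it already reaches the safe loop, and `first_safe_step` quantifies the difference (4 steps versus 1 in this model).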