Difference between revisions of "DSi system flaws"
Jump to navigation
Jump to search
m (→ARM7 ROM controls lockout of both boot ROMs: formatting syntax fix) |
(Use wiki tables.) |
||
Line 1: | Line 1: | ||
− | == | + | = Hardware = |
+ | Flaws in this category pertain to the underlying hardware that powers the DSi. This includes [[Stage1]], [[AES_Engine]], etc. | ||
− | Much like the 3DS boot0, some of the DSi's exception handlers are backed by RAM which isn't immediately cleared on a reset. Using fault injection, it is possible to cause an undefined instruction exception before the clearing happens, making the CPU jump to code remaining in RAM from the previous boot cycle. This only works on the ARM7, as on the ARM9, it is backed by main memory, which is only initialized by [[stage2]]. | + | {| class="wikitable" border="1" |
+ | ! Summary | ||
+ | ! Description | ||
+ | ! Fixed with hardware model/revision | ||
+ | ! Newest hardware model/revision this flaw was checked for | ||
+ | ! Timeframe this was discovered | ||
+ | ! Public disclosure timeframe | ||
+ | ! Discovered by | ||
+ | |- | ||
+ | | Undefined instruction/abort exception handler backed by RAM not cleared on reset | ||
+ | | Much like the 3DS boot0, some of the DSi's exception handlers are backed by RAM which isn't immediately cleared on a reset. Using fault injection, it is possible to cause an undefined instruction exception before the clearing happens, making the CPU jump to code remaining in RAM from the previous boot cycle. This only works on the ARM7, as on the ARM9, it is backed by main memory, which is only initialized by [[stage2]]. | ||
+ | | | ||
+ | | | ||
+ | | June 2016 | ||
+ | | | ||
+ | | {{User|Nocash}}, Normmatt, dark_samus, ApacheThunder (first successful exploit: {{User|PoroCYon}}, March 2021) | ||
+ | |- | ||
+ | | ARM7 ROM controls lockout of both boot ROMs | ||
+ | | After the execution of both boot ROMs, and right before jumping to stage2, the ARM7 locks out both boot ROMs using the SCFG registers, while the ARM9 waits for this lockout (as a synchronization mechanism). By using the above exploit to take control of the ARM7, it is possible to, in the exploit payload, mimic the ARM7 ROM execution such that it performs all the loading steps, but "forgets" to lock out the ROMs. By then injecting <i>another</i> glitch, it is possible to break the ARM9 out of the waiting loop, booting the system into the System Menu (or Unlaunch) with both boot ROMs still enabled, allowing one to dump the ARM9 boot ROM. | ||
+ | | | ||
+ | | | ||
+ | | 2021-2022 | ||
+ | | | ||
+ | | Theorized to be possible by {{User|PoroCYon}} in 2021, first successful exploit by stuckpixel and Normmatt early November 2022, then exploited successfully two weeks later again by {{User|PoroCYon}}. | ||
+ | |} | ||
− | + | = Software = | |
+ | == Stage2 == | ||
+ | Flaws in this category pertain to [[Stage2]]. There is no known updated version of Stage2 post-launch. | ||
− | == | + | {| class="wikitable" border="1" |
+ | ! Summary | ||
+ | ! Description | ||
+ | ! Fixed with system version | ||
+ | ! Newest system version this flaw was checked for | ||
+ | ! Timeframe this was discovered | ||
+ | ! Public disclosure timeframe | ||
+ | ! Discovered by | ||
+ | |- | ||
+ | | Poor [[System Menu]] [[TMD]] size check | ||
+ | | [[Stage2]] loads the System Menu's TMD for verification and loading, and it attempts to check the size. However, instead of checking if <code>size > capacity</code>, it checks if <code>size > size</code>, which is always false, resulting in a buffer overflow. | ||
+ | | None | ||
+ | | | ||
+ | | August 2017 | ||
+ | | | ||
+ | | {{User|Nocash}} | ||
+ | |} | ||
− | + | == System Menu == | |
+ | Flaws in this category pertain to [[System Menu]]. | ||
− | + | {| class="wikitable" border="1" | |
+ | ! Summary | ||
+ | ! Description | ||
+ | ! Fixed with system version | ||
+ | ! Newest system version this flaw was checked for | ||
+ | ! Timeframe this was discovered | ||
+ | ! Public disclosure timeframe | ||
+ | ! Discovered by | ||
+ | |- | ||
+ | | DS games are not patched to verify overlays | ||
+ | | While the System Menu checks all cartridge overlays to prevent unauthorized software, no such check exists when the overlays are actually loaded, despite an [https://wiibrew.org/wiki/MIOS MIOS]-like patcher being possible to implement. By changing the overlay after it is checked, it is possible to run arbitrary code. | ||
+ | | | ||
+ | | | ||
+ | | January 2010 | ||
+ | | | ||
+ | | Datel, and {{User|blasty}} by reverse engineering Datel's [[Action Replay]] | ||
+ | |} | ||
− | == | + | == Applications == |
− | [[ | + | Flaws in this category pertain to applications launched by [[System Menu]]. See also [[DSi_exploits]]. |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− |
Revision as of 19:34, 19 December 2022
Hardware
Flaws in this category pertain to the underlying hardware that powers the DSi. This includes Stage1, AES_Engine, etc.
Summary | Description | Fixed with hardware model/revision | Newest hardware model/revision this flaw was checked for | Timeframe this was discovered | Public disclosure timeframe | Discovered by |
---|---|---|---|---|---|---|
Undefined instruction/abort exception handler backed by RAM not cleared on reset | Much like the 3DS boot0, some of the DSi's exception handlers are backed by RAM which isn't immediately cleared on a reset. Using fault injection, it is possible to cause an undefined instruction exception before the clearing happens, making the CPU jump to code remaining in RAM from the previous boot cycle. This only works on the ARM7, as on the ARM9, it is backed by main memory, which is only initialized by stage2. | June 2016 | Nocash, Normmatt, dark_samus, ApacheThunder (first successful exploit: PoroCYon, March 2021) | |||
ARM7 ROM controls lockout of both boot ROMs | After the execution of both boot ROMs, and right before jumping to stage2, the ARM7 locks out both boot ROMs using the SCFG registers, while the ARM9 waits for this lockout (as a synchronization mechanism). By using the above exploit to take control of the ARM7, it is possible to, in the exploit payload, mimic the ARM7 ROM execution such that it performs all the loading steps, but "forgets" to lock out the ROMs. By then injecting another glitch, it is possible to break the ARM9 out of the waiting loop, booting the system into the System Menu (or Unlaunch) with both boot ROMs still enabled, allowing one to dump the ARM9 boot ROM. | 2021-2022 | Theorized to be possible by PoroCYon in 2021, first successful exploit by stuckpixel and Normmatt early November 2022, then exploited successfully two weeks later again by PoroCYon. |
Software
Stage2
Flaws in this category pertain to Stage2. There is no known updated version of Stage2 post-launch.
Summary | Description | Fixed with system version | Newest system version this flaw was checked for | Timeframe this was discovered | Public disclosure timeframe | Discovered by |
---|---|---|---|---|---|---|
Poor System Menu TMD size check | Stage2 loads the System Menu's TMD for verification and loading, and it attempts to check the size. However, instead of checking if size > capacity , it checks if size > size , which is always false, resulting in a buffer overflow.
|
None | August 2017 | Nocash |
System Menu
Flaws in this category pertain to System Menu.
Summary | Description | Fixed with system version | Newest system version this flaw was checked for | Timeframe this was discovered | Public disclosure timeframe | Discovered by |
---|---|---|---|---|---|---|
DS games are not patched to verify overlays | While the System Menu checks all cartridge overlays to prevent unauthorized software, no such check exists when the overlays are actually loaded, despite an MIOS-like patcher being possible to implement. By changing the overlay after it is checked, it is possible to run arbitrary code. | January 2010 | Datel, and blasty by reverse engineering Datel's Action Replay |
Applications
Flaws in this category pertain to applications launched by System Menu. See also DSi_exploits.