DSiBrew

Changes

DSi system flaws (view source)

Revision as of 20:20, 18 December 2022

893 bytes added ,  20:20, 18 December 2022
ARM9 ROM dump mechanism
Line 1: Line 1:  
== Undefined instruction/abort exception handler backed by RAM not cleared on reset ==
 
== Undefined instruction/abort exception handler backed by RAM not cleared on reset ==
Much like the 3DS boot0, some of the DSi's exception handlers are backed by RAM which isn't immediately cleared on a reset. Using fault injection, it is possible to cause an undefined instruction exception before the clearing happens, making the CPU jump to code remaining in RAM from the previous boot cycle. This only works on the ARM7, as on the ARM9, it is backed by main memory, which is only initialized by [[boot1]].
+
 
 +
Much like the 3DS boot0, some of the DSi's exception handlers are backed by RAM which isn't immediately cleared on a reset. Using fault injection, it is possible to cause an undefined instruction exception before the clearing happens, making the CPU jump to code remaining in RAM from the previous boot cycle. This only works on the ARM7, as on the ARM9, it is backed by main memory, which is only initialized by [[stage2]].
    
Discovered in June 2016 by {{User|Nocash}}, Normmatt, dark_samus, ApacheThunder (first successful exploit: {{User|PoroCYon}}, March 2021)
 
Discovered in June 2016 by {{User|Nocash}}, Normmatt, dark_samus, ApacheThunder (first successful exploit: {{User|PoroCYon}}, March 2021)
 +
 +
== ARM7 ROM controls lockout of both boot ROMs ==
 +
 +
After the execution of both boot ROMs, and right before jumping to stage2, the ARM7 locks out both boot ROMs using the SCFG registers, while the ARM9 waits for this lockout (as a synchronization mechanism). By using the above exploit to take control of the ARM7, it is possible to, in the exploit payload, mimic the ARM7 ROM execution such that it performs all the loading steps, but "forgets" to lock out the ROMs. By then injecting _another_ fault, it is possible to break the ARM9 out of the waiting loop, booting the system into the System Menu (or Unlaunch) with both boot ROMs still enabled, allowing one to dump the ARM9 boot ROM.
 +
 +
Theorized to be possible by {{User|PoroCYon}} in 2021, first successful exploit by stuckpixel and Normmatt early November 2022, then exploited successfully two weeks later again by {{User|PoroCYon}}.
    
== Poor [[System Menu]] [[TMD]] size check ==
 
== Poor [[System Menu]] [[TMD]] size check ==
PoroCYon
75

edits

Retrieved from "https://dsibrew.org/wiki/Special:MobileDiff/2099671"