Hacking Can someone help me with this?

Boogieboo6

@realDonaldTrump
Member
Joined
Jul 30, 2015
Messages
965
Trophies
1
Age
23
XP
807
Country
United States
My feels
hqdefault.jpg
 

olec04

Working on Project Heaven!
OP
Banned
Joined
Apr 10, 2015
Messages
851
Trophies
0
Location
Trying to downgrade on 11.0 via AM services
XP
95
Country
United States
"it's unknown if anyone actually exploited this successfully at the time of writing"
ARM9's and ARM11's exception vectors are hardcoded to point at the CPU's internal memory (0x08000000 region for ARM9, AXIWRAM for ARM11). While the bootrom does set them up to point to an endless loop at some point during boot, it does not do so immediately. As such, a carefully-timed fault injection (via hardware) to trigger an exception (such as an invalid instruction) will cause execution to fall into ARM9 RAM.

Since RAM isn't cleared on boot (see below), one can immediately start execution of their own code here to dump bootrom, OTP, etc. The ARM9 bootrom does the following at reset: reset vector branches to another instruction, then branches to bootrom+0x8000. Hence, there's no way to know for certain when exactly the ARM9 exception-vector data stored in memory gets initialized.
 

Swiftloke

Hwaaaa!
Member
Joined
Jan 26, 2015
Messages
1,772
Trophies
1
Location
Nowhere
XP
1,516
Country
United States
Thing is that's not going to lead to an exploit most (if any) people would use because A. It needs existing access to arm9 RAM (which would probably turn into an exploit in itself) and B. It's a hardware exploit, which means practically nobody will use it, and an extremely timing-sensitive one at that. The only thing it would be useful for is dumping the bootrom.
 
  • Like
Reactions: olec04

Site & Scene News

Popular threads in this forum

General chit-chat
Help Users
    SylverReZ @ SylverReZ: @K3Nv2, If only the inventor who made AC created the first sucking machine.