Hacking Can someone help me with this?

[olec04]

I need to find a way to get into arm9 ram anyone know something?

 

[cearp]

next time add more info in your title, so we don't have to enter your thread.

 

[olec04]

Ok lord cearp

 

[Deleted User]

I need to find a way to get into arm9 ram anyone know something?

Why do you need to?

 

[olec04]

Possible exploit for 11.0

 

[Boogieboo6]

My feels

Spoiler: Feels

 

[olec04]

?

--------------------- MERGED ---------------------------

I just want to know?

--------------------- MERGED ---------------------------

Ignored

 

[Swiftloke]

Oh? Do tell. What is the vulnerability you found? I would think getting into arm9 RAM would already make an exploit.

 

[olec04]

Its on 3dbrew system flaws wait I'll go find it (it says code execution

 

[Swiftloke]

Its on 3dbrew system flaws wait I'll go find it (it says code execution

Well, if it's publicly documented, don't you think someone would've taken advantage of it if possible already? -_-

 

[olec04]

"it's unknown if anyone actually exploited this successfully at the time of writing"
ARM9's and ARM11's exception vectors are hardcoded to point at the CPU's internal memory (0x08000000 region for ARM9, AXIWRAM for ARM11). While the bootrom does set them up to point to an endless loop at some point during boot, it does not do so immediately. As such, a carefully-timed fault injection (via hardware) to trigger an exception (such as an invalid instruction) will cause execution to fall into ARM9 RAM.

Since RAM isn't cleared on boot (see below), one can immediately start execution of their own code here to dump bootrom, OTP, etc. The ARM9 bootrom does the following at reset: reset vector branches to another instruction, then branches to bootrom+0x8000. Hence, there's no way to know for certain when exactly the ARM9 exception-vector data stored in memory gets initialized.

 

[Swiftloke]

Thing is that's not going to lead to an exploit most (if any) people would use because A. It needs existing access to arm9 RAM (which would probably turn into an exploit in itself) and B. It's a hardware exploit, which means practically nobody will use it, and an extremely timing-sensitive one at that. The only thing it would be useful for is dumping the bootrom.

 

[olec04]

And it states dumping otp

 

[Swiftloke]

True, but you can dump OTP via software making this exploit useless for that

 

[Boogieboo6]

What about the bootrom dumping part? Wouldn't that be useful?

 

[olec04]

But that exploit was not patched yet so people with a hardmod can dump otp on 11.0

--------------------- MERGED ---------------------------

What about the bootrom dumping part? Wouldn't that be useful?

Possibly

 

[Roomsaver]

Can you please stop making extra threads and post to the Noob's Paradise? I don't mean to be rude but it's getting out of hand now...