Line 124: |
| | April 29, 2018 | | | April 29, 2018 |
| | [[User:Hexkyz|hexkyz]] | | | [[User:Hexkyz|hexkyz]] |
| + | |- |
| + | | pk1ldrhax |
| + | | Package1ldr decrypts and verifies the keyblob inside of the current BCT in order to get the package1 key, and then uses the package1 key to decrypt package1. It then validates package1 before jumping to it by checking the PK11 magic number, and that the section sizes sum to the expected size (and are individually less than the expected size). |
| + | |
| + | However, package1ldr does not actually validate the package1 key against a fixed vector (much like kernel9loader forgot to do so on the 3ds). This would normally not matter, as keyblobs are validated -- however, with bootrom code execution one can dump SBK and forge keyblobs, and thus control the package1 key. |
| + | |
| + | Thus ('''in theory, but not in practice due to the size of the brute force required''') one can replace the package1 key with garbage, causing package1 to decrypt into garbage, and hope that this garbage passes validation checks and that package1ldr jumping into the garbage will do something useful. |
| + | |
| + | This was fixed incidentally in [[6.2.0]], as pk1ldr does not use keyblob data to decrypt package1 any more. |
| + | |
| + | | With a large enough brute force: arbitrary package1 code execution from coldboot. |
| + | |
| + | However, a usable brute force is on the order of >= ~2^80, so '''this is almost certainly not actually usable in any meaningful context'''. |
| + | | [[6.2.0]] |
| + | | [[6.2.0]] |
| + | | Early 2017 (as soon as plaintext package1ldr was first dumped) |
| + | | November 20, 2018 |
| + | | Everyone |
| |- | | |- |
| |} | | |} |
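Review bot: the exploitation-result cell states a brute-force cost of >= ~2^80 without saying how that figure follows from the checks listed in the description cell (the PK11 magic comparison, the section sizes summing to the expected size, and each section being smaller than it); add one clause deriving the estimate from those checks and say whether the bound covers passing validation alone or also landing on decrypted garbage that does something useful when package1ldr jumps to it, since that decides whether the ">=" is a floor or an estimate, and a reader should be able to recompute the number from the row rather than take it on trust. Minor: the same component is spelled "Package1ldr", "package1ldr" and "pk1ldr" within one row; settle on one spelling.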