Switch System Flaws: Difference between revisions
Older revision summary: →Hardware: Hekate implemented this in https://github.com/CTCaer/hekate/commit/8b8f3c564c686db6e4ed7210114547c70d8a2fde
Newer revision summary: bad sdram parsing is a single bug, elaborate on other arb writes some.
Line 68: | Line 68: | ||
The code that parses these parameters does if (params->EmcBctSpareN) *params->EmcBctSpareN = params->EmcBctSpareNPlusOne for most N, without validating either the address or value written to it. | The code that parses these parameters does if (params->EmcBctSpareN) *params->EmcBctSpareN = params->EmcBctSpareNPlusOne for most N, without validating either the address or value written to it. | ||
There are other arbitrary writes in this code, as well. | There are other arbitrary writes in this code, as well (e.g. BootromPatch parameters intended for patching MISC registers do not check a relative offset to 0x7000000, etc). | ||
This allows a user with access to the PMC registers (via pre-sleep bpmp execution, or otherwise) to gain arbitrary bootrom code execution. | This allows a user with access to the PMC registers (via pre-sleep bpmp execution, or otherwise) to gain arbitrary bootrom code execution. |
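Review bot: the parenthetical added to the right-hand cell ("BootromPatch parameters intended for patching MISC registers do not check a relative offset to 0x7000000") is ambiguous about what is actually left unvalidated: it can be read as "the offset is never checked" or as "the offset is checked, but not relative to the MISC base", and the reader cannot tell which field carries the offset or what range it ought to be confined to. Suggest stating it explicitly, along the lines of "the BootromPatch offset is not validated to stay inside the MISC register block the text cites, so a patch can target any address", so the new sentence describes a concrete missing check the way the preceding EmcBctSpareN sentence does. The trailing "etc" also leaves the edit summary's promise to elaborate on the other arbitrary writes unfulfilled; either list the other unchecked fields or drop the "etc" so the text does not imply content that is not there.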