Switch System Flaws: Difference between revisions
RIP part 2
→Hardware: Hekate implemented this in https://github.com/CTCaer/hekate/commit/8b8f3c564c686db6e4ed7210114547c70d8a2fde
| April 9, 2018
| [[User:SciresM|SciresM]], almost surely others (independently).
|-
| Poor validation of bootrom SDRAM configuration parameters leads to arbitrary writes in bootrom
|
The Tegra X1 bootrom supports saving SDRAM parameters to scratch registers and using the saved configuration to enable DRAM during warmboot.
The code that parses these parameters does <code>if (params->EmcBctSpareN) *params->EmcBctSpareN = params->EmcBctSpareNPlusOne;</code> for most N, without validating either the address or the value written to it.
There are other arbitrary writes in this code as well.
This allows a user with access to the PMC registers (via pre-sleep bpmp execution, or otherwise) to gain arbitrary bootrom code execution.
| None
| HAC-001 (Tegra210)
| 2017
| December 16, 2018
| Everyone (independently).
|}
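Added example, not from this wiki or from any bootrom source: the spare-parameter write loop described in the row above, simulated in C, next to the validation it lacks (a fail-closed check that every target is an aligned register inside the expected window). The <code>sdram_params</code> layout, <code>SPARE_PAIRS</code>, and the <code>SIM_REG_BASE</code>/<code>SIM_REG_SIZE</code> window are assumptions chosen for the simulation; real MMIO is replaced by an array.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumption (not from the page): spare fields arrive as address/value pairs. */
#define SPARE_PAIRS 4
struct sdram_params {
    uint32_t spare_addr[SPARE_PAIRS]; /* EmcBctSpareN: address to write       */
    uint32_t spare_val[SPARE_PAIRS];  /* EmcBctSpareNPlusOne: value to write */
};
/* Constructed register window for the simulation; real EMC MMIO bases differ. */
#define SIM_REG_BASE 0x7001B000u
#define SIM_REG_SIZE 0x1000u
static uint32_t sim_regs[SIM_REG_SIZE / 4]; /* simulated MMIO, one word per 4 bytes */

/* The page's vulnerable loop is, per pair:
 *   if (p->spare_addr[n]) *(uint32_t *)p->spare_addr[n] = p->spare_val[n];
 * This is the check it lacks: 4-byte aligned and inside the register window. */
static bool spare_addr_ok(uint32_t addr)
{
    return (addr & 3) == 0 && addr >= SIM_REG_BASE && addr - SIM_REG_BASE < SIM_REG_SIZE;
}
/* Hardened form: validate every target first and fail closed (no writes at all)
 * if any entry is out of range. Returns writes performed, or -1 if rejected. */
int apply_spares_checked(const struct sdram_params *p)
{
    int writes = 0;
    for (size_t n = 0; n < SPARE_PAIRS; n++) {
        if (p->spare_addr[n] == 0) continue;            /* zero means "no write" */
        if (!spare_addr_ok(p->spare_addr[n])) return -1;
        writes++;
    }
    for (size_t n = 0; n < SPARE_PAIRS; n++)
        if (p->spare_addr[n])
            sim_regs[(p->spare_addr[n] - SIM_REG_BASE) / 4] = p->spare_val[n];
    return writes;
}
uint32_t sim_reg_read(uint32_t addr) { return sim_regs[(addr - SIM_REG_BASE) / 4]; }

/* Constructed parameter set: two in-window writes, plus optionally one stray
 * address, which must cause the whole set to be rejected. */
int demo(bool add_stray)
{
    struct sdram_params p = {{0}, {0}};
    memset(sim_regs, 0, sizeof sim_regs);
    p.spare_addr[0] = SIM_REG_BASE + 0x10; p.spare_val[0] = 0x11223344u;
    p.spare_addr[1] = SIM_REG_BASE + 0x20; p.spare_val[1] = 0x55667788u;
    if (add_stray) { p.spare_addr[2] = 0x1000u; p.spare_val[2] = 1; } /* not a register */
    return apply_spares_checked(&p);
}
```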