Attacking the Nintendo 3DS Boot ROMs

Authors

  • Michael Scire
  • Melissa Mears
  • Devon Maloney
  • Matthew Norman
  • Shaun Tux
  • Phoebe Monroe
Abstract

We demonstrate attacks on the boot ROMs of the Nintendo 3DS in order to exfiltrate secret information from normally protected areas of memory and gain persistent early code execution on devices which have not previously been compromised. The attack utilizes flaws in the RSA signature verification implementation of one of the boot ROMs in order to overflow ASN.1 length fields and cause invalid firmware images to appear valid to the signature parser. This is then used to load a custom firmware image which overwrites the data-abort vector with a custom data-abort handler, then induces a data-abort exception in order to reliably redirect boot ROM code flow at boot time. This executes a payload which, due to its reliable early execution by a privileged processor, is able to function as a persistent exploit of the system in order to exfiltrate secret information (such as encryption keys) from normally protected areas of memory.


Similar resources

Dynamic accommodative response to different visual stimuli (2D vs 3D) while watching television and while playing Nintendo 3DS console.

PURPOSE The aim of the present study was to compare the accommodative response to the same visual content presented in two dimensions (2D) and stereoscopically in three dimensions (3D) while participants were either watching a television (TV) or Nintendo 3DS console. METHODS Twenty-two university students, with a mean age of 20.3 ± 2.0 years (mean ± S.D.), were recruited to participate in the...


Keyshuffling Attack for Persistent Early Code Execution in the Nintendo 3DS Secure Bootchain

We demonstrate an attack on the secure bootchain of the Nintendo 3DS in order to gain early code execution. The attack utilizes the block shuffling vulnerability of the ECB cipher mode to rearrange keys in the Nintendo 3DS’s encrypted keystore. Because the shuffled keys will deterministically decrypt the encrypted firmware binary to incorrect plaintext data and execute it, and because the devic...


Interactive 3D models – From 3ds max to VRML

Producing 3D interactive models is becoming a greater challenge every day. Choosing the right tool to handle the modelling process is essential if the final product is to be a VRML world, which can satisfy the user’s desire for both interactivity and realism. 3ds max offers a potentially excellent development environment for creating high quality 3D models. This paper discusses how the tools an...


Texture Mapping with Mudbox and 3ds Max

Texture Mapping with Mudbox and 3ds Max Joshua Holland Graphic Communication Department, December 2011 Advisor: Kevin Cooper The purpose of this study was to determine the intuitiveness of texture mapping and compressibility of files generated using Autodesk 3ds Max 2012 versus Autodesk Mudbox 2012. This will be used by anyone starting to learn how to texture map and who is comparing programs t...


A Study of the Status of “Trench”, “Boot” and “Plaque” in Hormozgan’s Poetry of Resistance

Abstract Literature of Resistance speaks of human beings’ resistance against military aggression of aliens which lead to war. In such literature, combatants become friends with their trenches, tighten their boots’ braces, and prepare themselves for confronting the enemies with their plaques as their code of entity. In the poets versified in the literature of resistance, “plaque” is the martyr ...



Journal title:
  • CoRR

Volume abs/1802.00359  Issue 

Pages  -

Publication date: 2018