by bri3d 2981 days ago
This has reasonable parallels to the PSP "Pandora's Battery" exploit, which put the device into DFU mode using a battery that emulated the factory service mode jig, and then exploited an issue in the trust chain verification in the first-stage (mask-ROM) bootloader. Similarly fixable with hardware only, which came soon after the exploit.

This bootloader bug is much sillier (IMO) than Sony's, though. Sony's was a series of crypto mistakes in the trust chain verification: it decrypted blocks in place and there was an issue in the checksum code that left it vulnerable to a timing attack, so a very, very small valid-but-colliding block had to be constructed and the rest of the bootloader was then freely injectable. This Nvidia/Nintendo mistake is an even sillier basic protocol issue.

I think the main lesson here is not to put complex protocol code in your immutable first-stage mask ROM, and if you do, to limit the surface area as much as possible, ensure memory safety, and audit the hell out of it.