Changes

2,497 bytes added , 17:35, 28 October 2023

Add DNSpresso write-up link

Line 14: Line 14:

| None

| [[User:marcan|marcan]]

+

|-

+

| eFuse readout counter is not reset with NRST (de_Fuse)

+

| In order to accommodate eFuse-based JTAG lockout (and due to other considerations), eFuse bits must be buffered into a register file immediately following NRST, before the internal reset can be released. The eFuse sense state machine latches at a rate of 4 bits per cycle, directly off the 27MHz XTALCLK. Every other rising edge, a byte is written into the register file, starting from the least significant byte of the current u32.

+

An internal counter is used to keep track of the remaining bytes to be read into the register file. While the eFuse register file is reset to zero with NRST, the internal counter is not: By asserting NRST after N bytes have been read, only 0x400-N bytes will be read on the subsequent boot.

+

By asserting NRST just before the final byte has been read (1830 cycles), all eFuses will read entirely zero, including the JTAG lockout fuse. This allows trivial, unsigned and unencrypted boot1 execution, with no SEEPROM anti-rollback.

+

Additionally, because SRAM is not cleared on reboot, and because boot1 verifies over the encrypted payload, the boot1 key can be extracted. By asserting NRST after 176 cycles and walking the delay width down cycle-by-cycle, code execution can be used to gather 16 failed decryptions of boot1: A zerokey-decrypted boot1, and 15 others with one more byte present in its boot1 key than the last. This allows a straightforward bruteforce of the boot1 key.

+

| Trivial arbitrary code execution as boot1;

+

boot1 AES key extraction;

+

Recovery of SEEPROM-bricked Wii Us

+

| None

+

| [[User:shinyquagsire23|shinyquagsire23]]

|}

Line 133: Line 147:

| [[User:Hykem|Hykem]]

|-

−

| BluuBomb

+

| Stack buffer overflow for received HID reports (BluuBomb)

| The Wii U doesn't check the size of received HID reports in IOS-PAD. By emulating a Wii Remote an attacker can send reports larger than 58 bytes and overflow a buffer on the stack.

More information [https://github.com/GaryOderNichts/bluubomb/blob/master/WRITEUP.md here].

Line 140: Line 154:

| [[User:GaryOderNichts|GaryOderNichts]], [[User:Yellows8|yellows8]] (independently: January 2021)

|-

−

| ~~Out of bounds byteswap~~ during USB configuration parsing

+

| Double fetch during USB configuration parsing causing out of bounds byteswap

−

| The Wii U doesn't verify the total length of the USB configuration descriptor. This allows placing endpoint descriptors outside of the allocated buffer which will be swapped.

+

| The Wii U doesn't verify that the total length of the USB configuration descriptor matches the total length used to determine the buffer size. This allows placing endpoint descriptors outside of the allocated buffer which will be swapped.

| Out of bounds byteswap in IOS-USB heap. Can lead to ROP, see [https://garyodernichts.blogspot.com/2022/06/exploiting-wii-us-usb-descriptor-parsing.html this post].

+

| None

+

| [[User:GaryOderNichts|GaryOderNichts]]

+

|-

+

| Heap buffer overflow in DNS response processing

+

| IOS-NET uses a modified version of NicheStack which is affected by [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25928 CVE-2020-25928]. Unlike described by the CVE, the IOS-NET implementation has an additional check for DNS PTR answers, which ensures the data isn't copied past the end of the buffer.

+

For additional PTR records pointing at the first answer name <code>dnc_set_answer</code> is still called without checking the response data length field though.

+

| Out-of-bounds heap write. Can lead to ROP, see [https://garyodernichts.blogspot.com/2023/10/exploiting-dns-response-parsing-on-wii-u.html this post].

| None

| [[User:GaryOderNichts|GaryOderNichts]]

GaryOderNichts

112

edits

Changes

Wii U system flaws (view source)

Revision as of 17:35, 28 October 2023

Navigation menu

Search