Line 14:
| None
| [[User:marcan|marcan]]
+
|-
+
| eFuse readout counter is not reset with NRST (de_Fuse)
+
| In order to accommodate eFuse-based JTAG lockout (and due to other considerations), eFuse bits must be buffered into a register file immediately following NRST, before the internal reset can be released. The eFuse sense state machine latches at a rate of 4 bits per cycle, directly off the 27MHz XTALCLK. Every other rising edge, a byte is written into the register file, starting from the least significant byte of the current u32.
+
+
An internal counter is used to keep track of the remaining bytes to be read into the register file. While the eFuse register file is reset to zero with NRST, the internal counter is not: By asserting NRST after N bytes have been read, only 0x400-N bytes will be read on the subsequent boot.
+
+
By asserting NRST just before the final byte has been read (1830 cycles), all eFuses will read entirely zero, including the JTAG lockout fuse. This allows trivial, unsigned and unencrypted boot1 execution, with no SEEPROM anti-rollback.
+
+
Additionally, because SRAM is not cleared on reboot, and because boot1 verifies over the encrypted payload, the boot1 key can be extracted. By asserting NRST after 176 cycles and walking the delay width down cycle-by-cycle, code execution can be used to gather 16 failed decryptions of boot1: A zerokey-decrypted boot1, and 15 others with one more byte present in its boot1 key than the last. This allows a straightforward bruteforce of the boot1 key.
+
| Trivial arbitrary code execution as boot1;
+
boot1 AES key extraction;
+
Recovery of SEEPROM-bricked Wii Us
+
| None
+
| [[User:shinyquagsire23|shinyquagsire23]]
|}
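Review bot: the cycle counts in the de_Fuse description (NRST at 1830 cycles for the final byte, at 176 cycles for the boot1 key walk) are not derived from the rate the same paragraph states, and the row should say what they are measured from. At 4 bits per XTALCLK cycle a byte lands in the register file every other cycle, so draining a 0x400-byte counter takes 2048 cycles, not 1830; either sensing starts some cycles after NRST is released, or the counter covers fewer bytes than 0x400, and the description should state which so the figures can be reproduced. The same applies to the key extraction: with a byte latched every other cycle, "walking the delay width down cycle-by-cycle" from 176 yields every second step with the same truncated key, so either the step is two cycles or duplicate decryptions are discarded before the 16 distinct partial-key results are collected; say so. Minor wording in the new cells: "bruteforce" should be "brute force", and "Wii Us" reads better as "Wii U consoles".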
Line 149:
Line 163:
| IOS-NET uses a modified version of NicheStack which is affected by [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25928 CVE-2020-25928]. Unlike described by the CVE, the IOS-NET implementation has an additional check for DNS PTR answers, which ensures the data isn't copied past the end of the buffer.
For additional PTR records pointing at the first answer name <code>dnc_set_answer</code> is still called without checking the response data length field though.
−
| Out-of-bounds heap write. Might be possible to exploit.
+
| Out-of-bounds heap write. Can lead to ROP, see [https://garyodernichts.blogspot.com/2023/10/exploiting-dns-response-parsing-on-wii-u.html this post].
| None
| [[User:GaryOderNichts|GaryOderNichts]]
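Review bot: the replaced impact cell drops the "might be possible to exploit" hedge but leaves the evidence for ROP entirely in the external link, while the Fixed column still reads None; since the description already names the condition that reaches the unchecked write (additional PTR records pointing at the first answer name calling <code>dnc_set_answer</code> without checking the response data length field), restate that trigger in the impact cell so the table row stands on its own if the blog post disappears. Also give the link a descriptive title instead of "this post", as the other rows in the table do for their references.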