Picofly - a HWFLY switch modchip (Hacking Hardware forum)

nerirififi

Guys, just an idea.

Create an emuMMC.
Downgrade the emuMMC to a firmware compatible with SX OS.
And try to boot on Picofly with the SX OS CFW?
Everybody tries Atmosphere, but maybe SX OS can work.

I know SX OS works on OLED, I have already tested it.
So I know you can downgrade a Switch to a firmware lower than the one built in at the factory if the firmware is on emuNAND.

Since SX OS is a different firmware, maybe that can work. Someone up for a test? :)
 

Hackerman_2137

> Guys, just an idea.
>
> Create an emuMMC.
> Downgrade the emuMMC to a firmware compatible with SX OS.
> And try to boot on Picofly with the SX OS CFW?
> Everybody tries Atmosphere, but maybe SX OS can work.
>
> I know SX OS works on OLED, I have already tested it.
> So I know you can downgrade a Switch to a firmware lower than the one built in at the factory if the firmware is on emuNAND.
>
> Since SX OS is a different firmware, maybe that can work. Someone up for a test? :)
SX OS is based on Atmo, so this wouldn't work. Also, SX OS is a big mess. emuNAND for Mariko units is flawed: updating sysNAND to 11+ for some people resulted in a non-working emuNAND even if they had 11 or lower. So why bother and lose time on this?
 

Piorjade

> Just off memory, isn't this the same shite TX did when they first released their chip? It cleared the keys a lot so other CFW wouldn't boot?
This.

I honestly think that the "unlocked ubuntu" firmware here is doing exactly that; it's the only reason I can think of why they even bothered to create a custom SD loader / payload with a custom public/private key pair.

It would be so much simpler to just copy-paste the HWFLY-NX sdloader and BCTs, but the developer made the effort, so that's probably why.

Anyway, development is going slowly on my part as I have work and other things to do, but at least I'm able to initialize an SD card in SDIO mode with one DAT line (this is the R/W part of my code; we need this to be able to write the BCTs and sdloader).

[attached screenshot]

I know, pretty boring news, but SD cards behave pretty much the same way as eMMCs; the commands are just a bit different.
I don't want to take any credit for myself: I've used https://github.com/carlk3/no-OS-FatFS-SD-SPI-RPi-Pico/blob/sdio/src/sd_driver/SDIO/rp2040_sdio.c as my code base and modified it to use one DAT line only (this code uses 4 DAT lines).

I'm also modifying it to be a bit simpler, as this code implements the FAT filesystem and the whole shtick and we don't need that. Other than that, of course, I'll switch it over to the eMMC protocol commands and workflow, and I'll probably create a library of some sort so people can use it with any kind of eMMC in general.

I can also say that the Pico is awesome in general; this is my first time actually working with a microcontroller to do more than just light up 3 LEDs :D
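The part of the SD work described above that carries over unchanged to eMMC is the framing on the wire: every command on CMD is a 48-bit frame closed by a CRC7, and every data block on a DAT line carries a CRC16. The following is an added example in host-side C (my own code, not Piorjade's and not taken from rp2040_sdio.c); it models only the bit-level framing and assumes nothing about the Pico's PIO or bus timing, so it compiles with any C compiler. The command names in the comments are the standard SD ones.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SD_FRAME_LEN 6          /* 48-bit command or R1/R6-style response frame */
#define SD_BLOCK_LEN 512

/* CRC7 (generator x^7 + x^3 + 1, init 0) over len bytes, as used on the CMD line. */
uint8_t sd_crc7(const uint8_t *data, size_t len)
{
    uint8_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t d = data[i];
        for (int bit = 0; bit < 8; bit++) {
            crc <<= 1;                      /* bit 7 now holds the bit leaving the 7-bit register */
            if ((d ^ crc) & 0x80)
                crc ^= 0x09;
            d <<= 1;
        }
    }
    return crc & 0x7F;
}

/* Build the host->card command: start 0, transmission 1, idx(6), arg(32), crc7(7), end 1. */
void sd_build_cmd(uint8_t idx, uint32_t arg, uint8_t out[SD_FRAME_LEN])
{
    out[0] = (uint8_t)(0x40 | (idx & 0x3F));
    out[1] = (uint8_t)(arg >> 24);
    out[2] = (uint8_t)(arg >> 16);
    out[3] = (uint8_t)(arg >> 8);
    out[4] = (uint8_t)arg;
    out[5] = (uint8_t)((sd_crc7(out, 5) << 1) | 1);
}

/* Check a 6-byte frame in either direction (command or R1/R6 response): start bit, CRC7, end bit. */
bool sd_frame_ok(const uint8_t f[SD_FRAME_LEN])
{
    if (f[0] & 0x80) return false;          /* start bit must be 0 */
    if (!(f[5] & 0x01)) return false;       /* end bit must be 1 */
    return (uint8_t)(f[5] >> 1) == sd_crc7(f, 5);
}

/* CRC16-CCITT (x^16 + x^12 + x^5 + 1, init 0). There is one CRC16 per DAT line, so in
 * 1-bit mode exactly one CRC16 trails every 512-byte block on DAT0. */
uint16_t sd_crc16(const uint8_t *data, size_t len)
{
    uint16_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)(data[i] << 8);
        for (int bit = 0; bit < 8; bit++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* CRC16 of a 512-byte block filled with one value (the SD spec's worked example uses 0xFF). */
uint16_t sd_crc16_filled(uint8_t fill)
{
    uint8_t block[SD_BLOCK_LEN];
    memset(block, fill, sizeof block);
    return sd_crc16(block, sizeof block);
}

static void print_frame(const char *name, const uint8_t f[SD_FRAME_LEN])
{
    printf("%-6s", name);
    for (int i = 0; i < SD_FRAME_LEN; i++) printf(" %02X", f[i]);
    printf("  crc ok=%d\n", sd_frame_ok(f));
}

int main(void)
{
    uint8_t f[SD_FRAME_LEN];
    sd_build_cmd(0, 0, f);      print_frame("CMD0", f);   /* GO_IDLE_STATE */
    sd_build_cmd(8, 0x1AA, f);  print_frame("CMD8", f);   /* SEND_IF_COND: 2.7-3.6 V, pattern 0xAA */
    sd_build_cmd(17, 0, f);     print_frame("CMD17", f);  /* READ_SINGLE_BLOCK, block 0 */
    f[3] ^= 0x01;               print_frame("bad17", f);  /* one flipped argument bit fails the CRC */
    printf("CRC16 of 512 x 0xFF = 0x%04X\n", sd_crc16_filled(0xFF));
    return 0;
}
```

The frames come out as the spec values (CMD0 is 40 00 00 00 00 95, CMD8 with 0x1AA is 48 00 00 01 AA 87), which is a cheap self-check before putting a PIO program on the bus. The same CRC7 routine validates the card's responses, and the CRC16 is what must trail each 512-byte block written on DAT0 when the BCTs and sdloader are flashed in 1-bit mode; moving to eMMC changes the command indices and arguments, not this framing.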
 

renoob

OK, I've used the "unique_board_id" example from pico-examples and modified it with the injection to see whether the "pico_get_unique_board_id" function really retrieves the modified ID when it's modified at boot, and it does:
Code:
Port /dev/ttyACM0, 12:00:47

Press CTRL-A Z for help on special keys

Unique identifier: 11 22 33 44 55 66 77 88
Unique identifier: 11 22 33 44 55 66 77 88
Unique identifier: 11 22 33 44 55 66 77 88


Code:
Welcome to minicom 2.8

OPTIONS: I18n
Port /dev/ttyACM0, 11:53:41

Press CTRL-A Z for help on special keys

Unique identifier: e6 61 1c b7 1f 32 68 29

The Pico is outputting this via serial, so I would say that the injection works.
Will modify the fw again with a little better code now (I used a lot of NOPs when I initially created the function; maybe it's adding some delay).
BTW, I also tested with an RP-Zero from the start, and the addresses in general (functions and memory) are the same, so it does not change from Pico to Pico.
 

vittorio

In this function it takes the static ID, which I think is divided into an array of 4 (local_20 and local_30), and then it does some sort of check, I think.
**************************************************************
* FUNCTION *
**************************************************************
undefined call_by_id_statico(void)
undefined r0:1 <RETURN>
undefined4 Stack[-0x20]:4 local_20 XREF[1]: 10002642(W)
undefined4 Stack[-0x30]:4 local_30 XREF[2]: 10002636(W),
1000264e(W)
call_by_id_statico XREF[1]: Get_Id_Statico:1000260c(c)
10002628 30 b5 push {r4,r5,lr}
1000262a 00 25 movs r5,#0x0
1000262c 89 b0 sub sp,#0x24
1000262e 04 00 movs r4,r0
10002630 09 22 movs r2,#0x9
10002632 00 21 movs r1,#0x0
10002634 01 a8 add r0,sp,#0x4
10002636 00 95 str r5,[sp,#0x0]=>local_30
10002638 ff f7 8c fe bl FUN_10002354 undefined FUN_10002354()
1000263c 09 22 movs r2,#0x9
1000263e 00 21 movs r1,#0x0
10002640 05 a8 add r0,sp,#0x14
10002642 04 95 str r5,[sp,#local_20]
10002644 ff f7 86 fe bl FUN_10002354 undefined FUN_10002354()
10002648 4b 23 movs r3,#0x4b
1000264a 6a 46 mov r2,sp
1000264c 68 46 mov r0,sp
1000264e 13 70 strb r3,[r2,#0x0]=>local_30
10002650 04 a9 add r1,sp,#0x10
10002652 0d 22 movs r2,#0xd
10002654 00 f0 30 f9 bl FUN_100028b8 undefined FUN_100028b8()
10002658 15 21 movs r1,#0x15
1000265a 08 22 movs r2,#0x8
1000265c 20 00 movs r0,r4
1000265e 69 44 add r1,sp
10002660 ff f7 7e fe bl call_by_id undefined call_by_id(void)
10002664 09 b0 add sp,#0x24
10002666 30 bd pop {r4,r5,pc}
 

renoob

No, that function does not take the ID; it's prepared and generated there. The function at 10002654 is "flash_send_cmd", where it queries the flash chip with a command to retrieve its ID (you can confirm that since in the C code one of the arguments is "0x4b", which is the command for retrieving the ID), and then it's stored in memory at a static location (which I'm manipulating).
Since I've tested unique_board_id from pico-examples with this modification and it's outputting the modified ID, I would say that it works. But maybe something else is the problem (user added the wrong ID, some wiring, etc.? Just thinking out loud).
 

renoob

How exactly? I would prefer if it can be flashed with picotool, since that's what I'm doing, so we can eliminate converting.
You have a working setup? Can you start unlocked_fw?
 

renoob

OK, this time I can prove that the injection works 100%.

So I checked this:
https://forums.raspberrypi.com/viewtopic.php?t=336409
The guy made a uf2 file; when you flash it, you get the output "This software is for this board". Yeah, all working fine.
Then you dump that firmware and flash it on a different Pico, and you get "program is not for that board". Everything works as written there; when I did that and flashed it on my second Pico I was getting this output:
Code:
Welcome to minicom 2.8

OPTIONS: I18n
Port /dev/ttyACM0, 13:35:20

Press CTRL-A Z for help on special keys

======= THIS SOFTWARE WAS STOLEN =======
This software will not run on this board

======= THIS SOFTWARE WAS STOLEN =======
This software will not run on this board

------------------------------------------
Then I did this injection on that dump. Since the first uf2 locks the firmware to the unique ID of the first Pico, I just injected the ID of the first Pico into the dumped one, which was outputting the error above on the second Pico... and:

Code:
Welcome to minicom 2.8

OPTIONS: I18n
Port /dev/ttyACM0, 13:51:11

Press CTRL-A Z for help on special keys

This software is for this board
This software is for this board
This software is for this board
It successfully runs and does not give the error anymore on the second Pico. So my conclusion is that the injection works 100%, since unique_board from pico-examples outputs the modified one, and this example above was locked and now it's unlocked after the injection.
....
So maybe the ID that the user provided with the firmware is not correct, OR something else.
 

Rozetkin

> So maybe the ID that the user provided with the firmware is not correct, OR something else.
Or maybe there is another check in the firmware.
I also recently reversed and patched this firmware (although I just rewrote the function at 0x1002608 instead of jumping to the written function further on). It seems to me that the ID is the primary decryption key for both the payload and further code. I could not find write accesses to pins 15 and 28, nor could I find the code that makes the onboard LED white. So it seems to me that inside the encrypted payload there is more code, which also probably makes a direct system call with 4b, which, in fact, does not allow simply swapping the ID.
 

renoob

> Or maybe there is another check in the firmware.
> I also recently reversed and patched this firmware (although I just rewrote the function at 0x1002608 instead of jumping to the written function further on). It seems to me that the ID is the primary decryption key for both the payload and further code. I could not find write accesses to pins 15 and 28, nor could I find the code that makes the onboard LED white. So it seems to me that inside the encrypted payload there is more code, which also probably makes a direct system call with 4b, which, in fact, does not allow simply swapping the ID.
Will try to modify the flash_send_cmd function then, but yeah, you are right, since this function is referenced in another function as well.
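Rozetkin's point, and the reason renoob's injection can pass the pico-examples test and the stolen-software demo yet still not start unlocked_fw, can be put into a small model. This is an added example in host-side C (my own code, not the Picofly or unlocked_fw firmware): the SDK's flash_do_cmd() is replaced by a simulated flash that only answers the 0x4B Read Unique ID command, the two IDs are the ones from renoob's serial dumps above, and the XOR "cipher" is an assumption standing in for whatever the real payload uses. It contrasts three ways firmware can bind to the flash ID: a copy cached at boot and compared later (what the injection overwrites), a check that re-issues 0x4B itself, and a stage-2 payload keyed from a fresh read.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SPI flash "Read Unique ID": the opcode pico_get_unique_board_id() issues,
 * followed by four dummy bytes, then eight ID bytes clocked back. */
#define FLASH_RUID_CMD         0x4B
#define FLASH_RUID_DUMMY_BYTES 4
#define FLASH_RUID_DATA_BYTES  8
#define FLASH_RUID_XFER_LEN    (1 + FLASH_RUID_DUMMY_BYTES + FLASH_RUID_DATA_BYTES)

/* Constructed values: the ID the firmware was bound to, and the ID of the chip it now runs on. */
static const uint8_t LICENSED_ID[FLASH_RUID_DATA_BYTES]  = {0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88};
static const uint8_t REAL_CHIP_ID[FLASH_RUID_DATA_BYTES] = {0xE6,0x61,0x1C,0xB7,0x1F,0x32,0x68,0x29};

/* Stand-in for the SDK's flash_do_cmd(): a full-duplex SPI transfer against a simulated flash. */
static void flash_do_cmd_sim(const uint8_t *tx, uint8_t *rx, size_t n)
{
    memset(rx, 0xFF, n);
    if (n >= FLASH_RUID_XFER_LEN && tx[0] == FLASH_RUID_CMD)
        memcpy(rx + 1 + FLASH_RUID_DUMMY_BYTES, REAL_CHIP_ID, FLASH_RUID_DATA_BYTES);
}

/* A fresh 0x4B query, straight from the chip. */
void read_unique_id(uint8_t out[FLASH_RUID_DATA_BYTES])
{
    uint8_t tx[FLASH_RUID_XFER_LEN] = { FLASH_RUID_CMD };
    uint8_t rx[FLASH_RUID_XFER_LEN];
    flash_do_cmd_sim(tx, rx, sizeof tx);
    memcpy(out, rx + 1 + FLASH_RUID_DUMMY_BYTES, FLASH_RUID_DATA_BYTES);
}

/* Path 1: read once at boot into a static buffer that later code compares against. */
static uint8_t g_cached_id[FLASH_RUID_DATA_BYTES];
void boot_cache_id(void) { read_unique_id(g_cached_id); }

/* The injection from the thread, modelled: overwrite the static copy after boot. */
void inject_cached_id(const uint8_t id[FLASH_RUID_DATA_BYTES])
{
    memcpy(g_cached_id, id, FLASH_RUID_DATA_BYTES);
}

bool check_via_cache(void)
{
    return memcmp(g_cached_id, LICENSED_ID, FLASH_RUID_DATA_BYTES) == 0;
}

/* Path 2: a later check that re-issues 0x4B itself and never looks at the cache. */
bool check_via_flash(void)
{
    uint8_t id[FLASH_RUID_DATA_BYTES];
    read_unique_id(id);
    return memcmp(id, LICENSED_ID, FLASH_RUID_DATA_BYTES) == 0;
}

/* Path 3: a stage-2 payload whose key is the ID from a fresh read. The XOR keystream is a
 * toy stand-in (assumption) for the real cipher; only where the key comes from matters. */
static const uint8_t STAGE2_MAGIC[4] = { 'S', 'T', 'G', '2' };

static void xor_with_id(const uint8_t *in, size_t n,
                        const uint8_t id[FLASH_RUID_DATA_BYTES], uint8_t *out)
{
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ id[i % FLASH_RUID_DATA_BYTES];
}

/* Vendor side: the payload is encrypted under the licensed chip's ID. */
void build_stage2(uint8_t ct[sizeof STAGE2_MAGIC])
{
    xor_with_id(STAGE2_MAGIC, sizeof STAGE2_MAGIC, LICENSED_ID, ct);
}

/* Device side: decrypt with whatever 0x4B returns right now and check the magic. */
bool stage2_decrypts(void)
{
    uint8_t ct[sizeof STAGE2_MAGIC], pt[sizeof STAGE2_MAGIC], key[FLASH_RUID_DATA_BYTES];
    build_stage2(ct);
    read_unique_id(key);
    xor_with_id(ct, sizeof ct, key, pt);
    return memcmp(pt, STAGE2_MAGIC, sizeof STAGE2_MAGIC) == 0;
}

int main(void)
{
    boot_cache_id();
    printf("before injection: cache=%d flash=%d stage2=%d\n",
           check_via_cache(), check_via_flash(), stage2_decrypts());
    inject_cached_id(LICENSED_ID);
    printf("after injection:  cache=%d flash=%d stage2=%d\n",
           check_via_cache(), check_via_flash(), stage2_decrypts());
    return 0;
}
```

The injection flips only the cached comparison; anything that issues 0x4B again still sees the real chip. Patching the send-command routine itself, as proposed above, covers every caller in the outer firmware, but not a second copy of that routine carried inside an encrypted stage, which is exactly the case Rozetkin suspects. Seen from the vendor's side, a binding that derives a key from the ID and re-reads it in each stage is much harder to patch out than one stored comparison.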
 
