Just off memory isn't this the same shite tx did when they first released their chip. It cleared the keys lots so other cfw wouldn't boot?
SX OS is based on atmo, so this wouldnt work. Also SX OS is a big mess. Emunand for Mariko units is flawed, updating sysnand to 11+ for some people resulted in not working emunand even if they'd 11 or lower. So why bother and loosing time for this?guy, just an idea.
Create an emmumc
Downgrade the emmumc with firmware compatible sx os
And try to boot on picofly with cfw sx os ?
Eveybody try atmosphere but maybe sxos can work.
I know sx os work on oled, I have already test.
So I know you can downgrade a switch with a firmware lower than build in factory if the firmware is on emunand.
Like sx os is a different firmware maybe that can work, someone for test ?
ThisJust off memory isn't this the same shite tx did when they first released their chip. It cleared the keys lots so other cfw wouldn't boot?
Port /dev/ttyACM0, 12:00:47
Press CTRL-A Z for help on special keys
Unique identifier: 11 22 33 44 55 66 77 88
Unique identifier: 11 22 33 44 55 66 77 88
Unique identifier: 11 22 33 44 55 66 77 88
Welcome to minicom 2.8
OPTIONS: I18n
Port /dev/ttyACM0, 11:53:41
Press CTRL-A Z for help on special keys
Unique identifier: e6 61 1c b7 1f 32 68 29
**************************************************************
* FUNCTION *
**************************************************************
undefined call_by_id_statico(void)
undefined r0:1 <RETURN>
undefined4 Stack[-0x20]:4 local_20 XREF[1]: 10002642(W)
undefined4 Stack[-0x30]:4 local_30 XREF[2]: 10002636(W),
1000264e(W)
call_by_id_statico XREF[1]: Get_Id_Statico:1000260c(c)
10002628 30 b5 push {r4,r5,lr}
1000262a 00 25 movs r5,#0x0
1000262c 89 b0 sub sp,#0x24
1000262e 04 00 movs r4,r0
10002630 09 22 movs r2,#0x9
10002632 00 21 movs r1,#0x0
10002634 01 a8 add r0,sp,#0x4
10002636 00 95 str r5,[sp,#0x0]=>local_30
10002638 ff f7 8c fe bl FUN_10002354 undefined FUN_10002354()
1000263c 09 22 movs r2,#0x9
1000263e 00 21 movs r1,#0x0
10002640 05 a8 add r0,sp,#0x14
10002642 04 95 str r5,[sp,#local_20]
10002644 ff f7 86 fe bl FUN_10002354 undefined FUN_10002354()
10002648 4b 23 movs r3,#0x4b
1000264a 6a 46 mov r2,sp
1000264c 68 46 mov r0,sp
1000264e 13 70 strb r3,[r2,#0x0]=>local_30
10002650 04 a9 add r1,sp,#0x10
10002652 0d 22 movs r2,#0xd
10002654 00 f0 30 f9 bl FUN_100028b8 undefined FUN_100028b8()
10002658 15 21 movs r1,#0x15
1000265a 08 22 movs r2,#0x8
1000265c 20 00 movs r0,r4
1000265e 69 44 add r1,sp
10002660 ff f7 7e fe bl call_by_id undefined call_by_id(void)
10002664 09 b0 add sp,#0x24
10002666 30 bd pop {r4,r5,pc}
Done everything on RPzero now, cleaner code, double checked ID and memory reading.
I would also like to ask @IgraBIT1 if he can also double check if the ID he provided is correct
converted without picotoolUsed picotool to flash?
Blue -> red LED?
Welcome to minicom 2.8
OPTIONS: I18n
Port /dev/ttyACM0, 13:35:20
Press CTRL-A Z for help on special keys
======= THIS SOFTWARE WAS STOLEN =======
This software will not run on this board
======= THIS SOFTWARE WAS STOLEN =======
This software will not run on this board
------------------------------------------
Welcome to minicom 2.8
OPTIONS: I18n
Port /dev/ttyACM0, 13:51:11
Press CTRL-A Z for help on special keys
This software is for this board
This software is for this board
This software is for this board
Or, maybe, there is a another check in firmware.So maybe the ID that user provided with firmware is not correct OR something else
Will try to modify flash_send_cmd function then, but yeah you are right since this function is referenced in another function aswellOr, maybe, there is a another check in firmware.
I also recently reversed and patched this firmware (although I just rewrote function 0x1002608 instead of jmping the written function further). It seems to me that the id is the primary decryption of both the payload and further code. I could not find write accesses to pins 15 and 28, nor could I find the code that makes the onboard led white. So it seems to me that inside the encrypted payload there is more code, which also probably makes a direct system call with 4b, which, in fact, does not allow to simply swap the id.
you can leave the get id as is and inject your id into the other functionWill try to modify flash_send_cmd function then, but yeah you are right since this function is referenced in another function aswell