Hacking Hardware Picofly - a HWFLY switch modchip

Mansi

I said that the firmware was provided to me by Heinrich_frei and I have already published it here. I wrote to him about it, whether he succeeds or not, I don't know.

TheSynthax

> I said that the firmware was provided to me by Heinrich_frei and I have already published it here. I wrote to him about it, whether he succeeds or not, I don't know.
Ah, I see. Well, let's hope! It would make reimplementation a bit easier to be able to decompile it. If not, it'd be easiest to reference Spacecraft-NX and Starlink-FI to create a glitch firmware.

FruithatMods

I am halfway through watching the first CCC video where the speaker explains how the glitch is performed.

He got lucky glitching the eMMC and subsequently dumping the bootrom, as his timings were based on the reset signals, which are not accurate enough to time the attack. He kept resetting the CPU to perform the badly timed glitch and eventually he glitched at a correct time.

He did mention that it is possible to time the glitch better by "sniffing the eMMC". Perhaps he is referring to a timing glitch based on a combination of the eMMC CLK, DAT0 and reset timings?

He doesn't explain which eMMC lines to use as an anchor as he goes into the RCM and paperclip bug.

I think it is worth hooking up the logic analyser again to record the training process and the initial bootloader write to the eMMC. This will give us a better understanding of the timings.

TheSynthax

> I am halfway through watching the first CCC video where the speaker explains how the glitch is performed.
>
> He got lucky glitching the eMMC and subsequently dumping the bootrom, as his timings were based on the reset signal, which is not accurate enough to time the attack. He kept resetting the chip to perform the badly timed glitch and eventually he glitched at a correct time.
>
> He did mention that it is possible to time the glitch better by "sniffing the eMMC". Perhaps he is referring to a timing based on a combination of the eMMC CLK, reset and something else?
>
> He doesn't explain this further as he goes into the RCM and paperclip bug.
>
> I think it is worth hooking up the logic analyser again to record the training process and the initial bootloader write to the eMMC. This will give us a better understanding of the timings.
My guess would be that it just watches the traffic to see when boot0 has been fully loaded from the eMMC, then starts a timer (the "trained" timing offset) where it attempts to cut voltage to the core right before the completed signature check returns as failed. I don't know how tight that timing is, it could be that it works for the period of time while the signature is being calculated, or it could be as narrow as a single cycle if the boot coprocessor is running at only a few hundred MHz.

FruithatMods

Who was the person who ran the logic analyser?

There should be a difference in logic when the eMMC bootloader is written for the first time, when the modchip is training and when the modchip is in normal operation.

This will give us a clear image about which anchors to use for the timings.

binkinator

OK, I’m all in.

Picked up a junker Switch Lite w/ a bad screen on flea bay. The screen is cracked and the joysticks are shot.

Going to put this one piece screen on it and a pair of those garbage Gulikit Hall Effect sticks on it and call it good.
https://www.aliexpress.us/item/3256804496995627.html

Grabbing a HWFLY lite kit…just in case this all turns out to be much ado about nothing.

At worst I can resell it on flea bay as a fully modded switch lite for $200 and get my money back.

Let’s go!

I’ve moved from wishful thinking to reality.

The screen is definitely in need of replacement.

It’s OK, the new one will be here in (/me checks AliExpress)

It’s OK, guys. We just have a little more time is all. :-)

Piorjade

> I am halfway through watching the first CCC video where the speaker explains how the glitch is performed.
>
> He got lucky glitching the eMMC and subsequently dumping the bootrom, as his timings were based on the reset signals, which are not accurate enough to time the attack. He kept resetting the CPU to perform the badly timed glitch and eventually he glitched at a correct time.
>
> He did mention that it is possible to time the glitch better by "sniffing the eMMC". Perhaps he is referring to a timing glitch based on a combination of the eMMC CLK, DAT0 and reset timings?
>
> He doesn't explain which eMMC lines to use as an anchor as he goes into the RCM and paperclip bug.
>
> I think it is worth hooking up the logic analyser again to record the training process and the initial bootloader write to the eMMC. This will give us a better understanding of the timings.
"Sniffing the eMMC" is kinda it.

I haven't watched this video in a while, but I think he explains it pretty well.

Gotta watch all these videos again.

ByteFun

Writing programs in C is not enough. You need to understand how to work with the controller and be able to write working code. Unfortunately, I'm not that good at this. In addition, you will have to debug it, A LOT OF DEBUGGING, and not only software, but also hardware.

FruithatMods

> I don't know how tight that timing is, it could be that it works for the period of time while the signature is being calculated, or it could be as narrow as a single cycle if the boot coprocessor is running at only a few hundred MHz.
The width of the glitch line on the previously posted image is how tight the timing is. I think that is a good starting point as it is a known working variable.

Mansi

> I am halfway through watching the first CCC video where the speaker explains how the glitch is performed.
>
> He got lucky glitching the eMMC and subsequently dumping the bootrom, as his timings were based on the reset signals, which are not accurate enough to time the attack. He kept resetting the CPU to perform the badly timed glitch and eventually he glitched at a correct time.
>
> He did mention that it is possible to time the glitch better by "sniffing the eMMC". Perhaps he is referring to a timing glitch based on a combination of the eMMC CLK, DAT0 and reset timings?
>
> He doesn't explain which eMMC lines to use as an anchor as he goes into the RCM and paperclip bug.
>
> I think it is worth hooking up the logic analyser again to record the training process and the initial bootloader write to the eMMC. This will give us a better understanding of the timings.
~52 MHz. You need to use the CMD, CLK and D0 pins.

binkinator

> Who was the person who ran the logic analyser?
>
> There should be a difference in logic when the eMMC bootloader is written for the first time, when the modchip is training and when the modchip is in normal operation.
>
> This will give us a clear image about which anchors to use for the timings.
If it would help, i have an LA and an HWFLY. If somebody can tell me which points to sniff I’d be happy to work on grabbing some better data.

> ~52 MHz. You need to use the CMD, CLK and D0 pins.
Oh…is that it? It looked like many more channels.

FruithatMods

You will need to probe the reset line, DAT0, CLK, CMD and the glitch line at the very least.

What the previous person did was to also probe the SPI line between the GD32 chip and the FPGA, but that doesn't appear to give a lot of clues, and you would need to solder extra points to the modchip if you would like to do that.

FruithatMods

You would have to repeat this a few times.

1. You should probe it with the stock bootloader and the HWfly chip attached to it so you can record the whole training process.

2. You should probe a normal boot with glitch after the bootloader has been written.

3. For good measure reset the HWfly chip and probe it again.

binkinator

> You would have to repeat this a few times.
>
> 1. You should probe it with the stock bootloader and the HWfly chip attached to it so you can record the whole training process.
>
> 2. You should probe a normal boot with glitch after the bootloader has been written.
>
> 3. For good measure reset the HWfly chip and probe it again.
OK, I’ll give it a shot and see what I can see.

FruithatMods

No, the original dev doesn't care. The dev that was working on the clone is the one who was bothered by the community.

> Where are all these bad boys on a HWFLY 4.2?
>
> The OLED has them marked. V2 Switch they just say clip this to that and you're good to go!
These are the labels used on a hwfly:
CLK is D
CMD is A
Dat0 is C
Reset is B

The glitch line is on the ribbon cable. I don't know if there is a test pad for the glitch line next to the ribbon connector on the HWfly. You could use a multimeter to find it.

The SPI signals are signals on the PCB of the HWfly between the FPGA and the GD32, but I don't think you will need these necessarily.

Don't forget to enhance!
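As an added example, not code from this thread, from HWFLY or Picofly firmware, or from Spacecraft-NX: the guess above that the modchip watches eMMC traffic for the end of the boot0 load and then runs a trained timer, together with the probe list (CLK, CMD, DAT0, reset, glitch at ~52 MHz), comes down to decoding 48-bit CMD-line frames out of a logic-analyser capture and picking one of them as the time zero for the glitch offset. The script below does that on a constructed capture. Assumptions not taken from the thread: the CMD channel has already been reduced to one sample per rising CLK edge, the bus clock is 52 MHz, the anchor is the card's response to the last CRC-valid read command (DAT0 is not decoded, so the actual end of the data phase is not observed), and all function names are this example's own.

```python
"""Locate a glitch-timing anchor in an eMMC CMD-line capture (added example, constructed data)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

EMMC_CLK_HZ = 52_000_000   # assumed bus clock (~52 MHz, as quoted in the thread)
READ_CMDS = {17, 18}       # READ_SINGLE_BLOCK, READ_MULTIPLE_BLOCK


def crc7(bits: List[int]) -> int:
    """CRC-7 (x^7 + x^3 + 1, init 0), MSB first, as used on the eMMC CMD line."""
    crc = 0
    for b in bits:
        crc ^= b << 6
        crc = ((crc << 1) ^ 0x09) & 0x7F if crc & 0x40 else (crc << 1) & 0x7F
    return crc


def build_frame(from_host: bool, index: int, payload: int) -> List[int]:
    """48-bit frame: start(0), transmission bit, 6-bit index, 32-bit payload, CRC7, end(1)."""
    bits = [0, 1 if from_host else 0]
    bits += [(index >> i) & 1 for i in range(5, -1, -1)]
    bits += [(payload >> i) & 1 for i in range(31, -1, -1)]
    crc = crc7(bits)
    bits += [(crc >> i) & 1 for i in range(6, -1, -1)]
    return bits + [1]


def build_capture(events: List[Tuple[int, List[int]]], total_clocks: int) -> List[int]:
    """Constructed CLK-aligned CMD samples: line idles high, frames placed at clock offsets."""
    cmd = [1] * total_clocks
    for start, bits in events:
        cmd[start:start + len(bits)] = bits
    return cmd


@dataclass
class Frame:
    start_clk: int    # clock index of the start bit
    from_host: bool   # True = command from the host, False = response from the card
    index: int
    payload: int      # command argument, or card status for an R1 response
    crc_ok: bool


def decode_cmd_line(cmd: List[int]) -> List[Frame]:
    """Walk the sampled CMD line, cut out 48-bit frames and verify each CRC7."""
    frames: List[Frame] = []
    i = 0
    while i < len(cmd):
        if cmd[i] == 1:            # idle high: nothing to decode here
            i += 1
            continue
        bits = cmd[i:i + 48]
        if len(bits) < 48 or bits[47] != 1:
            i += 1                 # truncated frame or missing end bit: resync
            continue
        field = lambda lo, hi: int("".join(map(str, bits[lo:hi])), 2)
        frames.append(Frame(i, bits[1] == 1, field(2, 8), field(8, 40),
                            crc7(bits[:40]) == field(40, 47)))
        i += 48
    return frames


def find_read_anchor(frames: List[Frame]) -> Optional[Frame]:
    """Card response to the last CRC-valid read command. Assumption: this is used as
    time zero; the data phase on DAT0 that follows it is not decoded in this example."""
    anchor = None
    for f in frames:
        if f.crc_ok and not f.from_host and f.index in READ_CMDS:
            anchor = f
    return anchor


def clocks_to_us(clocks: int, clk_hz: int = EMMC_CLK_HZ) -> float:
    return clocks * 1_000_000 / clk_hz


def demo_capture() -> List[int]:
    """Constructed traffic: status poll, two single-block reads, one noise-corrupted frame."""
    events = [
        (100, build_frame(True, 13, 0x00010000)),    # CMD13 SEND_STATUS, RCA 1
        (160, build_frame(False, 13, 0x00000900)),   # R1: card in transfer state
        (400, build_frame(True, 17, 0x00000000)),    # CMD17, block 0
        (460, build_frame(False, 17, 0x00000900)),
        (1200, build_frame(True, 17, 0x00000001)),   # CMD17, block 1
        (1260, build_frame(False, 17, 0x00000900)),
    ]
    corrupted = build_frame(False, 17, 0x00000900)
    corrupted[20] ^= 1                               # flipped payload bit: CRC must reject it
    events.append((2000, corrupted))
    return build_capture(events, 2600)


def demo() -> dict:
    frames = decode_cmd_line(demo_capture())
    anchor = find_read_anchor(frames)
    return {
        "frames": len(frames),
        "crc_failures": sum(1 for f in frames if not f.crc_ok),
        "anchor_clk": anchor.start_clk if anchor else None,
        "anchor_end_us": clocks_to_us(anchor.start_clk + 48) if anchor else None,
    }


if __name__ == "__main__":
    print(demo())
```

On a real capture the CMD channel first has to be resampled on CLK edges (most analyser exports give a sample per time step, not per clock), and the trained offset is then measured from the anchor frame to the falling edge on the glitch line in the same capture; comparing that offset across the three captures proposed above (training, normal glitched boot, after a reset of the chip) is what shows whether the firmware anchors on the CMD line, on DAT0, or on reset.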
