Ah, I see. Well, let's hope! It would make reimplementation a bit easier to be able to decompile it. If not, it'd be easiest to reference Spacecraft-NX and Starlink-FI to create a glitch firmware.I said that the firmware was provided to me by Heinrich_frei and I have already published it here. I wrote to him about it, whether he succeeds or not, I don't know.
My guess would be that it just watches the traffic to see when boot0 has been fully loaded from the eMMC, then starts a timer (the "trained" timing offset) where it attempts to cut voltage to the core right before the completed signature check returns as failed. I don't know how tight that timing is, it could be that it works for the period of time while the signature is being calculated, or it could be as narrow as a single cycle if the boot coprocessor is running at only a few hundred MHz.I am halfway through watching the first ccc video where the speaker explains how the glitch is performed.
He got lucky glitching the emmc and subsequently dumping the bootrom as his timings were based on the reset signal which are not accurate enough to time the attack. He kept resetting the chip to perform the badly timed glitch and eventually he glitched at a correct time.
He did mention that it is possible to time the glitch better by "sniffing the emmc". Perhaps he is referring to a timing based on a combination of the emmc CLK, reset and something else?
He doesn't explain this further as he goes into the rcm and paperclip bug.
I think it is worth hooking up the logic analyser again to record the training process and the initial bootloader write to the emmc. This will give us a better understanding of the timings.
OK, I’m all in.
Picked up a junker Switch Lite w/ a bad screen on flea bay. The screen is cracked and the joysticks are shot.
View attachment 349609
Going to put this one piece screen on it and a pair of those garbage Gulikit Hall Effect sticks on it and call it good.
https://www.aliexpress.us/item/3256804496995627.html
Grabbing a HWFLY lite kit…just in case this all turns out to be much ado about nothing.
View attachment 349618
At worst I can resell it on flea bay as a fully modded switch lite for $200 and get my money back.
Let’s go!
"sniffing the emmc" is kinda itI am halfway through watching the first ccc video where the speaker explains how the glitch is performed.
He got lucky glitching the emmc and subsequently dumping the bootrom as his timings were based on the reset signals which are not accurate enough to time the attack. He kept resetting the cpu to perform the badly timed glitch and eventually he glitched at a correct time.
He did mention that it is possible to time the glitch better by "sniffing the emmc". Perhaps he is referring to a timing glitch based on a combination of the emmc CLK, dat0 and reset timings?
He doesn't explain which emmc lines to use as an anchor as he goes into the rcm and paperclip bug.
I think it is worth hooking up the logic analyser again to record the training process and the initial bootloader write to the emmc. This will give us a better understanding of the timings.
@zakwarrior any chance you could help us?Can you ask the person who analysed the signals if he also recorded the reset signal line?
The width of the glitch line on the previously posted image is how tight the timing is. I think that is a good starting point as it is a known working variable.I don't know how tight that timing is, it could be that it works for the period of time while the signature is being calculated, or it could be as narrow as a single cycle if the boot coprocessor is running at only a few hundred MHz.
I'm pretty sure i saw them in the thread right? @heinrich_frei is there any chance you could throw us a bone?the firmware was provided to me by Heinrich_frei
~52mHz. Need use CMD, CLK, D0 pins.I am halfway through watching the first ccc video where the speaker explains how the glitch is performed.
He got lucky glitching the emmc and subsequently dumping the bootrom as his timings were based on the reset signals which are not accurate enough to time the attack. He kept resetting the cpu to perform the badly timed glitch and eventually he glitched at a correct time.
He did mention that it is possible to time the glitch better by "sniffing the emmc". Perhaps he is referring to a timing glitch based on a combination of the emmc CLK, dat0 and reset timings?
He doesn't explain which emmc lines to use as an anchor as he goes into the rcm and paperclip bug.
I think it is worth hooking up the logic analyser again to record the training process and the initial bootloader write to the emmc. This will give us a better understanding of the timings.
My favorite length of bone.preferably a 64 bit bone
If it would help, i have an LA and an HWFLY. If somebody can tell me which points to sniff I’d be happy to work on grabbing some better data.Who was the person who ran the logic analyser?
There should be a difference in logic when the emmc bootloader is written for the first time, when the modchip is training and when the modchip is in normal operation.
This will give us a clear image about which anchors to use for the timings.
Oh…is that it? It looked like many more channels.~52mHz. Need use CMD, CLK, D0 pins.
OK, I’ll give it a shot and see what I can see.You would have to repeat this a few times.
1. You should probe it with the stock bootloader and the HWfly chip attached to it so you can record the whole training process.
2. You should probe a normal boot with glitch after the bootloader has been written.
3. For good measure reset the HWfly chip and probe it again.
No, the original dev doesn't care. The dev that was working on the clone is the one who was bothered by the community.
These are the labels used on a hwfly:where are all these bad boys on a HWFLY 4.2?
View attachment 350266
The OLED has them marked. V2 Switch they just say clip this to that and you’re good to go!