Writing programs in C is not enough. You need to understand how to work with the controller and be able to write working code. Unfortunately, I'm not that good at this. In addition, you will have to debug it, A LOT OF DEBUGGING, and not only software, but also hardware.
I also studied this firmware before. There is a presentation of how the Switch glitching works. As I understand it, the success flag is a request to read a specific address from memory. The FPGA is just for eMMC r/w and MOSFET control based on pulse width and offset relative to something that are...
It's not a problem to brute force the ID. The ID is already there. The problem is with the decryption algorithm. Is it a standard, known algorithm or proprietary?
The first thing the startup code does is initialize the hardware, copy the contents of flash memory into RAM, and start the main function. We get the identifier of the flash memory. The chip voltage rises and the clock frequency rises to 333 MHz. In this mode, we can no longer work with flash...
Do you think it's so easy to replace the bootloader? The main code is encrypted, as is the bootloader code. I think you can put your bootloader in eMMC via hekate? Will the chip load a custom bootloader in the Switch?
Well. I successfully connected the debugger. The container is not checked for integrity, but any modification of the firmware will reset the chip into firmware download mode. Perhaps there are some checks during the execution of the firmware. But after doing something, I was able to start...
This is the goal. I mean, you can't just patch one place by changing the ID. But is it possible to make the get ID function return the same set of bytes? Sounds like a dirty patch, but it can work as a temporary security bypass solution ))
1674203370
The encrypted firmware is located at 1000297C...
No
No! You need to encrypt the 2nd stage firmware with a new key (generated with the unique Flash ID).
1674125195
I'm still trying to enable debugging. I'm sure it's possible to patch the firmware and allow the debugger to connect, but I don't know how. This is my first arm debugging experience, never had...
What about SWD being disabled in the firmware? How to enable debugging?
1674110606
I found an xref to the encrypted data and, maybe, the decryptor code. But I can't connect to the target via the SWD port )
Hello! I need to patch code in a system module. The main executable file is already decrypted and loaded in IDA Pro, and I know which bytes at which offset I need to replace.
How can I do this without packaging and replacing the package in the firmware? I saw in Atmosphere support for IPS patches...
I feel like school, back when I was actually in school, was more entertaining though, because of how much I get to interact with people, hang out with friends, and other stuff like that. All I get to talk to at work is my boring coworkers lol