- Joined
- Nov 15, 2011
- Messages
- 5,210
- Trophies
- 0
- Age
- 40
- Location
- Deep in GBAtemp addiction
- Website
- gbadev.googlecode.com
- XP
- 1,709
- Country
Curious, what part of the bootROM security would you be talking about here? Are you wanting to write to the bootROM (probably impossible but you never know without trying, I guess), find an exploit in it's code to send it a phony ancast image and gain control before it finishes, or something else?
Actually, now that you mention boot ROM exploits, given that they said that boot0 (IIRC) could take a signed recovery image (off of SD, hopefully) if there was some exploit in the boot0 code that reads that there would be NO way to patch it and you would have absolutely FULL control over the console (boot1 keys and all)
... I'd assume they would have been REALLY careful about that step in the process (especially if they had the confidence of just letting you flip the bit to look at their code) but one can always dream
How so? Marcan has the keys and can find other exploits. Smp processors in general are prone to racing attacks. Marcan is obviously expert. Can cpu revision shut down hacks? Can keys be changed?
Edit: the blog and responses by f0f is top notch. It clarifies my questions and what others asked (seems that way). Have to respect the disclosure. I have a different question. Is the Wii U vulnerable to a reset glitch hack? A way to avoid many of the issues and possibly even have more options?
Edit: the blog and responses by f0f is top notch. It clarifies my questions and what others asked (seems that way). Have to respect the disclosure. I have a different question. Is the Wii U vulnerable to a reset glitch hack? A way to avoid many of the issues and possibly even have more options?
If they talk about the espresso bootrom, it should be the code that runs when the espresso is reset. It's the code that decrypts the ancast images.
We don't even know if that code is part of the espresso cpu itself.
I started to look at the description of the decapped cpu, but couldn't find someone describing a section that was marked as being some sort of mask rom.
Just 1K (128 Bytes * 8) Efuses that are used to store the keys.
They might always be able to patch newer console by changing hardware (like the cpu) but this is a very expensive procedure.
The could for instance make the espresso hard reset edge triggered instead of level triggered.
There is another level of being patchable, which is firmware updates. Maybe with unpatchable they mean that it can't be patched with a firmware upgrade
on the consoles now on the market.
Boot0 -> Boot1 ... isn't espresso. It's arm. They said at 30C3 that they hadn't found an exploitable bug in that Boot0.
It looks like some things are writable. Didn't comex call a function and managed to brick his wiiu with it? Maybe he changed one of the key values?
On xbox 360, Efuses could only be set from 1 to 0 (or the other way around). You needed to add a special programming voltage before you could program them.
Maybe the extra voltage isn't needed anymore and the wiiu has buildin functions to program the keys in the efuses.
(Older flash chips also needed a 12V programming voltage)
If espresso bootrom isn't part of the cpu, it could be the arm loading the bootcode into memory.
If that proces could be exploited you might be able to run something else instead of the ancast decryptor.
Be aware there are a lot of if statements in this...
We don't even know if that code is part of the espresso cpu itself.
I started to look at the description of the decapped cpu, but couldn't find someone describing a section that was marked as being some sort of mask rom.
Just 1K (128 Bytes * 8) Efuses that are used to store the keys.
They might always be able to patch newer console by changing hardware (like the cpu) but this is a very expensive procedure.
The could for instance make the espresso hard reset edge triggered instead of level triggered.
There is another level of being patchable, which is firmware updates. Maybe with unpatchable they mean that it can't be patched with a firmware upgrade
on the consoles now on the market.
Boot0 -> Boot1 ... isn't espresso. It's arm. They said at 30C3 that they hadn't found an exploitable bug in that Boot0.
It looks like some things are writable. Didn't comex call a function and managed to brick his wiiu with it? Maybe he changed one of the key values?
On xbox 360, Efuses could only be set from 1 to 0 (or the other way around). You needed to add a special programming voltage before you could program them.
Maybe the extra voltage isn't needed anymore and the wiiu has buildin functions to program the keys in the efuses.
(Older flash chips also needed a 12V programming voltage)
If espresso bootrom isn't part of the cpu, it could be the arm loading the bootcode into memory.
If that proces could be exploited you might be able to run something else instead of the ancast decryptor.
Be aware there are a lot of if statements in this...
I thought Comex messed with an ios and bricked? Your post reminded me of a hilarious mistake. Some might know mattlgroff (correct name?) from Android scene. In a chat room I spent time with he and samuraihl who wrote some great noon tools. Matt tried writing an engineering build file to the stock Bionic and bricked. Bricked it so bit could not be repaired. Some claimed a recovery existed but it was proven to not work. "Omap flash."
People bricked hard and we would joke about omap flash utility. The guys hated that joke. I'd say, "Just omap flash.". Already fubar, lol, give it a shot;-)
People bricked hard and we would joke about omap flash utility. The guys hated that joke. I'd say, "Just omap flash.". Already fubar, lol, give it a shot;-)
I'm beginning to doubt that the Wii U will ever have homebrew of any kind. We just lack the skills and there's no existing way to gain them fast enough to matter, and finding someone who has interest and is capable of doing this is almost certainly impossible. GG, Nintendo wins.
First of all, what does GG mean?
Second of all, we can always hardmod the Wii U but I'm assuming that'll lead to piracy right?
Sure, sure we can use a roadmap to define the Current Focus Step, but what's the Current Focus Step number we're on now and are we going to use a roadmap that f0f would use for every Step?
P.S. When I say Step I am referring to the sequenced numbers on Maxternal's starting post.
- Joined
- Nov 15, 2011
- Messages
- 5,210
- Trophies
- 0
- Age
- 40
- Location
- Deep in GBAtemp addiction
- Website
- gbadev.googlecode.com
- XP
- 1,709
- Country
All those numbered steps are done. Now the trick is just getting Linux to make use of the extra cores we're sending it.
Then add that Step to your starting post and number it. Are we going to use f0f's mindset to go about doing it? By the way I have a Wii U now.
Also by the way how is your experimenting on on your regular Wii going? Is it going to help this thread in any way?
- Joined
- Nov 15, 2011
- Messages
- 5,210
- Trophies
- 0
- Age
- 40
- Location
- Deep in GBAtemp addiction
- Website
- gbadev.googlecode.com
- XP
- 1,709
- Country
So it has efuses? "Fuse bank"? The info is awesome. More use to Maxternal and obcd it seems (in this thread). Nintendo games have a soul. Gamepad is great and my son loves it. Wife still needs to. Only Windwaker hd and Mario 3d so far but they are great. Raw power is not always better. The hardware has potential. The information is awesome. Skilled people should have enough to get started.
Where is Hermes when you need him? I'm gonna reach out to some of the best developers I know and ask them of their interest in a project such as this. No guarantees they will even be interested but it's worth a shot. One guy in particular comes to mind, I well send him a message tonight but I know he has much larger and profitable projects he is working on so don't get excited just yet. Anyway, sorry for wasting space in the forum, just wanted to throw it out there. BTW, good luck guys. I commend your efforts on this.
Similar threads
-
- Article
- No one is chatting at the moment.
-
-
-
-
-
-
@
Psionic Roshambo:
I think I have convinced them that multiplexing a polarized Lazer for fiber optic networking is a good idea lol -
-
-
-
-
-
-
-
@
a_username_that_is_cool:
Happy early birthday (we need a word for the day before someones birthday)+1 -
-
-
-
-
-
-
-
-
-
-
