Hacking How did the TX modchip work?

thesjaakspoiler

Just out of personal white hat interest: does anybody know a post or article on how the TX modchip actually works?

I tried to do some research of my own and I came across an article by Yifan Lu about glitching the eMMC of the PSVita:
https://www.rambus.com/blogs/fault-injection-attacks-playstation-vitas-soc/
The Switch looks very similar in that way as it also uses the same security model and also uses an eMMC.
Rumours about the TX modchip showed up a few months after this article.
Did TX just take this article and apply it to the Switch?

Looking at the pictures I see the modchip is placed in between the Tegra and the eMMC.
I presume they solder the ribbon cable to the Tegra to get the 1.8v for the eMMC communication.
Those capacitors are usually only connected to the voltage rails.
So that exciting ribbon to the cpu was maybe the easiest solution to get all required voltages.

Looking at the code of spacecraft-nx, I see some code for the STM32/GD32 to analyze what I think is the clock signal of the eMMC.
They seem to be pushing some glitch configuration data and a boot configuration table to the FPGA (Lattice ICE40LP1K-CM49).
I presume the STM32 is too slow to either do the glitching or too slow to inject the bct data?
On the other hand, the FPGA looks too small to be able to handle all functionality of the microprocessor.

I presume the USB connection is just a failsafe method to update the modchip with improvements.
Since I don't see anything like a jtag connector to the FPGA, I presume that it can be programmed through the GD32?
It sounds unlikely that one would program it and then solder it to the board.
In case of some flaw, all boards would be useless then.
Are there any other uses for the USB port of the modchip?

Has anybody seen any additional information?
 
