Hacking Launch Fusee gelee on Shield tv

Man4

Member
OP
Newcomer
Joined
Aug 25, 2018
Messages
7
Trophies
0
Age
49
XP
236
Country
Spain
Hello,

After reading a comment from Kate about the validity of the vulnerability found in Tegra X1 shared by several devices:

"Yeah, fusee.bin drives to panel and not the HDMI output. You'll need a custom payload for that. :) I think someone's working on a proof-of-concept for it."

I was wondering what are the knowledge and steps necessary to start adapting some code to make this work. Can someone tell me what is the way to go?

My knowledge is limited but my illusion is not, so, taking advantage of the fact that the source code is open, I have started by looking at the fusee code, to start with something. Inside t210.h there is a base address for video, but how do we make the information go through the HDMI output and not the internal panel, as happens in the Switch?


Any suggestions / help is welcome.

P.S.: I have a bricked-bootloader 2015 Shield TV (pid 0x7721) that I wish to return from death ... some day ... first: step 0 ;-).
 

Man4

Thank you!

I had already started with that document but I have not yet seen a direct relationship between what I read and the initialization code of the hardware found in Fusee or other payloads, for example the relation of that base address:
#define DISPLAY_A_BASE 0x54200000
I am aware that the community is now very focused on switch but what I read would be many common things.

I will continue investigating ...
 

CTCaer

Developer
Developer
Joined
Mar 22, 2008
Messages
1,154
Trophies
0
XP
3,008
Country
Greece
Careful with the pinmuxing. You can fry parts of shield tv if you use the same as hekate's hwinit (basically switch's hw init).

Most things remain the same. For example DISPLAY_A_BASE remains the same because it's the mmio base addr for display A.

It's better to read TX1 TRM to understand what the registers do.

What changes is mostly where everything is connected on the SoC (pads/pins/gpios/sfios/etc).

EDIT:
Check the Shield TV's Linux kernel sources also. You will find most of the board configs there.
 

Man4

No, I think the SDK will be very "switch specific". I try to understand the code and adapt it to the Shield TV. My first goal is to be able to launch a fusee on Shield and see some feedback on the screen (HDMI output).
I started with fusee because I think it is the simplest payload of all (as far as I know).

Thanks CTCaer! I admire your work. I will follow your advice.
I thought that the switch was working in low demand (relative to the shield) and that using those adjustments I was in a safe working area.
Apart from what I find here and there, does the community of the scene have some reference documents? For example, how the hardware part is initialized ... although I suppose that is the talent part of each one, the construction of its own documentation and notes.
 

CTCaer

If by low demand you are talking about voltages, that's not the case.
It's ok for the SoC and other parts of it.
But you need to know what is connected where.

For example, the PMIC pin that powers something in the Switch may power something else in the Shield. These are vendor implementation specific. The exploit works, but the hw bring-up is different.

It's better to take parts from the Shield's kernel and try to use them in a payload. And research its I/O configuration a lot.

The biggest and most complete reference for switch is switchbrew.org.
 

Man4

So before trying anything more, better to know deeply what's going on inside the hardware part.

I wonder also how similar to Jetson TX1 can be, not only shield, switch also.

OK, I have a lot of things to check, smells good ;-).

Thanks!
 
