orivej has joined #nixos-aarch64
h0m1 has quit [Quit: WeeChat 2.7]
h0m1 has joined #nixos-aarch64
orivej has quit [Ping timeout: 272 seconds]
rajivr___ has joined #nixos-aarch64
<samueldr> clever: what a weird way to share the url
<samueldr> I knew about all that
<samueldr> I started working on nixos on HAC (the switch's product name)
<samueldr> but never really started
<samueldr> I got all the tooling ready, verified it was possible... then never got the time
<clever> ~5mins into the video, it looks like they haven't cracked the trust chain on bootup
<clever> so, you must force it into recovery mode on every boot, and then side-load some code to force untrusted code to run
<clever> if you don't do that, it will try to boot the original switch OS
<samueldr> uh, not really
<samueldr> it's a bit more involved
<samueldr> it's not even "recovery as we know it"
<clever> they mention a custom usb-c dongle, that can automate it
<samueldr> and *that* only works because of a security issue in that program
<samueldr> the issue also affects tesla cars
<samueldr> in fact, a bunch of Tegra using hardware!
<clever> ah, then the payload is exploiting a bug in the recovery feature of the mask rom?
<clever> not android recovery, but maskrom recovery
<samueldr> pretty much well put
<clever> something similar exists in the rpi4
<clever> if the SPI chip fails validation, it will go into usb device mode
<clever> and you can push a recovery.bin type file over the usb-c port
<samueldr> the actual trust chain is not (publicly?) broken
<samueldr> the actual intended*
<clever> and somebody I've talked to, has found 2 mode override modes in the rpi4
<clever> you can program the OTP, so any gpio pin, can be used to disable either the sdcard or spi flash
<clever> once burnt, you can temporarily disable the SPI booting, by holding a gpio at the right level
<clever> you choose what the "right" level is, and which pin
<clever> then it always goes to usb device mode
<clever> if you align your choices with the default pullup config, it will enable SD and SPI by default
<clever> and that's basically the same as the 3 magic "button" recovery on the switch
<clever> you're just bypassing the stock bootloader
<clever> 55 bit 0-5: boot pin 0 (eMMC/flash boot disable)
<clever> 58 bit 8-13: boot pin 1 (disable onboard devices)
<clever> 59 bit 14: polarity (0: active HIGH, 1: active LOW)
<clever> 57 bit 7: enable
<clever> 56 bit 6: polarity (0: active HIGH, 1: active LOW)
<clever> 60 bit 15: enable
<clever> 61 bit 24-31: flash start address bits 8-23
<clever> samueldr: the lower 8bits allow you to disable recovery.bin on the SD card, the next 8 bits can disable the SPI firmware
<clever> 6 bits to say which pin, 1 bit for the polarity that makes it disable, and 1 bit to make that disabling actually disable things
h0m1 has quit [Ping timeout: 248 seconds]
h0m1 has joined #nixos-aarch64
<clever> they also mention that the mask rom has been patched, around mid 2018, so it won't work on newer models
wavirc22 has joined #nixos-aarch64
orivej has joined #nixos-aarch64
orivej has quit [Ping timeout: 255 seconds]
orivej has joined #nixos-aarch64
t184256 has left #nixos-aarch64 [#nixos-aarch64]
ryantrinkle has quit [Ping timeout: 258 seconds]
orivej has quit [Ping timeout: 272 seconds]
zupo has joined #nixos-aarch64
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
syd has joined #nixos-aarch64
syd has quit [Remote host closed the connection]
zupo has joined #nixos-aarch64
LnL has joined #nixos-aarch64
LnL has joined #nixos-aarch64
LnL has quit [Changing host]
wavirc22 has quit [Ping timeout: 272 seconds]
tilpner has quit [Remote host closed the connection]
tilpner has joined #nixos-aarch64
orivej has joined #nixos-aarch64
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
zupo has joined #nixos-aarch64
v0|d has quit [Remote host closed the connection]
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
zupo has joined #nixos-aarch64
t184256 has joined #nixos-aarch64
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
samrose has quit [Ping timeout: 258 seconds]
zupo has joined #nixos-aarch64
zupo has quit [Ping timeout: 265 seconds]
zupo has joined #nixos-aarch64
v0|d has joined #nixos-aarch64
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
bennofs has quit [Quit: No Ping reply in 180 seconds.]
bennofs has joined #nixos-aarch64
t184256 has left #nixos-aarch64 [#nixos-aarch64]
t184256 has joined #nixos-aarch64
ryantrinkle has joined #nixos-aarch64
ryantrinkle1 has joined #nixos-aarch64
ryantrinkle has quit [Ping timeout: 258 seconds]
ryantrinkle1 has quit [Ping timeout: 255 seconds]
zupo has joined #nixos-aarch64
zupo_ has joined #nixos-aarch64
zupo has quit [Ping timeout: 258 seconds]
ryantrinkle has joined #nixos-aarch64
zupo_ has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
zupo has joined #nixos-aarch64
v0|d has quit [Remote host closed the connection]
zupo has quit [Ping timeout: 240 seconds]
zupo has joined #nixos-aarch64
v0|d has joined #nixos-aarch64
v0|d has quit [Remote host closed the connection]
v0|d has joined #nixos-aarch64
Thra11 has quit [Quit: WeeChat 2.7]
zarel_ has quit [Ping timeout: 255 seconds]
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
zarel has joined #nixos-aarch64