Post APlYCf6Z5NdRkpTeVM by pcy@icosahedron.website
(DIR) Post #APlYCeUHNj0hq5Z4pU by pcy@icosahedron.website
2022-03-04T17:42:14Z
0 likes, 0 repeats
I've dumped the firmware of the Wii Fit U Meter, using fail0verflow's RL78 on chip debug exploit.
The SHA256 sum of the dump (65536 bytes) is 8d8f0301acec2d6fdd254f5bb23d8830e70710709cb8217e6f075388c0e897b6
I haven't yet analyzed this firmware, so I don't know if it has any vulnerabilities in there to dump it using a software-only exploit, so I'm not going to publish the dump yet (no need to if it turns out to be easily dumpable). Either way, this only needed a cheap microcontroller and a single MOSFET, so it shouldn't be too hard to replicate.
My next step will be to (try to) backport this exploit to the 78K0R and 78K0 lines of chips, used resp. in the 3DS and DSi, for resp. the UC CTR and BPTWL power management controllers. (For this, I need to wait for parts as I need a level shifter, these chips use 1.8V IO, while the Pico speaks 3.3V.)
(Note: read the alt text of the images for an explanation of what's going on.)
(DIR) Post #APlYCf6Z5NdRkpTeVM by pcy@icosahedron.website
2022-03-04T17:51:37Z
0 likes, 0 repeats
Quick notes on the setup: the WFUM is basically a Pokéwalker, but with an R5F101EE (RL78/G13) microcontroller instead of the H8/300H. You can find the basic explanation of the exploit here: https://fail0verflow.com/blog/2018/ps4-syscon/ . Nintendo used a debugger password of all-zeros (as done in all Renesas example code... change your default passwords!), so the second part of the exploit wasn't needed. I've used a Raspberry Pico as controller/glitcher, and a Nexperia PSMN017-30PL MOSFET as crowbar to glitch the REGC pin on the microcontroller. Most of the work was actually implementing the RL78 flashing/debugging protocol properly using PIO, and waiting for parts. I first developed this exploit against an R5F1054 (RL78/G11), so it is probably very widely applicable.
(DIR) Post #APlYCfg0xZzXWm3xlA by pcy@icosahedron.website
2022-03-04T21:48:33Z
0 likes, 0 repeats
oh, and in case someone wants to add it to the No-Intro database:
the CRC32 is a732b424, the MD5 is ad767d1e92eb368cc17c01361284cb36, and the SHA1 is 1770f2d7ed602d73cee87620ccb1527b6cd31eab
(DIR) Post #APlYCgDgwMvjDDorFg by pcy@icosahedron.website
2022-11-19T15:30:58Z
1 likes, 0 repeats
Also, for reference, this is what a Wii Fit U meter looks like, compared to a Pokéwalker: