Posts by pcy@icosahedron.website
(DIR) Post #A5GzOsdIqHL1gZVtxY by pcy@icosahedron.website
2021-03-16T14:18:31Z
0 likes, 1 repeats
All the Lovebyte 2021 seminars have been put online to be rewatched; you can find all my 256sec seminars about getting started with sizecoding on a number of platforms here:
Linux: https://invidious.snopyta.org/watch?v=cvsH_rXlMKg
SNES: https://invidious.snopyta.org/watch?v=MkuZLnmbs_8
T-8x (Z80): https://invidious.snopyta.org/watch?v=RXo9zRicaSo
Gamecube: https://invidious.snopyta.org/watch?v=OEJB4COMqLc
Gameboy: https://invidious.snopyta.org/watch?v=nVQIn0MUCxQ
Gameboy Advance: https://invidious.snopyta.org/watch?v=djT1YWz7egU
Slide sources are here: https://git.titandemo.org/PoroCYon/lvb21-seminars ; PDFs here: https://pcy.be/tmp/priv/lvb21-pcy.zip
(DIR) Post #A5ukGupCxqAiQYzocC by pcy@icosahedron.website
2021-04-04T20:40:41Z
2 likes, 0 repeats
@cjd I'm in the user camp but,
* do NOT flag myself as nopass, EVER
* run specific, non-user things as their separate user.
also hard to make this mistake when you have multiple admins
(DIR) Post #A7wQRfvWcnsavvH744 by pcy@icosahedron.website
2021-03-11T18:32:06Z
1 likes, 0 repeats
And, to get some misunderstandings out of the way:
Back when those huge Ninty source code leaks happened, press releases often claimed that this contained the DSi boot ROMs as well.
This is not true. It only contains the *second*-stage boot ROM, which can be read out trivially (it's in the eMMC).
(DIR) Post #A7wQRhQ34ntDYsZ0HQ by pcy@icosahedron.website
2021-03-11T19:26:17Z
1 likes, 1 repeats
Oh, and, if you're interested in how the software side of this looks, here's all the code that ran on the DSi for this: the payload, the payload installer, etc.:
https://git.titandemo.org/PoroCYon/dsi-bios-payload
(DIR) Post #A9zjHrrFQbvpKXxrXs by pcy@icosahedron.website
2021-08-04T21:55:31Z
0 likes, 2 repeats
ok I did it
(DIR) Post #ACyRo1Oy4NQMMAqP3Y by pcy@icosahedron.website
2021-11-02T00:32:57Z
0 likes, 1 repeats
does anyone have a broken DSi or 3DS, or a Wii Fit U Meter they'd be willing to donate? or just anything that has a 78k0, 78K0R or RL78 chip
"broken" being the screen hinge broke, a badly corrupted flash, etc, it still kinda needs to boot
context: I'm trying to get the firmware out of the DSi BPTWL chip and maybe also the 3DS MCU, and also the fit meter because why not, as these are very similar chips. except they all differ in small ways in their in-circuit flashing interface and bootrom (which implements the former) so that I need to sample a number of them. also the RL78 debug interface has been semidocumented by fail0verflow and I want to try to expand that to the other chip types. access to this debug interface, even when disabled by the firmware, would make it much easier to recover the flash using voltage glitching (lower complexity exploit)
yes I know the 3DS MCU firmware has been obtained already but that chip is in the middle between the 78k0 and RL78, making it useful
(DIR) Post #AE6Imo4XtB0e8frgUi by pcy@icosahedron.website
2021-12-01T18:17:03Z
0 likes, 0 repeats
@nilsding in a derogatory way, or in a horny way?
(DIR) Post #AEuj12OIzCJGSFefVg by pcy@icosahedron.website
2021-12-30T01:09:52Z
0 likes, 0 repeats
@Truck is this as in "must be part of the curriculum" or is an after-class optional thing included as well? because I learned it through the latter
(DIR) Post #AEuj5Jpm4ijziBXqcK by pcy@icosahedron.website
2021-12-30T01:13:57Z
0 likes, 0 repeats
@Truck ah I see... so should I select "yes (non-US school)" or "no (non-US school)", then?
(DIR) Post #AILhvsYFXuzvIGU35k by pcy@icosahedron.website
2022-04-11T19:21:43Z
0 likes, 0 repeats
@pixel "italy and belgium are also france" is a pretty bold statement
(DIR) Post #AOf9ToxXtbQXTDM1Y0 by pcy@icosahedron.website
2022-10-17T15:00:22Z
1 likes, 0 repeats
So, the DSi ARM9 boot ROM, huh?
(DIR) Post #AOzrE5gOwSPLV57d1k by pcy@icosahedron.website
2022-10-27T15:00:07Z
1 likes, 0 repeats
EMFI probes: *causes emc issues*
me: :surprised_pikachu:
(DIR) Post #APOlS3ZF7vMbDO0yf2 by pcy@icosahedron.website
2022-11-08T14:07:37Z
0 likes, 0 repeats
@bonf coward, it's clearly [γiθɦyb̪]
(DIR) Post #APj2ycLB54yQEQDQJ6 by pcy@icosahedron.website
2022-11-18T10:40:28Z
2 likes, 2 repeats
DSi ARM9 bootrom dumped!
SHA512 = 8449d45215f28a6cebd9557ec0ed5180ba4d8474454c3ef300644e2a4bb4654d766a9075cc13b5d74fbaa75b3de8cf5604ed35a6aad6c39d40fe097483322b1c
(DIR) Post #APlYCeUHNj0hq5Z4pU by pcy@icosahedron.website
2022-03-04T17:42:14Z
0 likes, 0 repeats
I've dumped the firmware of the Wii Fit U Meter, using fail0verflow's RL78 on-chip debug exploit.
The SHA256 sum of the dump (65536 bytes) is 8d8f0301acec2d6fdd254f5bb23d8830e70710709cb8217e6f075388c0e897b6
I haven't yet analyzed this firmware, so I don't know if it has any vulnerabilities in there to dump it using a software-only exploit, so I'm not going to publish the dump yet (no need to if it turns out to be easily dumpable). Either way, this only needed a cheap microcontroller and a single MOSFET, so it shouldn't be too hard to replicate.
My next step will be to (try to) backport this exploit to the 78K0R and 78K0 lines of chips, used resp. in the 3DS and DSi, for resp. the UC CTR and BPTWL power management controllers. (For this, I need to wait for parts as I need a level shifter: these chips use 1.8V IO, while the Pico speaks 3.3V.)
(Note: read the alt text of the images for an explanation of what's going on.)
(DIR) Post #APlYCf6Z5NdRkpTeVM by pcy@icosahedron.website
2022-03-04T17:51:37Z
0 likes, 0 repeats
Quick notes on the setup: the WFUM is basically a Pokéwalker, but with an R5F101EE (RL78/G13) microcontroller instead of the H8/300H. You can find the basic explanation of the exploit here: https://fail0verflow.com/blog/2018/ps4-syscon/ . Nintendo used a debugger password of all-zeros (as done in all Renesas example code... change your default passwords!), so the second part of the exploit wasn't needed. I've used a Raspberry Pico as controller/glitcher, and a Nexperia PSMN017-30PL MOSFET as crowbar to glitch the REGC pin on the microcontroller. Most of the work was actually implementing the RL78 flashing/debugging protocol properly using PIO, and waiting for parts. I first developed this exploit against an R5F1054 (RL78/G11), so it is probably very widely applicable.
(DIR) Post #APlYCfg0xZzXWm3xlA by pcy@icosahedron.website
2022-03-04T21:48:33Z
0 likes, 0 repeats
oh, and in case someone wants to add it to the No-Intro database:
the CRC32 is a732b424, the MD5 is ad767d1e92eb368cc17c01361284cb36, and the SHA1 is 1770f2d7ed602d73cee87620ccb1527b6cd31eab
(DIR) Post #APlYCgDgwMvjDDorFg by pcy@icosahedron.website
2022-11-19T15:30:58Z
1 likes, 0 repeats
Also, for reference, this is what a Wii Fit U meter looks like, compared to a Pokéwalker:
(DIR) Post #AQfvnghPGS108Qv36e by pcy@icosahedron.website
2022-12-16T20:05:50Z
1 likes, 0 repeats
preparing some presentation slides
(DIR) Post #AS1M0QTU9SCNqKUIHA by pcy@icosahedron.website
2023-01-26T02:22:51Z
0 likes, 1 repeats
@mmu_man ah yes, Pulse Code Modulation Central Intelligence Agency,