-
If you can achieve a stable length starting counter at CE deassert it's (probably) done, otherwise...
IMHO it isn't the best way.
I haven't done many (and accurate) tests on it, so the best advice I can give you is to try.
Last edited by DrSchottky; 07-11-2015 at 14:36
-
Junior Member
Thx. I also did several tests that time, but reading & RSA time did vary a lot, so I decided to search for the post bus, or some other signal closer to check.
Unfortunately the post bus is disabled somehow (I still think it can be enabled), and there is no other activity except NAND reading...
Anyway, I don't have much time for this now (job stuff), so it will be great if somebody joins the research...
-
Me=job+study+lack of hardware.
And honestly I prefer to spend free time reversing code instead of working with CPLDs...
Maybe I'll go back to Winchesters tomorrow, maybe next year, maybe never. Who knows.
ATM I have no plans nor interest.
Last edited by DrSchottky; 07-11-2015 at 15:04
-
Junior Member
okay
you can reverse SMC and find where it sends the NAND data exchange confirmation
-
It isn't the way I would choose.
-
Senior Member
Dear @15432, DrSchottky doesn't seem very interested in these cursed Winchesters, but I have an idea and maybe it can help you.
I'm not much of an expert on the chain of trust, but, from what I know, Winchester mobos are very similar to Corona v6 with Winbond RAM, because in both the hardware init code is in CB_B instead of CB_A. So...
... I can take a Corona v6 with Winbond RAM (therefore obviously glitchable), I put a glitchip on it; then I take a Winchester (therefore not glitchable), I put another glitchip on it, and I connect the POST_OUT1 (on the postfix adapter) of the Corona v6 with the POST_OUT point of the glitchip on the Winchester.
Then I find a way to power up both (Corona v6 and Winchester) at the same moment. When the Corona v6 reaches the POST CODE D8, the glitchip (on the Winchester mobo) will send a slowdown pulse on the Winchester, and when the Corona v6 reaches the POST CODE DA, the glitchip will send a reset pulse to the Winchester CPU.
So, theoretically, when the Corona v6 manages to reach the glitch, the Winchester should glitch too. Am I wrong?
If this is possible, now the main problem should be: how to dump the cpukey after the glitch? But all this is only a hypothesis.
Last edited by ninocervasio; 07-11-2015 at 15:45
-
Originally posted by ninocervasio
Dear @15432, DrSchottky doesn't seem very interested in these cursed Winchesters, but I have an idea and maybe it can help you.
I'm not much of an expert on the chain of trust, but, from what I know, Winchester mobos are very similar to Corona v6 with Winbond RAM, because in both the hardware init code is in CB_B instead of CB_A. So...
... I can take a Corona v6 with Winbond RAM (therefore obviously glitchable), I put a glitchip on it; then I take a Winchester (therefore not glitchable), I put another glitchip on it, and I connect the POST_OUT1 (on the postfix adapter) of the Corona v6 with the POST_OUT point of the glitchip on the Winchester.
Then I find a way to power up both (Corona v6 and Winchester) at the same moment. When the Corona v6 reaches the POST CODE D8, the glitchip (on the Winchester mobo) will send a slowdown pulse on the Winchester, and when the Corona v6 reaches the POST CODE DA, the glitchip will send a reset pulse to the Winchester CPU.
So, theoretically, when the Corona v6 manages to reach the glitch, the Winchester should glitch too. Am I wrong?
If this is possible, now the main problem should be: how to dump the cpukey after the glitch? But all this is only a hypothesis.
Nino, please....
-
Senior Member
Ok, I tried XD
I've had this idea in my head for several days, I thought it was practicable, but if you say it's bullshit, forget it.
-
Junior Member
-_- I've heard the same thing many times.
Why do people think that if they power on two different Xboxes at the same time, everything will be executed there simultaneously with nanosecond precision?
Even the same Xbox boots differently every time. It's just silly to use another console's post bus, it shows the state of the donor Xbox, not ours!
-
-
Junior Member
hello, apparently no solution for winchester