Bigmac attack: Difference between revisions

m (Davee moved page Bigmac attack to Private:Bigmac attack without leaving a redirect)

Revision as of 18:18, 25 June 2018

Testing parameters for resetting the f00d processor. On a normal boot, ARM resets the f00d processor in order to load secure_kernel by writing:

*REG32(0xE0010000) = 1;
*REG32(0xE0010000) = 0;

Testing this from lk after secure_kernel has run results in no change in state. The testing material is an f00d payload that constantly updates a counter in DRAM; the f00d state is verified by checking whether this counter is still being updated.
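The methodology above (sample a DRAM counter kept by the f00d payload, pulse the reset register, sample again, compare) written out as an added example. This is not code from the wiki or from any Vita project: the `REG32` macro definition, `classify_counter`, the sampler callback, the `sim_f00d_t` stand-in and the trace buffer are all assumptions made here so the experiment logic can be exercised against ordinary RAM off-device; only the register address 0xE0010000 and the 1-then-0 write sequence come from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Memory-mapped register access as the page writes it; the macro body
 * itself is an assumption (the page uses REG32 without defining it). */
#define REG32(addr) (*(volatile uint32_t *)(uintptr_t)(addr))
/* f00d reset register address, taken from the page. */
#define F00D_RESET_REG 0xE0010000u

typedef enum { F00D_HALTED = 0, F00D_RUNNING = 1 } f00d_state_t;

/* A sampler returns the current value of the DRAM counter that the f00d
 * test payload keeps incrementing. On hardware it would read that DRAM
 * word; below, a simulated f00d stands in for it. */
typedef uint32_t (*ctr_sampler_t)(void *ctx);

/* Decide from n consecutive counter samples whether f00d is alive.
 * Any change anywhere in the window counts as running, because the
 * sampling interval may be shorter than the payload's update period.
 * Fewer than two samples is no evidence and is reported as halted. */
f00d_state_t classify_counter(const uint32_t *samples, size_t n)
{
    if (n < 2)
        return F00D_HALTED;
    for (size_t i = 1; i < n; i++)
        if (samples[i] != samples[i - 1])
            return F00D_RUNNING;
    return F00D_HALTED;
}

static void take_samples(ctr_sampler_t sample, void *ctx, uint32_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = sample(ctx);
}

/* The reset pulse the page describes: write 1, then 0, to the reset
 * register. The register is a pointer parameter so the sequence can be
 * exercised against plain RAM off-device; each value written is also
 * recorded in `trace` (two entries) when it is non-NULL. Returns the
 * number of writes performed. */
size_t f00d_reset_pulse(volatile uint32_t *reset_reg, uint32_t *trace)
{
    static const uint32_t seq[] = { 1, 0 };
    for (size_t i = 0; i < 2; i++) {
        *reset_reg = seq[i];
        if (trace)
            trace[i] = seq[i];
    }
    return 2;
}

typedef struct {
    f00d_state_t before;
    f00d_state_t after;
    bool changed;
} reset_result_t;

/* One experiment as the page runs them: classify f00d before the pulse,
 * pulse the reset register, classify again, report whether the state
 * changed. */
reset_result_t run_reset_experiment(volatile uint32_t *reset_reg,
                                    ctr_sampler_t sample, void *ctx)
{
    enum { WINDOW = 4 };
    uint32_t s[WINDOW];
    reset_result_t r;

    take_samples(sample, ctx, s, WINDOW);
    r.before = classify_counter(s, WINDOW);
    f00d_reset_pulse(reset_reg, NULL);
    take_samples(sample, ctx, s, WINDOW);
    r.after = classify_counter(s, WINDOW);
    r.changed = (r.before != r.after);
    return r;
}

/* Constructed stand-in for the f00d payload: increments its counter on
 * every sample while `alive`, and (like the page's ARM-side results)
 * ignores the reset register entirely. */
typedef struct {
    uint32_t ctr;
    bool alive;
} sim_f00d_t;

uint32_t sim_sample(void *ctx)
{
    sim_f00d_t *f = ctx;
    if (f->alive)
        f->ctr++;
    return f->ctr;
}

int main(void)
{
    /* Off-device run: a RAM word stands in for REG32(F00D_RESET_REG). */
    uint32_t fake_reset_reg = 0;
    sim_f00d_t sim = { 0, true };
    reset_result_t r = run_reset_experiment(&fake_reset_reg, sim_sample, &sim);
    printf("before=%d after=%d changed=%s\n", r.before, r.after,
           r.changed ? "yes" : "no");
    return 0;
}
```

On the device the sampler would read the payload's DRAM word and `reset_reg` would be `&REG32(F00D_RESET_REG)`; the rest of the logic is unchanged. Keeping the register behind a pointer and the counter behind a callback is what lets the same comparison code run both on hardware and in a host-side check of the experiment harness.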

=== Testing reset from f00d ===

The following is executed from f00d context:

*REG32(0xE0010000) = 1;
*REG32(0xE0010000) = 0;

==== Result ====

The f00d processor stops updating the counter (CTR) and bigmac is no longer usable.

=== Testing half a reset post-secure_kernel operation from ARM ===

The following was executed from post-secure_kernel lk ARM context:

*REG32(0xE0010000) = 1;

==== Result ====

No change in state.


=== Testing half a reset pre-secure_kernel operation from ARM ===

The following was executed from the pre-secure_kernel lk ARM context, i.e. before secure_kernel is loaded:

*REG32(0xE0010000) = 1;

==== Result ====

secure-kernel failed to load, stuck at "wait 2".


=== Investigation of f00d reset registers ===

==== xSleep signal response ====

The theory here is that the f00d reset would only work after ARM responds to the xSleep signal from the f00d processor. This idea was inspired by second_loader and secure_kernel both always ending in a sleep loop.

==== Result ====

Reset is still unavailable from ARM after f00d has gone to sleep.
