346
edits
Changes
Jump to navigation
Jump to search
Line 150:
Line 150: − + Line 158:
Line 158: + + + + + +
→Espresso Boot ROM: espresso mode hack
|-
|-
| Binary is not reverified before launching
| Binary is not reverified before launching
| The [[Espresso Boot ROM]] does not check for modifications to the binary in main memory before launching it. By changing the first instruction from the [[Hardware/Starbuck|Starbuck]], the [[Espresso]] can be sent anywhere.
| The [[Espresso boot ROM]] does not check for modifications to the binary in main memory before launching it. By changing the first instruction from the [[Hardware/Starbuck|Starbuck]], the [[Espresso]] can be sent anywhere.
| Arbitrary Espresso code booting
| Arbitrary Espresso code booting
| Unknown
| Unknown
| The Espresso Boot ROM keeps an infinite loop at the reset vector to prevent unexpected code from executing. Most of the time, this is in the L2 cache, which prevents the Starbuck from overwriting it. Toward the end, it is no longer in the cache, so a custom jump can be done, before ROM access is disabled.
| The Espresso Boot ROM keeps an infinite loop at the reset vector to prevent unexpected code from executing. Most of the time, this is in the L2 cache, which prevents the Starbuck from overwriting it. Toward the end, it is no longer in the cache, so a custom jump can be done, before ROM access is disabled.
| Espresso Boot ROM can be dumped
| Espresso Boot ROM can be dumped
| Unknown
| marcan
|-
| [[WiiMode]] flag is not set here
| In WiiMode, the [[ancast image|ancast images]] themselves are responsible for lowering the clock speed. If one of the above hacks is used to take control, it becomes possible to execute code in full [[Espresso]] mode.
| WiiUMode privileges within the Espresso
| Unknown
| Unknown
| marcan
| marcan