Changes

She's everything; He's just Ken
Line 23: Line 23:     
Additionally, because SRAM is not cleared on reboot, and because boot1 verifies over the encrypted payload, the boot1 key can be extracted. By asserting NRST after 176 cycles and walking the delay width down cycle-by-cycle, code execution can be used to gather 16 failed decryptions of boot1: A zerokey-decrypted boot1, and 15 others with one more byte present in its boot1 key than the last. This allows a straightforward bruteforce of the boot1 key.
 
Additionally, because SRAM is not cleared on reboot, and because boot1 verifies over the encrypted payload, the boot1 key can be extracted. By asserting NRST after 176 cycles and walking the delay width down cycle-by-cycle, code execution can be used to gather 16 failed decryptions of boot1: A zerokey-decrypted boot1, and 15 others with one more byte present in its boot1 key than the last. This allows a straightforward bruteforce of the boot1 key.
| Trivial arbitrary code execution as boot1, boot1 AES key extraction
+
| Trivial arbitrary code execution as boot1;
 +
boot1 AES key extraction;
 +
Recovery of SEEPROM-bricked Wii Us
 
| None
 
| None
 
| [[User:shinyquagsire23|shinyquagsire23]]
 
| [[User:shinyquagsire23|shinyquagsire23]]
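Review bot: the new third entry "Recovery of SEEPROM-bricked Wii Us" in the consequences cell has no supporting text in the description cell, which in both revisions still only explains the arbitrary code execution as boot1 and the boot1 AES key extraction; add a sentence (or a link to the relevant page) stating how this exploit enables SEEPROM recovery so the table entry is traceable to the description. The split of the cell onto three semicolon-separated lines is otherwise fine and reads more clearly than the original comma list.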
