Exploiting a T124 device #24

@LordRafa

Hello,

I am trying to exploit an Nvidia Shield using this method. I would like to see if I can recover the RCM keys to have a way to unbrick my device in order to perform some experiments that I would like to do with the bootloader.

After some peeking and poking I have managed to progress a little with this. Using your code and ktemkin's code I have managed to write a small script that collects the RCM ID using EP1 and performs some GetStatus calls to collect some info.

It looks like your code uses a GetStatus to collect some info from the device and perform a sanity check. When this sanity check is run on the T124 it fails. The parameters that are checked are the SP and the USB buffer 2 address. I am supposing that since this is a different device these addresses could be different, hence I have modified the sanity check to match the returned values: 0x40008000 and 0x4000dcf4.

After a quick check on the values returned by the sanity GetStatus I found that there was a value of 0x40004000; I suppose that this could be the address for USB buffer 1.

Also, I have succeeded in executing a GetStatus for a big amount of data, hence I'm supposing that this call must be bugged and the exploit is running correctly.

However, I have not succeeded in loading any payload to EP1. As soon as I try to write more than 0x1000 bytes to EP1 it stops allowing me to write more data (I have tried sending different amounts for the length field).

On the other hand, as soon as I write any amount of data to EP1 (even if it is less than 0x1000), EP0 stops answering.

I would say that the code that handles the RCM mode on the T124 is different, and as soon as I send the first package it fails some validation that prevents sending anything else to the interface on both EPs.

Does anyone have any idea about how I can proceed? Is there any dump of the T124 iROM available?
