Bcm7358 full bsp mode

Hey Guys,

Please help. I have gotten access on the BCM7358 chipset using a power glitch, but I have a problem: I can't get full BSP access mode. I have tried different glitching areas x1000; I also get access, but it's the same problem, no full BSP mode.

These BSP commands work:
00000017
00000018
00000019
0000001A
0000001B
0000001E
0000001F
00000026
00000027
0000002A
00000050
00000051

Example command: BCMD_cmdType_eOFFLINE_OTP_READ = 0x19

CFE> e b0328980 15a10000
*** command status = 0
CFE>
CFE> e b0328984 00000001
*** command status = 0
CFE>
CFE> e b0328988 ABCDEF00
*** command status = 0
CFE>
CFE> e b032898c E655AA19
*** command status = 0
CFE>
CFE> e b0328990 789A0004
*** command status = 0
CFE>
CFE> e b0328994 0000000f
*** command status = 0
CFE>
CFE> e b032b028 00000001
*** command status = 0
CFE>
CFE> d b032b020 00000004
b032b020 00000001 …

*** command status = 0
CFE>
CFE> e b032b010 00000001
*** command status = 0
CFE>
CFE> d b0328c80 00000040
b0328c80 15A0145F 00000001 00000000 00000019 _…
b0328c90 00000014 00000000 026D9439 4B712FCC …9.m…/qK
b0328ca0 00000000 00000000 00000000 00000000 …
b0328cb0 00000000 00000000 00000000 00000000 …
*** command status = 0
CFE>

b0328c90 00000014 00000000 026D9439 4B712FCC << !!! IS OK


Other commands return 00000002.

Example: BCMD_cmdType_eSESSION_INIT_KEYSLOT = 0x1

CFE> e b0328980 15a10000
*** command status = 0
CFE>
CFE> e b0328984 00000001
*** command status = 0
CFE>
CFE> e b0328988 ABCDEF00
*** command status = 0
CFE>
CFE> e b032898c fe55AA01
*** command status = 0
CFE>
CFE> e b0328990 789A0014
*** command status = 0
CFE>
CFE> e b0328994 0000000a
*** command status = 0
CFE>
CFE> e b0328998 00000007
*** command status = 0
CFE>
CFE> e b032899c 0000000b
*** command status = 0
CFE>
CFE> e b03289a0 00000005
*** command status = 0
CFE>
CFE> e b03289a4 00000006
*** command status = 0
CFE>

CFE> e b032b028 00000001
*** command status = 0
CFE>
CFE> d b032b020 00000004
b032b020 00000000 …
*** command status = 0
CFE>
CFE> e b032b010 00000001
*** command status = 0
CFE>
CFE> d b0328c80 00000040
b0328c80 15A10000 00000001 00000000 00000001 …
b0328c90 00000004 00000002 00000000 00000000 …
b0328ca0 00000000 00000000 00000000 00000000 …
b0328cb0 00000000 00000000 00000000 00000000 …
*** command status = 0
CFE>

b0328c90 00000004 00000002 <<< !!! :frowning:

Hi,

So to confirm, you’re able to get partial access via voltage glitching, but not full access? That’s not entirely unexpected. If this chip has similar chip protection to others (aka just a value in flash, 32 bits for example, that’s read on startup), it might be set so that the default value gives partial protection like you’re seeing here. This is how the STM32F code read protection, for example, works.

Alex

Hello, greetings friend. I am currently working on the BCM7362. You have to root the firmware; in /etc/rc.local you have to put a delay of 15 seconds.

During boot the serial console will show a message, and pressing Ctrl+C will give access.

Ctrl+C is the rule; it worked the same way for me.

The problem is not getting root access, but getting the master keys with the glitch.
Anyway, if the filesystem is squashfs, explain to me how you put a 15-second delay in rc.local! lol