BCM7358 full BSP mode

Hey Guys,

Please help. I have gained access on the BCM7358 chipset using a power glitch, but I have a problem: I can't get full BSP access mode. I have tried different glitching areas (x1000) and also get access, but with the same problem: no full BSP mode.

These BSP commands work:
00000017
00000018
00000019
0000001A
0000001B
0000001E
0000001F
00000026
00000027
0000002A
00000050
00000051

Example command: BCMD_cmdType_eOFFLINE_OTP_READ = 0x19

CFE>
e b0328980 15a10000
*** command status = 0
CFE>
CFE> e b0328984 00000001
*** command status = 0
CFE>
CFE> e b0328988 ABCDEF00
*** command status = 0
CFE>
CFE> e b032898c E655AA19
*** command status = 0
CFE>
CFE> e b0328990 789A0004
*** command status = 0
CFE>
CFE> e b0328994 0000000f
*** command status = 0
CFE>
CFE> e b032b028 00000001
*** command status = 0
CFE>
CFE> d b032b020 00000004
b032b020 00000001 …

*** command status = 0
CFE>
CFE> e b032b010 00000001
*** command status = 0
CFE>
CFE>
d b0328c80 00000040
b0328c80 15A0145F 00000001 00000000 00000019 _…
b0328c90 00000014 00000000 026D9439 4B712FCC …9.m…/qK
b0328ca0 00000000 00000000 00000000 00000000 …
b0328cb0 00000000 00000000 00000000 00000000 …
*** command status = 0
CFE>

b0328c90 00000014 00000000 026D9439 4B712FCC << !!! IS OK


Other commands return 00000002.

Example: BCMD_cmdType_eSESSION_INIT_KEYSLOT = 0x1

CFE> e b0328980 15a10000
*** command status = 0
CFE>
CFE> e b0328984 00000001
*** command status = 0
CFE>
CFE> e b0328988 ABCDEF00
*** command status = 0
CFE>
CFE> e b032898c fe55AA01
*** command status = 0
CFE>
CFE> e b0328990 789A0014
*** command status = 0
CFE>
CFE> e b0328994 0000000a
*** command status = 0
CFE>
CFE> e b0328998 00000007
*** command status = 0
CFE>
CFE> e b032899c 0000000b
*** command status = 0
CFE>
CFE> e b03289a0 00000005
*** command status = 0
CFE>
CFE> e b03289a4 00000006
*** command status = 0
CFE>

CFE> e b032b028 00000001
*** command status = 0
CFE>
CFE> d b032b020 00000004
b032b020 00000000 …
*** command status = 0
CFE>
CFE> e b032b010 00000001
*** command status = 0
CFE>
CFE>
d b0328c80 00000040
b0328c80 15A10000 00000001 00000000 00000001 …
b0328c90 00000004 00000002 00000000 00000000 …
b0328ca0 00000000 00000000 00000000 00000000 …
b0328cb0 00000000 00000000 00000000 00000000 …
*** command status = 0
CFE>

b0328c90 00000004 00000002 <<< !!! :frowning:

2 Likes

Hi,

So to confirm, you’re able to get partial access via voltage glitching, but not full access? That’s not entirely unexpected. If this chip has similar chip protection to others (aka just a value in flash, 32 bits for example, that’s read on startup), it might be set so that the default value gives partial protection like you’re seeing here. This is how the STM32F code read protection, for example, works.

Alex

2 Likes

Hello, greetings friend. I'm currently working on the BCM7362. You have to root the firmware: in /etc/rc.local you have to put a delay of 15 seconds.

During boot the serial console will show a message, and pressing Ctrl+C will give access.

1 Like

Ctrl+C is the rule; the same way worked for me.

1 Like

The problem is not getting root access, but getting master keys with the glitch.
Anyway, if the filesystem is squashfs, explain to me how you put 15 seconds in rc.local! lol

That information is private, since we are talking about a third-party target.

Until now I can't get full BSP, and I see guys here say they can edit rc.local. I don't know how that can be done or how to enable shell access!!!

How can I get access and edit the firmware /etc/rc.local when the FW is signed?

U-Boot is not CFE!
This STB uses CFE…

AES ok, but the key is signed, how to hack? The loader is signed.

OTA firmware analyze mod slyuk tool. H-field probe + 29 dBi amp get AES CBC; you need ext. psw.

What board did you use for it?

You don't need shell access, since you can run CFE commands. Access is needed via SSH, Telnet, etc. when the bootloader is encrypted by HW + signed.

Unsquash the rootfs, find the startup script and add: sleep 15s

Are you kidding?! And the rest (CRC32, signature, etc.)?
Unpacking is easy; the hard part is rebuilding. :innocent:

1 Like

Why does no one try to answer the main problem? Everyone gives another way that will not help. I already have CFE access but can't manage it; not all BSP commands are working.

Then maybe you need to run it with the BSECK code.

I loaded BSECK and still have the same problem :frowning_face:

Has anyone met this problem? I have tried different ways. I hope someone who knows BSP can guide me to fix this problem, and if anyone has an idea I can also try it.

Send me a PM…