Administered by:
@Jhynjhiruu @marcan @sven @foone virage2 being rw on ique player lol
did anyone actually exploit that successfully?
@Jhynjhiruu @Rairii @marcan @foone wait, they had a writable storage and pretended it was OTP and stored their first stage bootloader hash, etc there? lol
@sven @Rairii @marcan@treehouse.systems @foone Essentially, yeah, though it's actually the kernel hash since there are fewer boot stages. Seems they fully intended to make it read-only, and just *forgot* to add the code to do that.
The more useful thing to overwrite is the bootrom patches, rather than the kernel hash, since with those it's trivial to just disable the hash check entirely.
@Jhynjhiruu @sven @marcan @foone yeah i was about to mention there's also a space there for code jumped to by the bootrom in about the tenth instruction after reset (after verifying the checksum)
@Rairii @sven @marcan@treehouse.systems @foone There are two sets of rompatch code that get run, one before the kernel hashing code is bootstrapped and one after. The code that runs after is more useful, since you can add a single instruction into the delay slot of the jr $t0 that the kernel checks and nop out the panic() call when the hash fails, so it falls through and boots normally.