Daniel CuthbertOvjeren akaunt

Based upon his reverse engineering, this is the boot process. There are two verifications here. Boot ROM stage 0 and ECDSA verification by the stage 2 bootloaderpic.twitter.com/QHjrMkLasJ

This is bloody amazing to me, and sounds trivial but this is not easypic.twitter.com/Xq1suGscsB

The vuln is sexy too. Set the a10 register to 0 via the burned JTAG fuse and bish bash bosh.pic.twitter.com/p89QmwSf0M

Fault injection is utterly amazing as a approach to find flaws but also really hard to fix from speaking to real experts who are far more intelligent that me.pic.twitter.com/SANpPkL1X0

The one thing he struggled with was flash encryption. That's bloody hard and this was his kryptonite. Something something Yoda use the hate so he turned to the OTP/E-fuses and started to reverse these impossible to change fusespic.twitter.com/gpwkDfsX1b

The special boot mode is the target. Thing is, you can't read BLK1 or BLK2 so he wanted to use glitching to be able to dump the contents.pic.twitter.com/g3845SpVsi