de_Fuse, the One True Pwn

Original Post:
de_Fuse, the One True Pwn
We discussed this vulnerability during Episode 204 on 11 April 2023

This article is about glitching the Wii U's read of its One-Time Programmable (OTP) fuses into the registers the boot ROM uses to verify the boot process. Under normal circumstances the boot ROM verifies the boot1 firmware stored in NAND against a hash stored in those fuses. If the hash field reads as all zeroes, however, it disables the verification and simply boots whatever is there. That gives a strong incentive to glitch the boot process so the fuses are read as zero, both for homebrew and for brick recovery in case the NAND degrades and the system can no longer boot because the hash check fails.
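The fail-open behaviour described above is the whole point of the attack, so here is a small C model of it, added for this summary and not code from the original post or from the console. It assumes a 32-byte hash slot and uses an FNV-based stand-in digest (the page does not give the real layout or hash algorithm), and it models a brownout as a fuse read that returns all zeroes. `bootrom_permissive` is the check as the post describes it; `bootrom_hardened` is a variant that fails closed on a zero slot and rejects disagreeing reads.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Width of the boot1 hash slot in OTP. The page gives neither the real
 * Wii U layout nor the hash algorithm; 32 bytes and the FNV-based
 * stand-in digest below are assumptions for this model only. */
#define HASH_LEN 32

typedef struct { uint8_t boot1_hash[HASH_LEN]; } otp_bank_t;

/* Stand-in digest: 64-bit FNV-1a re-mixed into HASH_LEN output bytes. */
static void digest(const uint8_t *data, size_t len, uint8_t out[HASH_LEN])
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    for (size_t i = 0; i < HASH_LEN; i++) {
        h ^= (uint64_t)i;
        h *= 0x100000001b3ULL;
        out[i] = (uint8_t)(h >> 56);
    }
}

/* Simulated fuse read. While *faults > 0 each call models a brownout
 * during the OTP read: the register fills with zeroes instead of the
 * programmed hash, and one pending fault is consumed. */
static void otp_read(const otp_bank_t *fuses, int *faults, otp_bank_t *out)
{
    if (*faults > 0) {
        (*faults)--;
        memset(out, 0, sizeof *out);
    } else {
        *out = *fuses;
    }
}

static bool all_zero(const uint8_t *p, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Constant-time equality so the compare itself is not a timing oracle. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= a[i] ^ b[i];
    return d == 0;
}

/* Model of the fail-open check the post describes: an all-zero hash
 * slot (unfused unit, or a glitched read) disables verification. */
bool bootrom_permissive(const otp_bank_t *fuses, int faults,
                        const uint8_t *img, size_t len)
{
    otp_bank_t otp;
    otp_read(fuses, &faults, &otp);
    if (all_zero(otp.boot1_hash, HASH_LEN))
        return true;            /* "no hash programmed": boot anything */
    uint8_t h[HASH_LEN];
    digest(img, len, h);
    return ct_equal(h, otp.boot1_hash, HASH_LEN);
}

/* Hardened variant (added here, not the console's code): read the fuses
 * twice and reject on disagreement, and treat an all-zero slot as a
 * reason to refuse boot rather than a licence to skip the check. */
bool bootrom_hardened(const otp_bank_t *fuses, int faults,
                      const uint8_t *img, size_t len)
{
    otp_bank_t a, b;
    otp_read(fuses, &faults, &a);
    otp_read(fuses, &faults, &b);
    if (!ct_equal(a.boot1_hash, b.boot1_hash, HASH_LEN))
        return false;           /* reads disagree: assume fault injection */
    if (all_zero(a.boot1_hash, HASH_LEN))
        return false;           /* fail closed on an unprogrammed slot */
    uint8_t h[HASH_LEN];
    digest(img, len, h);
    return ct_equal(h, a.boot1_hash, HASH_LEN);
}

/* Constructed sample images: a "retail" boot1 and a homebrew one. */
const uint8_t kBoot1[]    = "constructed retail boot1 image";
const uint8_t kHomebrew[] = "constructed homebrew boot1 image";

/* Fuse bank provisioned with the hash of kBoot1, as the factory would. */
const otp_bank_t *provisioned_fuses(void)
{
    static otp_bank_t bank;
    static bool done;
    if (!done) {
        digest(kBoot1, sizeof kBoot1, bank.boot1_hash);
        done = true;
    }
    return &bank;
}

int main(void)
{
    const otp_bank_t *f = provisioned_fuses();
    printf("permissive, homebrew, no glitch:       %d\n", bootrom_permissive(f, 0, kHomebrew, sizeof kHomebrew));
    printf("permissive, homebrew, 1 glitched read: %d\n", bootrom_permissive(f, 1, kHomebrew, sizeof kHomebrew));
    printf("hardened,   homebrew, 1 glitched read: %d\n", bootrom_hardened(f, 1, kHomebrew, sizeof kHomebrew));
    printf("hardened,   homebrew, 2 glitched reads: %d\n", bootrom_hardened(f, 2, kHomebrew, sizeof kHomebrew));
    printf("hardened,   retail,   no glitch:       %d\n", bootrom_hardened(f, 0, kBoot1, sizeof kBoot1));
    return 0;
}
```

The single glitched read is enough to make the permissive check accept the homebrew image, which is the de_Fuse outcome. The hardened variant is only a model: a sustained brownout that zeroes both reads is caught by the fail-closed rule, but an attacker who can glitch the two reads identically and the comparison as well is not ruled out, so on real silicon redundancy of this kind is a cost-raiser, not a proof.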

Glitching was done with a combined power and reset glitch. By holding reset and inserting a very short reset pulse at a delayed offset, they could trigger a partial reset. This initially did not yield much: the hash check could be bypassed, but the boot would then fail to continue executing. By also under-volting the chip and tuning the glitch parameters, they were able to brown out the OTP fuse read and have it return zeroes.

This allows a homebrew boot1 to run, which the author is looking to take advantage of to kickstart an open-source modchip project.