Quote Originally Posted by AlphaWolf
The updates themselves are digitally signed, and then when they actually deploy they do so with binaries that have also been signed (otherwise it won't boot.)

Unless we have a way of forging RSA signatures, it's not going to happen.

Well, no one needs to forge the RSA signatures. Although they are checked in the boot ROM on STB init, in theory you can glitch in at a precise timing on the U-Boot after the RSA signature verification and load a custom U-Boot there, although it needs to be precise, with the correct speed, to be undetected.

It's just an ordered step progression:

1. SoC powers up
2. calls internal ROM
3. core reads RSA keys from flash
4. checks its signature
5. decrypts key signature from flash
6. validates signature
7. if OK it simply goes forward, if not: reset, goto #1
8. then the boot loader from flash starts... and does its customized work

Once glitched precisely it will allow you to load your custom U-Boot and play upwards from there; certain CPUs allow you root level, and higher, escalating privileges at the hardware level.

It's just a matter of thinking outside the box. After all, most of these chips were manufactured over a decade ago, so a lot of new invasive ideas and options are available; of course they all require certain expensive tools.
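The weak point the post describes is step 6/7: a single comparison whose result decides whether the ROM continues to the flash boot loader or resets. The following is an added example, not code from the poster or from any set-top-box vendor, showing the mitigation side: how the "validates signature, if OK go forward, else reset" step can be written so that a skipped instruction or a corrupted register still ends in the fail branch. The signature check itself is a stand-in (a constructed 32-byte expected digest compared in constant time, where a real ROM would run an RSA verify); the status constants, the sample digests and the function names are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Status codes with many bits set in both values (constructed, not from any
   real SoC): a zeroed or single-bit-flipped register cannot become VERIFY_OK. */
#define VERIFY_OK   0x5A3CC3A5u
#define VERIFY_FAIL 0xA5C33C5Au
#define DIGEST_LEN  32

/* Constructed "expected digest" standing in for the RSA-verified reference. */
static const uint8_t expected_digest[DIGEST_LEN] = {
    0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF,0x00,
    0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80,0x90,0xA0,0xB0,0xC0,0xD0,0xE0,0xF0,0x01 };

/* Constructed digest of a genuine image (identical to the reference). */
static const uint8_t good_digest[DIGEST_LEN] = {
    0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF,0x00,
    0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80,0x90,0xA0,0xB0,0xC0,0xD0,0xE0,0xF0,0x01 };

/* Constructed digest of a modified image: last byte differs. */
static const uint8_t tampered_digest[DIGEST_LEN] = {
    0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF,0x00,
    0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80,0x90,0xA0,0xB0,0xC0,0xD0,0xE0,0xF0,0x02 };

/* Stand-in for step 6. Constant-time: every byte is examined regardless of
   where the first mismatch is, so timing does not reveal the mismatch offset. */
static uint32_t compare_digest(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0 ? VERIFY_OK : VERIFY_FAIL;
}

/* Glitch-hardened wrapper around the check. Defaults to FAIL, runs the
   comparison twice with swapped operands, requires each result to equal the
   exact OK constant, and finally requires both results to agree. Skipping any
   one instruction or branch leaves the function returning VERIFY_FAIL. */
uint32_t verify_image(const uint8_t *actual, size_t n) {
    volatile uint32_t first  = VERIFY_FAIL;
    volatile uint32_t second = VERIFY_FAIL;

    first = compare_digest(expected_digest, actual, n);
    if (first != VERIFY_OK)
        return VERIFY_FAIL;

    second = compare_digest(actual, expected_digest, n);   /* independent recompute */
    if (second != VERIFY_OK)
        return VERIFY_FAIL;

    if ((first ^ second) != 0)                              /* results must agree */
        return VERIFY_FAIL;

    return VERIFY_OK;
}

/* Step 7 as a fail-closed decision: only the exact OK constant proceeds to the
   flash boot loader; any other value (including garbage) means reset. */
int boot_decision(uint32_t status) {
    return status == VERIFY_OK ? 1 : 0;   /* 1 = continue, 0 = reset, goto #1 */
}

/* Helpers over the constructed sample data. */
uint32_t check_good_image(void)     { return verify_image(good_digest, DIGEST_LEN); }
uint32_t check_tampered_image(void) { return verify_image(tampered_digest, DIGEST_LEN); }

int main(void) {
    printf("genuine image : %s\n", boot_decision(check_good_image())     ? "boot" : "reset");
    printf("tampered image: %s\n", boot_decision(check_tampered_image()) ? "boot" : "reset");
    return 0;
}
```

The design choice worth noting: a plain `if (sig_ok)` compares against zero, so a fault that zeroes the register or skips the branch lands on the "go forward" path; comparing against a dense constant, recomputing, and cross-checking means several independent faults would have to land consistently for the check to pass. This is the software half of glitch resistance; the hardware half (voltage and clock monitors, redundant cores) is outside what the post discusses.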