I wrote a blog post about the security of the STM32H730 microcontroller used in the Nintendo Alarmo. There's a vulnerability that allows dumping the protected secure bootloader of the STM32H730.
You can read more about it here: garyodernichts.blogspot.com/2025/11/priv...
now with sound!!!!!
I had to change the audio amplifier's config to make it run at 32KHz (instead of the standard 48KHz). heh
here's a framebuffer graphics demo (this has no practical purpose and I can't prove I'm not just like, playing a youtube video or something)
I spoke too soon heh...
Nintendo released a new Alarmo update a few hours ago. The new update contains a new 2ndloader where the signature is properly checked in USB mode. If you want to modify your Alarmo without soldering, stay on v2.0.0!
Thanks for the support!
Nintendo is still shipping Alarmos without signature checks in the 2ndloader. I assumed they might do something for the wide retail release, but it looks like they don't really care (for now).
If you set the bLength field of an interface or endpoint descriptor to zero, the parser will get stuck in an endless loop.
This causes the entire console to freeze when encountering a malformed configuration. Also not a big issue, but this was one of the things which led me to discovering UDPIH :P
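The zero-bLength hang described in the post above comes from a descriptor walk that advances by bLength without validating it. The following is an added example, not code from the original posts or from UHS: a bounds-checked walk over a configuration descriptor blob. The function name `count_descriptors` and both sample blobs are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define USB_DT_INTERFACE 0x04
#define USB_DT_ENDPOINT  0x05

/* Walk the descriptors in a configuration blob. Returns the number of
 * interface and endpoint descriptors, or -1 if the blob is malformed.
 * Hypothetical helper, not UHS code. */
int count_descriptors(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        /* Every descriptor starts with bLength and bDescriptorType. */
        if (len - off < 2)
            return -1;
        uint8_t bLength = buf[off], bType = buf[off + 1];
        /* bLength == 0 would leave off unchanged forever, and anything
         * below 2 cannot cover the header: reject instead of looping. */
        if (bLength < 2)
            return -1;
        /* A descriptor must not run past the end of the buffer. */
        if (bLength > len - off)
            return -1;
        if (bType == USB_DT_INTERFACE || bType == USB_DT_ENDPOINT)
            count++;
        off += bLength;
    }
    return count;
}

/* Constructed sample: configuration (9), interface (9), endpoint (7). */
static const uint8_t cfg_ok[] = {
    9, 0x02, 25, 0, 1, 1, 0, 0x80, 50,
    9, 0x04, 0, 0, 1, 0xFF, 0, 0, 0,
    7, 0x05, 0x81, 0x02, 64, 0, 0,
};
/* Same blob with the endpoint descriptor's bLength set to zero. */
static const uint8_t cfg_zero[] = {
    9, 0x02, 25, 0, 1, 1, 0, 0x80, 50,
    9, 0x04, 0, 0, 1, 0xFF, 0, 0, 0,
    0, 0x05, 0x81, 0x02, 64, 0, 0,
};

int main(void)
{
    printf("well-formed: %d\n", count_descriptors(cfg_ok, sizeof cfg_ok));
    printf("zero bLength: %d\n", count_descriptors(cfg_zero, sizeof cfg_zero));
    return 0;
}
```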
When reading multiple configurations, UHS doesn't change the size of the next configuration to be read.
So the initial read of the next configuration ends up being the full size of the previous configuration.
In practice this also isn't an issue; the device will simply respond with a short packet.
wIndex contains the Language ID for string descriptors.
This causes UHS to retrieve the first configuration multiple times if the device has multiple configurations.
In practice this is not a big issue though; most devices only have a single configuration and UHS will only use the first one anyway.
Screenshot of the USB 2.0 specification. Shows the "Get Descriptor" section which mentions that wValue contains the "Descriptor Type" and "Descriptor Index". wIndex should be zero or contain the Language ID for string descriptors.
A USB device can have multiple configurations, which are retrieved using the GET_DESCRIPTOR request.
The index of the descriptor to be retrieved is stored in the lower byte of the wValue field.
UHS keeps this field as 0 and uses the wIndex field instead to retrieve multiple configurations.
Wii U fun facts:
While reverse engineering the Wii U's USB Host Stack (UHS) I noticed several fun quirks in their descriptor code.
One of them was even exploitable (UDPIH), but there are some others that I have never mentioned before. This thread contains some of the minor ones I still remember.
Hey, sorry I just saw this. I've replied to the issue and updated the script.
Hi, feel free to send a DM. My DMs should be open now.
The source code and instructions can be found here: github.com/GaryOderNich...
Big shoutout to STM32Doom and Chocolate Doom for making this possible!
There's currently no audio support. To avoid the USB loader memory size restrictions, the .wad needs to be compressed and then uncompressed to external memory on boot.
However, it's possible to load the shareware version of Doom entirely from USB, without modifying the Alarmo.
After my last post, it was pretty clear what everyone wanted to see on the Alarmo. So, here it is - Doom running on the Nintendo Alarmo!
It's possible to run custom code on the Nintendo Alarmo via USB - without opening it up!
More details in the blog post here: garyodernichts.blogspot.com/2024/10/look...
#nintendo #hacking
All content files on the Alarmo eMMC are stored as 'CIPH'-files. These files are AES-128-CTR encrypted and have a RSA-2048 signature (PKCS#1 v1.5 with SHA256) at the end.
Diagram which shows the Nintendo Alarmo boot process
Here's a simplified overview of what I figured out about the Nintendo Alarmo boot process so far.
I kind of forgot about Bluesky and now I have over 50 followers out of nowhere. I guess I should start posting some more things over here!
Ever wanted to exploit DNS response parsing on the Wii U? I have just released DNSpresso!
You can find the technical write-up here: garyodernichts.blogspot.com/2023/10/expl...
wii u