Making some pretty good progress ripping apart the #BSB #BSBACM firmware. No idea what the nonlinear function looks like (yet) but I've a pretty good idea what's missing from @fsphil's programme now/next data stream.
Slow but steady progress on the #BSBACM this evening. Stumbled on two commands in the secure processor firmware which had the same handler code - $0A and $0B.
Turns out they're encryption and decryption functions for IPPV. A 56-bit key and 64-bit data block go in, a 64-bit data block falls out […]
Which pad is which? #BSBACM edition.
First we trace out the power pads...
There are 52 bond pads and 48 pins, so 4 of those pads need to double up...
Answer: it's either a ring oscillator or a pulse-shaping network. Probably a ring oscillator.
This is in the #BSBACM ASIC, between the secure processor and the cryptoprocessor and UART. Seems like glitching the cryptoprocessor is a non-starter then.
Sent off a couple of sets of BSB chips for decapping and delayering. Hopefully by the end of this I'll have a copy of most/all of the ACM secure ROM to poke at.