I wrote a blog post about the security of the STM32H730 microcontroller used in the Nintendo Alarmo. There's a vulnerability that allows dumping the protected secure bootloader of the STM32H730.
You can read more about it here: https://garyodernichts.blogspot.com/2025/11/privileged-arbitrary-code-execution-on.html

Nintendo is still shipping Alarmos without signature checks in the 2ndloader. I assumed they might do something for the wide retail release, but it looks like they don't really care (for now).

Wii U fun facts:
While reverse engineering the Wii U's USB Host Stack (UHS) I noticed several fun quirks in their descriptor code.
One of them was even exploitable (UDPIH), but there are some other funny quirks that I have never mentioned before. This post contains some of the minor ones I still remember.
**1.**
A USB device can have multiple configurations, which are retrieved using the GET_DESCRIPTOR request.
According to the USB specification, the index of the descriptor to be retrieved is stored in the lower byte of the wValue field.
UHS keeps this field as 0 and uses the wIndex field instead to retrieve multiple configurations.
wIndex contains the Language ID for string descriptors, and is supposed to be zero for configuration descriptors.
This causes UHS to retrieve the first configuration multiple times if the device has multiple configurations.
In practice this is not a big issue though, most devices only have a single configuration and UHS will only use the first one anyway.
**2.**
When reading multiple configurations, UHS doesn't change the size of the next configuration to be read.
So the initial read of the next configuration ends up being the full size of the previous configuration.
In practice this also isn't an issue, the device will simply respond with a short packet.
**3.**
If you set the bLength field of an interface or endpoint descriptor to zero, the parser will get stuck in an endless loop, since it will increment the loop offset with this value.
This causes the entire console to freeze when encountering a malformed configuration. Also not a big issue, but this was one of the things which lead me to discovering UDPIH :P

After my last post, it was pretty clear what everyone wanted to see on the Alarmo. So, here it is - Doom running on the Nintendo Alarmo!

It's possible to run custom code on the Nintendo Alarmo via USB - without opening it up!
More details in the blog post here: https://garyodernichts.blogspot.com/2024/10/looking-into-nintendo-alarmo.html