The inspiration here was getting root on the Switch 2. Getting root in Linux was the PoC. The goal was not demonstrating some fundamental security vulnerability that's practically exploitable, but instead reclaiming actual ownership of one's own hardware without breaking TPM or game ring 0 anti-cheat.
This was very well written and an amazing challenge but my brain is wired to that "hacking common sense" that if you have physical access then it's already over...
The first thing that came to my mind was that, if you have physical access, then you can reflash the BIOS, install a driver backdoor, you can boot a live OS and then it's just a matter of tampering with /etc/{passwd,shadow,groups, etc} ...<p>But I remembered that most of the physical access hacks would not be possible if the disk is encrypted... which then makes this kind of hack enormously attractive.<p>The antenna idea can be extended to be a piece of hardware with the interference device built-in (piezo or whatever) which communicates with the external world over any wireless medium, and then the attacker can trigger the interference remotely. This, plus a website controlled by the hacker which the victim is scammed into visiting, can be enough to make it viable.
I like this. Upshot: electrostatic bit flip on memory read or write, which with solder can deterministically get a 'safe' pointer mutated into your own evil pointer.<p>Generally the historical perspective on physical access was: "once they have it, game over." TPM and trusted execution environments have shifted this security perspective to "we can trust certain operations inside the enclave even if the user has physical access."<p>His next steps are most interesting to me -- can you get something (semi-) reliable without soldering stuff? My guess is it's going to be a lot harder. Lots of thought already goes into dealing with electrical interference. On the other hand, maybe? If you flip one random bit of a 64 bit read every time you click your lighter, and your exploit can work with one of say 4 bit flips, then you don't need that many tries on average. At any rate, round 2 of experimentation should be interesting.
My immediate thought was that this was a post about how someone got root access to a cigarette lighter and I was totally ready to believe it.<p>My parents' oven gets regular software updates so I didn’t even question whether the cigarette lighter was “smart.”
This reminds me of exploits we used to do to arcade cabinets back in Sydney in the 80s and 90s. The school gas heaters used to have what we called "clickers", piezoelectric ignition devices you could remove from the heaters.<p>You then took that clicker to your local arcade, and clicked one of the corners of the CRT; that would send a shock through the system and add credits to your game. I believe this was because the CRT was grounded on the same ground lines that the mechanism for physically checking that a coin had gone through the system used.<p>Suffice it to say, they caught onto this over time, and added some form of an alarm into it. But up until then... Those were truly the best times.
Not only is it a fun exploit, this is also a cool mini-introduction to how caching works for CPUs.<p>I remember a year ago or so there was a submission here which detailed how computers work and are built starting at the tiniest part: starting with logic gates, IIRC. Anybody remember what that website was?
"It's just one resistor (15 ohms) and one wire, soldered to DQ26. The wire acts like an antenna, picking up any nearby EM interference and dumping it straight onto the data bus."<p>really neat hack. using the lighter to create EM interference. better go light up next to my DDR bus and see what happens :)
Sure, if you solder an antenna to your memory first :-)<p>But good and thorough write-up about how to actually exploit such a glitch.<p>And you could also use the cigarette lighter for hanging out at the data center back door and wait until the admin comes for a smoke.
Can someone explain why the EMI would cause a bit flip and not always a high read? Why would a pulse invert the signal that’s read? Don’t the voltages effectively get added?
If you wanted to defend a system from this, a big chunk of defence would be to choose a system with ECC, and then to halt() the whole system when an ECC error occurs.<p>Since the attacker is very unlikely to flip the exact right bits to make ECC match, their exploit is very likely to be detected before it succeeds. halt() is necessary so the attacker cannot have more tries at it.<p>Obviously you have the downside that real memory errors cause the system to crash.
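As an added illustration of the ECC argument in the comment above (this is constructed example code, not the article's code and not any particular memory controller's ECC layout): a textbook (72,64) SECDED extended Hamming code, the scheme behind typical DDR ECC DIMMs. It shows why a lighter-induced single flip cannot succeed silently (it is corrected), why two flips are still caught (detected, uncorrectable), and why an attacker who wants one chosen data bit to change unnoticed must flip at least four specific bits of the 72-bit codeword in concert. The bit layout (data in non-power-of-two positions, check bits at powers of two, overall parity in bit 0) is the standard construction and is an assumption of this example; real controllers permute lines differently. The halt policy from the comment is modelled as a read that refuses to return data on any ECC event.

```python
"""SECDED (72,64) extended Hamming code: constructed example, not vendor ECC."""

DATA_BITS = 64
CHECK_BITS = 7                      # 2**7 = 128 >= 64 + 7 + 1
N = DATA_BITS + CHECK_BITS          # Hamming positions 1..71; bit 0 = overall parity


def _is_pow2(pos):
    return pos & (pos - 1) == 0


def encode(word):
    """Return a 72-bit codeword for a 64-bit data word (assumed layout)."""
    code = [0] * (N + 1)
    d = 0
    for pos in range(1, N + 1):         # data goes to non-power-of-two positions
        if not _is_pow2(pos):
            code[pos] = (word >> d) & 1
            d += 1
    for i in range(CHECK_BITS):         # check bit p covers every pos with bit i set
        p = 1 << i
        code[p] = 0
        for pos in range(1, N + 1):
            if pos & p and pos != p:
                code[p] ^= code[pos]
    code[0] = 0                         # overall parity covers all 71 Hamming positions
    for pos in range(1, N + 1):
        code[0] ^= code[pos]
    cw = 0
    for pos in range(N + 1):
        cw |= code[pos] << pos
    return cw


def decode(cw):
    """Return (status, word); status is 'ok', 'corrected' or 'uncorrectable'."""
    code = [(cw >> pos) & 1 for pos in range(N + 1)]
    syndrome = 0                        # syndrome == position of a single flipped bit
    for i in range(CHECK_BITS):
        p = 1 << i
        par = 0
        for pos in range(1, N + 1):
            if pos & p:
                par ^= code[pos]
        if par:
            syndrome |= p
    overall = 0
    for pos in range(N + 1):
        overall ^= code[pos]
    if syndrome == 0 and overall == 0:
        status = "ok"
    elif overall == 1:                  # odd flip count: treat as a single error
        if syndrome > N:                # points outside the codeword: 3+ flips
            return "uncorrectable", None
        if syndrome:                    # syndrome 0 here means only bit 0 flipped
            code[syndrome] ^= 1
        status = "corrected"
    else:                               # even flip count with nonzero syndrome
        return "uncorrectable", None
    word = 0
    d = 0
    for pos in range(1, N + 1):
        if not _is_pow2(pos):
            word |= code[pos] << d
            d += 1
    return status, word


def flip(cw, positions):
    """Simulate EMI flipping the given codeword bit positions."""
    for pos in positions:
        cw ^= 1 << pos
    return cw


def flips_needed_to_alias(data_bit):
    """Minimum coordinated flips for data_bit to change without ECC noticing.

    The code is linear, so the required pattern is encode(1 << bit) ^ encode(0):
    the data bit, every check bit covering it, and the overall parity bit.
    """
    return bin(encode(1 << data_bit) ^ encode(0)).count("1")


def read_with_halt_policy(cw):
    """Read under the comment's policy: any ECC event halts instead of returning data.

    Returns (halted, word); halted is True when the machine would stop.
    """
    status, word = decode(cw)
    if status != "ok":
        return True, None               # deny the attacker any further tries
    return False, word


if __name__ == "__main__":
    w = 0x0123456789ABCDEF            # constructed sample data word
    cw = encode(w)
    print(decode(flip(cw, [3])))       # one flip: corrected, data intact
    print(decode(flip(cw, [3, 5])))    # two flips: detected, uncorrectable
    print(min(flips_needed_to_alias(b) for b in range(DATA_BITS)))
```

The last number printed is the code's minimum distance, 4: a single uncoordinated flip from an antenna on one data line is always caught, and a silent flip of one target bit would require hitting at least four specific lines at once, which is why the comment's "halt on any ECC event" policy denies the attacker the retries such an attack would need.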
This is the kind of content I come to HN for, thanks OP. Really mind blowing how talented some folks are.<p>How long would it take someone to acquire these skills?
I followed him on mastodon, the article is cool too.
On Mastodon, there is a video of the root access where one can see the screen.<p>https://mastodon.xyz/@retr0id@retr0.id/113252910481164528
Apply the flame to the sysadmin's hand and get root access. I mean, it's a cool demo, but if you can solder crap to the hardware, might as well do anything that physical access provides normally. Like, you can just install the payload without the exploit.
I thought OP was going to do this without soldering anything.<p>But I feel like soldering something is no different than just like splicing a telephone cable in half and putting your own headset in the middle…<p>Except instead of putting a headset, you crudely use a lighter…
>I only want glitches to happen on-demand, not all the time.<p>>My injected ELF also flushes the page cache<p>The difference between a padawan and a jedi<p>Amazing write up and bonus points for the reproducibility of this creativity.
Would things like AMD's "Secure encrypted virtualization" protect against this? Is the data XORed with a key (therefore letting bitflips propogate) or is the data actually encrypted (meaning a bitflip in the input leads to a totally different address)
What is the purpose of the "_" in "0x100_0000"? AFAICT, it doesn't change anything.<p>
    >>> 0x100_0000
    16777216
    >>> 0x100_0001
    16777217
    >>> 0x1000001
    16777217
    >>> 0x100000_1
    16777217
Cranky comment: Putting your code comments in line with the code is less readable than putting the comment on the preceding line. Most people get what you're going to talk about from the context.
I thought this was about getting the root password by burning the sysadmin with a cigarette lighter (https://xkcd.com/538/)
Before reading the article, my approach would be so much darker… a bit of gasoline and a lighter can do wonders for the memory of a person who “forgot” a password.<p>Might need duct tape and a chair as well.
This is so awesome! I just love this stuff, I hope that I can be at this level one day. Also I love how we're side-eyeing the Switch 2 lmaooo, that's bold considering Yuzu, Ryujinx and the 100+ YT creators Nintendo has either taken down or copyright struck this past week.
...<p>"Finally, I'd like to thank JEDEC for paywalling all of the specification documents that were relevant to conducting this research."
>Can You Get Root with Only a Cigarette Lighter?<p>No, you can't. That long lead used to couple your ersatz pulse generator defeats all the engineering put into making the computer reliable and quiet in the EMI sense.<p>Circuit bending is fun stuff, but it's not a remote exploit.