2018-05-09 00:48:58 +02:00
# Fusée Gelée
2018-04-23 17:11:57 +02:00
2018-05-09 00:48:58 +02:00
```
2018-04-23 17:11:57 +02:00
* .--.
/ / `
+ | |
' \ \__,
* + '--' *
+ /\
+ .' '. *
* /======\ +
;:. _ ;
|:. (_) |
|:. _ |
+ |:. (_) | *
;:. ;
.' \:. / `.
/ .-'':._.'`-. \
|/ /||\ \|
_..--"""````"""--.._
_.-'`` ``'-._
-' '-
__ __ _ _ _ _
/ / \ \ (_) | | | | |
| |_ __ ___| | _____ ___| |_ ___ | |__ ___ __ | |
/ /| '__/ _ \\ \/ __ \ \ /\ / / | __ / __ | '_ \ / _ \/ _ ` |
\ \| | | __ // /\__ \\ V V /| | || (__| | | | __ / (_| |
| |_| \___| | |___/ \_/\_/ |_|\__\___|_| |_|\___|\__,_|
\_\ /_/
2018-05-09 00:48:58 +02:00
```
## Fusée Launcher
The Fusée Launcher is a proof-of-concept arbitrary code loader for a variety
of Tegra processors, which takes advantage of CVE-2018-6242 ("Fusée Gelée")
to gain arbitrary code execution and load small payloads over USB.
The vulnerability is documented in the 'report' subfolder; more details and
guides are to follow! Stay tuned...
### Use Instructions
2018-05-22 15:51:09 +02:00
The main launcher is "fusee-launcher.py". Windows, Linux, and macOS are all natively supported! Instructions for Windows specifically can be found on the [wiki ](https://github.com/reswitched/fusee-launcher/wiki/Instructions-(Windows )).
2018-05-09 18:51:46 +02:00
With a Tegra device in RCM and connected via USB, invoke the launcher with the desired payload as an argument, e.g. `./fusee-launcher.py payload.bin` . Linux systems currently require either that the Tegra device be connected to an XHCI controller (used with blue USB 3 ports) or that the user has patched their EHCI driver.
2018-05-09 00:48:58 +02:00
2018-05-09 00:49:29 +02:00
### Credits
2018-05-09 00:48:58 +02:00
Fusée Gelée (CVE-2018-6242) was discovered and implemented by Kate Temkin (@ktemkin);
its launcher is developed and maintained by Mikaela Szekely (@Qyriad) and Kate Temkin (@ktemkin).
Credit goes to:
2018-05-09 00:50:51 +02:00
* Qyriad -- maintainership and expansion of the code
* SciresM, motezazer -- guidance and support
* hedgeberg, andeor -- dumping the Jetson bootROM
* TuxSH -- help with a first pass of bootROM RE
* the ReSwitched team
2018-05-09 00:48:58 +02:00
Love / greetings to:
2018-05-09 00:50:51 +02:00
* Levi / lasersquid
* Aurora Wright
* f916253
* MassExplosion213
* Schala
CVE-2018-6242 was also independently discovered by fail0verflow member
shuffle2 as the "shofEL2" vulnerability-- so that's awesome, too.