mirror of https://github.com/Qyriad/fusee-launcher.git synced 2024-11-21 22:39:18 +01:00

A reference implementation launcher for the Fusée Gelée Tegra X1 bootROM exploit

Go to file

Mikaela Szekely 433077ab72 Merge pull request #15 from nchowning/master Relocator default dir matches fusee-launcher.py dir		2018-05-23 16:51:43 -04:00
report	Remove trailing whitespace	2018-04-25 19:56:07 -04:00
.editorconfig	Add EditorConfig	2018-05-08 13:16:47 -04:00
fusee-launcher.py	Merge pull request #15 from nchowning/master	2018-05-23 16:51:43 -04:00
intermezzo.bin	Minor documentation changes atop trisz404's PR.	2018-05-07 00:45:18 -06:00
intermezzo.lds	accelerate the timeline a little ( ͡° ͜ʖ ͡°)	2018-04-23 09:11:57 -06:00
intermezzo.S	Restruct the payload, so it can fit more code	2018-05-02 16:10:51 +02:00
libusbK.py	Add Windows support with libusbK	2018-05-17 02:12:59 -04:00
LICENSE	Relicense under the terms of the GPLv2	2018-05-17 00:59:30 -04:00
Makefile	Restruct the payload, so it can fit more code	2018-05-02 16:10:51 +02:00
modchipd.sh	accelerate the timeline a little ( ͡° ͜ʖ ͡°)	2018-04-23 09:11:57 -06:00
README.md	Support FreeBSD via macOS backend	2018-05-23 13:57:42 +03:00
requirements.txt	Added pyusb as a pip requirement.	2018-04-27 20:28:59 +02:00

README.md

Fusée Gelée

                                      *     .--.
                                           / /  `
                          +               | |
                                 '         \ \__,
                             *          +   '--'  *
                                 +   /\
                    +              .'  '.   *
                           *      /======\      +
                                 ;:.  _   ;
                                 |:. (_)  |
                                 |:.  _   |
                       +         |:. (_)  |          *
                                 ;:.      ;
                               .' \:.    / `.
                              / .-'':._.'`-. \
                              |/    /||\    \|
                            _..--"""````"""--.._
                      _.-'``                    ``'-._
                    -'                                '-
             __      __                 _ _       _              _
            / /      \ \               (_) |     | |            | |
           | |_ __ ___| |  _____      ___| |_ ___| |__   ___  __| |
          / /| '__/ _ \\ \/ __\ \ /\ / / | __/ __| '_ \ / _ \/ _` |
          \ \| | |  __// /\__ \\ V  V /| | || (__| | | |  __/ (_| |
           | |_|  \___| | |___/ \_/\_/ |_|\__\___|_| |_|\___|\__,_|
            \_\      /_/

Fusée Launcher

The Fusée Launcher is a proof-of-concept arbitrary code loader for a variety of Tegra processors, which takes advantage of CVE-2018-6242 ("Fusée Gelée") to gain arbitrary code execution and load small payloads over USB.

The vulnerability is documented in the 'report' subfolder; more details and guides are to follow! Stay tuned...

Use Instructions

The main launcher is "fusee-launcher.py". Windows, Linux, macOS and FreeBSD are all natively supported! Instructions for Windows specifically can be found on the wiki.

With a Tegra device in RCM and connected via USB, invoke the launcher with the desired payload as an argument, e.g. ./fusee-launcher.py payload.bin. Linux systems currently require either that the Tegra device be connected to an XHCI controller (used with blue USB 3 ports) or that the user has patched their EHCI driver.

Credits

Fusée Gelée (CVE-2018-6242) was discovered and implemented by Kate Temkin (@ktemkin); its launcher is developed and maintained by Mikaela Szekely (@Qyriad) and Kate Temkin (@ktemkin).

Credit goes to:

Qyriad -- maintainership and expansion of the code
SciresM, motezazer -- guidance and support
hedgeberg, andeor -- dumping the Jetson bootROM
TuxSH -- help with a first pass of bootROM RE
the ReSwitched team

Love / greetings to:

Levi / lasersquid
Aurora Wright
f916253
MassExplosion213
Schala

CVE-2018-6242 was also independently discovered by fail0verflow member shuffle2 as the "shofEL2" vulnerability-- so that's awesome, too.