A reference implementation launcher for the Fusée Gelée Tegra X1 bootROM exploit
Go to file
2018-05-18 13:39:29 -07:00
report Remove trailing whitespace 2018-04-25 19:56:07 -04:00
.editorconfig Add EditorConfig 2018-05-08 13:16:47 -04:00
fusee-launcher.py Added -r argument, to have fusee-launcher.py listen for USB communication back from the target device, after the stack is smashed. This is to support the text output from https://github.com/rajkosto/biskeydump 2018-05-18 13:39:29 -07:00
intermezzo.bin Minor documentation changes atop trisz404's PR. 2018-05-07 00:45:18 -06:00
intermezzo.lds accelerate the timeline a little ( ͡° ͜ʖ ͡°) 2018-04-23 09:11:57 -06:00
intermezzo.S Restruct the payload, so it can fit more code 2018-05-02 16:10:51 +02:00
libusbK.py Add Windows support with libusbK 2018-05-17 02:12:59 -04:00
LICENSE Relicense under the terms of the GPLv2 2018-05-17 00:59:30 -04:00
Makefile Restruct the payload, so it can fit more code 2018-05-02 16:10:51 +02:00
modchipd.sh accelerate the timeline a little ( ͡° ͜ʖ ͡°) 2018-04-23 09:11:57 -06:00
README.md Add a few more instructions to the readme 2018-05-09 12:51:46 -04:00
requirements.txt Added pyusb as a pip requirement. 2018-04-27 20:28:59 +02:00

Fusée Gelée

                                      *     .--.
                                           / /  `
                          +               | |
                                 '         \ \__,
                             *          +   '--'  *
                                 +   /\
                    +              .'  '.   *
                           *      /======\      +
                                 ;:.  _   ;
                                 |:. (_)  |
                                 |:.  _   |
                       +         |:. (_)  |          *
                                 ;:.      ;
                               .' \:.    / `.
                              / .-'':._.'`-. \
                              |/    /||\    \|
                            _..--"""````"""--.._
                      _.-'``                    ``'-._
                    -'                                '-
             __      __                 _ _       _              _
            / /      \ \               (_) |     | |            | |
           | |_ __ ___| |  _____      ___| |_ ___| |__   ___  __| |
          / /| '__/ _ \\ \/ __\ \ /\ / / | __/ __| '_ \ / _ \/ _` |
          \ \| | |  __// /\__ \\ V  V /| | || (__| | | |  __/ (_| |
           | |_|  \___| | |___/ \_/\_/ |_|\__\___|_| |_|\___|\__,_|
            \_\      /_/

Fusée Launcher

The Fusée Launcher is a proof-of-concept arbitrary code loader for a variety of Tegra processors, which takes advantage of CVE-2018-6242 ("Fusée Gelée") to gain arbitrary code execution and load small payloads over USB.

The vulnerability is documented in the 'report' subfolder; more details and guides are to follow! Stay tuned...

Use Instructions

The main launcher is "fusee-launcher.py". Linux and macOS are natively supported with Windows support coming Soon™.

With a Tegra device in RCM and connected via USB, invoke the launcher with the desired payload as an argument, e.g. ./fusee-launcher.py payload.bin. Linux systems currently require either that the Tegra device be connected to an XHCI controller (used with blue USB 3 ports) or that the user has patched their EHCI driver.

Credits            

Fusée Gelée (CVE-2018-6242) was discovered and implemented by Kate Temkin (@ktemkin); its launcher is developed and maintained by Mikaela Szekely (@Qyriad) and Kate Temkin (@ktemkin).

Credit goes to:

  • Qyriad -- maintainership and expansion of the code
  • SciresM, motezazer -- guidance and support
  • hedgeberg, andeor -- dumping the Jetson bootROM
  • TuxSH -- help with a first pass of bootROM RE
  • the ReSwitched team

Love / greetings to:

  • Levi / lasersquid
  • Aurora Wright
  • f916253
  • MassExplosion213
  • Schala

CVE-2018-6242 was also independently discovered by fail0verflow member shuffle2 as the "shofEL2" vulnerability-- so that's awesome, too.