A reference implementation launcher for the Fusée Gelée Tegra X1 bootROM exploit
Repository contents (file, last commit message, date):

  • report -- Remove trailing whitespace (2018-04-25)
  • .editorconfig -- Add EditorConfig (2018-05-08)
  • fusee-launcher.py -- update readme (2018-07-13)
  • intermezzo.bin -- Minor documentation changes atop trisz404's PR. (2018-05-07)
  • intermezzo.lds -- accelerate the timeline a little ( ͡° ͜ʖ ͡°) (2018-04-23)
  • intermezzo.S -- Restruct the payload, so it can fit more code (2018-05-02)
  • libusbK.py -- Add Windows support with libusbK (2018-05-17)
  • LICENSE -- Relicense under the terms of the GPLv2 (2018-05-17)
  • Makefile -- Restruct the payload, so it can fit more code (2018-05-02)
  • modchipd.sh -- accelerate the timeline a little ( ͡° ͜ʖ ͡°) (2018-04-23)
  • README.md -- One Year Anniversary (2019-04-23)
  • requirements.txt -- Added pyusb as a pip requirement. (2018-04-27)

Fusée Gelée

                                      *     .--.
                                           / /  `
                          +               | |
                                 '         \ \__,
                             *          +   '--'  *
                                 +   /\
                    +              .'  '.   *
                           *      /======\      +
                                 ;:.  _   ;
                                 |:. (_)  |
                                 |:.  _   |
                       +         |:. (_)  |          *
                                 ;:.      ;
                               .' \:.    / `.
                              / .-'':._.'`-. \
                              |/    /||\    \|
                            _..--"""````"""--.._
                      _.-'``                    ``'-._
                __             __                   _   __
               / _|           /_/                  | | /_/
              | |_ _   _ ___  ___  ___    __ _  ___| | ___  ___
              |  _| | | / __|/ _ \/ _ \  / _` |/ _ \ |/ _ \/ _ \
              | | | |_| \__ \  __/  __/ | (_| |  __/ |  __/  __/
              |_|  \__,_|___/\___|\___|  \__, |\___|_|\___|\___|
                                          __/ |
                                          |___/
  __  __     __                                    _                                    
 /_ | \ \   / /                  /\               (_)                                    
  | |  \ \_/ /__  __ _ _ __     /  \   _ __  _ __  ___   _____ _ __ ___  __ _ _ __ _   _ 
  | |   \   / _ \/ _` | '__|   / /\ \ | '_ \| '_ \| \ \ / / _ \ '__/ __|/ _` | '__| | | |
  | |    | |  __/ (_| | |     / ____ \| | | | | | | |\ V /  __/ |  \__ \ (_| | |  | |_| |
  |_|    |_|\___|\__,_|_|    /_/    \_\_| |_|_| |_|_| \_/ \___|_|  |___/\__,_|_|   \__, |
                                                                                    __/ |
                                                                                   |___/ 

Fusée Launcher

The Fusée Launcher is a proof-of-concept arbitrary code loader for a variety of Tegra processors. It takes advantage of CVE-2018-6242 ("Fusée Gelée"), a vulnerability in the Tegra bootROM's USB recovery mode (RCM), to gain arbitrary code execution and load small payloads over USB. Because the flaw lives in the bootROM, it cannot be fixed by a software update on affected units.

The vulnerability is documented in the 'report' subfolder; more details and guides are to follow! Stay tuned...

Use Instructions

The main launcher is "fusee-launcher.py". Windows, Linux, macOS and FreeBSD are all natively supported; Windows support goes through libusbK (see libusbK.py), and Windows-specific setup instructions can be found on the wiki.

With a Tegra device in RCM and connected via USB, invoke the launcher with the desired payload as an argument, e.g. ./fusee-launcher.py payload.bin. Linux systems currently require either that the Tegra device be connected to an XHCI controller (typically the blue USB 3 ports) or that the user has patched their EHCI driver, since the stock EHCI driver refuses the oversized USB control transfer the exploit relies on.
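The two Linux preconditions above (a Tegra device enumerated in RCM, and that device sitting behind an XHCI controller) can be checked before launching. The script below is an added example, not code from the fusee-launcher project: it reads only sysfs, so it needs no extra packages. It assumes NVIDIA's USB vendor ID 0x0955 and the product ID 0x7321 that a Tegra X1 reports in RCM, and the standard sysfs layout for PCI-attached host controllers; the fake sysfs tree used by demo() is constructed sample data.

```python
#!/usr/bin/env python3
"""Linux pre-flight check for fusee-launcher.py (added example, not project code).

Verifies the README's Linux preconditions: a Tegra device present in RCM, and
that device behind an XHCI host controller (otherwise a patched EHCI driver
is needed). Only sysfs is read. Assumed: NVIDIA VID/PID below and the usual
sysfs layout for PCI-attached host controllers.
"""
import os
import tempfile
from pathlib import Path

NVIDIA_VID = 0x0955      # NVIDIA's USB vendor ID
TEGRA_RCM_PID = 0x7321   # product ID a Tegra X1 reports while in RCM


def read_hex(path):
    """Read a sysfs attribute holding a hex number; None if absent or garbled."""
    try:
        return int(Path(path).read_text().strip(), 16)
    except (OSError, ValueError):
        return None


def find_rcm_devices(usb_devices="/sys/bus/usb/devices"):
    """Return sysfs entries whose idVendor/idProduct match a Tegra in RCM."""
    root = Path(usb_devices)
    return sorted(
        d for d in root.iterdir()
        if read_hex(d / "idVendor") == NVIDIA_VID
        and read_hex(d / "idProduct") == TEGRA_RCM_PID
    )


def host_controller_driver(dev_entry):
    """Name of the driver bound to the host controller above a USB device.

    sysfs names a device '<bus>-<ports>' (e.g. '3-1'). Its root hub is
    'usb<bus>' in the same directory; the root hub's parent directory is the
    controller itself, whose 'driver' symlink names the bound driver
    (xhci_hcd, ehci-pci, ...).
    """
    dev_entry = Path(dev_entry)
    bus = dev_entry.name.split("-", 1)[0]
    root_hub = (dev_entry.parent / f"usb{bus}").resolve()
    driver_link = root_hub.parent / "driver"
    if not driver_link.is_symlink():
        return None
    return os.path.basename(os.readlink(driver_link))


def preflight(usb_devices="/sys/bus/usb/devices"):
    """Map each RCM device entry name to (driver, usable_without_ehci_patch)."""
    result = {}
    for dev in find_rcm_devices(usb_devices):
        driver = host_controller_driver(dev)
        result[dev.name] = (driver, driver is not None and driver.startswith("xhci"))
    return result


def build_fake_sysfs(root):
    """Construct a minimal sysfs imitation (sample data, not a real dump):
    bus 3 behind xhci_hcd and bus 1 behind ehci-pci each carry a Tegra in RCM;
    an unrelated device on bus 3 must be ignored."""
    root = Path(root)
    devices = root / "bus" / "usb" / "devices"
    devices.mkdir(parents=True)
    for bus, drv in (("3", "xhci_hcd"), ("1", "ehci-pci")):
        ctrl = root / "devices" / f"pci-{drv}"          # the host controller
        (ctrl / f"usb{bus}").mkdir(parents=True)        # its root hub
        (root / "drivers" / drv).mkdir(parents=True, exist_ok=True)
        (ctrl / "driver").symlink_to(root / "drivers" / drv)
        (devices / f"usb{bus}").symlink_to(ctrl / f"usb{bus}")
    for name, vid, pid in (("3-1", "0955", "7321"),
                           ("1-2", "0955", "7321"),
                           ("3-4", "1234", "abcd")):    # dummy non-Tegra device
        d = devices / name
        d.mkdir()
        (d / "idVendor").write_text(vid + "\n")
        (d / "idProduct").write_text(pid + "\n")
    return devices


def demo():
    """Run the check against the constructed tree; returns the preflight map."""
    return preflight(build_fake_sysfs(tempfile.mkdtemp()))


if __name__ == "__main__":
    checks = preflight()
    if not checks:
        print("no Tegra device in RCM found (expected 0955:7321)")
    for name, (driver, ok) in checks.items():
        verdict = "OK" if ok else "needs an XHCI port or a patched EHCI driver"
        print(f"{name}: host controller driver {driver}: {verdict}")
```

Run it with no arguments on the machine the device is plugged into; a device reported behind ehci-pci (or ehci_hcd) means the launcher will fail unless the EHCI driver has been patched, so move it to an XHCI port first.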

Credits

Fusée Gelée (CVE-2018-6242) was discovered and implemented by Kate Temkin (@ktemkin); its launcher is developed and maintained by Mikaela Szekely (@Qyriad) and Kate Temkin (@ktemkin).

Credit goes to:

  • Qyriad -- maintainership and expansion of the code
  • SciresM, motezazer -- guidance and support
  • hedgeberg, andeor -- dumping the Jetson bootROM
  • TuxSH -- help with a first pass of bootROM RE
  • the ReSwitched team

Love / greetings to:

  • Levi / lasersquid
  • Aurora Wright
  • f916253
  • MassExplosion213

CVE-2018-6242 was also independently discovered by fail0verflow member shuffle2 as the "shofEL2" vulnerability, so that's awesome, too.