
fusee-launcher's Introduction

Fusée Gelée

                                      *     .--.
                                           / /  `
                          +               | |
                                 '         \ \__,
                             *          +   '--'  *
                                 +   /\
                    +              .'  '.   *
                           *      /======\      +
                                 ;:.  _   ;
                                 |:. (_)  |
                                 |:.  _   |
                       +         |:. (_)  |          *
                                 ;:.      ;
                               .' \:.    / `.
                              / .-'':._.'`-. \
                              |/    /||\    \|
                            _..--"""````"""--.._
                      _.-'``                    ``'-._
                __             __                   _   __
               / _|           /_/                  | | /_/
              | |_ _   _ ___  ___  ___    __ _  ___| | ___  ___
              |  _| | | / __|/ _ \/ _ \  / _` |/ _ \ |/ _ \/ _ \
              | | | |_| \__ \  __/  __/ | (_| |  __/ |  __/  __/
              |_|  \__,_|___/\___|\___|  \__, |\___|_|\___|\___|
                                          __/ |
                                          |___/

Fusée Launcher

The Fusée Launcher is a proof-of-concept arbitrary code loader for a variety of Tegra processors, which takes advantage of CVE-2018-6242 ("Fusée Gelée") to gain arbitrary code execution and load small payloads over USB.

The vulnerability is documented in the 'report' subfolder; more details and guides are to follow! Stay tuned...

Use Instructions

The main launcher is "fusee-launcher.py". Windows, Linux, macOS and FreeBSD are all natively supported! Instructions for Windows specifically can be found on the wiki.

With a Tegra device in RCM and connected via USB, invoke the launcher with the desired payload as an argument, e.g. ./fusee-launcher.py payload.bin. Linux systems currently require either that the Tegra device be connected to an XHCI controller (used with blue USB 3 ports) or that the user has patched their EHCI driver.

Credits

Fusée Gelée (CVE-2018-6242) was discovered and implemented by Kate Temkin (@ktemkin); its launcher is developed and maintained by Mikaela Szekely (@Qyriad) and Kate Temkin (@ktemkin).

Credit goes to:

  • Qyriad -- maintainership and expansion of the code
  • SciresM, motezazer -- guidance and support
  • hedgeberg, andeor -- dumping the Jetson bootROM
  • TuxSH -- help with a first pass of bootROM RE
  • the ReSwitched team

Love / greetings to:

  • Levi / lasersquid
  • Aurora Wright
  • f916253
  • MassExplosion213

CVE-2018-6242 was also independently discovered by fail0verflow member shuffle2 as the "shofEL2" vulnerability, so that's awesome, too.

fusee-launcher's People

Contributors

aileenlumina, ktemkin, nchowning, qyriad, sersorrel, tabascoeye, trisz404, valpackett


fusee-launcher's Issues

where to place files?

Right, so I get that we have to open the Joy-Con, touch pin 9/10, hold the volume button on boot, but where do I place the files for USB stacking?

usb.core.USBError: [Errno None] Other error

full stack trace

Identified a macOS system; setting up the appropriate backend.
Traceback (most recent call last):
  File "./fusee-launcher.py", line 606, in <module>
    raise e
  File "./fusee-launcher.py", line 601, in <module>
    device_id = switch.read_device_id()
  File "./fusee-launcher.py", line 543, in read_device_id
    return self.read(16)
  File "./fusee-launcher.py", line 500, in read
    return self.backend.read(length)
  File "./fusee-launcher.py", line 118, in read
    return bytes(self.dev.read(0x81, length, 1000))
  File "/usr/local/lib/python3.7/site-packages/usb/core.py", line 975, in read
    intf, ep = self._ctx.setup_request(self, endpoint)
  File "/usr/local/lib/python3.7/site-packages/usb/core.py", line 102, in wrapper
    return f(self, *args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/usb/core.py", line 216, in setup_request
    self.managed_claim_interface(device, intf)
  File "/usr/local/lib/python3.7/site-packages/usb/core.py", line 102, in wrapper
    return f(self, *args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/usb/core.py", line 167, in managed_claim_interface
    self.backend.claim_interface(self.handle, i)
  File "/usr/local/lib/python3.7/site-packages/usb/backend/libusb1.py", line 811, in claim_interface
    _check(self.lib.libusb_claim_interface(dev_handle.handle, intf))
  File "/usr/local/lib/python3.7/site-packages/usb/backend/libusb1.py", line 595, in _check
    raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno None] Other error

Using the command sudo python3 ./fusee-launcher.py ./biskeydump_usb.bin

trying to make it work under openwrt

Hi, I'm trying to make fusee gelee work on OpenWrt. My device, a Linksys EA8500 router, has a USB 3 port (blue), so I'm using it in order to avoid problems. At first, when running fusee_gelee I was given this message:
"This device needs to be on a supported backend. Usually that means plugged into a blue/USB 3.0 port! . Bailing out."

After spending some time understanding things in the Python program, I solved this by modifying
SUPPORTED_USB_CONTROLLERS as follows:
SUPPORTED_USB_CONTROLLERS = ['pci/drivers/xhci_hcd', 'platform/drivers/dwc_otg', '../devices/platform/soc/soc:usb30@0/11000000.dwc3']

That's because under OpenWrt, the path for USB stuff is different from a standard Linux. From there, you can reach the busnum of the connected Nintendo Switch (running 'cat /sys/devices/platform/soc/soc:usb30@0/11000000.dwc3/xhci-hcd.0.auto/usb1/1-1/idProduct' returns '7321', so it's OK, the Switch is detected).

After this modification, fusee_gelee executes correctly:
root@OpenWrt:/opt/usr/sbin/fusee_gelee# ./fusee_launcher.py -w payload.bin

Important note: on desktop Linux systems, we currently require an XHCI host controller.
A good way to ensure you're likely using an XHCI backend is to plug your
device into a blue 'USB 3' port.

Identified a Linux system; setting up the appropriate backend.
Found a Tegra with Device ID: REMOVED

Setting ourselves up to smash the stack...
Uploading payload...
Smashing the stack...
The USB device stopped responding-- sure smells like we've smashed its stack. :)
Launch complete!

But on the Nintendo Switch, the screen remains black and I have to reset it in order to boot it into RCM mode again. Is there something I can do in order to debug what is happening? Thank you

EDIT: To be clear, my Switch is vulnerable; I launch payloads on it every day with fusee_launcher on my Linux laptop :)
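The "supported backend" decision the post above works around, as an added example that is not fusee-launcher's own code: a constructed stand-in for sysfs lets the stock SUPPORTED_USB_CONTROLLERS list and the OpenWrt-extended one be compared offline, so the same check can be run on a desktop XHCI bus, an EHCI bus and the router's dwc3 path. The snapshot layout, the substring match and the way the controller path is resolved are assumptions; the 0955:7321 RCM ids and the two controller lists come from the page.

```python
# Added diagnostic example (not the launcher's code). The sysfs layout and the
# substring test are assumptions; ids and controller lists are from the page.
RCM_VID, RCM_PID = "0955", "7321"   # Tegra RCM vendor/product ids quoted on the page

STOCK_CONTROLLERS = ['pci/drivers/xhci_hcd', 'platform/drivers/dwc_otg']
OPENWRT_CONTROLLERS = STOCK_CONTROLLERS + [
    '../devices/platform/soc/soc:usb30@0/11000000.dwc3']

# Constructed sysfs snapshots: device name -> attribute files, and
# bus number -> resolved path of the host controller that owns that bus.
OPENWRT_SYSFS = {
    "devices": {"1-1": {"idVendor": "0955", "idProduct": "7321", "busnum": "1"}},
    "controllers": {
        "1": "../devices/platform/soc/soc:usb30@0/11000000.dwc3/xhci-hcd.0.auto"},
}
DESKTOP_SYSFS = {
    "devices": {
        "1-3": {"idVendor": "1234", "idProduct": "abcd", "busnum": "1"},  # unrelated, made up
        "3-2": {"idVendor": "0955", "idProduct": "7321", "busnum": "3"},
    },
    "controllers": {
        "1": "../../../bus/pci/drivers/ehci-pci",   # EHCI: rejected by the stock list
        "3": "../../../bus/pci/drivers/xhci_hcd",   # XHCI: the "blue USB 3 port" case
    },
}


def find_rcm_devices(sysfs):
    """Names of attached devices presenting the Tegra RCM vendor/product ids."""
    return sorted(name for name, attrs in sysfs["devices"].items()
                  if attrs["idVendor"] == RCM_VID and attrs["idProduct"] == RCM_PID)


def controller_is_supported(controller_path, supported):
    """True if any supported-controller entry occurs in the resolved controller path."""
    return any(entry in controller_path for entry in supported)


def backend_check(sysfs, supported=STOCK_CONTROLLERS):
    """Return (device_name, ok). ok is False when no RCM device is attached or when
    its bus hangs off a controller outside `supported`, which is the situation in
    which the launcher prints its 'needs to be on a supported backend' message."""
    devices = find_rcm_devices(sysfs)
    if not devices:
        return None, False
    name = devices[0]
    bus = sysfs["devices"][name]["busnum"]
    return name, controller_is_supported(sysfs["controllers"][bus], supported)
```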

Attempting to run the demo results in a successful lockup, but doesn't display anything

I've managed to get into the mode for running the launcher, on a system capable of it (Debian buster 64-bit) but even though it runs successfully (and doesn't brick the switch, holding the power button brings it back to the regular OS) it doesn't result in anything on the screen.

Method to enter recovery is shorting pin 10 to the headphone ground with a wire.
Yes, it is plugged into a 3.0 port.
Using an A to C 2.0 cable (OnePlus DASH charging cable)
Model on the back is "HAC-001"
OS version is 4.1.0 (yes, I know it's not supported for homebrew at this time)
sha256 of the payload I'm using is 1681ff0bb4f7ebe657d23954e81d2b83a23372360ae05ec7dabc478ad25f18aa
sha1: 6a7f9b8660ba5df614d00e469b3cefbf0c7cb2f8

Output of fusee-gelee.py:

Important note: on desktop Linux systems, we currently require an XHCI host controller.
A good way to ensure you're likely using an XHCI backend is to plug your
device into a blue 'USB 3' port.

Identified a Linux system; setting up the appropriate backend.
Found a Tegra with Device ID: [redacted]

Setting ourselves up to smash the stack...
Uploading payload...
Smashing the stack...
The USB device stopped responding-- sure smells like we've smashed its stack. :)
Launch complete!

Issues Exploiting a T124 device

Hello,

I am trying to run this exploit on my Shield Tablet, a T124-based device. I think that I manage to enter the right mode by pressing Vol Up and Power on; lsusb reports "0955:7f40" but the function read_device_id returns "device is busy".

On the other hand, I have tried to run the special GET_STATUS directly but I can only see in the return buffer a 0x82 followed by many 0's. Does this mean that this device's boot ROM is fixed? This device is older than the discovery of the bug, so that would be weird.

I see in your report that you managed to perform a special GET_STATUS on a T124. I would be really grateful if you could provide more info about how you did it.

I would like to use this exploit to get the boot keys to use nvflash and do some experimentation with this tablet.

Please help.. Error during install of payload

via a 2017 rMBP

Python 3 installed via homebrew, pyusb and libusb installed using: pip3 install

$ sudo python3 fusee-launcher.py fusee.bin
Alias tip: _ python3 fusee-launcher.py fusee.bin
Traceback (most recent call last):
  File "fusee-launcher.py", line 594, in <module>
    pid=arguments.pid, os_override=arguments.platform, override_checks=arguments.skip_checks)
  File "fusee-launcher.py", line 466, in __init__
    self.dev = self._find_device(vid, pid)
  File "fusee-launcher.py", line 496, in _find_device
    return self.backend.find_device(vid, pid)
  File "fusee-launcher.py", line 135, in find_device
    self.dev = usb.core.find(idVendor=vid, idProduct=pid)
  File "/usr/local/lib/python3.6/site-packages/usb/core.py", line 1263, in find
    raise NoBackendError('No backend available')
usb.core.NoBackendError: No backend available

Error when injecting payload on linux

When I try to inject a payload I get this error. I am running Ubuntu 18.04.2

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "fusee-launcher.py", line 606, in <module>
    raise e
  File "fusee-launcher.py", line 601, in <module>
    device_id = switch.read_device_id()
  File "fusee-launcher.py", line 543, in read_device_id
    return self.read(16)
  File "fusee-launcher.py", line 500, in read
    return self.backend.read(length)
  File "fusee-launcher.py", line 118, in read
    return bytes(self.dev.read(0x81, length, 1000))
  File "/home/tyler/.local/lib/python3.6/site-packages/usb/core.py", line 975, in read
    intf, ep = self._ctx.setup_request(self, endpoint)
  File "/home/tyler/.local/lib/python3.6/site-packages/usb/core.py", line 102, in wrapper
    return f(self, *args, **kwargs)
  File "/home/tyler/.local/lib/python3.6/site-packages/usb/core.py", line 215, in setup_request
    intf, ep = self.get_interface_and_endpoint(device, endpoint_address)
  File "/home/tyler/.local/lib/python3.6/site-packages/usb/core.py", line 102, in wrapper
    return f(self, *args, **kwargs)
  File "/home/tyler/.local/lib/python3.6/site-packages/usb/core.py", line 225, in get_interface_and_endpoint
    for intf in self.get_active_configuration(device):
  File "/home/tyler/.local/lib/python3.6/site-packages/usb/core.py", line 102, in wrapper
    return f(self, *args, **kwargs)
  File "/home/tyler/.local/lib/python3.6/site-packages/usb/core.py", line 236, in get_active_configuration
    self.managed_open()
  File "/home/tyler/.local/lib/python3.6/site-packages/usb/core.py", line 102, in wrapper
    return f(self, *args, **kwargs)
  File "/home/tyler/.local/lib/python3.6/site-packages/usb/core.py", line 120, in managed_open
    self.handle = self.backend.open_device(self.dev)
  File "/home/tyler/.local/lib/python3.6/site-packages/usb/backend/libusb1.py", line 786, in open_device
    return _DeviceHandle(dev)
  File "/home/tyler/.local/lib/python3.6/site-packages/usb/backend/libusb1.py", line 643, in __init__
    _check(_lib.libusb_open(self.devid, byref(self.handle)))
  File "/home/tyler/.local/lib/python3.6/site-packages/usb/backend/libusb1.py", line 595, in _check
    raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 13] Access denied (insufficient permissions)

Operation timed out

After patching EHCI successfully and putting the Switch into RCM, the payload gives an error:

❱ sudo python3 ./fusee-launcher.py ../../payloads/fusee-primary.bin

Important note: on desktop Linux systems, we currently require an XHCI host controller.
A good way to ensure you're likely using an XHCI backend is to plug your
device into a blue 'USB 3' port.

Identified a Linux system; setting up the appropriate backend.
Traceback (most recent call last):
  File "./fusee-launcher.py", line 606, in <module>
    raise e
  File "./fusee-launcher.py", line 601, in <module>
    device_id = switch.read_device_id()
  File "./fusee-launcher.py", line 543, in read_device_id
    return self.read(16)
  File "./fusee-launcher.py", line 500, in read
    return self.backend.read(length)
  File "./fusee-launcher.py", line 118, in read
    return bytes(self.dev.read(0x81, length, 1000))
  File "/usr/lib/python3.6/site-packages/usb/core.py", line 988, in read
    self.__get_timeout(timeout))
  File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 833, in bulk_read
    timeout)
  File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 936, in __read
    _check(retval)
  File "/usr/lib/python3.6/site-packages/usb/backend/libusb1.py", line 595, in _check
    raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 110] Operation timed out

I have no idea what to do, so all help would be appreciated.

SyntaxError

There is an error somewhere in the Linux version, tried running it on Ubuntu 19.04 and it gave me this output:

sudo python ./fusee-launcher.py hekate_ctcaer_4.10.1.bin
[sudo] password for user:
File "./fusee-launcher2.py", line 3
SyntaxError: Non-ASCII character '\xc3' in file ./fusee-launcher.py on line 3, but no encoding declared; see http://python.org/dev/peps/pep-0263/ for details

Too much love for Windows, but no Linux Love?

#Sad :(

No module named usb

Does this mean my Switch is not found, or is there an issue with the pyusb version? Tried this on Ubuntu 14 and 16.

sudo ./fusee-launcher.py payload.bin 
Traceback (most recent call last):
  File "./fusee-launcher.py", line 594, in <module>
    pid=arguments.pid, os_override=arguments.platform, override_checks=arguments.skip_checks)
  File "./fusee-launcher.py", line 466, in __init__
    self.dev = self._find_device(vid, pid)
  File "./fusee-launcher.py", line 496, in _find_device
    return self.backend.find_device(vid, pid)
  File "./fusee-launcher.py", line 133, in find_device
    import usb
ImportError: No module named 'usb'

No module named usb

When attempting to load the fusee launcher it spits out an error saying no module named USB found. I installed pyusb 1.0.2, but I'm still having the same issue...
