601 points by 1317 1 day ago | 39 comments
ballenf 1 day ago
The inspiration here was getting root on the Switch 2. Getting root in Linux was the POC. The goal was not demonstrating some fundamental security vulnerability that's practically exploitable, but instead for reclaiming actual ownership of one's own hardware without breaking TPM or game ring 0 anti-cheat.
karlgkk 12 hours ago
I appreciate the sentiment, but I suppose I don't understand the point. 20 years ago, when consoles were powerful computers sold at a loss or low margin, it made more sense. Now though, Nintendo sells their consoles at a profit (and the Switch 2 is likely to be the same).

This is impressive, and I'm glad people are working to preserve software freedom, but I'd rather just support the alternatives.

Why give them the perceived install base, and profit? Why not get a steam deck or one of the many other handhelds that you have - day 0 as a feature - root access on?

mgaunard 9 hours ago
People tend to care about the games, and buy whatever platform those games run on, not the other way around.
xandrius 9 hours ago
Exclusive games, support the types of games they make, the services/events they provide, etc.

You can still like all that and want to gain full control of the device you own.

i4k 22 hours ago
This was very well written and an amazing challenge but my brain is wired to that "hacking common sense" that if you have physical access then it's already over... the first thing that came to my mind was that, if you have physical access, then you can reflash the BIOS, install a driver backdoor, you can boot a live OS and then it's just a matter of tampering /etc/{passwd,shadow,groups, etc} ...

but I remembered that most of the physical access hacks would not be possible if the disk is encrypted.. which then makes this kind of hack enormously attractive.

The antenna idea can be extended to be a piece of hardware with the interference device built-in (piezo or whatever) which communicates with the external world with any wireless medium and then the attacker can trigger the interference remotely. This, plus a website controlled by the hacker which the victim is scammed to visit can be enough to make it viable.

333c 22 hours ago
The motivation in the introduction is rooting/jailbreaking a handheld game console. I think this is a perfectly plausible situation where you have physical access but still want to obtain "unauthorized" access.
i4k 13 hours ago
I get it, makes sense
ruslan 16 hours ago
AFAIC, reflashing BIOS won't give you anything, you need to sign it first with proper private key which is checked by the CPU hardware before execution begins. This EMI trick fools CPU itself and I cannot see how it can be fixed, unless new paging algorithm is invented.
i4k 13 hours ago
themoonisachees 16 hours ago
This specifically is trivially defeated by ECC, though it wouldn't be that much harder to instead flip 3 bits and ECC would be unable to help. ECC has very poor penetration outside the server world though, so we're still safe. For now.
ruslan 1 hour ago
I've thought a little bit more about this case and came to the conclusion that to mitigate this attack paging algorithms can be improved by using redundancy and CRC checks with not too much overhead. Yet it takes a lot of work and investment, so it won't happen any time soon. Yes, we are safe for now.
johnisgood 22 hours ago
> I remembered that most of the physical access hacks would not be possible if the disk is encrypted..

Only if you have not booted into your system through using a keyfile or a passphrase to decrypt the data, i.e. if your PC is shut down. I have full disk encryption, and when I boot into my system, it uses the keyfile with which it would perform the decryption, and boom, I have my PC ready to be accessed physically.

vessenes 1 day ago
I like this. Upshot - electrostatic bit flip on memory read or write, which with solder can deterministically get a 'safe' pointer mutated into your own evil pointer.

Generally the historical perspective on physical access was: "once they have it, game over." TPM and trusted execution environments have shifted this security perspective to "we can trust certain operations inside the enclave even if the user has physical access."

His next steps are most interesting to me -- can you get something (semi-) reliable without soldering stuff? My guess is it's going to be a lot harder. Lots of thought already goes into dealing with electrical interference. On the other hand, maybe? if you flip one random bit of a 64 bit read every time you click your lighter, and your exploit can work with one of say 4 bit flips, then you don't need that many tries on average. At any rate, round 2 of experimentation should be interesting.

onionisafruit 1 day ago
> if you flip one random bit of a 64 bit read every time you click your lighter

Without the antenna it would be hard to limit it to a single bit getting flipped. At least that’s what I suspect.

Retr0id 1 day ago
On the flip-side (heh) flipping multiple bits at once should make it possible to bypass ECC
Lance_ET_Compte 20 hours ago
You'd likely take an exception for a multi-bit error and the handler would likely just retry the read. Single-bit errors are often just corrected on the fly by ECC logic as you mention.
echoangle 17 hours ago
If you can induce enough correct errors (yes that is contradicting), the ECC won’t be able to detect the error because the modified data is correct again. The ECC schemes I’ve seen used can correct 1 bit and detect 2 bit error, so 3 flips at the right position would be enough to get new data that would be valid again.
vessenes 23 hours ago
we need a tinfoil waveguide clearly
wang_li 15 hours ago
If you have physical access to a device that you can solder an antenna you can compromise a TPM or anything else by sticking a custom DIMM in there that you can program from the “back side” so you can replace any part of memory with anything you want anytime you want. You don’t have to randomly flip a bit and hope for the best. You just inject your entire program.
tucnak 29 minutes ago
Unless the hardware employs some variant of encrypted RAM, see cool paper by the NSA from a few months back that includes benchmarks in FPGA and silicon https://eprint.iacr.org/2024/1240
zephyreon 1 day ago
My immediate thought was that this was a post about how someone got root access to a cigarette lighter and I was totally ready to believe it.

My parents' oven gets regular software updates so I didn’t even question whether the cigarette lighter was “smart.”

Nevermark 6 hours ago
So ... a lighter with a little solar panel, and a battery, which generates sparks like a tiny taser when the lidar detects a suitably proximate cigarette or cigar. But not a finger or hot dog.

No button pushing. No lighter fluid refilling ... ever. The world waited a long time for this.

And obviously it needs a chip to run the lidar, and generate the simultaneous brilliant LED flash and fade, haptic jolt, and accompanying sound effects.

(Can some demo freak please create this? And make it look like a little revolver? But for finger and hot dog safety, you are going to have to harden the virtual memory controller...)

onionisafruit 1 day ago
From the title I half expected an incendiary version of rubber hose cryptography.
deepspace 15 hours ago
Well, the soldering iron I use most often has modifiable firmware running on a RISC-V SOC. (https://pine64.com/product/pinecil-smart-mini-portable-solde...) Who knew that melting lead could be that complicated. So I would totally believe an article about rooting a lighter.
Lockal 9 hours ago
I thought they are calculating square roots using the shape of flame...
sim7c00 19 hours ago
ooh i want a smart lighter, so i can use my phone in one hand to light the lighter in the other hand :O
medstrom 16 hours ago
Sell pyromaniacs this product, find the lighter two months later in a burned-out building, use it to identify which phone did it, catch perp.
intothemild 1 day ago
This reminds me of exploits we used to do to arcade cabinets back in Sydney in the 80's and 90s. The school gas heaters used to have what we called "clickers", piezoelectric ignition devices you could remove from the heaters.

You then took that clicker to your local arcade, and clicked one of the corners of the CRT, that would send a shock through the system and add credits to your game. I believe this was because the CRT was grounded on the same ground lines that the mechanism for physically checking a coin had gone through the system.

Suffice to say, they caught onto this over time, and added some form of an alarm into it. But up until then... Those were truly the best times.

TowerTall 21 hours ago
We did the exact same thing in the early 80's except that we used the clicker found in disposable lighters.

We did it for a couple of years until they figured it out and started to cover the arcade cabinets with transparent plastic.

At the same time they also drilled holes at the back of the machine for ventilation as the rest of the case now was sealed in plastic.

We found out that using a bamboo stick you could press the lever that registers when a coin has been paid into the slot.

That made them relocate the holes for the ventilation to the top of the case instead of the back so we couldn't get the lever anymore. Or so they thought. haha

We discovered that by pressing a coin up the return slot — the one where you get your coin back if it isn’t accepted — you could also trigger the lever for coin registration and the free gaming continued.

Eventually they put sharp screws into that coin return box so you would cut your fingers.

After that we got a SEGA. Was great fun :)

jacobgkau 21 hours ago
At what point does the arcade just kick you out? I can't imagine them seeing you continuously tamper with their equipment to circumvent paying and think, "the best way to handle this is to keep modifying our machines."
bityard 19 hours ago
Arcades were big dark noisy rooms, and quite often had only one or two people on staff who were usually either busy dealing with other customers and were paid far too little to care about the owners' profit margins. They were basically there to hand out prizes to little kids for the ticket machines and make sure nobody walked out with Dig Dug on a hand cart.
TowerTall 12 hours ago
In our case the arcade was in an adjoining room to our local cinema with no staff present and no CCTV so we had plenty of time to fiddle with the machines.
cutemonster 20 hours ago
Maybe the staff at the arcade, aren't the owners of the place, so they don't personally care that much. They'd rather be friends with everyone, than to be the "angry police"? (And I'm guessing the tampering players were nice people to have around)

And the technicians "improving" the machines -- maybe they had a good time too, I'm wondering. @TowerTall and friends made their job more interesting / fun?

an_ko 21 hours ago
If you kick someone out, you lose them as a customer, and they'll tell all their friends about the free play trick out of spite, so you'll have to patch the machine anyway.
jacobgkau 21 hours ago
You're making me wonder what the stats are for how many people try to abuse arcade machines in a country like Japan versus the United States. (Not that people in any country are gonna be entirely honest, but the entitlement to break the system and the comfort to brag about it seems cultural.)

In fact, that could be why some of the machines weren't better protected against that stuff in the first place, right?

szvsw 18 hours ago
There are some great scenes in Rebels of the Neon God [1992] by Tsai Ming-Liang (Taiwanese filmmaker) where the main characters steal the main pcbs from some arcade machines and try to resell them to the arcade owner lol. Wonderful film, recommend it - some great scenes in those arcades.
throaway89 16 hours ago
I always wondered why arcade cabinets were covered in plastic. Till now I thought it was for spills or something.
giancarlostoro 23 hours ago
Reminds me of an arcade machine a friend would get behind, turn it off and back on, and it would give you a free token. Maybe it's designed that way so the employee can test it for free, not sure. But he climbed behind it, and proceeded to play for free.
IWeldMelons 23 hours ago
Those who lived in the USSR remember soda vending machines (they poured your drink in a glass cup; you were expected to wash it before using by pressing on a cup, which stood upside down on plastic plate with holes, kinda inverted shower head; very unhygienic, I know). Well, it had a button behind that let you have a free drink. You could also "upgrade" pure carbonated water (1 kopeyek) to a sweet soft drink (3 kopeyek) by pressing another button. Needless to say, schoolchildren would abuse the hell out of this "feature".
everforward 22 hours ago
> you were expected to wash it before using by pressing on a cup, which stood upside down on plastic plate with holes, kinda inverted shower head; very unhygienic, I know

Those systems are occasionally used in bars in the US, though they've dropped the whole plate and it's usually just arms where the holes are.

To my understanding, at least in the US, they aren't used for deep-cleaning anything. That happens with soap and water in the back still. The upside-down-showers are used to clean out the dregs of someone's glass when they get a refill (you give them a glass, they give it a quick rinse, refill it and hand it back), and as a quick rinse for new glasses to clean up water stains/detergent residue and anything that might have fallen in since they were cleaned (hair, dust, etc).

IWeldMelons 22 hours ago
Yes right, the key difference is that they were used to clean between uses by different customers; this is clearly insufficient; at least because a good deal of customers - drunks, children, people with mental issues - would not wash at all before use, a good vector for disease spread. Late USSR I happen to remember always had problems with hepatitis spread, which is considerably less of a problem today, due to adoption of disposable food containers/utensils.
JamesSwift 21 hours ago
It's been a long time since I worked in a bar, but in the front-of-house we used a three-sink station where the sinks were: soap, water, sanitizing-solution. Then you sit the glasses to drip-dry.

Actually here is a link explaining it: https://www.webstaurantstore.com/article/620/three-compartme...

stavros 20 hours ago
I've seen something like this in the Netherlands, although even more disgusting: They take the used glass, dunk it in a bucket that has brushes all around and in the middle and is full of soapwater, rotate the glass three times against the glass, take it out, and pour the beer in the glass.

Yes, the glass's sides are still full of the disgusting soapwater from the bucket that's now basically 95% other people's drink dregs.

heavenlyblue 15 hours ago
People in the UK very often do the whole "washing dishes in the bucket" thing which is ridiculous
baud147258 22 hours ago
I think for beer there's a reason of bringing the glass to a colder temperature, which (from what I've heard) should reduce the amount of foam (not sure that's the exact term) in the glass.
everforward 20 hours ago
Oh, are the lines refrigerated or otherwise thermally controlled? I always presumed it was regular tapwater; i.e. probably slightly below room temp, but not much.

Mileage obviously varies, but the "beer nerd/snob" bars I've been to simply don't re-use glasses without a full wash. They'd rather just charge a little more to hire more dishwashers and be able to absolutely guarantee that there's no leftover beer/water in your glass when they refill it, and that the glass is refrigerated if that's something they want.

I've always heard the head/foam had more to do with how you pour the beer (more impact/movement = more foam), but it makes sense that temperature affects it as well. There's some kind of official course on how to pour Guinness to get the correct head on it. I don't remember the whole thing, but it was something about holding the glass the correct distance from the tap and tilting it so that the beer "slides" down the side of the glass rather than a direct perpendicular impact with the beer already in the glass (which makes more foam).

mschuster91 2 hours ago
For Weizen beer, you always give the glass a quick rinse beforehand to get rid of detergent remains, so you can actually get a foam "crown" - if there is even the tiniest amount of detergent present, the foam collapses.
jcrash 22 hours ago
> pressing on a cup, which stood upside down on plastic plate with holes, kinda inverted shower head

I think they still use these in bars

https://barsupplies.com/collections/glass-washers

everforward 22 hours ago
I believe some of those early arcade games were more electrical engineering than software engineering, so perhaps it was easier to set it up that way?

To my understanding some of those early arcade games also had jumpers to control some of the behavior. It could be that a tech set the "free credit on reboot" jumper and forgot to reset it when they were done.

astrostl 22 hours ago
This also worked in the USA. By the 1990s most arcades operated on proprietary tokens rather than coin currency. Many had skill-gambling machines that had sliding rows covered in tokens, that you would try to dislodge with your own tokens and keep what was displaced.

The "Jungle Jive" version of this would dispense tokens out the opposite side of the machine if the electric ignition of a cigarette lighter was used to lightly shock the metal intake slot. If you clicked it too much too quickly it would go into an alert mode. While this could be accomplished solo, the ideal MVP setup was a team of three: one scout to watch for employees, one to click, and one to collect.

chasd00 1 day ago
This brings back a vague memory of smacking the side of a pinball machine just right and getting a free game. I bet it was the same concept.
intothemild 23 hours ago
I imagine (with zero research) that the mechanism for adding credit would be the coin goes through a slot, and either itself completed a circuit, or the coin as it travels moves some lever to complete a circuit. So I imagine if you hit the machine just right, you'd also move that lever.
candlemas 23 hours ago
Just like The Fonz.
DonHopkins 21 hours ago
Henry Winkler is actually just as cool as the character he played!
Slava_Propanei 17 hours ago
[dead]
devmor 23 hours ago
You were likely causing the spring-loaded mechanism that detects a coin insertion to make physical contact.
wgrover 23 hours ago
Yup - the first few minutes of one of Technology Connections' videos on electromechanical pinball machines shows this mechanism in action:

https://www.youtube.com/watch?v=E3p_Cv32tEo

j0hnyl 18 hours ago
I remember reading about this in this book, about the hacker named Pengo who was known for adding credits to arcade games in the same manner.

https://www.amazon.com/CYBERPUNK-Outlaws-Hackers-Computer-Fr...

luismedel 23 hours ago
This trick worked in Telefonica's phone booths in Spain in the 90s too :-)
zxexz 21 hours ago
I remember when Verizon phone booths in the US started accepting the credit cards, for a while they would accept any 16-digit number with a valid IIN that passed the Luhn check.
Scoundreller 17 hours ago
Toronto’s parking meter boxes were like this. They just had GPRS so they’d do an overnight dump (possibly a part of their data deal with the telecom back when data was actually saturated during the day).

So people were using cancelled or empty prepaid visa/mastercards.

Initially they’d just push out blacklists.

Once they really caught on, they did a firmware upgrade to do online verification and it took fooooreeeeveeeeerrrrr to do a credit card purchase.

chrisweekly 22 hours ago
I vaguely remember (sometime in the 80s) sticking a straightened paperclip into a small hole on the face of a payphone to avoid having to drop a dime / quarters, and being able to call anywhere.
8ig8 21 hours ago
If I recall, you’d stick the straightened paperclip into one of the holes on the mouthpiece and touch the other end of the paperclip to some metal part on main phone body.

War Games used a pull tab from an aluminum can to a similar effect?

(It’s been a while.)

beeflet 18 hours ago
how did you stumble across this one?
beAbU 7 hours ago
Children in a large group that's unsupervised is about as close to infinite monkeys on infinite typewriters as you can get. If you present them with a challenge that has some tangible reward at the other end (free games), you are guaranteed a solution at some point.

The universe's RNG just happened to roll favourably in Sydney in the 90s and the rest is history.

brainbag 2 hours ago
Reminds me of the story of the kids in an Ethiopian village that were given tablets by One Laptop Per Child. The kids had figured out how to turn it on within minutes, in five days they were using 47 apps per child, in two weeks they were singing the English alphabet, and then within five months they had hacked Android. https://www.theregister.com/2012/11/01/kids_learn_hacking_an...
roymurdock 20 hours ago
super cool
King-Aaron 13 hours ago
Reading this as an Australian, it interprets differently. Yes, depending on your negotiation skills you can get a root with only a cigarette lighter.
thomasfromcdnjs 8 hours ago
Thanks for the laugh - Fellow aussie
worthless-trash 8 hours ago
Oh, look at mr(s) attractive here..
mmsc 21 hours ago
Not only is it a fun exploit, this is also a cool mini-introduction to how caching works for CPUs.

I remember a year ago or so there was a submission here which detailed how computers work and are built starting at the tiniest part: starting with logic gates, IIRC. Anybody remember what that website was?

pvitz 20 hours ago
Do you mean nand2tetris? https://www.nand2tetris.org/course
mmsc 19 hours ago
Hmm, no but similar. This was about full-scale personal computers.
drclegg 1 hour ago
The one by Ben Eater?
londons_explore 3 hours ago
If you wanted to defend a system from this, a big chunk of defence would be to choose a system with ECC, and then to halt() the whole system when an ECC error occurs.

Since the attacker is very unlikely to flip the exact right bits to make ECC match, their exploit is very likely to be detected before it succeeds. halt() is necessary so the attacker cannot have more tries at it.

Obviously you have the downside that real memory errors cause the system to crash.
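
The ECC behaviour debated in this thread (one flip corrected, two detected, three or more able to slip through) and the halt-on-any-ECC-error policy proposed in the comment above, as an added example that is not part of any comment or of the linked article. It uses a textbook extended Hamming (72,64) SECDED code; the bit layout, function names and sample word are assumptions, and real memory controllers use their own code matrices.

```python
# Added illustration: textbook extended Hamming (72,64) SECDED.
# Position 0 holds overall parity, positions 1,2,4,...,64 hold Hamming
# parity, and the remaining 64 positions hold data. This layout is an
# assumption for clarity, not any vendor's actual ECC matrix.

N = 72
PARITY_POS = [1, 2, 4, 8, 16, 32, 64]
DATA_POS = [p for p in range(1, N) if p not in PARITY_POS]  # 64 positions
SAMPLE = 0xFFFF_8000_0012_3000  # constructed 64-bit word (pointer-like)


def syndrome(cw: int) -> int:
    """XOR of the positions (1..71) of all set bits; 0 for a valid codeword."""
    s = 0
    for p in range(1, N):
        if (cw >> p) & 1:
            s ^= p
    return s


def parity(cw: int) -> int:
    """1 if the codeword has an odd number of set bits, else 0."""
    return bin(cw).count("1") & 1


def encode(data: int) -> int:
    """Spread 64 data bits over DATA_POS and fill in the 8 check bits."""
    cw = 0
    for i, p in enumerate(DATA_POS):
        cw |= ((data >> i) & 1) << p
    s = syndrome(cw)
    for p in PARITY_POS:          # setting bit p toggles the syndrome by p
        if s & p:
            cw |= 1 << p
    return cw | parity(cw)        # bit 0 makes the overall parity even


def extract(cw: int) -> int:
    """Pull the 64 data bits back out of a codeword."""
    data = 0
    for i, p in enumerate(DATA_POS):
        data |= ((cw >> p) & 1) << i
    return data


def decode(cw: int):
    """Return (status, data) with status in {'ok', 'corrected', 'detected'}."""
    s, odd = syndrome(cw), parity(cw)
    if s == 0 and not odd:
        return "ok", extract(cw)
    if odd:                       # odd flip count: decoder assumes ONE flip
        if s >= N:
            return "detected", None   # syndrome points outside the word
        return "corrected", extract(cw ^ (1 << s))  # s == 0 means bit 0
    return "detected", None       # even flip count, non-zero syndrome


def read(data: int, flips, halt_on_any_error: bool = False) -> str:
    """Store `data`, flip the given codeword positions, then read it back.

    halt_on_any_error models the policy of stopping the machine on every
    ECC event, including ones the decoder believes it corrected.
    """
    cw = encode(data)
    for p in flips:
        cw ^= 1 << p
    status, out = decode(cw)
    if status == "detected" or (halt_on_any_error and status != "ok"):
        return "halt"
    return "good data" if out == data else "SILENT CORRUPTION"


if __name__ == "__main__":
    cases = [[], [21], [3, 5], [3, 5, 6], [3, 5, 9], [0, 3, 5, 6]]
    for flips in cases:
        print(f"{str(flips):15} correct-and-continue: {read(SAMPLE, flips):18}"
              f" halt-on-any: {read(SAMPLE, flips, True)}")
```

With correct-and-continue, the three-flip cases are taken for a single-bit error and "corrected" into wrong data; halting on every ECC event stops those, and only a flip pattern that lands exactly on another valid codeword (the four-flip case here) gets through.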

londons_explore 3 hours ago
Would things like AMD's "Secure encrypted virtualization" protect against this? Is the data XORed with a key (therefore letting bitflips propagate) or is the data actually encrypted (meaning a bitflip in the input leads to a totally different address)?
roymurdock 1 day ago
"It's just one resistor (15 ohms) and one wire, soldered to DQ26. The wire acts like an antenna, picking up any nearby EM interference and dumping it straight onto the data bus."

really neat hack. using the lighter to create EM interference. better go light up next to my DDR bus and see what happens :)

sizzle 14 hours ago
This is the kind of content I come to HN for, thanks OP. Really mind blowing how talented some folks are.

How long would it take someone to acquire these skills?

Pikamander2 23 hours ago
When I saw the title, I was expecting this to be about hacking a modern car with one of those USB-C cigarette lighter devices.
ano-ther 1 day ago
Sure, if you solder an antenna to your memory first :-)

But good and thorough write-up about how to actually exploit such a glitch.

And you could also use the cigarette lighter for hanging out at the data center back door and wait until the admin comes for a smoke.

Retr0id 1 day ago
> This should theoretically work with bit-flips in any bit position between 29 [...] and 12 [...] Therefore, soldering the antenna wire perhaps isn't totally necessary, if you can generate strong enough electromagnetic interference
abound 21 hours ago
Mentioned elsewhere in this thread, but you need not only "strong" but "highly directed" electromagnetic interference. Each of those pins is ~0.5mm, flipping a single bit "wirelessly" is probably impossible, as your interference will cause issues in many more places than just your target.

Maybe that unlocks different and exciting hacks, maybe it just melts your machine.

hardburn 1 day ago
Down in the "practical use" section, one use case is bypassing copy protection on consoles.
QuiDortDine 1 day ago
You know when your employee quits how you have to block all their accounts? Now imagine they have access to the server room!
hinkley 18 hours ago
I find the idea of being escorted out of the building after giving notice a bit insulting. I’ve been interviewing for weeks, I’ve probably been holding this piece of paper since last night when I printed it out at home.

I’ve had plenty of time to fuck with things before I told you I was leaving. You’re just screwing over my coworkers by taking access to me away with zero notice.

pantulis 1 day ago
And that's why server rooms should have proper physical security.
appendix-rock 1 day ago
And why “they’ve got physical access, so all bets are off” isn’t an excuse to stop trying
yjftsjthsd-h 22 hours ago
I don't follow; isn't this proof that physical access does trump everything else?
amelius 1 day ago
And be wrapped in tinfoil.
0xdeadbeefbabe 22 hours ago
This kind of work can't be done under pressure at least not a PoC.
_ache_ 18 hours ago
I followed him on mastodon, the article is cool too. On Mastodon, there is a video of the root access where one can see the screen.

https://mastodon.xyz/@retr0id@retr0.id/113252910481164528

rcakebread 18 hours ago
Just burned my sysadmin with a lighter. The root password is "OWWhAThtefuck".
treflop 19 hours ago
I thought OP was going to do this without soldering anything.

But I feel like soldering something is no different than just like splicing a telephone cable in half and putting your own headset in the middle…

Except instead of putting a headset, you crudely use a lighter…

drilbo 10 hours ago
I'm looking forward to your write up on getting root with a headset
echoangle 17 hours ago
Can someone explain why the EMI would cause a Bitflip and not always a high read? Why would a pulse invert the signal that’s read? Don’t the voltages effectively get added?
james_a_craig 5 hours ago
Sign matters as well as magnitude. The pulse created will have both a positive and negative part - waveform sort of like --^v-- and so you can get either direction bit flip. It's not equivalent to connecting a battery to the pin; EMI's more like AC in that it goes both directions.
amenghra 17 hours ago
It depends on how the analog signal is encoded. In some protocols, a 1 is encoded as high-then-low and 0 is encoded as low-then-high.
echoangle 16 hours ago
Ah good point, I was assuming simple TTL where signal level is the bit that’s transferred, RAM is probably using something more complex
missinglugnut 17 hours ago
You need to think of EMI as having a magnitude and a direction. Half the time you are adding a negative voltage.
echoangle 16 hours ago
Since he’s using a Piezo lighter, shouldn’t it be just a single DC pulse like discharging a capacitor?
james_a_craig 5 hours ago
Even your example of discharging a capacitor can end up with a pulse both directions, caused by the inductance of the wires.

In this specific situation, there's no common reference level, and so the induced pulse will go both directions. You can think of this as being about the edges of the pulse being the parts that actually cause radio to be transmitted, and there's both a positive-going edge and a negative-going edge on a pulse.

missinglugnut 16 hours ago
I was confused on the lighter type so I deleted that part of my response. I think you're correct but I can't say for sure.
otteromkram 1 hour ago
Cranky comment: Putting your code comments in line with the code is less readable than putting the comment on the preceding line. Most people get what you're going to talk about from the context.
metadat 14 hours ago
What is the purpose of the "_" in "0x100_0000"? AFAICT, it doesn't change anything.

  >>> 0x100_0000
  16777216
  >>> 0x100_0001
  16777217
  >>> 0x1000001
  16777217
  >>> 0x100000_1
  16777217
grotorea 14 hours ago
Compare for readability: 0x0100000100001000 vs 0x0100_0001_0000_1000
a57721 14 hours ago
It visually separates digits in numeric literals.
CartwheelLinux 1 day ago
>I only want glitches to happen on-demand, not all the time.

>My injected ELF also flushes the page cache

The difference between a padawan and a jedi

Amazing write up and bonus points for the reproducibility of this creativity.

KolmogorovComp 23 hours ago
Just wanted to say it was an amazing write-up.
sfc32 18 hours ago
I read it as "Can you get A root with only a cigarette lighter?"
oluckyman 16 hours ago
Depends how desperate for a smoke the other person is.
antaviana 19 hours ago
I thought this was about getting the root password by burning the sysadmin with a cigarette lighter (https://xkcd.com/538/)
_trampeltier 21 hours ago
mensetmanusman 23 hours ago
Next, a balloon and carpet!
sim7c00 19 hours ago
socks! and kicking device thru the room!
pantalaimon 18 hours ago
Three men on a boat.

With four cigarettes, but no lighter.

How are they going to smoke?

i4k 18 hours ago
they throw 1 cigarette overboard :-)
hinkley 18 hours ago
That’s worse than the elephant joke.
lihaciudaniel 5 hours ago
I wish i could root my redmi note 8 pro like this
sim7c00 19 hours ago
fun read. wonder if someone can do it with one of those lemon batteries, u know.. when life gives u lemons... get root!
tinix 16 hours ago
reminds me of using a modified milty zerostat to use the spark gap to induce emp for glitching.
mimentum 1 day ago
I read this wrong.
adrian_b 1 day ago
...

"Finally, I'd like to thank JEDEC for paywalling all of the specification documents that were relevant to conducting this research."

jojobas 1 day ago
Back in the day of analog electronic locks a piezo zap into the lock case would unlock 4 out of 5 apartment building locks, root access IRL.
einpoklum 17 hours ago
I can get root with only a spoon!

However, I'm not sure the kind of root you want unless you're into horticulture.

m3kw9 21 hours ago
I’m gonna do one with “Can You Get Root With Only my bare hands?”
sweeter 13 hours ago
This is so awesome! I just love this stuff, I hope that I can be at this level one day. Also I love how we're side-eyeing the switch 2 lmaooo that's bold considering Yuzu, Ryujinx and the 100+ YT creators Nintendo has either taken down or copyright struck this past week.
_joel 23 hours ago
Nice trick, now do it with cosmic rays!
smcl 23 hours ago
I reckon you can get a root with just a cigarette lighter if you hang around outside the right bars in Australia
Stefan-H 22 hours ago
And worst case there is always the rubber hose.
jacobgkau 21 hours ago
I think you misunderstood the Australian slang. That person was not referring to the XKCD concept. They were referring to another meaning of the word "root."
Stefan-H 20 hours ago
Ha! Thanks for the elucidation. My assumptions around the GP did include the assumption of sex, but it was more in a honeypot context rather than as an end in and of itself.
smcl 2 hours ago
Haha well you were at least thinking along the right lines! Yeah so "root" in Australian slang refers to having sex.
twelve40 22 hours ago
...or a $5 wrench
mikewarot 1 day ago
>Can You Get Root with Only a Cigarette Lighter?

No, you can't. That long lead to couple your ersatz pulse generator defeats all the engineering put into making the computer reliable and quiet in the EMI sense.

Circuit bending is fun stuff, but it's not a remote exploit.

jasongill 23 hours ago
Where in the article does he say this is a remote exploit?
_joel 23 hours ago
The old saying of "if you've got physical access, game over", is where this applies.
RIMR 18 hours ago
This guy literally got root using a cigarette lighter, and your attempt to debunk it is to suggest that physical exploits don't count?

If you only care about remote exploits, fine, but don't go scolding others for accomplishing things you can't.

mikewarot 16 hours ago
Do it without the precisely connected wire, and then you can say "only a cigarette lighter" as mentioned in the title, otherwise it's click-bait