Can you get root with only a cigarette lighter? (2024)

6 comments

• Retr0id 1 hour ago
  Answers to some of the questions at the end, from future me:

  - It also works on LPDDR5, LPDDR4

  - Yes, it works on ARM platforms (at least, the ones I tried).

  - The simplest way to trigger similar faults electronically is via a high-speed mux IC, as described in https://stefan-gloor.ch/ddr5 (chipshouter also works, but is less elegant imho!)

  - Yes, you can get webkit addrof/fakeobj primitives like this, although I didn't write an end-to-end exploit.

  - You can pwn nintendo switch kernel with an adjusted exploit strategy, but the same adjusted strategy does not work on Switch 2, due to memory encryption (one bitflip corrupts a whole cache line). But other strategies may be possible? (notably, it is possible to block a whole write operation from happening at all - see also https://rdist.root.org/2010/01/27/how-the-ps3-hypervisor-was... )

  [-]
  • Retr0id 1 hour ago
    I also spent a long time trying to do the glitching with a mosfet, but never got it to work. I couldn't get enough drive strength to actually glitch anything, without messing with the delicate capacitance+impedance tolerances of the bus.
• b00ty4breakfast 5 hours ago
  my prediction before reading is that they're using the piezo sparker to beat the DUT over the head with a big EMF spike

  Edit: Nailed it!

  [-]
  • grufkork 5 hours ago
    I thought they were going to just heat a chip to increase the overall error rate
    [-]
    • throwawayqqq11 4 hours ago
      Be it eletric or thermal, i came here for fried hardware and left disappointed. Now i have to wrangle my curiosity to what happens when you lighter-spark a usb port for the rest of the day.
  • 4gotunameagain 1 hour ago
    Yeah but the devil is in the details ;)

    It's not like you can randomly spike stuff and achieve an exploit
• ted_dunning 5 hours ago
  Uh... yeah.

  Just hold the sysadmins hand over the lighter until they tell you the password.

  Never forget the easy way in ... the humans.

  [-]
  • quietbritishjim 3 hours ago
    Like the classic xkcd on security

    https://xkcd.com/538/
  • debugnik 2 hours ago
    Good luck hacking a Switch using that method and getting away with it.
• rkagerer 6 hours ago
  > Finally, I'd like to thank JEDEC for paywalling all of the specification documents that were relevant to conducting this research.
• slj 5 hours ago
  Yes. We do this in Australia, around the bars and pubs getting a root with only a cigarette lighter is a classic move.
  [-]
  • karmakurtisaani 4 hours ago
    I feel like getting root privileges means something else in Australia.
    [-]
    • defrost 4 hours ago
      Still only a third of the full wombat trifecta.
  • CTOSian 4 hours ago
    also free arcade credits :}
• haunter 5 hours ago
  Yeah but can you light a cigarette with only a laptop? Checkmate atheists! /s
  [-]
  • mirekrusin 5 hours ago
    If it's intel, you can fry an egg for sure.
    [-]
    • LoganDark 3 hours ago
      The ol' Black MacBook Cooktop...
      [-]
      • hi-im-buggy 2 hours ago
        In combination with a weighing scale (https://github.com/KrishKrosh/TrackWeight), you have everything you could ask for in a portable food processor.