Answers to some of the questions at the end, from future me:
- It also works on LPDDR5, LPDDR4
- Yes, it works on ARM platforms (at least, the ones I tried).
- The simplest way to trigger similar faults electronically is via a high-speed mux IC, as described in https://stefan-gloor.ch/ddr5 (chipshouter also works, but is less elegant imho!)
- Yes, you can get webkit addrof/fakeobj primitives like this, although I didn't write an end-to-end exploit.
- You can pwn nintendo switch kernel with an adjusted exploit strategy, but the same adjusted strategy does not work on Switch 2, due to memory encryption (one bitflip corrupts a whole cache line). But other strategies may be possible? (notably, it is possible to block a whole write operation from happening at all - see also https://rdist.root.org/2010/01/27/how-the-ps3-hypervisor-was... )
I also spent a long time trying to do the glitching with a mosfet, but never got it to work. I couldn't get enough drive strength to actually glitch anything, without messing with the delicate capacitance+impedance tolerances of the bus.
pfff, root, back in my day we hacked a vending machine with a lighter and got free coke.
No idea who discovered it, but the machine back at my school had an infrared interface for servicing, and you could trigger an interrupt with the flash of the flintstone of a lighter. Because it's just some 90s microcontroller, it would simply reset after failing to receive a valid command and forget what it was doing previously.
All you had to do was order a coke, and right when it drops out, before it subtracts the amount, you flash the lighter in front of the IR port like a magician, say the magic words and bam - free coke!
Be it eletric or thermal, i came here for fried hardware and left disappointed. Now i have to wrangle my curiosity to what happens when you lighter-spark a usb port for the rest of the day.
I had an australian colleague who found it endlessly funny that we pronounced "router" as "rooter" instead of their "rowter". statements like "If that happens the system will root the packets via the rooter first" was met with much giggling
- It also works on LPDDR5, LPDDR4
- Yes, it works on ARM platforms (at least, the ones I tried).
- The simplest way to trigger similar faults electronically is via a high-speed mux IC, as described in https://stefan-gloor.ch/ddr5 (chipshouter also works, but is less elegant imho!)
- Yes, you can get webkit addrof/fakeobj primitives like this, although I didn't write an end-to-end exploit.
- You can pwn nintendo switch kernel with an adjusted exploit strategy, but the same adjusted strategy does not work on Switch 2, due to memory encryption (one bitflip corrupts a whole cache line). But other strategies may be possible? (notably, it is possible to block a whole write operation from happening at all - see also https://rdist.root.org/2010/01/27/how-the-ps3-hypervisor-was... )
No idea who discovered it, but the machine back at my school had an infrared interface for servicing, and you could trigger an interrupt with the flash of the flintstone of a lighter. Because it's just some 90s microcontroller, it would simply reset after failing to receive a valid command and forget what it was doing previously.
All you had to do was order a coke, and right when it drops out, before it subtracts the amount, you flash the lighter in front of the IR port like a magician, say the magic words and bam - free coke!
Edit: Nailed it!
It's not like you can randomly spike stuff and achieve an exploit
Just hold the sysadmins hand over the lighter until they tell you the password.
Never forget the easy way in ... the humans.
https://xkcd.com/538/