Tegra X1 Bug (Nintendo Switch)
a guest Apr 23rd, 2018 25,066 Never
- And because hacking is easy; the Tegra X1 Bug.
- Tegra X1 RCM forgets to limit wLength field of 8 byte long Setup Packet in some USB control transfers. Standard Endpoint Request GET_STATUS (0x00) can be used to do arbitrary memcpy from malicious RCM command and smash the Boot ROM stack before signature checks and after Boot ROM sends UID. Need USB connection and way to enter RCM (Switch needs volume up press and JoyCon pin shorted).
- Team Xecuter
- Team SALT
- Reminder: Real hackers hack in silence. You all suck.
- "Game Over."
RAW Paste Data