Tegra X1 Bug (Nintendo Switch)

a guest
Apr 23rd, 2018
And because hacking is easy; the Tegra X1 Bug.

The Tegra X1 RCM forgets to limit the wLength field of the 8-byte Setup Packet in some USB control transfers. The Standard Endpoint Request GET_STATUS (0x00) can be used to do an arbitrary memcpy from a malicious RCM command and smash the Boot ROM stack before the signature checks and after the Boot ROM sends the UID. This needs a USB connection and a way to enter RCM (the Switch needs a volume up press and a JoyCon pin shorted).

To:
ReSwitched
fail0verflow
SwitchBrew
BBB
Team Xecuter
Team SALT

Reminder: Real hackers hack in silence. You all suck.


"Game Over."


F8001BE1190CAED74BBDDAD78667877C84D1A128
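
The missing check described above, shown from the device side as an added example (not code from the paste or from the Boot ROM): a GET_STATUS handler that clamps the host-supplied wLength to the size of the real reply before copying. The struct, function names and sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 8-byte USB Setup Packet; multi-byte fields arrive little-endian. */
struct usb_setup {
    uint8_t  bmRequestType, bRequest;
    uint16_t wValue, wIndex;
    uint16_t wLength;            /* host-controlled byte count */
};

#define USB_DIR_IN         0x80u
#define USB_REQ_GET_STATUS 0x00u

static struct usb_setup parse_setup(const uint8_t raw[8])
{
    struct usb_setup s = { raw[0], raw[1],
        (uint16_t)(raw[2] | raw[3] << 8), (uint16_t)(raw[4] | raw[5] << 8),
        (uint16_t)(raw[6] | raw[7] << 8) };
    return s;
}

/* Hypothetical handler: returns bytes queued for the IN data stage, -1 = STALL. */
static int handle_get_status(const struct usb_setup *s, uint16_t status,
                             uint8_t *out, size_t out_cap)
{
    const uint8_t reply[2] = { (uint8_t)(status & 0xff), (uint8_t)(status >> 8) };
    size_t n = s->wLength;
    if (!(s->bmRequestType & USB_DIR_IN) || s->bRequest != USB_REQ_GET_STATUS)
        return -1;
    if (n > sizeof reply)        /* the check the paste says is missing */
        n = sizeof reply;
    if (n > out_cap)
        return -1;
    memcpy(out, reply, n);       /* length bounded by the reply, not the host */
    return (int)n;
}

/* Constructed input: endpoint GET_STATUS asking for 0xFFFF bytes. */
static int demo_oversized_request(void)
{
    const uint8_t raw[8] = { 0x82, 0x00, 0, 0, 0, 0, 0xFF, 0xFF };
    uint8_t buf[4] = { 0xAA, 0xAA, 0xAA, 0xAA };   /* 0xAA bytes act as a canary */
    struct usb_setup s = parse_setup(raw);
    int n = handle_get_status(&s, 0x0000, buf, sizeof buf);
    return (buf[2] == 0xAA && buf[3] == 0xAA) ? n : -2;
}

int main(void) { return demo_oversized_request() == 2 ? 0 : 1; }
```

A request for fewer bytes than the reply holds is honoured as-is; a request for more is truncated to the two status bytes, so the copy length never depends on the host.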