daily pastebin goal
82%
SHARE
TWEET

Tegra X1 Bug (Nintendo Switch)

a guest Apr 23rd, 2018 23,024 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. And because hacking is easy; the Tegra X1 Bug.
  2.  
  3. Tegra X1 RCM forgets to limit wLength field of 8 byte long Setup Packet in some USB control transfers. Standard Endpoint Request GET_STATUS (0x00) can be used to do arbitrary memcpy from malicious RCM command and smash the Boot ROM stack before signature checks and after Boot ROM sends UID. Need USB connection and way to enter RCM (Switch needs volume up press and JoyCon pin shorted).
  4.  
  5. To:
  6. ReSwitched
  7. fail0verflow
  8. SwitchBrew
  9. BBB
  10. Team Xecuter
  11. Team SALT
  12.  
  13. Reminder: Real hackers hack in silence. You all suck.
  14.  
  15.  
  16. "Game Over."
  17.  
  18.  
  19. F8001BE1190CAED74BBDDAD78667877C84D1A128
RAW Paste Data
Top