Skip to content
work-in-progress launcher for one of the Tegra X1 bootROM exploits
Branch: master
Clone or download
1
Latest commit 265e8f3 Jul 14, 2018
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
report Remove trailing whitespace Apr 25, 2018
.editorconfig
LICENSE Relicense under the terms of the GPLv2 May 17, 2018
Makefile
README.md update readme Jul 14, 2018
fusee-launcher.py
intermezzo.S
intermezzo.bin Minor documentation changes atop trisz404's PR. May 7, 2018
intermezzo.lds accelerate the timeline a little ( ͡° ͜ʖ ͡°) Apr 23, 2018
libusbK.py
modchipd.sh accelerate the timeline a little ( ͡° ͜ʖ ͡°) Apr 23, 2018
requirements.txt

README.md

Fusée Gelée

                                      *     .--.
                                           / /  `
                          +               | |
                                 '         \ \__,
                             *          +   '--'  *
                                 +   /\
                    +              .'  '.   *
                           *      /======\      +
                                 ;:.  _   ;
                                 |:. (_)  |
                                 |:.  _   |
                       +         |:. (_)  |          *
                                 ;:.      ;
                               .' \:.    / `.
                              / .-'':._.'`-. \
                              |/    /||\    \|
                            _..--"""````"""--.._
                      _.-'``                    ``'-._
                __             __                   _   __
               / _|           /_/                  | | /_/
              | |_ _   _ ___  ___  ___    __ _  ___| | ___  ___
              |  _| | | / __|/ _ \/ _ \  / _` |/ _ \ |/ _ \/ _ \
              | | | |_| \__ \  __/  __/ | (_| |  __/ |  __/  __/
              |_|  \__,_|___/\___|\___|  \__, |\___|_|\___|\___|
                                          __/ |
                                          |___/

Fusée Launcher

The Fusée Launcher is a proof-of-concept arbitrary code loader for a variety of Tegra processors, which takes advantage of CVE-2018-6242 ("Fusée Gelée") to gain arbitrary code execution and load small payloads over USB.

The vulnerability is documented in the 'report' subfolder; more details and guides are to follow! Stay tuned...

Use Instructions

The main launcher is "fusee-launcher.py". Windows, Linux, macOS and FreeBSD are all natively supported! Instructions for Windows specifically can be found on the wiki.

With a Tegra device in RCM and connected via USB, invoke the launcher with the desired payload as an argument, e.g. ./fusee-launcher.py payload.bin. Linux systems currently require either that the Tegra device be connected to an XHCI controller (used with blue USB 3 ports) or that the user has patched their EHCI driver.

Credits            

Fusée Gelée (CVE-2018-6242) was discovered and implemented by Kate Temkin (@ktemkin); its launcher is developed and maintained by Mikaela Szekely (@Qyriad) and Kate Temkin (@ktemkin).

Credit goes to:

  • Qyriad -- maintainership and expansion of the code
  • SciresM, motezazer -- guidance and support
  • hedgeberg, andeor -- dumping the Jetson bootROM
  • TuxSH -- help with a first pass of bootROM RE
  • the ReSwitched team

Love / greetings to:

  • Levi / lasersquid
  • Aurora Wright
  • f916253
  • MassExplosion213

CVE-2018-6242 was also independently discovered by fail0verflow member shuffle2 as the "shofEL2" vulnerability-- so that's awesome, too.

You can’t perform that action at this time.