fusho v0.0.0

fusho

Tegra X1 BootROM Exploit tuned for Nintendo Switch.

Cleanroom implementation of CVE-2018-6242 (ShofEL2 / Fusée Gelée).

Tested on OSX 10.14.6 with Chrome 77 / Node 12.

Installation and Usage

For local use:

$ npm install -g fusho
$ fusho path_to_payload

NodeJS usage:

const FUSHO = require("fusho");
const usb = require("webusb").usb;
FUSHO.doit(usb, payload_buffer);

In-browser use: see index.html, live at https://switchjs.github.io/fusho

NOTE: WebUSB is not supported over HTTP outside of localhost, so for production use make sure you are serving HTTPS.

Building Relocator Binary

make and done :)

relo.js holds shared constants and has code for generating the ARM assembly relo.S. Using the gcc-arm-none-eabi toolchain, the assembler is invoked to generate relo.o, the loader generates relo.elf and objcopy generates the final relo.bin.

The utility script util/update_payload.njs updates the hardcoded relocator stub in the main fusho.js script.

Details

Both projects released writeups giving a high level overview of the exploit. The FG exploit execution was followed closely, except for the actual exploit payload.

The FG and ShofEL2 exploits both try to populate the execution stack. The space from start of DMA buffer to end of execution stack is 0x7000 bytes. In practice the execution stack is never that large, so you can theoretically insert some of the desired payload in the gap.

Relocator and script assume the following RCM payload layout:

  0x40010000 (will be copied to DMA addr 0x40009000)
    [ stub ]
    [ padding ]
  PAYLOAD_ADDR variable controlled in relo.js
    [ PAYLOAD preamble ]
  STACK_ADDR variable controlled in relo.js
    [ APPSTACK (sprayed 0x40010000 entry point) ]
  0x40017000 (will be at 0x40010000 after memcpy)
    [ PAYLOAD postamble ]

The build script ensures the relocator is consistent with the JS code.