• ballenf 9 hours ago

    The inspiration here was getting root on the Switch 2. Getting root in Linux was the POC. The goal was not demonstrating some fundamental security vulnerability that's practically exploitable, but instead for reclaiming actual ownership of one's own hardware without breaking TPM or game ring 0 anti-cheat.

    • vessenes 9 hours ago

      I like this. Upshot - electrostatic bit flip on memory read or write, which with solder can deterministically get a 'safe' pointer mutated into your own evil pointer.

      Generally the historical perspective on physical access was: "once they have it, game over." TPM and trusted execution environments have shifted this security perspective to "we can trust certain operations inside the enclave even if the user has physical access."

      His next steps are most interesting to me -- can you get something (semi-) reliable without soldering stuff? My guess is it's going to be a lot harder. Lots of thought already goes into dealing with electrical interference. On the other hand, maybe? if you flip one random bit of a 64 bit read every time you click your lighter, and your exploit can work with one of say 4 bit flips, then you don't need that many tries on average. At any rate, round 2 of experimentation should be interesting.

      • onionisafruit 8 hours ago

        > if you flip one random bit of a 64 bit read every time you click your lighter

        Without the antenna it would be hard to limit it to a single bit getting flipped. At least that’s what I suspect.

        • Retr0id 8 hours ago

          On the flip-side (heh) flipping multiple bits at once should make it possible to bypass ECC

          • Lance_ET_Compte 5 hours ago

            You'd likely take an exception for a multi-bit error and the handler would likely just retry the read. Single-bit errors are often just corrected on the fly by ECC logic as you mention.

            • echoangle an hour ago

              If you can induce enough correct errors (yes, that is contradictory), the ECC won’t be able to detect the error because the modified data is correct again. The ECC schemes I’ve seen used can correct 1 bit and detect 2-bit errors, so 3 flips at the right position would be enough to get new data that would be valid again.

          • vessenes 8 hours ago

            we need a tinfoil waveguide clearly

        • i4k 7 hours ago

          This was very well written and an amazing challenge but my brain is wired to that "hacking common sense" that if you have physical access then it's already over... the first thing that came to my mind was that, if you have physical access, then you can reflash the BIOS, install a driver backdoor, you can boot a live OS and then it's just a matter of tampering /etc/{passwd,shadow,groups, etc} ...

          but I remembered that most of the physical access hacks would not be possible if the disk is encrypted.. which then makes this kind of hack enormously attractive.

          The antenna idea can be extended to be a piece of hardware with the interference device built-in (piezo or whatever) which communicates with the external world with any wireless medium and then the attacker can trigger the interference remotely. This, plus a website controlled by the hacker which the victim is scammed to visit can be enough to make it viable.

          • 333c 7 hours ago

            The motivation in the introduction is rooting/jailbreaking a handheld game console. I think this is a perfectly plausible situation where you have physical access but still want to obtain "unauthorized" access.

            • ruslan an hour ago

              AFAIC, reflashing BIOS won't give you anything, you need to sign it first with proper private key which is checked by the CPU hardware before execution begins. This EMI trick fools CPU itself and I cannot see how it can be fixed, unless new paging algorithm is invented.

              • themoonisachees 13 minutes ago

                This specifically is trivially defeated by ECC, though it wouldn't be that much harder to instead flip 3 bits and ECC would be unable to help. ECC has very poor penetration outside the server world though, so we're still safe. For now.
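The two comments above (echoangle's "3 flips at the right position" and "ECC would be unable to help") describe the standard single-error-correct, double-error-detect (SECDED) behaviour. The following is an added illustration, not code from the post or from either commenter: a toy 8-bit extended Hamming code (4 data bits, 3 Hamming parity bits, 1 overall parity bit). Real DRAM ECC uses wider words (for example 64 data bits with 8 check bits), but the decoder logic is the same, and so is the failure mode: one flip is corrected, two are flagged, three are silently "corrected" into a different valid word, and four in the right positions are not noticed at all. The word value and flip positions below are constructed for the demo.

```python
"""Added illustration (not from the post or the commenters): a toy SECDED code.

Codeword layout: index 0 = overall parity, indices 1..7 = Hamming(7,4) with
parity bits at positions 1, 2, 4 and data bits at positions 3, 5, 6, 7.
"""
from __future__ import annotations

from itertools import combinations

PARITY_POS = (1, 2, 4)
DATA_POS = (3, 5, 6, 7)


def encode(nibble: int) -> list[int]:
    """Encode a 4-bit value into an 8-bit SECDED codeword (list of 0/1)."""
    if not 0 <= nibble < 16:
        raise ValueError("nibble must be 0..15")
    code = [0] * 8
    for k, pos in enumerate(DATA_POS):
        code[pos] = (nibble >> k) & 1
    # Hamming parity bit p covers every position whose index has bit p set.
    for p in PARITY_POS:
        code[p] = sum(code[i] for i in range(1, 8) if i & p and i != p) & 1
    code[0] = sum(code[1:]) & 1  # overall parity over the seven Hamming bits
    return code


def decode(code: list[int]) -> tuple[str, int | None]:
    """Return (status, value) with status 'ok', 'corrected' or 'uncorrectable'.

    The decoder cannot know how many bits really flipped; it only sees the
    syndrome and the overall parity and applies the cheapest explanation.
    """
    syndrome = 0
    for p in PARITY_POS:
        if sum(code[i] for i in range(1, 8) if i & p) & 1:
            syndrome |= p
    overall = sum(code) & 1
    fixed = list(code)
    if syndrome == 0 and overall == 0:
        status = "ok"                    # looks like a valid codeword
    elif overall == 1:
        fixed[syndrome] ^= 1             # odd parity: assume exactly one flip
        status = "corrected"             # (syndrome 0 -> the parity bit itself)
    else:
        return "uncorrectable", None     # even parity, bad syndrome: two flips
    value = sum(fixed[pos] << k for k, pos in enumerate(DATA_POS))
    return status, value


def flip(code: list[int], positions) -> list[int]:
    """Return a copy of the codeword with the given bit positions inverted."""
    out = list(code)
    for pos in positions:
        out[pos] ^= 1
    return out


def count_silent_corruptions(nibble: int, flips: int) -> int:
    """Count k-bit flip patterns the decoder accepts yet returns WRONG data for."""
    code = encode(nibble)
    silent = 0
    for positions in combinations(range(8), flips):
        status, value = decode(flip(code, positions))
        if status != "uncorrectable" and value != nibble:
            silent += 1
    return silent


if __name__ == "__main__":
    word = 0b1011                                   # constructed sample value
    cw = encode(word)
    print("clean        ", decode(cw))                  # ('ok', 11)
    print("1 flip       ", decode(flip(cw, [5])))       # ('corrected', 11)
    print("2 flips      ", decode(flip(cw, [5, 6])))    # ('uncorrectable', None)
    print("3 flips 3,5,6", decode(flip(cw, [3, 5, 6])))  # ('corrected', 12): wrong data
    print("4 flips      ", decode(flip(cw, [0, 3, 5, 6])))  # ('ok', 12): undetected
    for k in (1, 2, 3, 4):
        print(f"{k}-bit patterns accepted with wrong data:",
              count_silent_corruptions(word, k))   # 0, 0, 56, 14
```

The last loop is the defender's takeaway: every one of the 56 three-bit patterns passes as "corrected" with wrong data, and 14 of the 70 four-bit patterns pass as "ok". ECC is designed for independent random faults, where multi-bit errors in one word are rare; it is not a defence against an error source that can touch several lines of the same word at once, which is why monitoring for a rising rate of corrected errors matters more than trusting the correction itself.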

              • johnisgood 7 hours ago

                > I remembered that most of the physical access hacks would not be possible if the disk is encrypted..

                Only if you have not booted into your system through using a keyfile or a passphrase to decrypt the data, i.e. if your PC is shut down. I have full disk encryption, and when I boot into my system, it uses the keyfile with which it would perform the decryption, and boom, I have my PC ready to be accessed physically.

              • zephyreon 9 hours ago

                My immediate thought was that this was a post about how someone got root access to a cigarette lighter and I was totally ready to believe it.

                My parents' oven gets regular software updates so I didn’t even question whether the cigarette lighter was “smart.”

                • onionisafruit 8 hours ago

                  From the title I half expected an incendiary version of rubber hose cryptography.

                  • sim7c00 3 hours ago

                    ooh i want a smart lighter, so i can use my phone in one hand to light the lighter in the other hand :O

                    • medstrom an hour ago

                      Sell pyromaniacs this product, find the lighter two months later in a burned-out building, use it to identify which phone did it, catch perp.

                  • intothemild 9 hours ago

                    This reminds me of exploits we used to do to arcade cabinets back in Sydney in the 80s and 90s. The school gas heaters used to have what we called "clickers", piezoelectric ignition devices you could remove from the heaters.

                    You then took that clicker to your local arcade, and clicked one of the corners of the CRT, that would send a shock through the system and add credits to your game. I believe this was because the CRT was grounded on the same ground lines that the mechanism for physically checking a coin had gone through the system.

                    Suffice to say, they caught onto this over time, and added some form of an alarm into it. But up until then... Those were truly the best times.

                    • TowerTall 6 hours ago

                      We did the exact same thing in the early 80s, except that we used the clicker found in disposable lighters.

                      We did it for a couple of years until they figured it out and started to cover the arcade cabinets with transparent plastic.

                      At the same time they also drilled holes at the back of the machine for ventilation as the rest of the case now was sealed in plastic.

                      We found out that using a bamboo stick you could press the lever that registers when a coin has been paid into the slot.

                      That made them relocate the holes for the ventilation to the top of the case instead of the back so we couldn't get the lever anymore. Or so they thought. haha

                      We discovered that by pressing a coin up the return slot — the one where you get your coin back if it isn’t accepted — you could also trigger the lever for coin registration and the free gaming continued.

                      Eventually they put sharp screws into that coin return box so you would cut your fingers.

                      After that we got a SEGA. Was great fun :)

                      • throaway89 35 minutes ago

                        I always wondered why arcade cabinets were covered in plastic. Till now I thought it was for spills or something.

                        • jacobgkau 6 hours ago

                          At what point does the arcade just kick you out? I can't imagine them seeing you continuously tamper with their equipment to circumvent paying and think, "the best way to handle this is to keep modifying our machines."

                          • bityard 4 hours ago

                            Arcades were big dark noisy rooms, and quite often had only one or two people on staff who were usually either busy dealing with other customers or paid far too little to care about the owners' profit margins. They were basically there to hand out prizes to little kids for the ticket machines and make sure nobody walked out with Dig Dug on a hand cart.

                            • cutemonster 5 hours ago

                              Maybe the staff at the arcade aren't the owners of the place, so they don't personally care that much. They'd rather be friends with everyone than be the "angry police"? (And I'm guessing the tampering players were nice people to have around)

                              And the technicians "improving" the machines -- maybe they had a good time too, I'm wondering. @TowerTall and friends made their job more interesting / fun?

                              • an_ko 5 hours ago

                                If you kick someone out, you lose them as a customer, and they'll tell all their friends about the free play trick out of spite, so you'll have to patch the machine anyway.

                                • jacobgkau 5 hours ago

                                  You're making me wonder what the stats are for how many people try to abuse arcade machines in a country like Japan versus the United States. (Not that people in any country are gonna be entirely honest, but the entitlement to break the system and the comfort to brag about it seems cultural.)

                                  In fact, that could be why some of the machines weren't better protected against that stuff in the first place, right?

                                  • szvsw 2 hours ago

                                    There are some great scenes in Rebels of the Neon God [1992] by Tsai Ming-Liang (Taiwanese filmmaker) where the main characters steal the main pcbs from some arcade machines and try to resell them to the arcade owner lol. Wonderful film, recommend it - some great scenes in those arcades.

                            • giancarlostoro 8 hours ago

                              Reminds me of an arcade machine a friend would get behind, turn it off and back on, and it would give you a free token. Maybe it's designed that way so the employee can test it for free, not sure. But he climbed behind it, and proceeded to play for free.

                              • IWeldMelons 8 hours ago

                                Those who lived in the USSR remember soda vending machines (they poured your drink in a glass cup; you were expected to wash it before using by pressing on a cup, which stood upside down on plastic plate with holes, kinda inverted shower head; very unhygienic, I know). Well, it had a button behind it that let you have a free drink. You could also "upgrade" pure carbonated water (1 kopeyek) to a sweet soft drink (3 kopeyek) by pressing another button. Needless to say, schoolchildren would abuse the hell out of this "feature".

                                • everforward 7 hours ago

                                  > you were expected to wash it before using by pressing on a cup, which stood upside down on plastic plate with holes, kinda inverted shower head; very unhygienic, I know

                                  Those systems are occasionally used in bars in the US, though they've dropped the whole plate and it's usually just arms where the holes are.

                                  To my understanding, at least in the US, they aren't used for deep-cleaning anything. That happens with soap and water in the back still. The upside-down-showers are used to clean out the dregs of someone's glass when they get a refill (you give them a glass, they give it a quick rinse, refill it and hand it back), and as a quick rinse for new glasses to clean up water stains/detergent residue and anything that might have fallen in since they were cleaned (hair, dust, etc).

                                  • IWeldMelons 7 hours ago

                                    Yes, right, the key difference is that they were used to clean between uses by different customers; this is clearly insufficient, at least because a good deal of customers - drunks, children, people with mental issues - would not wash at all before use, a good vector for disease spread. The late USSR, I happen to remember, always had problems with hepatitis spread, which is considerably less of a problem today, due to the adoption of disposable food containers/utensils.

                                    • JamesSwift 5 hours ago

                                      It's been a long time since I worked in a bar, but in the front-of-house we used a three-sink station where the sinks were: soap, water, sanitizing solution. Then you sit the glasses to drip-dry.

                                      Actually here is a link explaining it: https://www.webstaurantstore.com/article/620/three-compartme...

                                      • stavros 5 hours ago

                                        I've seen something like this in the Netherlands, although even more disgusting: They take the used glass, dunk it in a bucket that has brushes all around and in the middle and is full of soapwater, rotate the glass three times against the glass, take it out, and pour the beer in the glass.

                                        Yes, the glass's sides are still full of the disgusting soapwater from the bucket that's now basically 95% other people's drink dregs.

                                      • baud147258 7 hours ago

                                        I think for beer there's a reason of bringing the glass to a colder temperature, which (from what I've heard) should reduce the amount of foam (not sure that's the exact term) in the glass.

                                        • everforward 5 hours ago

                                          Oh, are the lines refrigerated or otherwise thermally controlled? I always presumed it was regular tapwater; i.e. probably slightly below room temp, but not much.

                                          Mileage obviously varies, but the "beer nerd/snob" bars I've been to simply don't re-use glasses without a full wash. They'd rather just charge a little more to hire more dishwashers and be able to absolutely guarantee that there's no leftover beer/water in your glass when they refill it, and that the glass is refrigerated if that's something they want.

                                          I've always heard the head/foam had more to do with how you pour the beer (more impact/movement = more foam), but it makes sense that temperature affects it as well. There's some kind of official course on how to pour Guinness to get the correct head on it. I don't remember the whole thing, but it was something about holding the glass the correct distance from the tap and tilting it so that the beer "slides" down the side of the glass rather than a direct perpendicular impact with the beer already in the glass (which makes more foam).

                                      • jcrash 7 hours ago

                                        > pressing on a cup, which stood upside down on plastic plate with holes, kinda inverted shower head

                                        I think they still use these in bars

                                        https://barsupplies.com/collections/glass-washers

                                      • everforward 7 hours ago

                                        I believe some of those early arcade games were more electrical engineering than software engineering, so perhaps it was easier to set it up that way?

                                        To my understanding some of those early arcade games also had jumpers to control some of the behavior. It could be that a tech set the "free credit on reboot" jumper and forgot to reset it when they were done.

                                      • astrostl 6 hours ago

                                        This also worked in the USA. By the 1990s most arcades operated on proprietary tokens rather than coin currency. Many had skill-gambling machines that had sliding rows covered in tokens, that you would try to dislodge with your own tokens and keep what was displaced.

                                        The "Jungle Jive" version of this would dispense tokens out the opposite side of the machine if the electric ignition of a cigarette lighter was used to lightly shock the metal intake slot. If you clicked it too much too quickly it would go into an alert mode. While this could be accomplished solo, the ideal MVP setup was a team of three: one scout to watch for employees, one to click, and one to collect.

                                        • chasd00 8 hours ago

                                          This brings back a vague memory of smacking the side of a pinball machine just right and getting a free game. I bet it was the same concept.

                                          • intothemild 8 hours ago

                                            I imagine (with zero research) that the mechanism for adding credit would be the coin goes through a slot, and either itself completed a circuit, or the coin as it travels moves some lever to complete a circuit. So I imagine if you hit the machine just right, you'd also move that lever.

                                            • candlemas 8 hours ago

                                              Just like The Fonz.

                                              • DonHopkins 6 hours ago

                                                Henry Winkler is actually just as cool as the character he played!

                                              • devmor 8 hours ago

                                                You were likely causing the spring-loaded mechanism that detects a coin insertion to make physical contact.

                                            • j0hnyl 3 hours ago

                                              I remember reading about this in this book, about the hacker named Pengo who was known for adding credits to arcade games in the same manner.

                                              https://www.amazon.com/CYBERPUNK-Outlaws-Hackers-Computer-Fr...

                                              • luismedel 7 hours ago

                                                This trick worked in Telefonica's phone booths in Spain in the 90s too :-)

                                                • zxexz 6 hours ago

                                                  I remember when Verizon phone booths in the US started accepting credit cards; for a while they would accept any 16-digit number with a valid IIN that passed the Luhn check.
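The check named in the comment above is a checksum over the digits, which is exactly why it proved nothing about the account. As an added illustration (not code from the post or from the commenter), here is the Luhn algorithm together with two small probes that show what it is actually built to do: catch every single mistyped digit and all adjacent transpositions except 09/90. All sample values are constructed for the demo and are not real account numbers.

```python
"""Added illustration (not from the post or the commenters): what a Luhn check
does and does not prove.

The Luhn algorithm (the ISO/IEC 7812 check digit) is a checksum designed to
catch typing mistakes, not to prove that an account exists.  A device that
accepts any Luhn-valid number is doing error detection, not authorization.
"""
from __future__ import annotations


def luhn_valid(number: str) -> bool:
    """True if the digit string (spaces allowed) passes the Luhn checksum."""
    compact = number.replace(" ", "")
    if not compact.isdigit():
        return False
    total = 0
    # Walk from the right; double every second digit, folding 10..18 to 1..9.
    for i, ch in enumerate(reversed(compact)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def catches_all_single_digit_errors(number: str) -> bool:
    """True if every substitution of one digit by another breaks the checksum."""
    compact = number.replace(" ", "")
    for i, ch in enumerate(compact):
        for wrong in "0123456789":
            if wrong != ch and luhn_valid(compact[:i] + wrong + compact[i + 1:]):
                return False
    return True


def missed_adjacent_transpositions(number: str) -> list[int]:
    """Indices i where swapping digits i and i+1 still passes the checksum.

    Luhn's documented blind spot: swapping 0 and 9 (09 <-> 90) is not detected.
    """
    compact = number.replace(" ", "")
    missed = []
    for i in range(len(compact) - 1):
        swapped = compact[:i] + compact[i + 1] + compact[i] + compact[i + 2:]
        if swapped != compact and luhn_valid(swapped):
            missed.append(i)
    return missed


if __name__ == "__main__":
    # Constructed sample values; none of these is a real account number.
    print(luhn_valid("7992 7398 713"))          # True  (textbook Luhn example)
    print(luhn_valid("7992 7398 714"))          # False (check digit wrong)
    print(luhn_valid("0000 0000 0000 0000"))    # True: a checksum, not proof of anything
    print(catches_all_single_digit_errors("79927398713"))  # True
    print(missed_adjacent_transpositions("091"))  # [0]: "091" -> "901" still passes
```

The all-zero string passing is the whole story of the payphone anecdote: a checksum answers "was this typed correctly?", and only an online authorization (the fix the parking-meter reply below describes) answers "does this account exist and have funds?".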

                                                  • Scoundreller 2 hours ago

                                                    Toronto’s parking meter boxes were like this. They just had GPRS so they’d do an overnight dump (possibly a part of their data deal with the telecom back when data was actually saturated during the day).

                                                    So people were using cancelled or empty prepaid visa/mastercards.

                                                    Initially they’d just push out blacklists.

                                                    Once they really caught on, they did a firmware upgrade to do online verification and it took fooooreeeeveeeeerrrrr to do a credit card purchase.

                                                  • chrisweekly 7 hours ago

                                                    I vaguely remember (sometime in the 80s) sticking a straightened paperclip into a small hole on the face of a payphone to avoid having to drop a dime / quarters, and being able to call anywhere.

                                                    • 8ig8 6 hours ago

                                                      If I recall, you’d stick the straightened paperclip into one of the holes on the mouthpiece and touch the other end of the paperclip to some metal part on main phone body.

                                                      War Games used a pull tab from an aluminum can to a similar effect?

                                                      (It’s been a while.)

                                                  • beeflet 2 hours ago

                                                    how did you stumble across this one?

                                                    • roymurdock 5 hours ago

                                                      super cool

                                                    • mmsc 5 hours ago

                                                      Not only is it a fun exploit, this is also a cool mini-introduction to how caching works for CPUs.

                                                      I remember a year ago or so there was a submission here which detailed how computers work and are built starting at the tiniest part: starting with logic gates, IIRC. Anybody remember what that website was?

                                                    • echoangle an hour ago

                                                      Can someone explain why the EMI would cause a bit flip and not always a high read? Why would a pulse invert the signal that’s read? Don’t the voltages effectively get added?

                                                      • amenghra an hour ago

                                                        It depends on how the analog signal is encoded. In some protocols, a 1 is encoded as high-then-low and 0 is encoded as low-then-high.

                                                        • echoangle an hour ago

                                                          Ah good point, I was assuming simple TTL where signal level is the bit that’s transferred, RAM is probably using something more complex

                                                        • missinglugnut an hour ago

                                                          You need to think of EMI as having a magnitude and a direction. Half the time you are adding a negative voltage.

                                                          • echoangle an hour ago

                                                            Since he’s using a Piezo lighter, shouldn’t it be just a single DC pulse like discharging a capacitor?

                                                            • missinglugnut 34 minutes ago

                                                              I was confused on the lighter type so I deleted that part of my response. I think you're correct but I can't say for sure.

                                                        • _ache_ 2 hours ago

                                                          I followed him on mastodon, the article is cool too. On Mastodon, there is a video of the root access where one can see the screen.

                                                          https://mastodon.xyz/@retr0id@retr0.id/113252910481164528

                                                          • roymurdock 8 hours ago

                                                            "It's just one resistor (15 ohms) and one wire, soldered to DQ26. The wire acts like an antenna, picking up any nearby EM interference and dumping it straight onto the data bus."

                                                            really neat hack. using the lighter to create EM interference. better go light up next to my DDR bus and see what happens :)

                                                            • treflop 4 hours ago

                                                              I thought OP was going to do this without soldering anything.

                                                              But I feel like soldering something is no different than just like splicing a telephone cable in half and putting your own headset in the middle…

                                                              Except instead of putting a headset, you crudely use a lighter…

                                                              • Pikamander2 8 hours ago

                                                                When I saw the title, I was expecting this to be about hacking a modern car with one of those USB-C cigarette lighter devices.

                                                                • ano-ther 9 hours ago

                                                                  Sure, if you solder an antenna to your memory first :-)

                                                                  But good and thorough write-up about how to actually exploit such a glitch.

                                                                  And you could also use the cigarette lighter for hanging out at the data center back door and wait until the admin comes for a smoke.

                                                                  • Retr0id 9 hours ago

                                                                    > This should theoretically work with bit-flips in any bit position between 29 [...] and 12 [...] Therefore, soldering the antenna wire perhaps isn't totally necessary, if you can generate strong enough electromagnetic interference

                                                                    • abound 6 hours ago

                                                                      Mentioned elsewhere in this thread, but you need not only "strong" but "highly directed" electromagnetic interference. Each of those pins is ~0.5mm; flipping a single bit "wirelessly" is probably impossible, as your interference will cause issues in many more places than just your target.

                                                                      Maybe that unlocks different and exciting hacks, maybe it just melts your machine.

                                                                    • hardburn 9 hours ago

                                                                      Down in the "practical use" section, one use case is bypassing copy protection on consoles.

                                                                    • QuiDortDine 9 hours ago

                                                                      You know when your employee quits how you have to block all their accounts? Now imagine they have access to the server room!

                                                                      • hinkley 2 hours ago

                                                                        I find the idea of being escorted out of the building after giving notice a bit insulting. I’ve been interviewing for weeks, I’ve probably been holding this piece of paper since last night when I printed it out at home.

                                                                        I’ve had plenty of time to fuck with things before I told you I was leaving. You’re just screwing over my coworkers by taking access to me away with zero notice.

                                                                        • pantulis 9 hours ago

                                                                          And that's why server rooms should have proper physical security.

                                                                          • appendix-rock 9 hours ago

                                                                            And why “they’ve got physical access, so all bets are off” isn’t an excuse to stop trying

                                                                            • yjftsjthsd-h 7 hours ago

                                                                              I don't follow; isn't this proof that physical access does trump everything else?

                                                                            • amelius 9 hours ago

                                                                              And be wrapped in tinfoil.

                                                                            • 0xdeadbeefbabe 7 hours ago

                                                                              This kind of work can't be done under pressure, at least not a PoC.

                                                                            • sfc32 2 hours ago

                                                                              I read it as "Can you get A root with only a cigarette lighter?"

                                                                              • oluckyman 15 minutes ago

                                                                                Depends how desperate for a smoke the other person is.

                                                                              • antaviana 3 hours ago

                                                                                I thought this was about getting the root password by burning the sysadmin with a cigarette lighter (https://xkcd.com/538/)

                                                                                • tinix an hour ago

                                                                                  reminds me of using a modified milty zerostat to use the spark gap to induce emp for glitching.

                                                                                  • rcakebread 2 hours ago

                                                                                    Just burned my sysadmin with a lighter. The root passwrod is "OWWhAThtefuck'.

                                                                                    • CartwheelLinux 9 hours ago

                                                                                      >I only want glitches to happen on-demand, not all the time.

                                                                                      >My injected ELF also flushes the page cache

                                                                                      The difference between a padawan and a jedi

                                                                                      Amazing write up and bonus points for the reproducibility of this creativity.

                                                                                      • KolmogorovComp 8 hours ago

                                                                                        Just wanted to say it was an amazing write-up.

                                                                                        • pantalaimon 3 hours ago

                                                                                          Three men on a boat.

                                                                                          With four cigarettes, but no lighter.

                                                                                          How are they going to smoke?

                                                                                          • i4k 2 hours ago

                                                                                            they throw 1 cigarette overboard :-)

                                                                                            • hinkley 2 hours ago

                                                                                              That’s worse than the elephant joke.

                                                                                          • sim7c00 3 hours ago

                                                                                            fun read. wonder if someone can do it with one of those lemon batteries, u know.. when life gives u lemons... get root!

                                                                                            • einpoklum 2 hours ago

                                                                                              I can get root with only a spoon!

                                                                                              However, I'm not sure the kind of root you want unless you're into horticulture.

                                                                                              • mensetmanusman 8 hours ago

                                                                                                Next, a balloon and carpet!

                                                                                                • sim7c00 3 hours ago

                                                                                                  socks! and kicking device through the room!

                                                                                                • _trampeltier 5 hours ago

                                                                                                  • jojobas 9 hours ago

                                                                                                    Back in the day of analog electronic locks a piezo zap into the lock case would unlock 4 out of 5 apartment building locks, root access IRL.

                                                                                                    • adrian_b 8 hours ago

                                                                                                      ...

                                                                                                      "Finally, I'd like to thank JEDEC for paywalling all of the specification documents that were relevant to conducting this research."

                                                                                                      • mimentum 9 hours ago

                                                                                                        I read this wrong.

                                                                                                        • m3kw9 6 hours ago

                                                                                                          I’m gonna do one with “Can You Get Root With Only my bare hands?”

                                                                                                          • _joel 7 hours ago

                                                                                                            Nice trick, now do it with cosmic rays!

                                                                                                            • smcl 8 hours ago

                                                                                                              I reckon you can get a root with just a cigarette lighter if you hang around outside the right bars in Australia

                                                                                                              • Stefan-H 7 hours ago

                                                                                                                And worst case there is always the rubber hose.

                                                                                                                • jacobgkau 5 hours ago

                                                                                                                  I think you misunderstood the Australian slang. That person was not referring to the XKCD concept. They were referring to another meaning of the word "root."

                                                                                                                  • Stefan-H 4 hours ago

                                                                                                                    Ha! Thanks for the elucidation. My assumptions around the GP did include the assumption of sex, but it was more in a honeypot context rather than as an end in and of itself.

                                                                                                                  • twelve40 6 hours ago

                                                                                                                    ...or a $5 wrench

                                                                                                                • mikewarot 8 hours ago

                                                                                                                  > Can You Get Root with Only a Cigarette Lighter?

                                                                                                                  No, you can't. That long lead to couple your ersatz pulse generator defeats all the engineering put into making the computer reliable and quiet in the EMI sense.

                                                                                                                  Circuit bending is fun stuff, but it's not a remote exploit.

                                                                                                                  • jasongill 7 hours ago

                                                                                                                    Where in the article does he say this is a remote exploit?

                                                                                                                    • _joel 7 hours ago

                                                                                                                      The old saying of "if you've got physical access, game over", is where this applies.

                                                                                                                      • RIMR 3 hours ago

                                                                                                                        This guy literally got root using a cigarette lighter, and your attempt to debunk it is to suggest that physical exploits don't count?

                                                                                                                        If you only care about remote exploits, fine, but don't go scolding others for accomplishing things you can't.

                                                                                                                        • mikewarot 7 minutes ago

                                                                                                                          Do it without the precisely connected wire, and then you can say "only a cigarette lighter" as mentioned in the title, otherwise it's click-bait