JiboDocs/Dictionary/ShofEL2 - Fusée Gelée Exploit.md
**ShofEL2** (and its sister exploit **Fusée Gelée**) is an unpatchable hardware vulnerability found in the NVIDIA Tegra X1's USB Recovery Mode (RCM). Because the flaw exists in the **Read-Only Memory (Boot ROM)** of the SoC, it cannot be fixed via software or firmware updates by Nintendo or NVIDIA.
The exploit allows for **Unsigned Code Execution** at the highest privilege level (EL3) before the operating system even begins to load.
---
## How It Works (The Vulnerability)
The exploit leverages a **heap overflow** in the Tegra X1's USB RCM stack.
1. **RCM Mode:** The Tegra X1 enters a recovery mode designed to receive factory images via USB.
2. **Control Request:** The attacker sends a massive `USB Control Request` (Get Status) with an invalid length field.
3. **Buffer Overflow:** The Boot ROM fails to properly validate the length of the data being requested. It copies more data than the internal buffer can hold, overflowing into the **execution stack**.
4. **Arbitrary Execution:** By carefully crafting the overflow (a technique known as "smashing the stack"), the attacker overwrites the return address to point to their own payload loaded in the SoC's Internal RAM (IRAM).
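The missing length check in step 3, as an added C example that is not the Tegra X1 Boot ROM's code: a simplified USB `GET_STATUS` handler in a naive form that trusts the host-supplied `wLength`, beside a hardened form that clamps the copy to the real response size and to the buffer that receives it. The setup-packet layout follows the USB specification; the buffer sizes and the names `usb_setup_t`, `unchecked_copy_len`, `hardened_get_status` and `would_overflow` are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes are assumptions for this example, not values taken from the Tegra X1 Boot ROM. */
#define STATUS_RESP_LEN 2u   /* a USB GET_STATUS reply is always two bytes */
#define TX_BUF_LEN      64u  /* hypothetical transmit buffer inside the device */

/* USB setup packet as defined by the USB specification (chapter 9). */
typedef struct {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;  /* chosen by the host; any value up to 0xFFFF */
} usb_setup_t;

/* Naive pattern: the handler copies exactly as many bytes as the host asked for.
 * Returns how many bytes such a handler would write into its transmit buffer;
 * the copy itself is deliberately not performed here. */
size_t unchecked_copy_len(const usb_setup_t *req)
{
    return req->wLength;   /* no comparison against the buffer or the response size */
}

/* Hardened pattern: copy the smaller of what the host asked for and what the
 * response really contains, and refuse outright if the response cannot fit the
 * buffer. Returns the number of bytes written, or 0 when the request is rejected. */
size_t hardened_get_status(const usb_setup_t *req, uint8_t *tx, size_t tx_len)
{
    const uint8_t status[STATUS_RESP_LEN] = { 0x00, 0x00 };  /* constructed reply */
    size_t n = STATUS_RESP_LEN;

    if (n > tx_len)          /* response cannot fit: reject rather than truncate silently */
        return 0;
    if (req->wLength < n)    /* host asked for fewer bytes: honour the shorter length */
        n = req->wLength;
    memcpy(tx, status, n);   /* n is now bounded by both the response and the buffer */
    return n;
}

/* True when a copy of `len` bytes would exceed a buffer of `buf_len` bytes. */
bool would_overflow(size_t len, size_t buf_len)
{
    return len > buf_len;
}

int main(void)
{
    uint8_t tx[TX_BUF_LEN];
    /* Constructed request: GET_STATUS with the largest length field the host can send. */
    usb_setup_t req = { .bmRequestType = 0x80, .bRequest = 0x00 /* GET_STATUS */,
                        .wValue = 0, .wIndex = 0, .wLength = 0xFFFF };

    size_t naive = unchecked_copy_len(&req);
    printf("unchecked handler would copy %zu bytes into a %u-byte buffer: %s\n",
           naive, TX_BUF_LEN, would_overflow(naive, TX_BUF_LEN) ? "OVERFLOW" : "ok");

    size_t safe = hardened_get_status(&req, tx, sizeof tx);
    printf("hardened handler copied %zu bytes\n", safe);
    return 0;
}
```

The point of the comparison is the direction of trust: the naive handler lets a field chosen by the host decide how much the device writes, while the hardened one lets the device's own knowledge of the response and its buffer decide, and treats `wLength` only as an upper bound the host may lower. A Boot ROM cannot be updated after manufacture, so a check of this kind has to be right before the silicon ships.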
> [!IMPORTANT]
> Since the Boot ROM is "burned" into the silicon at the factory, the only way to "patch" this was for NVIDIA to release a new hardware revision (the "Mariko" / T210B01 chip found in V2 and OLED Switches).
---
> [!warning]
> The above explanation is AI generated. Learn more at: https://github.com/erdzan12/switch-fusee