Jibo-Revival-Group/JiboViteDocs
8
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f135c7dda6690693d6cde04e0e10abb0bf875632
JiboViteDocs/docs/uart/vectors/hardexp.md

39 lines
2.0 KiB
Markdown
Executable File
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Hardware and Tegra Exploitation
## Overview
So jibos brain is powered by an [[NVIDIA Tegra K1 (T124) Soc]] To gain full control over the device and bypass the "original jibo servers", we are attempting to achieve code execution at the bootloader level via **RCM (Recovery Mode)**.
- - -
## Device Identification
When Jibo is put into RCM, it identifies itself as an NVIDIA APX device. Note that the Product ID (PID) may shift after an initial handshake or reboot as it did with mine , but i haven't seen any other documented cases of this behavior.
| Parameter | Value | Notes |
| ----------------- | ------ | ------------------------------------------------------------------------------- |
| Vendor ID (VID) | 0x0955 | Standard NVIDIA Corp. |
| Product ID (PID) | 0x7740 | Confirmed Tegra T124 <- **==This is the one that should be used in any case==** |
| Alternative (PID) | 0x9134 | Observer on initial RCM |
- - -
## Current Exploitation Status
### 1. The ShofEL2 Attempt
I am currently adapting [[ShofEL2 - Fusée Gelée Exploit]] to work with the **T124** architecture.
- **Progress:** Modified the USB declarations in `include/t124.h` (Lines 4-9) to match Jibos specific PID/VID.
- **Result:** The exploit initializes but **hangs** before executing the payload. We are currently auditing the source code to determine if the memory offsets for the T124 stack buffer overflow differ from the standard T210 implementation.
### 2. C# Payload Loader
A custom loader has been developed by (Community Member : Jaked) in **C#** to interface with the Tegra USB stack.
- **Status:** The loader successfully "talks" to the APX interface.
- **Blocker:** We lack a functional **Payload Binary** that the Tegra chip accepts. Most generic payloads fail to return debug info, making it difficult to map the internal memory.
Reference in New Issue View Git Blame Copy Permalink