14 comments

[ 4.8 ms ] story [ 49.9 ms ] thread
> Finally, I'd like to thank JEDEC for paywalling all of the specification documents that were relevant to conducting this research.
my prediction before reading is that they're using the piezo sparker to beat the DUT over the head with a big EMF spike

Edit: Nailed it!

Uh... yeah.

Just hold the sysadmins hand over the lighter until they tell you the password.

Never forget the easy way in ... the humans.

Yeah but can you light a cigarette with only a laptop? Checkmate atheists! /s
Downvoted on Hacker News
Yes. We do this in Australia, around the bars and pubs getting a root with only a cigarette lighter is a classic move.
Answers to some of the questions at the end, from future me:

- It also works on LPDDR5, LPDDR4

- Yes, it works on ARM platforms (at least, the ones I tried).

- The simplest way to trigger similar faults electronically is via a high-speed mux IC, as described in https://stefan-gloor.ch/ddr5 (chipshouter also works, but is less elegant imho!)

- Yes, you can get webkit addrof/fakeobj primitives like this, although I didn't write an end-to-end exploit.

- You can pwn nintendo switch kernel with an adjusted exploit strategy, but the same adjusted strategy does not work on Switch 2, due to memory encryption (one bitflip corrupts a whole cache line). But other strategies may be possible? (notably, it is possible to block a whole write operation from happening at all - see also https://rdist.root.org/2010/01/27/how-the-ps3-hypervisor-was... )

pfff, root, back in my day we hacked a vending machine with a lighter and got free coke.

No idea who discovered it, but the machine back at my school had an infrared interface for servicing, and you could trigger an interrupt with the flash of the flintstone of a lighter. Because it's just some 90s microcontroller, it would simply reset after failing to receive a valid command and forget what it was doing previously.

All you had to do was order a coke, and right when it drops out, before it subtracts the amount, you flash the lighter in front of the IR port like a magician, say the magic words and bam - free coke!

I used a saline glitch trick in the 90s. I cannot remember the exact sequence of events, but one injected saline into the coin or bill receptacle, which made the sensor believe money was being continuously inserted into the machine. This method had the benefit of clearing the machine of change after purchase since it registered the candy bar was bought with a substantial amount of money.
We just unplugged our vending machine with similar timing.
Wow. We were like cave men in comparison shaking the machine with 2-3 people to knock a can out of the racking.
We used to get free phone calls in phone booths by sticking an unwound paper clip into the earpiece and touching the other end to the coin box.
That is not free, that is stealing. It's like going to a grocery store and calling it a hack that you can walk around the registers and leave without paying.