by Retr0id
85 days ago
Answers to some of the questions at the end, from future me:
- It also works on LPDDR5, LPDDR4
- Yes, it works on ARM platforms (at least, the ones I tried).
- The simplest way to trigger similar faults electronically is via a high-speed mux IC, as described in https://stefan-gloor.ch/ddr5 (chipshouter also works, but is less elegant imho!)
- Yes, you can get WebKit addrof/fakeobj primitives like this, although I didn't write an end-to-end exploit.
- You can pwn the Nintendo Switch kernel with an adjusted exploit strategy, but the same adjusted strategy does not work on Switch 2, due to memory encryption (one bitflip corrupts a whole cache line). But other strategies may be possible? (notably, it is possible to block a whole write operation from happening at all - see also https://rdist.root.org/2010/01/27/how-the-ps3-hypervisor-was... )