mikewarot a day ago

<rant value="verbose">

It's circuit bending, or Fritzing, not finding a clever exploit in DRAM. Even an ECC module isn't going to help you if it's on the CPU data bus.

I just hope we don't all end up suffering through yet another 50% slowdown in patches to the Kernel to avoid this nonsense because someone buys the BS and now it has to be "fixed", like the row hammer software fixes, instead of just fixing the damn DRAM modules, and better hardware.

</rant>

Another analogy:

It's like when a brain surgeon probes your cerebellum and suddenly you smell strawberry or hear Brahms. The surgeon certainly doesn't know what reaction you have unless you tell them.

You wouldn't go around later saying "Dr Jones made me smell strawberries, on a whim, certainly he's a G*d"

  • nwah1 a day ago

    If there is no unpredictable ASLR then in this case it is as if the surgeon knows exactly where to probe to make you smell strawberries.

captn3m0 a day ago

Some context from the author’s fedi account:

> I'm exploring this because I think it might be useful for console hacking - where you have physical access, and the ability to execute sandboxed code (say, inside a web browser)

ID: @retr0id@retr0.id (they ask not to link to their fedi instance).

sans_souse 2 days ago

This is some low level hacking right here

dan_linder a day ago

So if we don't have the addition of the antenna wire, is the usual case shielding sufficient, or do we just need larger/more intense pulses, more of them, or somewhere in between? I'd like to try this at home, but not if I have to solder a wire on the already small RAM traces.

  • wrs a day ago

    I’m not sure how you would limit the incoming interference to a single bit, unless you’re very good at beam forming antennas.

  • yonatan8070 a day ago

    If you try it on a desktop system, the RAM is likely going to be in through-hole DIMM slots, so the soldering will be a lot more manageable than in a laptop.

azalemeth a day ago

Yet again, I wish we all had ECC ram!

Here's the code: https://github.com/DavidBuchanan314/dram_emfi/blob/main/linu... -- the basic idea is

> Hardware setup: This time I put the "antenna" wire on DQ25, which will fault 64-bit values to +/-32MiB

> Exploit strat: We fill up as much of physical memory as possible with page tables.

> When we fault a PTE read, we have a good chance of landing on a page table, giving us R/W access to a page table from userspace.

CTDOCodebases a day ago

I remember kids using these things on Street Fighter II machines to get free credits.

ano-ther a day ago

Impressive! And a music track like that should be standard for all progress bars.