Can you get root with only a cigarette lighter? (2024)
185 points by HeliumHydride 4 days ago | 38 comments
  • rkagerer a day ago |
    > Finally, I'd like to thank JEDEC for paywalling all of the specification documents that were relevant to conducting this research.
  • b00ty4breakfast a day ago |
    my prediction before reading is that they're using the piezo sparker to beat the DUT over the head with a big EMF spike

    Edit: Nailed it!

    • grufkork a day ago |
      I thought they were going to just heat a chip to increase the overall error rate
      • throwawayqqq11 a day ago |
        Be it eletric or thermal, i came here for fried hardware and left disappointed. Now i have to wrangle my curiosity to what happens when you lighter-spark a usb port for the rest of the day.
    • 4gotunameagain a day ago |
      Yeah but the devil is in the details ;)

      It's not like you can randomly spike stuff and achieve an exploit

      • b00ty4breakfast 18 hours ago |
        but of course
  • ted_dunning a day ago |
    Uh... yeah.

    Just hold the sysadmins hand over the lighter until they tell you the password.

    Never forget the easy way in ... the humans.

    • quietbritishjim a day ago |
      Like the classic xkcd on security

      https://xkcd.com/538/

    • debugnik a day ago |
      Good luck hacking a Switch using that method and getting away with it.
  • haunter a day ago |
    Yeah but can you light a cigarette with only a laptop? Checkmate atheists! /s
    • mirekrusin a day ago |
      If it's intel, you can fry an egg for sure.
      • LoganDark a day ago |
        The ol' Black MacBook Cooktop...
        • hi-im-buggy a day ago |
          In combination with a weighing scale (https://github.com/KrishKrosh/TrackWeight), you have everything you could ask for in a portable food processor.
          • LoganDark 17 hours ago |
            I would love a black MacBook with Force Touch.
    • thenthenthen 5 hours ago |
      Short the battery!
  • slj a day ago |
    Yes. We do this in Australia, around the bars and pubs getting a root with only a cigarette lighter is a classic move.
    • karmakurtisaani a day ago |
      I feel like getting root privileges means something else in Australia.
      • defrost a day ago |
        Still only a third of the full wombat trifecta.
    • CTOSian a day ago |
      also free arcade credits :}
    • RugnirViking 21 hours ago |
      I had an australian colleague who found it endlessly funny that we pronounced "router" as "rooter" instead of their "rowter". statements like "If that happens the system will root the packets via the rooter first" was met with much giggling
      • kjkjadksj 17 hours ago |
        We americans call it rowter too. Well, really raoter.
  • Retr0id a day ago |
    Answers to some of the questions at the end, from future me:

    - It also works on LPDDR5, LPDDR4

    - Yes, it works on ARM platforms (at least, the ones I tried).

    - The simplest way to trigger similar faults electronically is via a high-speed mux IC, as described in https://stefan-gloor.ch/ddr5 (chipshouter also works, but is less elegant imho!)

    - Yes, you can get webkit addrof/fakeobj primitives like this, although I didn't write an end-to-end exploit.

    - You can pwn nintendo switch kernel with an adjusted exploit strategy, but the same adjusted strategy does not work on Switch 2, due to memory encryption (one bitflip corrupts a whole cache line). But other strategies may be possible? (notably, it is possible to block a whole write operation from happening at all - see also https://rdist.root.org/2010/01/27/how-the-ps3-hypervisor-was... )

    • Retr0id a day ago |
      I also spent a long time trying to do the glitching with a mosfet, but never got it to work. I couldn't get enough drive strength to actually glitch anything, without messing with the delicate capacitance+impedance tolerances of the bus.
  • nom 21 hours ago |
    pfff, root, back in my day we hacked a vending machine with a lighter and got free coke.

    No idea who discovered it, but the machine back at my school had an infrared interface for servicing, and you could trigger an interrupt with the flash of the flintstone of a lighter. Because it's just some 90s microcontroller, it would simply reset after failing to receive a valid command and forget what it was doing previously.

    All you had to do was order a coke, and right when it drops out, before it subtracts the amount, you flash the lighter in front of the IR port like a magician, say the magic words and bam - free coke!

    • limit35 18 hours ago |
      I used a saline glitch trick in the 90s. I cannot remember the exact sequence of events, but one injected saline into the coin or bill receptacle, which made the sensor believe money was being continuously inserted into the machine. This method had the benefit of clearing the machine of change after purchase since it registered the candy bar was bought with a substantial amount of money.
      • thatguy0900 18 hours ago |
        Clearing the machine of money it already had sounds way more likely to get you into trouble than getting a free coke, I'm not so sure that's a benifit
    • chrisBob 18 hours ago |
      We just unplugged our vending machine with similar timing.
    • kjkjadksj 18 hours ago |
      Wow. We were like cave men in comparison shaking the machine with 2-3 people to knock a can out of the racking.
      • bdjdjdndndb 3 hours ago |
        Brave ... Those things can kill
    • jibal 17 hours ago |
      We used to get free phone calls in phone booths by sticking an unwound paper clip into the earpiece and touching the other end to the coin box.
      • devmor 17 hours ago |
        You could do the same by wearing wool socks and shuffling around for a minute before touching the coin slot!
        • ssl-3 7 hours ago |
          That doesn't work very well on a humid day outside in the summer.

          And the payphones in the city I grew up in didn't operate using ground-start signalling, so the paper clip/safety pin/pull-tab/static trick didn't work there at all.

          But an innocuous walkman with a cassette tape that had some red box tones on it, with a bonus of having the rest of the cassette available for music to listen to? That worked great.

          • jibal 5 hours ago |
            This was in the late 1950's for me, in the San Fernando Valley where summertime humidity was very low. But a few years later the phone company put shields in the headsets so you could no longer puncture the foil.
            • ssl-3 4 hours ago |
              Fair.

              I'm old enough to remember payphones being completely ubiquitous (with whole banks of them inside of each entrance for one large department store, usually with one or two more outside), but I'm not old enough to remember the 1950s. :)

              I did find one old phone at a state park not too far out that could be tricked by grounding it, but that was in GTE territory instead of the Ohio Bell BOC that I was more familiar with.

    • charcircuit 16 hours ago |
      That is not free, that is stealing. It's like going to a grocery store and calling it a hack that you can walk around the registers and leave without paying.
      • 12_throw_away 14 hours ago |
        True. So sad to think that hackers are exploiting - and yes, there can be no doubt, this is EXPLOITATION - weaknesses in coin-operated services. I weep to think how far has this once-noble vocation has strayed from its roots ...
        • Cpoll 6 hours ago |
          John Draper and his fellow hackers were EXPLOITING coin-operated payphones and switchboards in the 60s, so I'm not sure how far back you have to go to reach the noble vocation you describe.
          • 12_throw_away 5 hours ago |
            whoosh