Conversation

Want to own the SMU coprocessor in your AMD CPU/APU/possibly GPU? Extract the firmware signing HMAC key from the bootrom? Pre-Zen only, since its based on LM32 architecture features while Zen and later switched to Xtensa cores for their SMUs.

github.com

GitHub - jevinskie/amd-lm32-smu-exploit: Generic exploit for all version 7 (maybe others) LM32-ba...

Generic exploit for all version 7 (maybe others) LM32-based AMD SMU's used in APUs (and probably works on GPUs too) - GitHub - jevinskie/amd-lm32-smu-exploit: Generic exploit for all versio...

148

Richy Rich

@ThEyALLgOnE

May 29

So this affects ps4 and Xbox one?

Jevin Sweval

@jevinskie

I don’t own an Xbox One and haven’t tested there. PS4’s APU/SMU has some oddities that prevents this attack In its current form (or I’m just making a stupid mistake somewhere).

6:10 AM · May 29, 2023

5,895

Views

Oh you found a common design flaw have you figured out all niches concerning the exploit? Or there's still a bit to explore?

Jevin Sweval

@jevinskie

May 29

Exploit lets you read/write to x86 DRAM physical and use the serial port. That would allow a 4 wire “modchip” (some uC with VCC, GND, RX, TX) to talk over UART to stubs injected in a patched SMU FW that perform patches usually done from a userland/WebKit kexploit.

Show replies

Richy Rich

@ThEyALLgOnE

May 29

I'm sure lots of people are already trying on Xbox one. I have an xbox onez but wouldn't even know where to start to see if it works

Jevin Sweval

@jevinskie

May 29

From what I’ve heard at least some models of Xbox One include a PSP so that could make a coldboot SMU based attack impossible. Though there has been some excellent work on breaking PSP’s security model already done: