
Want to own the SMU coprocessor in your AMD CPU/APU/possibly GPU? Extract the firmware signing HMAC key from the bootrom? Pre-Zen only, since it's based on LM32 architecture features, while Zen and later switched to Xtensa cores for their SMUs.
I don’t own an Xbox One and haven’t tested there. PS4’s APU/SMU has some oddities that prevent this attack in its current form (or I’m just making a stupid mistake somewhere).
Oh, you found a common design flaw? Have you figured out all niches concerning the exploit? Or is there still a bit to explore?
Exploit lets you read/write to x86 DRAM physical and use the serial port. That would allow a 4 wire “modchip” (some uC with VCC, GND, RX, TX) to talk over UART to stubs injected in a patched SMU FW that perform patches usually done from a userland/WebKit kexploit.
There’s not enough SRAM to hold all the patches needed, thus the requirement of a uC talking to SMU proxy stubs. Through limited testing (it’s a PITA compared to just using Linux on a PC) on the PS4, the writes to some of the SMU BP regs are ignored/blocked. Maybe AMD got wise?
But we have the PS4 SMU bootrom and FW dumped via other means and can analyze it for other vulns that might allow code execution. I’m also working on a PCIe MITM like marcan did to better understand the boot process of PS4 over PCIe instead of the normal read from SPI flash.