Making Magic Leap past Nvidia's secure bootchain and breaking Tesla Autopilots
4 months ago
- #exploit
- #hardware
- #security
- Magic Leap disabled activation servers for TX2-based XR headsets, turning them into e-waste.
- Discovered vulnerabilities in NVIDIA's Fastboot implementation: 'sparsehax' (SparseFS unpacking) and 'dtbhax' (kernel DTB loading).
- Used fault injection to dump the BootROM from a Tegra X2 devkit, revealing a USB recovery mode vulnerability.
- Exploited the BootROM vulnerability to gain code execution at the highest privilege level, despite challenges.
- Demonstrated that the exploit also works on Tesla's Autopilot hardware.