RPI build

[ZenithRogue]

Would it be possible to have a build of this for easy setup on raspberry pi?

[b-]

I don't see why this wouldn't work as is on Raspberry Pi.

Just run Linux on the Pi, and treat the Pi as if it's a "Linux PC"

[natinusala]

I let you try it and report here how it goes.

[b-]

Great. I haven't tried it personally, but I know that others have had success launching fusee payloads on the Raspberry Pi. As far as I can tell, none of the stuff here/for this repo is binary/architecture-dependent except the code you put on the switch, so if you compile the launcher it should "just work."

[natinusala]

Keep in mind that it's not fusée gelée, it's shofel2. While the method and code is globally the same, shofel2 has an additional step (sending coreboot.rom).

[b-]

either way, it’s python, which is architecture-independent :)

[natinusala]

Well fusée gelée works on Mac OS and Shofel2 doesn't

[b-]

I’m intending on booting this with macOS — I stepped away from my desk for lunch, but the SD finished burning. So I’ll tell you my experience. But the author of this project claims it works on macOS. And the script is just a python script.

Try it, if nothing else it’s not going to brick your switch

[natinusala]

Shofel2 uses /proc/self/fd which doesn't exist on Mac OS

[b-]

Huh. I see that in the script. I’ll see what I can do when I get back from lunch. There isn’t a direct equivalent to `/proc` or any of its components on macOS, but there are a number of portable ways to do what it appears they are doing (get a list of file descriptors open by the calling process?). The comment above the function definition (`# lol` verbatim) suggests that f0f knows it’s a really hacky way of doing it. Regardless procfs is on any Linux system, including the Pi.

…

On Mon, May 7, 2018 at 1:15 PM Nathan S. ***@***.***> wrote: Shofel2 uses /proc/self/fd which doesn't exist on Mac OS — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#1 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AARYdRrVOiJ94_b2T1Ndq2Hd0G_6NzDuks5twIEpgaJpZM4T1PJy> .

[natinusala]

Mac OS has /dev/fd but it doesn't seem to work the same way as Linux's /proc/self/fd

[b-]

As you expected, this doesn't work on macOS out of the box, because Shofel2 is accessing /proc/self/fd which does not exist on macOS (or really much of anything besides Linux, actually…)

I also couldn't get it to work with Fusee.

That said, Fusee and Shofel2 use the same exploit, and are both written in Python. I'm going to open a new issue regarding macOS support, and I'm going to see if I have the skills to either port the coreboot payload to Fusee, or to port Shofel2 to macOS. I imagine at least one of the two shouldn't be particularly difficult…

[natinusala]

I suggest you open an issue on f0f's shofel2 repo too

[b-]

Already on it. Do me a favor and report back how the Pi works, because if it "just works" the way I expect then I imagine this issue can safely be closed :)

[natinusala]

Put your Switch in RCM mode now
File descriptor: 9
b'0081030f0000001c01532c6401101062'
entry 400168ed
throwing more
Performing hax...
Size: 0x6c68

b'820000000000686c'
b'020000000000000000000000e8757300716c000000000000000000000000000000000000000000000f0f000000'
URB address: 0x72f3f0
Traceback (most recent call last):
  File "./shofel2/shofel2.py", line 247, in <module>
    rcm.pwn()
  File "./shofel2/shofel2.py", line 205, in pwn
    s.ep0_read_unbounded(overwrite_len)
  File "./shofel2/shofel2.py", line 76, in ep0_read_unbounded
    fcntl.ioctl(s.fd, USBDEVFS_SUBMITURB, urb)
OSError: [Errno 25] Inappropriate ioctl for device

Welp.

[b-]

Try patching the kernel with this https://github.com/fail0verflow/shofel2/blob/master/linux-ehci-enable-large-ctl-xfers.patch and recompiling, like this: https://gbatemp.net/threads/fusee-gelee-with-raspberry-pi-3.502136/page-3#post-7942153