This folder contains a (messy) implementation of research exploiting the Magic Leap One.
The fastbooted folder contains the code that runs on the Magic Leap console.
The fastbootrs folder contains a Rust implementation of a Fastboot client, and is the code that runs on the host.
This repository contains implementations of two vulns:
- Code execution in CBoot over Fastboot USB by smashing the stack in NVidia's SparseFS parser (sparsehax)
- Overwriting CBoot in memory using an oversized kernel-dtb implementation on the storage to gain persistent code execution (dtbhax)
Warning: It's your responsibility if you brick your console.
You need a siginfo blob (signed list of hashes with a small header) from a firmware update for your device (this is device unique), any partition works as long as it's for your device. Place it in fastbootrs/system-sparse-sig.bin.
Inside the fastbooted/payload directory:
- Copy `sparsehax.ld` to `ccplex.ld`
- Run `cargo build-usb-bin`
- Copy the generated `payload.bin` file to `fastbootrs/src/payload.bin`
Put your ML1 console into Fastboot by powering it off, and holding the Vol-Down button whilst powering the console on.
Inside the fastbootrs directory:
- Run `cargo run --release -- exploit`
- Success?
If these instructions aren't clear enough, this probably is not ready for you.
