XRSI May Have Lie About Gaining Root Access The Quest 2
We recently found XRSI, through their now-removed blog site post, claiming to have root access to Oculus Quest 2, a Virtual Reality game platform. New information from a Reddit user question if XRSI gained root access and the truthfulness of their claims. Since we published their claim, we thought it appropriate to also review what the Reddit user found. User “not_xrsi” claimed to have insider knowledge of the issue. They posted how an XRSI researcher may have fooled others into believing he has a rooted Quest 2 device and possibly used a VM to simulate access.
For verification of root access, XRSI made claims to a 3rd party they had root access, but later said they lost access due to an update. For someone who has the capabilities to root a Quest 2, we find this puzzling. It sounds unlikely that you would lose root access unless Oculus knows of the vulnerability. We also find it unlikely they would allow an update on the device before verification of the exploit. Further issues with the XRSI claim came from them saying they installed Windows XP on the Oculus Quest 2. Quest 2 uses an ARM–based instruction set, making it incompatible with programs compiled for x86 instruction set. Since Microsoft never released Windows XP compiled for an ARM–based processor, you can’t install Windows XP on a bare ARM–based system. Meaning, Windows XP won’t run on the Quest 2 outside a Virtual Machine. We don’t see how they could possibly do this.
Based on what “not_xrsi” posted, we suspect XRSI either lied about what they found, or if they worked with another researcher, they didn’t properly research the exploit. Security of the Oculus Quest and Quest 2 comes from the trust we have in those making the devices, Facebook, and security researchers who review the product. If the Reddit user posted the truth, this removes trust from security researchers – something we have worked so hard to gain after years of classifying us as just “hackers.” In a curious coincidence, XRSI blog account tweeted a quote from George Orwell right before they tweeted about gaining root access to the Quest 2. We hope they take his advice.
其他一些参考信息:
此,XRSI 一直在监控 VR Liberation Fund 最初聊天中发现的越狱事件,并删除了所有日志。
从那以后,我建立了一个单独的服务器,我们一直在那里进行漏洞利用,并试图根据当前的安全补丁找出我们可以去的地方,但一切都无济于事。
我们真的需要帮助,因为我们必须找到偏移量并深入内核以找到漏洞利用;感觉应该有一种更简单的方法来完成这一切。下面链接的新 Discord 中有一些非常有希望的东西。您可以在#quest-escape-reloaded 中找到我们的聊天记录
大家好,看到了这个论坛帖子,考虑到它是建立在 android 之上的,Facebook 关闭了他们的设备并提供引导加载程序代码,这有点令人讨厌。
这里有一些有趣的事情,特别是它基于 Android 7.1.1。并且它位于安全补丁 2017-10-05 上,截至下面链接的 XDA 论坛端口。
有没有人对可用于在我的设备(我付费购买的设备)上获得 root 权限的潜在漏洞有任何建议?
似乎即使有一个漏洞可以绕过被锁定的引导加载程序,它仍然需要 Oculus 来签署任何闪存到设备的软件。我会看看 Saurik 过去是如何用 iPhone 解决这个问题的,但如果没有相当繁琐的解决方法或仅适用于特定更新的东西,它看起来并不乐观。如果我的想法是正确的,它基本上需要一个 0day 才能在任何时间段内保持可持续;但又是美国国家安全局,所以它可能存在于某处。
在 Quest Escape Research 中指出,有一个关于如何获取引导加载程序代码的线索,因为它曾经面向公众并且可能是一个 API 调用来获取代码;在引导加载程序菜单 (Vol - & Home) 中还有一个选项可用于“启用旁加载更新”<- 可能对打包允许访问 root 并充当木马程序的映像很有用。
公共测试频道提供早期更新。
我的设备上出现了奇怪的行为,我将其置于恢复模式,但在此模式下它经常尝试重新启动 USB 连接。有趣的。
我觉得 SuperSU 或 Magisk 的某些东西实际上可能是可能的,但如果有“反root”软件可以解决这个问题,我也不会感到惊讶。Magisk 将是这里的最佳选择,因为它可以选择将自己隐藏在系统的其余部分之外,尽管我过去从未能够让它在 android 手机上正确触发。
现在可能可以使用 android 与 oculus 图像的较大差异来查看重叠。因为尽管没有解锁的引导加载程序会很困难,但是一旦有了自定义恢复,您就离开了,但是 IDK 两个操作系统上的重叠程度已经足以让您一目了然。我仍然想要一个可用的设备,而解除软砖的方法仍然不清楚。
在此处添加有用的链接:
DK2 的潜在根源(可作为灵感):https : //forums.oculusvr.com/community/discussion/22146/edit-found-root-wddm-2-0-support-win10-black-screen
在早期的开发阶段,Oculus 最初与三星合作,似乎代码库中有很多交叉。Issues - AC3 - Root - Conversions Please help - Oculus Community - 320040
解释如何旁加载更新的视频。https://youtu.be/4pEUIx-Sp1E?t=189
XDA 开发者起点:https : //forum.xda-developers.com/mobile-vr/oculus-quest/mods-customization-snapdragon-835-t3932649/page2
手动更新:https : //www.reddit.com/r/oculusquest/wiki/guides/manualupdate
强制固件更新:https : //www.reddit.com/r/OculusQuest/comments/eyre4t/i_forced_my_quest_to_firmware_12_via_bootloader/
绕过证书的修补程序检查?https://support.oculus.com/217157135500529/
Oculus 内核的 Git:https : //github.com/facebookincubator/oculus-linux-kernel
Quest Escape 研究链接:https : //github.com/QuestEscape
SuperSU 与 GearVR oculus 应用程序配合使用:https ://forum.xda-developers.com/galaxy-s6/general/root-universal-root-method-s6-s6-edge-t3267486
编辑:主要是格式化和添加链接。今天,CBA 将继续深入这个兔子洞。
NGL 我现在被困住了,可以用一些 hep 解析所有这些信息。
扫一扫
1619
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
