GET /congress/2025/event/b98918cb-489e-5f5e-aa06-26753cb48418/?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": "b98918cb-489e-5f5e-aa06-26753cb48418",
    "kind": "official",
    "name": "Making the Magic Leap past NVIDIA's secure bootchain and breaking some Tesla Autopilots along the way",
    "slug": "making-the-magic-leap-past-nvidia-s-secure-bootchain-and-breaking-some-tesla-autopilots-along-the-way",
    "url": "https://api.events.ccc.de/congress/2025/event/b98918cb-489e-5f5e-aa06-26753cb48418/?format=api",
    "track": "security",
    "assembly": "ccc",
    "room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
    "location": null,
    "language": "en",
    "description": "In mid-2024, a friend approached me about Magic Leap making their TX2-based XR headsets little more than a paperweight by disabling the mandatory activation servers. I morally dislike this; companies shouldn't turn functional devices into e-waste just because they want to sell newer devices.\r\n\r\nAfter obtaining one and poking at the Fastboot implementation, I discovered it was based off NVIDIA's Fastboot implementation, which is source-available. I found a vulnerability in the NVIDIA-provided source code in how it unpacks SparseFS images (named sparsehax), and successfully blindly exploited the modified implementation on the Magic Leap One. I also found a vulnerability in it that allowed gaining persistence via how it loads the kernel DTB (named dtbhax).\r\n\r\nStill unsatisfied with this, I used fault injection to dump the BootROM from a Tegra X2 devkit.\r\n\r\nIn the BootROM I discovered a vulnerability in the USB recovery mode. Exploiting this vulnerability proved difficult due to only having access to memory from the perspective of the USB controller. I will explain what was tried, why it didn't work, and how I eventually got code execution at the highest privilege level via it.\r\n\r\nAs I will demonstrate, this exploit also functions on Tesla's autopilot hardware.",
    "schedule_start": "2025-12-29T14:45:00+01:00",
    "schedule_duration": "01:00:00",
    "schedule_end": "2025-12-29T15:45:00+01:00"
}