Wink Hub Nand Glitch
The Exploiteers

 Published On Apr 19, 2015

NAND "Glitch" POC Instructions
##########
The idea behind this attack is that we short out the data pins on the NAND while the bootloader is reading the kernel from NAND flash. Because a valid kernel cannot be read, U-Boot drops into an interactive shell over UART.

1.) Take apart the Wink Hub.
2.) Attach a USB-to-TTL adapter to the UART pins.
3.) Power on the Wink Hub.
4.) After U-Boot starts, as the kernel begins loading, hold a wire and run it from GND to the NAND I/O 0 pin (#29). The kernel image will fail to load, dropping the user back to a U-Boot shell.
5.) The bootloader will default to an insecure configuration.

From here, you can alter the kernel arguments and set init=/bin/sh, booting to a root shell. This can be seen in the video.
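As an added illustration (not from the video or from Exploitee.rs), the U-Boot environment behaviour these steps rely on, beside settings that close it off. Load address, partition name and console device are placeholders; the Wink Hub's real values are not on this page.

```text
# --- Weak: the behaviour the POC depends on ---
# bootcmd reads the kernel from NAND and boots it. If the read returns a
# corrupted image, bootm fails, bootcmd ends, and U-Boot falls through to
# its interactive prompt on the UART.
bootdelay=3
bootcmd=nand read ${loadaddr} kernel ${kernel_size}; bootm ${loadaddr}
# bootargs is plain text in the env, so anyone at the prompt can append
# init=/bin/sh and boot straight to a root shell.
bootargs=console=ttyS0,115200 root=/dev/mtdblock4

# --- Hardened env ---
# -2: autoboot immediately and do not poll the console for an abort key.
bootdelay=-2
# Reset on any failure instead of returning to the prompt.
bootcmd=nand read ${loadaddr} kernel ${kernel_size} && bootm ${loadaddr}; reset

# --- Hardened build (defconfig fragment) ---
# Env changes alone are undone by anyone who reaches the prompt once, so
# remove the prompt and the writable env at build time as well.
# CONFIG_CMDLINE is not set
CONFIG_ENV_IS_NOWHERE=y
CONFIG_FIT_SIGNATURE=y
```

CONFIG_FIT_SIGNATURE only rejects a tampered kernel image; removing the command line and the writable environment is what stops the bootargs edit described above.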

More Info At: http://Exploitee.rs
Follow us at: @Exploiteers
