Hacking Nintendo Switch bootrom dumped.

[oMiKeY]

@TheCyberQuake how you get a spanish domain?

 

[wownmnpare]

but when will we be we be able to load gaems from sd???

I'm very happy that people want to dedicate their precious time into helping the community, and reverse engineering is always difficult.

Tomorrow. I'll make it happen

 

[TotalInsanity4]

So if I can my Switch's trust can I get mah bakups?
How do I do so, do I take my Switch to dinner or to the movies first?

But in all seriousness though:

Wouldn't we be able to still play online if we have the original cart of the game while still having the emus in the system?
I assume the online blacklist would only apply if Nintendo detects something odd with the backup you are playing with.

To defeat the Trustzone, one must first break out of the Friendzone

 

[Selver]

The certificate key data is stored encrypted using keydata only available to TrustZone. ... The SSL module retrieves [console-unique cert] on boot, passes it through TrustZone (through SPL), and its decrypted ....

Hi V-Temp,

Your posts have been technically informative, thank you. Can you help me confirm my understanding (based on your descriptions, switchbrew.org, and ARM manuals)?

Are the following stored in memory accessible by trusted world (TZ)?

1. Each session-specific key used to wrap the KEK?
2. Each specific, unencrypted KEK?
3. The underlying AES/RSA keys?

If I had to guess, I would say the first two answers would be yes. I'm less sure of the last answer, thinking it may be locked to hardware, such that no software (not even TZ trusted worlds) can access the actual keys.

What (if any) peripherals can access the trusted world (TZ) memory? As examples (some of which are mutually exclusive):

1. can the network card just access physical memory addresses directly?
2. can the network card write to or DMA to memory mapped only in trusted world?
3. is the network card only able to access memory via a memory controller that has some concept of security controls?

If I had to guess, I would say that the NIC firmware can access physical memory directly, and thus can bypass the normal protections (e.g., via DMA).

Switchbrew.org is a great resource for the software, but overall hardware architecture is a little more difficult to divine, so please welcome any knowledge in this area you have!

 

[Frysenberg]

To defeat the Trustzone, one must first break out of the Friendzone

Well, I guess that's never happening.

 

[Chelsea_Fantasy]

5,4,3,2,1...........

 

[TheCyberQuake]

@TheCyberQuake how you get a spanish domain?

I don't understand the question.

 

[Jayro]

A bit too quick, the 3ds took 4-5 years to get the bootrom, or was it actually kept private ?

It was kept private, but the dumpers told us exactly how to dump it, and it eventually leaked out from someone. I'm so excited the bootrom of the Tegra 210 was dumped, this is fantastic.

 

[V-Temp]

Are the following stored in memory accessible by trusted world (TZ)?

If I had to guess, I would say the first two answers would be yes. I'm less sure of the last answer, thinking it may be locked to hardware, such that no software (not even TZ trusted worlds) can access the actual keys.

The first, if I understood your question, is easy to answer as its actually documented: http://switchbrew.org/index.php?title=SMC Control-F: "overall concept" (as this is what SciresM and I were discussing yesterday, to some degree!).

What (if any) peripherals can access the trusted world (TZ) memory?

I don't have an immediate answer for what can outright bypass TZ and not be forced through a handshake at some level with encryptions along the way, it non-obvious to me unless I am drawing a blank on it.

 

[Deleted User]

Wait, was it the Switch bootROM or the Tegra's bootROM? or are they the same?

 

[SciresM]

I don't have an immediate answer for what can outright bypass TZ and not be forced through a handshake at some level with encryptions along the way, it non-obvious to me unless I am drawing a blank on it.

I do: the boot processor that goes to sleep when TZ gets loaded and which can't be taken over later, and nothing else.

So...nothing meaningful.

 

[V-Temp]

I do: the boot processor that goes to sleep when TZ gets loaded and which can't be taken over later, and nothing else.

So...nothing meaningful.

I wouldn't have even considered that, hah! I was looking for something later in the chain and trying to think of where you could bypass TZ.

 

[PikaFan123]

https://twitter.com/SciresM/status/919405532515000321
View attachment 102770

Nice! Its just so cool to see how far we are right now

 

[mendezagus]

Funnily enough, in the months we've been with this scene and how fast its been "moving", we're 'catching up' to the PS4's 1.76 and that mess of a firmware and its fiery kernel. I sort of find the whole "wow already" posts really funny in light of how fast these things have usually gone, I guess no one notices.

wait, so this exact "bootrom dump" situation also happend on the PS4??? how come there was never piracy on PS4 then? were there even emulators?

 

[Deleted User]

wait, so this exact "bootrom dump" situation also happend on the PS4??? how come there was never piracy on PS4 then? were there even emulators?

Apparently PS4 Piracy is in the making.

 

[kublai]

Apparently PS4 Piracy is in the making.

I hate piracy, it kills me cause I have to go out and spend money on hard drives.

 

[Deleted User]

I hate piracy, it kills me cause I have to go out and spend money on hard drives.

You will need to buy an harddrive anyway for update installation.

 

[V-Temp]

wait, so this exact "bootrom dump" situation also happend on the PS4??? how come there was never piracy on PS4 then? were there even emulators?

For example: PS4 had license duping years ago.

Its not about the exact same thing occurring. Its about having other failpaths in your security like cloning your NAND with all of its license permissions.

 

[mendezagus]

Apparently PS4 Piracy is in the making.

Great, now i can´t update neither of my consoles!!!





Just joking, i only care for a switch hack. I like it better and sacrificing online doesn´t mean that much in comparison to PS4.

--------------------- MERGED ---------------------------

For example: PS4 had license duping years ago.

Its not about the exact same thing occurring. Its about having other failpaths in your security like cloning your NAND with all of its license permissions.

So the bootrom dump happened on PS4 but no significant failpath (vulnerability?) was found, right? I mean, the hackers could never replicate a NAND with all the permissions.

 

[Selver]

The first, if I understood your question, is easy to answer as its actually documented: http://switchbrew.org/index.php?title=SMC Control-F: "overall concept" (as this is what SciresM and I were discussing yesterday, to some degree!).

Hi V-Temp,

I enjoyed following that discussion between yourself and SciresM, and reviewed the SMC call documentation on SwitchBrew.

I'm sure my question isn't clear. Switchbrew says that "userspace stores... AES(Ksession, AES(Kkek, K...))", presumably referring to non-trusted userspace memory, and is very clear that the underlying key material (K...) is never exposed to the non-trusted world.

Switchbrew also says:
"This means: Plaintext kek keys never leave TrustZone. Further, this means: Actual AES/RSA keys never leave TrustZone".

But, it's not clear from this quote if plaintext kek keys are accessible in TrustZone, or if it's just confirmed that they are definitely not accessible when not in TrustZone. (Sorry for the double-negative, seemed needed.)

In other words, are Ksession and Kkek also locked into a hardware keyslot (or calculated using a hardware keyslot), or just stored in "normal" memory locked down to TrustZone world?

If the question is still unclear, I take all blame; just say so and I'll go away a while...