Christmas Nintendo Gigaleak reportedly contains Mariko BootRom source code and Let's Go beta


Merry Christmas, GBAtemp! Today may be a very Merry Christmas for those who like to dig into leaked data, as the latest files from the ongoing Gigaleak--part 8, to be exact--have supposedly made their way online. According to those who have already gotten their hands on the illegally-obtained files, within the .zips lurks a beta build for Pokémon: Let's Go Eevee as well as a major bit of data: the source code for the Mariko BootRom, with classified files straight from NVIDIA. As always, sharing these files is against GBAtemp's ToS, but feel free to discuss them!
 

TerraPhantm

I don't know.

If I was given a Windows box, told to hack it and said "fancy having source code" then all day long will I take source.

Source may well reveal things that a basic disassembly, especially if assembly skills are anything less than http://www.catb.org/jargon/html/story-of-mel.html (which is going to be most, even self-styled hackers, these days), might well miss, though I have also caught things in assembly that I might not have spotted in source (especially if it is a language or revision thereof I don't know. This also says nothing of the compiler maybe having a fault).

If it is a boot ROM then if it is the usual burned in a few hundred bytes of something at die level (which would be a sweet place to exploit as... burned into something at die level as they will likely not issue a recall for that) then that has maybe a basic power on self test, failure/recovery boot option and normal boot option guarded by basic crypto (public-private or HMAC... really does not matter) with no special bells and whistles that might lead to interesting exploits then that is the sort of thing you can pretty thoroughly vet with manual analysis of a disassembly, and as such that renders source code as cool to see but not much else.
I think the caveat is that it allows other hackers to dive in without having to figure out how to dump and disassemble the Mariko bootrom on their own. Probably nothing will come of it, but who knows for sure.
 

smf

Uh, yeah. You're clearly not an elite hacker. In fact you clearly aren't a hacker. In fact you clearly know very little if anything about the hacking process or writing code. No one who does would suggest that having the source code does not help in exploiting the resulting binaries.
LOL!

Source code is a double-edged sword: you are going to miss out on any compiler code generator bugs if you focus on source code. If you look at both the source and binaries then a misleading comment could change how you perceive the binary.

The way it's talked about here is that source code makes it 100 times easier, when it's probably more like 10% easier. We don't even know how close it is to the released binary.

There are plenty of tools for analyzing binaries that can get a lot of the benefits of having source code.
 

bbsan2k

Source code is a double-edged sword: you are going to miss out on any compiler code generator bugs if you focus on source code. If you look at both the source and binaries then a misleading comment could change how you perceive the binary.

The way it's talked about here is that source code makes it 100 times easier, when it's probably more like 10% easier. We don't even know how close it is to the released binary.

There are plenty of tools for analyzing binaries that can get a lot of the benefits of having source code.
Actually there are also many static code analysis tools. Without having a look at the code I'm pretty sure though they did have something up and running to cover those issues.

Also I'm pretty sure after the Fusée Gelée debacle they had someone check for stuff like out of bounds or read after free.
 

smf

Also I'm pretty sure after the Fusée Gelée debacle they had someone check for stuff like out of bounds or read after free.

Right, anything obvious in the source code should really have been picked up in their audit.

It's very unlikely there will be anything in the source that will lead to an exploit that can't be found just as easily without the source code (and that is if there are any exploits possible at all).

The Wii strcmp, PS3 non-random number & Switch use-after-free are mistakes that I doubt we will ever see repeated.
 

bbsan2k

Right, anything obvious in the source code should really have been picked up in their audit.

It's very unlikely there will be anything in the source that will lead to an exploit that can't be found just as easily without the source code (and that is if there are any exploits possible at all).

The Wii strcmp and PS3 non-random number are mistakes that I doubt we will ever see repeated.

Also I guess the whole compiler toolchain, types etc is playing a huge part in whether or not there may be an additional bug.

Also keep in mind that Nvidia normally supports their customers very well and they caught up with recent development concepts in the last couple of years.
 

smf

Also I guess the whole compiler toolchain, types etc is playing a huge part in whether or not there may be an additional bug.

Yeah, compiler bugs or unusual types (like char being unsigned by default) could allow someone writing the code to think it's secure but it's not. But then you will suffer the same problem when looking at the source.
 

FAST6191

The Wii strcmp, PS3 non-random number & Switch use-after-free are mistakes that I doubt we will ever see repeated.

While I would not be surprised at all to find them doing proper code tests nowadays, it was not exactly still the dark ages of computing that those all happened in, and weaknesses in consoles were known beforehand:
https://www.kapravelos.com/teaching/csc574-f16/readings/xbox-security.pdf
That being the original xbox rather than those later devices.

Also Nintendo, who for 3DS Pokémon would broadcast in plaintext, prior to confirmation/lock-in, the Pokémon the opposing player picked.

As I linked the security presentation I am also obliged to link https://nostarch.com/xboxfree for the curious. The downloadable copy of Bunnie's (as in the guy responsible for some of the biggest breakthroughs for the Xbox) Hacking the Xbox got released for free and is well worth a read for aspiring and seasoned hardware hackers alike.
 

Jayro

Imagine having to attend a hacker convention to hear about how your hardware you designed was getting hacked, to try and block those hacks, but you can't because you left in a backdoor. And then you're still stupid enough to leave a backdoor again on the next system that followed. Nintendo, you a dumb bitch.
 

ZachyCatGames

Imagine having to attend a hacker convention to hear about how your hardware you designed was getting hacked, to try and block those hacks, but you can't because you left in a backdoor. And then you're still stupid enough to leave a backdoor again on the next system that followed. Nintendo, you a dumb bitch.
They’re not stupid for including a recovery mode. RCM does check for a signature and will reject any payloads that don’t have a valid signature.
The hax is Nvidia being a galaxy brain and not having a size check in a place they should have in their bootrom USB2 stack.
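Added example (editor's illustration, not code from the leak, from NVIDIA, or from anyone in this thread) of the two points raised above: smf's remark that a length check written with `char` can read as correct in source and still be wrong depending on whether `char` is signed, and the missing size check on a length field described in this post. The packet layout, `DST_SIZE`, the `plan_*` function names and the sample packets are all constructed for the illustration; nothing here models any real USB stack. Plain `char` is signed on x86 and unsigned under the usual ARM ABIs, so the "plain char" variant is the one that silently changes meaning between a developer's host compiler and the target.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size destination the handler copies a request payload into. */
#define DST_SIZE 64u

/* What a handler decides about a request: whether it would accept it, and
 * how many bytes it would then hand to memcpy(). */
typedef struct {
    int    accepted;
    size_t n;
} plan_t;

/* Constructed packet layout (hypothetical, not any real USB stack):
 *   pkt[0] = request type, pkt[1] = claimed payload length, pkt[2..] = payload.
 * The length byte arrives from the other end of the link, so it is untrusted. */
static const uint8_t SAMPLE_BENIGN[2 + 16]   = { 0x01, 16 };
static const uint8_t SAMPLE_HOSTILE[2 + 200] = { 0x01, 200 };  /* 200 = 0xC8 */

/* Variant 1: no check at all, the missing-size-check class of bug. */
plan_t plan_unchecked(const uint8_t *pkt) {
    plan_t p = { 1, pkt[1] };
    return p;
}

/* Variant 2: check written with `signed char`. It reads as correct, but a
 * length byte of 0x80 or above becomes negative, passes the `len > DST_SIZE`
 * test, and is then widened to an enormous size_t. */
plan_t plan_signed_char(const uint8_t *pkt) {
    signed char len = (signed char)pkt[1];
    plan_t p = { 0, 0 };
    if (len > (signed char)DST_SIZE)   /* a negative len never fails this */
        return p;
    p.accepted = 1;
    p.n = (size_t)len;                 /* -56 becomes SIZE_MAX - 55 */
    return p;
}

/* Variant 3: the same source with `unsigned char`. Now the check is sound,
 * which is why code only ever built where char is unsigned can look fine
 * and still be wrong under another compiler. */
plan_t plan_unsigned_char(const uint8_t *pkt) {
    unsigned char len = pkt[1];
    plan_t p = { 0, 0 };
    if (len > DST_SIZE)
        return p;
    p.accepted = 1;
    p.n = len;
    return p;
}

/* Variant 4: plain `char`, whose signedness is implementation-defined, so
 * this behaves like variant 2 or variant 3 depending on the toolchain. */
plan_t plan_plain_char(const uint8_t *pkt) {
    char len = (char)pkt[1];
    plan_t p = { 0, 0 };
    if (len > (char)DST_SIZE)
        return p;
    p.accepted = 1;
    p.n = (size_t)len;
    return p;
}

/* Variant 5: hardened. The byte is widened to size_t from an explicitly
 * unsigned type before any comparison and checked against the real
 * destination size, so the copy can never exceed DST_SIZE on any platform. */
plan_t plan_hardened(const uint8_t *pkt) {
    size_t len = (size_t)pkt[1];       /* uint8_t -> size_t, never negative */
    plan_t p = { 0, 0 };
    if (len > DST_SIZE)
        return p;
    p.accepted = 1;
    p.n = len;
    return p;
}

/* Performs the copy only when the plan fits; returns 1 on copy, 0 when the
 * plan was rejected or would have overflowed dst. */
int copy_if_safe(uint8_t *dst, const uint8_t *pkt, plan_t p) {
    if (!p.accepted || p.n > DST_SIZE)
        return 0;
    memcpy(dst, pkt + 2, p.n);
    return 1;
}

int main(void) {
    plan_t (*planners[])(const uint8_t *) = { plan_unchecked, plan_signed_char,
        plan_unsigned_char, plan_plain_char, plan_hardened };
    const char *names[] = { "unchecked", "signed char", "unsigned char",
        "plain char", "hardened" };
    uint8_t dst[DST_SIZE];
    for (size_t i = 0; i < 5; i++) {
        plan_t b = planners[i](SAMPLE_BENIGN), h = planners[i](SAMPLE_HOSTILE);
        printf("%-14s benign: accepted=%d n=%zu | hostile: accepted=%d n=%zu overflow=%s\n",
               names[i], b.accepted, b.n, h.accepted, h.n,
               (h.accepted && h.n > DST_SIZE) ? "yes" : "no");
    }
    printf("hardened copy of benign packet: %d\n",
           copy_if_safe(dst, SAMPLE_BENIGN, plan_hardened(SAMPLE_BENIGN)));
    return 0;
}
```

The planners only report what a handler would do, and `copy_if_safe` refuses anything over `DST_SIZE`, so the hostile packet can be run through every variant without actually corrupting memory; the point is that variants 2 and 4 accept it while reading, line for line, like variant 3.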
 

smf

While I would not be surprised at all to find them doing proper code tests nowadays, it was not exactly still the dark ages of computing that those all happened in,

The Wii & PS3 practically were the dark ages; the GameCube & PS2 relied purely on obscure optical disc schemes.

Nvidia dropped the ball with tegra security for sure though.
 

FAST6191

The Wii & PS3 practically were the dark ages; the GameCube & PS2 relied purely on obscure optical disc schemes.
That was my point.

If it was like the early internet where people were going on without firewalls, full services enabled... and seeing what we saw then, that would be one thing. If however I look at what was being done to protect then-contemporary, and even generations before, PC operating systems, PC games (even PS1 games in some cases -- that Spyro stuff speaks to some considerable sophistication back in 1999 https://www.gamasutra.com/view/feature/131439/keeping_the_pirates_at_bay.php ), and things like bank cash machines (if we must assume that embedded systems are a different world to the PC, despite all the same programmers coming from all the same places with all the same qualifications), it is not like the need for robust checks, vetting of security pathways and anything else you or I might employ in such a scenario was not known, to mean we are only likely to fall to something truly esoteric or from the hardware side channel attack front.
Even if they had done the moron military development route of fight the battle you fought before rather than the one coming at you now then most of those should not have happened.
 

TheZander

I thought Mariko was hacked already. That's the one that patched the Fusée Gelée exploit? Then there is the Switch Lite and that makes 3 Switch versions as of now, right?
 

smf

guys in simple English, will this leak make it possible to have CFW on a switch Lite without a modchip?

I've not downloaded it, but the Mariko bootrom source is probably not going to help much.

If it contained the private signing keys then things become interesting.
 
