Hacking Boot security of the Nintendo Switch probably finally cracked

thishidden

New Member
OP
Newbie
Joined
May 14, 2018
Messages
4
Trophies
0
XP
172
Country
Germany
A team of hackers probably has irreparable access to the security chip of the Nintendo Switch. The root keys can also be routed out.

Several hackers and developers seem to have finally cracked the hardware security of the Nintendo Switch and thus also the security of the Nvidia SoC called Tegra X1, which serves as the basis of the console. Already in 2018, it was possible to bypass the protection of the boot ROM used via a quite trivial bug. However, even the clever patch for this problem from Nvidia and Nintendo seems to be completely overcome now.


The problem with the first hack three years ago was that the boot ROM chip cannot be patched easily. The corresponding vulnerable commands are hardcoded, so a patch against the attacks seemed rather unlikely in devices that were already sold at the time. And already before, it was possible to execute own code on the Switch and even read the console's keys.

However, as Switch hacker Plutooo now writes, a "clever guy" had pointed out a separate security chip to the manufacturers, which is present on the X1 and had not been used until then. With the 6.2.0 update for the Switch firmware, Nintendo then actually made use of it and completely revamped the startup process with the help of this chip called TSEC.

"Nintendo apparently did the impossible: A) got its secure boot back and B) introduced new key material." So the old hack was worthless with the new firmware. Unsurprisingly, the Switch hackers then turned their attention to the TSEC chip and continued to find numerous bugs, which now just probably cannot be changed for all devices sold with the chip so far. And probably not even for new devices without a major hardware revision.
As Plutooo itself writes, it does not exploit these vulnerabilities in its current attack. Rather, the hacker is once again able to influence the information flow on the chip. Already in 2017, those involved used so-called glitching to read the keys.

In a document now published on Github, Plutooo writes that a similar attack is now also possible for the Switch, as it was already demonstrated for the Playstation Vita. This is the so-called differential fault attack on the AES keys themselves. Plutooo writes: "If you get 1-2 bitflips in the last two rounds (of AES, editor's note), you can resolve after the key."

It goes on to say, "I just collected a few thousand samples of corrupted AES samples, (...) and all the keys fell out". As proof, Plutooo has published the SHA256 hash values of all 64 key registers of the TSEC chip that secures the boot process. In particular, the following keys are also said to be in there: the signature key as well as the encryption key for TSEC code itself, and also Nintendo's OEM key.

However, the access to the important keys is probably also possible via a pure software attack, which does not require the relatively complex glitching.


Nvidia's TSEC chip completely hacked
So, more or less independently of these glitch attempts, the hackers Hexkyz and SciresM have taken on the TSEC chip with a lot of support from other developers such as the Nouveau team, which writes free Linux graphics drivers for Nvidia GPUs. The TSEC chip, in turn, consists of a Falcon chip, which Nvidia uses extensively in its GPUs, and another security chip called SCP, which handles cryptographic operations.

The very detailed blog post describes the chips, their functions and their interaction in detail. In addition, the team also addresses numerous security vulnerabilities in the firmware of this system, which has been an integral part of the switch boot since firmware version 6.2.0.

Through a chain of several gaps and thanks to an extreme amount of reverse engineering of the cryptosystem's functionality, the team finally managed to obtain the signature key for Nvidia's TSEC without glitching. As the blog post states, the team managed to use direct memory accesses to overwrite part of the stack, which also contains the return address for page probing. An ROP attack eventually leads to the part of the chip ROM that compares signatures, it said. A compare operation where two registers and the signature are all zeros eventually leads to access to the heavy secure mode.

The attack could be further improved to execute arbitrary custom code with the signature in the so-called heavy secure mode of the TSEC chip. This completely breaks the TSEC's security model, the hackers write.

Translated with Deepl

Source:
golem.de/news/nvidia-falcon-boot-security-der-nintendo-switch-wohl-endgueltig-geknackt-2111-161324.html
 

ber71

Well-Known Member
Member
Joined
Apr 24, 2019
Messages
574
Trophies
0
Age
59
XP
2,533
Country
Spain
While this might lead to a coldboot cfw, it seems to be restricted to already vulnerable consoles (fusegelee or modchip),

 

Zajumino

Well-Known Member
Member
Joined
Aug 1, 2020
Messages
153
Trophies
0
Age
24
XP
937
Country
United States
Care to explain? I thought glitching is what the modchips do. In the article, they contrasted it with a pure software attack, which is why I was under the impression that it replaced some uses of a modchip.

In particular, can you tell me what the TSEC does? They don't cover this stuff in school.
 
Last edited by Zajumino,

peteruk

Well-Known Member
Member
Joined
Jun 26, 2015
Messages
3,007
Trophies
2
XP
7,420
Country
United Kingdom
Read the blog posts from hexkyz and SciresM last friday evening and found it fascinating, but didn't think it would lead to cold boot across the board as the op of this thread seems to suggest.

It would be pretty wonderful for us OLED owners to get in on the HomeBrew fun without the need for a chip but ZachyCat says this is a no go and Milenko, well Milenko just laughs :rofl2:
 

ZachyCatGames

Well-Known Member
Member
Joined
Jun 19, 2018
Messages
3,398
Trophies
1
Location
Hell
XP
4,210
Country
United States
Care to explain? I thought glitching is what the modchips do. In the article, they contrasted it with a pure software attack, which is why I was under the impression that it replaced some uses of a modchip.

In particular, can you tell me what the TSEC does? They don't cover this stuff in school.
It's the security coprocessor they use for keygeneration on newer firms and some video drm shit.
The main point of attacking it is to obtain information from what I can tell, being able to do whatever with it doesn't allow anything special on modern firmwares.

(edit: and to be clear, this is really cool stuff, it just doesn't enable anything new for regular end users)
 
  • Like
Reactions: gh0stess

Mikemk

Well-Known Member
Member
Joined
Mar 26, 2015
Messages
2,093
Trophies
1
Age
28
XP
3,161
Country
United States
Care to explain? I thought glitching is what the modchips do. In the article, they contrasted it with a pure software attack, which is why I was under the impression that it replaced some uses of a modchip.
To execute a software attack, you need to be able to execute software. Need a modchip or RCM or at least 2 more exploits which would be easily patchable.
 

NuadaXXX

Well-Known Member
Member
Joined
Apr 7, 2016
Messages
140
Trophies
0
Location
NIRVANA
XP
791
Country
Gambia, The
i think a ban safe cfw should be possible, if u use only legit cert of curse

Theoretical, horizon can be modded and send "Fake clean data" like a spoof
 
Last edited by NuadaXXX,

Site & Scene News

Popular threads in this forum

General chit-chat
Help Users
  • BakerMan @ BakerMan:
    we're cooked, possibly literally
  • BakerMan @ BakerMan:
    if you have a habitable basement, the heat shouldn't be down there and that's where you should hang out
  • Sicklyboy @ Sicklyboy:
    No, but, the air conditioner in my living room gets fuckin icy
  • Sicklyboy @ Sicklyboy:
    In a good way, not as in a "my coils are freezing" kind of way
  • K3Nv2 @ K3Nv2:
    Not everyone lives in theirs mom's basement gosh
  • BakerMan @ BakerMan:
    nah, my mom's basement is just for the weekends to check in on the family
  • BakerMan @ BakerMan:
    i usually live in your mom's basement
    +1
  • BakerMan @ BakerMan:
    saves a lot of time fr
  • Sicklyboy @ Sicklyboy:
    It's 11:30 PM here, I just took the trash out and my god is it awful outside
  • Sicklyboy @ Sicklyboy:
    This heatwave can eat my ass
    +3
  • MysticStarlight @ MysticStarlight:
    omg same, it's VERY hot here, too
  • BakerMan @ BakerMan:
    fuck this heatwave, i don't usually sleep with a fan, but i believe the fan is getting put on the bed rather than beside it
  • BakerMan @ BakerMan:
    IT'S 12:30 IN THE FUCKING MORNING AND IT'S STILL 78°, WHAT THE FUCK?
    +1
  • NinStar @ NinStar:
    78º seems abnormal for any part of the day
  • BigOnYa @ BigOnYa:
    Yea it was 96 F for the high, 78 F for the low today, in Ohio, bout same for bakerman in Michigan
  • BigOnYa @ BigOnYa:
    F- fahrenheit C-Celsius. We in USA use F as our temp ratings
  • Sicklyboy @ Sicklyboy:
    F = Freedom units
    +2
  • HiradeGirl @ HiradeGirl:
    So... C = Cum units?
    +1
  • K3Nv2 @ K3Nv2:
    Clip units
  • SylverReZ @ SylverReZ:
    @HiradeGirl, That's how they get bigger loans at the bank.
    +1
  • HiradeGirl @ HiradeGirl:
    Welp.
    HiradeGirl @ HiradeGirl: Welp.