A team of hackers probably has irreparable access to the security chip of the Nintendo Switch. The root keys can also be routed out.
Several hackers and developers seem to have finally cracked the hardware security of the Nintendo Switch and thus also the security of the Nvidia SoC called Tegra X1, which serves as the basis of the console. Already in 2018, it was possible to bypass the protection of the boot ROM used via a quite trivial bug. However, even the clever patch for this problem from Nvidia and Nintendo seems to be completely overcome now.
The problem with the first hack three years ago was that the boot ROM chip cannot be patched easily. The corresponding vulnerable commands are hardcoded, so a patch against the attacks seemed rather unlikely in devices that were already sold at the time. And already before, it was possible to execute own code on the Switch and even read the console's keys.
However, as Switch hacker Plutooo now writes, a "clever guy" had pointed out a separate security chip to the manufacturers, which is present on the X1 and had not been used until then. With the 6.2.0 update for the Switch firmware, Nintendo then actually made use of it and completely revamped the startup process with the help of this chip called TSEC.
"Nintendo apparently did the impossible: A) got its secure boot back and B) introduced new key material." So the old hack was worthless with the new firmware. Unsurprisingly, the Switch hackers then turned their attention to the TSEC chip and continued to find numerous bugs, which now just probably cannot be changed for all devices sold with the chip so far. And probably not even for new devices without a major hardware revision.
As Plutooo itself writes, it does not exploit these vulnerabilities in its current attack. Rather, the hacker is once again able to influence the information flow on the chip. Already in 2017, those involved used so-called glitching to read the keys.
In a document now published on Github, Plutooo writes that a similar attack is now also possible for the Switch, as it was already demonstrated for the Playstation Vita. This is the so-called differential fault attack on the AES keys themselves. Plutooo writes: "If you get 1-2 bitflips in the last two rounds (of AES, editor's note), you can resolve after the key."
It goes on to say, "I just collected a few thousand samples of corrupted AES samples, (...) and all the keys fell out". As proof, Plutooo has published the SHA256 hash values of all 64 key registers of the TSEC chip that secures the boot process. In particular, the following keys are also said to be in there: the signature key as well as the encryption key for TSEC code itself, and also Nintendo's OEM key.
However, the access to the important keys is probably also possible via a pure software attack, which does not require the relatively complex glitching.
Nvidia's TSEC chip completely hacked
So, more or less independently of these glitch attempts, the hackers Hexkyz and SciresM have taken on the TSEC chip with a lot of support from other developers such as the Nouveau team, which writes free Linux graphics drivers for Nvidia GPUs. The TSEC chip, in turn, consists of a Falcon chip, which Nvidia uses extensively in its GPUs, and another security chip called SCP, which handles cryptographic operations.
The very detailed blog post describes the chips, their functions and their interaction in detail. In addition, the team also addresses numerous security vulnerabilities in the firmware of this system, which has been an integral part of the switch boot since firmware version 6.2.0.
Through a chain of several gaps and thanks to an extreme amount of reverse engineering of the cryptosystem's functionality, the team finally managed to obtain the signature key for Nvidia's TSEC without glitching. As the blog post states, the team managed to use direct memory accesses to overwrite part of the stack, which also contains the return address for page probing. An ROP attack eventually leads to the part of the chip ROM that compares signatures, it said. A compare operation where two registers and the signature are all zeros eventually leads to access to the heavy secure mode.
The attack could be further improved to execute arbitrary custom code with the signature in the so-called heavy secure mode of the TSEC chip. This completely breaks the TSEC's security model, the hackers write.
Translated with Deepl
Source:
golem.de/news/nvidia-falcon-boot-security-der-nintendo-switch-wohl-endgueltig-geknackt-2111-161324.html
Several hackers and developers seem to have finally cracked the hardware security of the Nintendo Switch and thus also the security of the Nvidia SoC called Tegra X1, which serves as the basis of the console. Already in 2018, it was possible to bypass the protection of the boot ROM used via a quite trivial bug. However, even the clever patch for this problem from Nvidia and Nintendo seems to be completely overcome now.
The problem with the first hack three years ago was that the boot ROM chip cannot be patched easily. The corresponding vulnerable commands are hardcoded, so a patch against the attacks seemed rather unlikely in devices that were already sold at the time. And already before, it was possible to execute own code on the Switch and even read the console's keys.
However, as Switch hacker Plutooo now writes, a "clever guy" had pointed out a separate security chip to the manufacturers, which is present on the X1 and had not been used until then. With the 6.2.0 update for the Switch firmware, Nintendo then actually made use of it and completely revamped the startup process with the help of this chip called TSEC.
"Nintendo apparently did the impossible: A) got its secure boot back and B) introduced new key material." So the old hack was worthless with the new firmware. Unsurprisingly, the Switch hackers then turned their attention to the TSEC chip and continued to find numerous bugs, which now just probably cannot be changed for all devices sold with the chip so far. And probably not even for new devices without a major hardware revision.
As Plutooo itself writes, it does not exploit these vulnerabilities in its current attack. Rather, the hacker is once again able to influence the information flow on the chip. Already in 2017, those involved used so-called glitching to read the keys.
In a document now published on Github, Plutooo writes that a similar attack is now also possible for the Switch, as it was already demonstrated for the Playstation Vita. This is the so-called differential fault attack on the AES keys themselves. Plutooo writes: "If you get 1-2 bitflips in the last two rounds (of AES, editor's note), you can resolve after the key."
It goes on to say, "I just collected a few thousand samples of corrupted AES samples, (...) and all the keys fell out". As proof, Plutooo has published the SHA256 hash values of all 64 key registers of the TSEC chip that secures the boot process. In particular, the following keys are also said to be in there: the signature key as well as the encryption key for TSEC code itself, and also Nintendo's OEM key.
However, the access to the important keys is probably also possible via a pure software attack, which does not require the relatively complex glitching.
Nvidia's TSEC chip completely hacked
So, more or less independently of these glitch attempts, the hackers Hexkyz and SciresM have taken on the TSEC chip with a lot of support from other developers such as the Nouveau team, which writes free Linux graphics drivers for Nvidia GPUs. The TSEC chip, in turn, consists of a Falcon chip, which Nvidia uses extensively in its GPUs, and another security chip called SCP, which handles cryptographic operations.
The very detailed blog post describes the chips, their functions and their interaction in detail. In addition, the team also addresses numerous security vulnerabilities in the firmware of this system, which has been an integral part of the switch boot since firmware version 6.2.0.
Through a chain of several gaps and thanks to an extreme amount of reverse engineering of the cryptosystem's functionality, the team finally managed to obtain the signature key for Nvidia's TSEC without glitching. As the blog post states, the team managed to use direct memory accesses to overwrite part of the stack, which also contains the return address for page probing. An ROP attack eventually leads to the part of the chip ROM that compares signatures, it said. A compare operation where two registers and the signature are all zeros eventually leads to access to the heavy secure mode.
The attack could be further improved to execute arbitrary custom code with the signature in the so-called heavy secure mode of the TSEC chip. This completely breaks the TSEC's security model, the hackers write.
Translated with Deepl
Source:
golem.de/news/nvidia-falcon-boot-security-der-nintendo-switch-wohl-endgueltig-geknackt-2111-161324.html
