Coldboot Exploit for Tegra Devices Disclosed (NINTENDO SWITCH IS NOT VULNERABLE)

[Essasetic]

There is currently a coldboot exploit out in the wild for devices for devices that have the line of Nvidia Tegra Processors.

​

The vulnerability was disclosed by Twitter and GitHub user "@balika011" after Nvidia has weirdly ignored the bug since it's discovery in March.

The bug works by:

After checking the magic in the header, the nvtboot reads the entire TBC partition (size stored in the GPT) where LoadAddressInsecure points to. If that points to nvtboot in the memory, it's possible to overwrite it, leading to unsigned code execution on the BPMP. This can be used to load the rest of the bootchain without checking the signatures.

So devices that are vulnerable are the ones that nvtboot (like the Nvidia Shield Android TV). Unfortunately, the Nintendo Switch does not have nvtboot thus it is not vulnerable to the bug.

Still a very interesting case of NVIDIA ignoring a bug.

Source: https://github.com/balika011/selfblow

 

[Essasetic]

Ack. Spelling error in the title. Can a mod/admin fix the mispelling of "vulnerable" please? Thanks!

EDIT: Thank you.

 

[PRAGMA]

Saw this on twitter, Got my hopes up haha.
Still, very good news for Shield TV owners

 

[Deleted User]

Still a very interesting case of NVIDIA ignoring a bug.

It would be more accurate to “say overlooking a bug”. I don’t think NVIDIA noticed this bug and ignored it.

 

[AbyssalMonkey]

It would be more accurate to “say overlooking a bug”. I don’t think NVIDIA noticed this bug and ignored it.

Typically people alert companies under responsible disclosure to give the company time to fix the exploit. They then reveal it afterwards to announce to the public that their devices are vulnerable.

It's almost certain that NVidia ignored it or it got buried in emails.

 

[ganons]

Saw this on twitter, Got my hopes up haha.
Still, very good news for Shield TV owners

How would they exactly benefit? You can already do everything on shield TV without any hax anyway.

 

[reminon]

How would they exactly benefit? You can already do everything on shield TV without any hax anyway.

Custom open source bootloaders? It destroys secureboot. Right now if an update screws everything up we are stuck with the new update with no way to properly downgrade. Especially if it messes up custom recoveries "twrp" like Nvidia has been known to do in the past.

A custom bootloader could allow us to boot from other mediums like USB. Allow us to properly load linux. Take full control of the device without having to worry about efuses having us stuck in PROD mode. All of that and more, not to mention its coldboot instead of having to rely on shofel2 or fusee.

 

[chrisrlink]

nintendo mustve known why else would they not use it even on a tegra device such as the switch?

 

[reminon]

nintendo mustve known why else would they not use it even on a tegra device such as the switch?

I think it's more along the line of the switch's custom bootloader, which is completely different than nvboot " the bootloader used in other tegra devices".

They chose to use a proprietary bootloader tailored for the switch for security, and they wouldn't need any or all of the nvboot features.