1. MiguelinCrafter

    OP MiguelinCrafter Halt!
    Member

    Joined:
    Jan 8, 2015
    Messages:
    225
    Country:
    United States
    I'd like to know how it worked in the first place and what they did to fix it.

    I'd also like to know how SX's chip works. What is it doing to the Switch?

    And is there hope for an exploit similar to the RCM exploit in the future? I'm guessing the answer is no, but I'll ask anyway.

    If anyone has research documents, it'd be nice to have them, or if someone can provide a very technical explanation, that'd be nice too.
     
    Last edited by MiguelinCrafter, Aug 10, 2020 - Reason: More typos
    cearp likes this.
  2. cearp

    cearp 瓜老外
    Developer

    Joined:
    May 26, 2008
    Messages:
    8,324
    Country:
    Tuvalu
    MiguelinCrafter and nero99 like this.
  3. MiguelinCrafter

    OP MiguelinCrafter Halt!
    Member

    Joined:
    Jan 8, 2015
    Messages:
    225
    Country:
    United States
    cearp likes this.
  4. thla

    thla Member
    Newcomer

    Joined:
    Jul 30, 2017
    Messages:
    36
    Country:
    Denmark
    For the first question, read up on this article and its sources:
    https://arstechnica.com/gaming/2018...makes-every-current-nintendo-switch-hackable/

    Basically, on the T210 (original Tegra) they revised a fix for it and updated the bootrom, but that can only be done at the factory, so that's why every version prior to the fix will always be vulnerable. With the T214 (Mariko) they had just fixed it from the beginning.

    For the second question, I haven't followed, but I think the general consensus is that they use glitching, which is a form of fault injection in a physical manner. The idea is that if you can control these faults precisely enough and know when to do it, you can affect execution in a way that may, for example, prevent the CPU's security features from being set during boot.

    For the last question, I think it would be unlikely to happen because it appears the root cause is fixed, so they would need to have done a poor job of patching it or have several ways to get data from USB, which seems unlikely.
     
  5. smf

    smf GBAtemp Psycho!
    Member

    Joined:
    Feb 23, 2009
    Messages:
    3,982
    Country:
    United Kingdom
    The write-up is available here.

    https://web.archive.org/web/20191204111041/https://misc.ktemkin.com/fusee_gelee_nvidia.pdf

    I haven't seen the exact fix, but there is a proposed fix in the PDF which gives a rough idea.

    My understanding is that it's a new set of ipatches, so chips already in Nintendo inventory wouldn't have to be thrown away. But as far as we know, applying ipatches is a one-time thing (otherwise it would be possible to downgrade to an earlier set).

    I do hope someone reverse engineers it eventually. I assumed it was something simple like skipping over a branch when a signature check fails. My understanding is they had this exploit before Fusée Gelée, but held onto it and switched to Fusée Gelée rather than burning their own prematurely, which is 100% the right thing to do.
     
    Last edited by smf, Aug 10, 2020
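As an added illustration of the "skipping over a branch when a signature check fails" point discussed above (not code from this thread, nor from any real bootrom): a hypothetical secure-boot decision written the naive way beside a fault-tolerant form, with a glitch modelled as one skipped check. The signature check, the `SIG_OK`/`SIG_BAD` constants and the sample signatures are all constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Wide, non-trivial pass/fail values: a single bit flip or a zeroed
 * register cannot turn BAD into OK the way it can with 0/1. */
#define SIG_OK  0x5A3C96A5u
#define SIG_BAD 0xA5C3695Au

/* Constructed sample inputs: GOOD_SIG matches the expected bytes. */
const uint8_t GOOD_SIG[4] = {0xDE, 0xAD, 0xBE, 0xEF};
const uint8_t BAD_SIG[4]  = {0x00, 0x00, 0x00, 0x00};

/* Placeholder for a real RSA/ECDSA verification: here a 4-byte compare. */
static uint32_t verify_signature(const uint8_t *sig) {
    static const uint8_t expected[4] = {0xDE, 0xAD, 0xBE, 0xEF};
    return memcmp(sig, expected, 4) == 0 ? SIG_OK : SIG_BAD;
}

/* Fault model: 'skip' names one conditional branch that a glitch causes
 * the CPU to fall through (0 = no fault). This is how the demo stands in
 * for a voltage or clock glitch; it is not a real fault injector. */

/* Naive: one decision point. Skipping that single branch (skip = 1)
 * boots an unsigned image. */
int naive_boot_allowed(const uint8_t *sig, int skip) {
    if (skip != 1 && verify_signature(sig) != SIG_OK)
        return 0;
    return 1;
}

/* Hardened: the verification runs twice into volatile storage and three
 * independent decisions must all agree. Any single skipped branch
 * (skip = 1, 2 or 3) still leaves a check that rejects a bad signature.
 * Real designs add random delays and hardware glitch detectors on top. */
int hardened_boot_allowed(const uint8_t *sig, int skip) {
    volatile uint32_t r1 = verify_signature(sig);
    volatile uint32_t r2 = verify_signature(sig);
    if (skip != 1 && r1 != SIG_OK)            return 0;
    if (skip != 2 && r2 != SIG_OK)            return 0;
    if (skip != 3 && (r1 ^ SIG_OK) != 0)      return 0;
    return 1;
}
```

The naive form fails closed only as long as every instruction executes; the hardened form needs two well-timed faults to be defeated, which is the cost increase these countermeasures aim for.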