Hacking Question How did Nintendo patch the RCM exploit?

Joined
Jan 8, 2015
Messages
227
Trophies
0
Location
Ready? GO!
XP
326
Country
United States
I'd like to know how it worked in the first place and what they did to fix it

I'd also like to know how SX's chip works, what is it doing to the Switch?

And is there hope for an exploit similar to the RCM exploit in the future? I'm guessing the answer is no but I'll ask anyway

If anyone has research documents it'd be nice to have them or if someone can provide a very technical explanation that'd be nice too
 
Last edited by MiguelinCrafter, , Reason: More typos
  • Like
Reactions: cearp

thla

Active Member
Newcomer
Joined
Jul 30, 2017
Messages
36
Trophies
0
XP
647
Country
Denmark
For the first question, read up on this article and its sources:
https://arstechnica.com/gaming/2018...makes-every-current-nintendo-switch-hackable/

Basically, on the T210 (original Tegra) they revised a fix for it and updated the bootrom, but that can only be done at the factory, so that's why every version prior to the fix will always be vulnerable. With the T214 (Mariko) they had just fixed it from the beginning.

For the second question, I haven't followed, but I think the general consensus is that they use glitching which is a form of fault-injection in a physical manner, the idea is that if you can control these faults precise enough and know when to do it, you can affect execution in a way that may, for example, prevent the CPU's security features from being set during boot.

For the last question, I think it would be unlikely to happen because it appears the root cause is fixed, so they would need to have done a poor job of patching it or have several ways to get data from USB which seems unlikely.
 

smf

Well-Known Member
Member
Joined
Feb 23, 2009
Messages
5,208
Trophies
1
XP
3,791
Country
United Kingdom
I'd like to know how it worked in the first place and what they did to fix it

The write up is available here.

https://web.archive.org/web/20191204111041/https://misc.ktemkin.com/fusee_gelee_nvidia.pdf

I haven't seen the exact fix, but there is a proposed fix in the pdf which gives a rough idea.

Basically, on the T210 (original Tegra) they revised a fix for it and updated the bootrom,

My understanding is that it's a new set of ipatches, so chips already in nintendo inventory wouldn't have to be thrown away. But as far as we know, applying ipatches is a one time thing (otherwise it would be possible to downgrade to an earlier set).

the idea is that if you can control these faults precise enough and know when to do it, you can affect execution in a way that may, for example, prevent the CPU's security features from being set during boot.

I do hope someone reverse engineers it eventually. I assumed it was something simple like skipping over a branch when a signature check fails. My understanding is they had this exploit before fusee gelee, but held onto it and switched to fusee gelee rather than burning their own prematurely. Which is 100% the right thing to do.
 
Last edited by smf,

Diamedic

Member
Newcomer
Joined
Jun 27, 2018
Messages
12
Trophies
0
Age
34
XP
34
Country
United States
The easiest way to explain it would be. Every device phones etc have a recovery mode just incase you screw up the internal software or an update bricks your device for some reason . You or some worker at the company can then press a certain key combination like hold the power button and press left 2 times(something to that effect) then you can put in some code to fix your device. Well game consoles patch out recovery modules so that people don't use it to put in unauthorized code that can crack there console, Anyway Nintendo uses The NVidia Tegra chip That was used for other devices before being put into the switch. Since it was used for other devices it was bound to have a security flaw since it wasn't exclusively used by Nintendo products. Nintendo asked them to take out the recovery mode but NVidia did a suuuuper shitty job patching it out on a hardware level. You need an button extra button that the switch doesn't have to get into recovery mode. The function is hold Volume Up+Power+ ? button. Luckily you can emulate the ? button by shorting to pins in the right controller rail of the switch. Then bam you are in recovery mode and can put unauthorized code into the switch via recovery mode. It what crackers would call a back door. Now you have an exploit which is honestly the "easy" part. Then a bunch of awesome coders have a starting point to use custom written code to get access to the nand and kernel which is pretty much holds the systems security and permissions access and the Operating system. I am not entirely sure how the teamexecuter mode chip works though. My guess would be after Nintendo completely patched out the recovery mode(properly this time) Team Ex just wrote the recovery to a chip and piggy backed it onto the tega chip and switched around the boot access by soldering the nand chip to different parts of the board. Emulating the original recovery access of the v1 switches. Which I imagine was about difficult as hell. I hope this helped I tried to dumb it down the best I could.
 

ZachyCatGames

Well-Known Member
Member
Joined
Jun 19, 2018
Messages
3,250
Trophies
1
Location
Hell
XP
3,296
Country
United States
The easiest way to explain it would be. Every device phones etc have a recovery mode just incase you screw up the internal software or an update bricks your device for some reason . You or some worker at the company can then press a certain key combination like hold the power button and press left 2 times(something to that effect) then you can put in some code to fix your device. Well game consoles patch out recovery modules so that people don't use it to put in unauthorized code that can crack there console, Anyway Nintendo uses The NVidia Tegra chip That was used for other devices before being put into the switch. Since it was used for other devices it was bound to have a security flaw since it wasn't exclusively used by Nintendo products. Nintendo asked them to take out the recovery mode but NVidia did a suuuuper shitty job patching it out on a hardware level. You need an button extra button that the switch doesn't have to get into recovery mode. The function is hold Volume Up+Power+ ? button. Luckily you can emulate the ? button by shorting to pins in the right controller rail of the switch. Then bam you are in recovery mode and can put unauthorized code into the switch via recovery mode. It what crackers would call a back door. Now you have an exploit which is honestly the "easy" part. Then a bunch of awesome coders have a starting point to use custom written code to get access to the nand and kernel which is pretty much holds the systems security and permissions access and the Operating system. I am not entirely sure how the teamexecuter mode chip works though. My guess would be after Nintendo completely patched out the recovery mode(properly this time) Team Ex just wrote the recovery to a chip and piggy backed it onto the tega chip and switched around the boot access by soldering the nand chip to different parts of the board. Emulating the original recovery access of the v1 switches. Which I imagine was about difficult as hell. I hope this helped I tried to dumb it down the best I could.
That's not it at all.
RCM is intentionally enabled and N officially uses it at the factory and during repair, and it's suppose to be secured and does have signature checks, it's also still present and fully functional on Mariko and patched systems.
The issue is Nvidia's bootrom is shitty and the USB2 software stack has some copy operation has no limit on how much data can be copied, allowing one to overwrite some shit that they shouldn't be able to thus gaining arbitrary code execution.
This was fixed on Erista by switching the device to xUSB mode (which doesn't have the issue) via a fuse or the use of an irom patch that limits how much data can be copied, depending on when it was manufactured. Mariko always uses xUSB, so the flaw doesn't exist there.

The Gateway/TX modchip glitches the SoC during the bct signature check to trick the bootrom into thinking their own bct/bootloader is valid, it doesn't involve any recovery shit.
 
General chit-chat
Help Users
    kenenthk @ kenenthk: Very happy indeed thanks for asking