Hacking Question How did Nintendo patch the RCM exploit?

[MiguelinCrafter]

I'd like to know how it worked in the first place and what they did to fix it

I'd also like to know how SX's chip works, what is it doing to the Switch?

And is there hope for an exploit similar to the RCM exploit in the future? I'm guessing the answer is no but I'll ask anyway

If anyone has research documents it'd be nice to have them or if someone can provide a very technical explanation that'd be nice too

 

[cearp]

This page might help you do some research https://switchbrew.org/wiki/Switch_System_Flaws, but yeah I'm interested to hear/read more about it too

 

[MiguelinCrafter]

This page might help you do some research https://switchbrew.org/wiki/Switch_System_Flaws, but yeah I'm interested to hear/read more about it too

Thanks mate

 

[thla]

For the first question, read up on this article and its sources:
https://arstechnica.com/gaming/2018...makes-every-current-nintendo-switch-hackable/

Basically, on the T210 (original Tegra) they revised a fix for it and updated the bootrom, but that can only be done at the factory, so that's why every version prior to the fix will always be vulnerable. With the T214 (Mariko) they had just fixed it from the beginning.

For the second question, I haven't followed, but I think the general consensus is that they use glitching which is a form of fault-injection in a physical manner, the idea is that if you can control these faults precise enough and know when to do it, you can affect execution in a way that may, for example, prevent the CPU's security features from being set during boot.

For the last question, I think it would be unlikely to happen because it appears the root cause is fixed, so they would need to have done a poor job of patching it or have several ways to get data from USB which seems unlikely.

 

[smf]

I'd like to know how it worked in the first place and what they did to fix it

The write up is available here.

https://web.archive.org/web/20191204111041/https://misc.ktemkin.com/fusee_gelee_nvidia.pdf

I haven't seen the exact fix, but there is a proposed fix in the pdf which gives a rough idea.

Basically, on the T210 (original Tegra) they revised a fix for it and updated the bootrom,

My understanding is that it's a new set of ipatches, so chips already in nintendo inventory wouldn't have to be thrown away. But as far as we know, applying ipatches is a one time thing (otherwise it would be possible to downgrade to an earlier set).

the idea is that if you can control these faults precise enough and know when to do it, you can affect execution in a way that may, for example, prevent the CPU's security features from being set during boot.

I do hope someone reverse engineers it eventually. I assumed it was something simple like skipping over a branch when a signature check fails. My understanding is they had this exploit before fusee gelee, but held onto it and switched to fusee gelee rather than burning their own prematurely. Which is 100% the right thing to do.

 

[Diamedic]

The easiest way to explain it would be. Every device phones etc have a recovery mode just incase you screw up the internal software or an update bricks your device for some reason . You or some worker at the company can then press a certain key combination like hold the power button and press left 2 times(something to that effect) then you can put in some code to fix your device. Well game consoles patch out recovery modules so that people don't use it to put in unauthorized code that can crack there console, Anyway Nintendo uses The NVidia Tegra chip That was used for other devices before being put into the switch. Since it was used for other devices it was bound to have a security flaw since it wasn't exclusively used by Nintendo products. Nintendo asked them to take out the recovery mode but NVidia did a suuuuper shitty job patching it out on a hardware level. You need an button extra button that the switch doesn't have to get into recovery mode. The function is hold Volume Up+Power+ ? button. Luckily you can emulate the ? button by shorting to pins in the right controller rail of the switch. Then bam you are in recovery mode and can put unauthorized code into the switch via recovery mode. It what crackers would call a back door. Now you have an exploit which is honestly the "easy" part. Then a bunch of awesome coders have a starting point to use custom written code to get access to the nand and kernel which is pretty much holds the systems security and permissions access and the Operating system. I am not entirely sure how the teamexecuter mode chip works though. My guess would be after Nintendo completely patched out the recovery mode(properly this time) Team Ex just wrote the recovery to a chip and piggy backed it onto the tega chip and switched around the boot access by soldering the nand chip to different parts of the board. Emulating the original recovery access of the v1 switches. Which I imagine was about difficult as hell. I hope this helped I tried to dumb it down the best I could.

 

[ZachyCatGames]

The easiest way to explain it would be. Every device phones etc have a recovery mode just incase you screw up the internal software or an update bricks your device for some reason . You or some worker at the company can then press a certain key combination like hold the power button and press left 2 times(something to that effect) then you can put in some code to fix your device. Well game consoles patch out recovery modules so that people don't use it to put in unauthorized code that can crack there console, Anyway Nintendo uses The NVidia Tegra chip That was used for other devices before being put into the switch. Since it was used for other devices it was bound to have a security flaw since it wasn't exclusively used by Nintendo products. Nintendo asked them to take out the recovery mode but NVidia did a suuuuper shitty job patching it out on a hardware level. You need an button extra button that the switch doesn't have to get into recovery mode. The function is hold Volume Up+Power+ ? button. Luckily you can emulate the ? button by shorting to pins in the right controller rail of the switch. Then bam you are in recovery mode and can put unauthorized code into the switch via recovery mode. It what crackers would call a back door. Now you have an exploit which is honestly the "easy" part. Then a bunch of awesome coders have a starting point to use custom written code to get access to the nand and kernel which is pretty much holds the systems security and permissions access and the Operating system. I am not entirely sure how the teamexecuter mode chip works though. My guess would be after Nintendo completely patched out the recovery mode(properly this time) Team Ex just wrote the recovery to a chip and piggy backed it onto the tega chip and switched around the boot access by soldering the nand chip to different parts of the board. Emulating the original recovery access of the v1 switches. Which I imagine was about difficult as hell. I hope this helped I tried to dumb it down the best I could.

That's not it at all.
RCM is intentionally enabled and N officially uses it at the factory and during repair, and it's suppose to be secured and does have signature checks, it's also still present and fully functional on Mariko and patched systems.
The issue is Nvidia's bootrom is shitty and the USB2 software stack has some copy operation has no limit on how much data can be copied, allowing one to overwrite some shit that they shouldn't be able to thus gaining arbitrary code execution.
This was fixed on Erista by switching the device to xUSB mode (which doesn't have the issue) via a fuse or the use of an irom patch that limits how much data can be copied, depending on when it was manufactured. Mariko always uses xUSB, so the flaw doesn't exist there.

The Gateway/TX modchip glitches the SoC during the bct signature check to trick the bootrom into thinking their own bct/bootloader is valid, it doesn't involve any recovery shit.