jamais vu - a 1.0.0 TrustZone Code Execution Exploit for Nintendo Switch

Discussion in 'GBAtemp & Scene News' started by Scarlet, Jan 20, 2018.

Thread Status:
Not open for further replies.

    13,235

    0
    Front-page
    SwitchS.
    A joint effort of ReSwitched developer SciresM and motezazer, jamais vu (French for "never seen") allows for code execution at the highest possible privilege level on the Nintendo Switch. Quoting from the writeup on Reddit, practical applications include:
    • On 1.0.0, code execution at the highest possible privilege level. TrustZone is only responsible for cryptography, but because jamais vu results in our controlling the entire contents of TZRAM when the system is booting back up, we're in an ideal position to "reboot" into our own, patched version of the OS.
    • We can dump keys from "write-only" keyslots. Nintendo's cryptosystem relies on TrustZone receiving only two keys: a shared master key, and a console-unique device key. Newer firmwares can change the master keywhen a fuse is burnt, but we can dump the 1.0.0 master key and our console's device key and perform all encryption a 1.0.0 to 2.3.0 console knows how to do at runtime on our PCs.
    • We've peeled back another layer of security, and can analyze and understand Nintendo's cryptosystem. That's the real victory :)
    You can find the writeup below, as well as the ongoing discussions on GBAtemp.

    :arrow: Source
    :arrow: Ongoing Discussion
     
    CatmanFan, nkdx, jt_1258 and 45 others like this.
Loading...
Thread Status:
Not open for further replies.