jamais vu - a 1.0.0 TrustZone Code Execution Exploit for Nintendo Switch
- On 1.0.0, code execution at the highest possible privilege level. TrustZone is only responsible for cryptography, but because jamais vu results in our controlling the entire contents of TZRAM when the system is booting back up, we're in an ideal position to "reboot" into our own, patched version of the OS.
- We can dump keys from "write-only" keyslots. Nintendo's cryptosystem relies on TrustZone receiving only two keys: a shared master key, and a console-unique device key. Newer firmwares can change the master key when a fuse is burnt, but we can dump the 1.0.0 master key and our console's device key and perform all encryption a 1.0.0 to 2.3.0 console knows how to do at runtime on our PCs.
- We've peeled back another layer of security, and can analyze and understand Nintendo's cryptosystem. That's the real victory.