jamais vu - a 1.0.0 TrustZone Code Execution Exploit for Nintendo Switch

Discussion in 'GBAtemp & Scene News' started by Scarlet, Jan 20, 2018.

Thread Status:
Not open for further replies.
    A joint effort of ReSwitched developer SciresM and motezazer, jamais vu (French for "never seen") allows for code execution at the highest possible privilege level on the Nintendo Switch. Quoting from the writeup on Reddit, practical applications include:
    • On 1.0.0, code execution at the highest possible privilege level. TrustZone is only responsible for cryptography, but because jamais vu results in our controlling the entire contents of TZRAM when the system is booting back up, we're in an ideal position to "reboot" into our own, patched version of the OS.
    • We can dump keys from "write-only" keyslots. Nintendo's cryptosystem relies on TrustZone receiving only two keys: a shared master key, and a console-unique device key. Newer firmwares can change the master key when a fuse is burnt, but we can dump the 1.0.0 master key and our console's device key and perform all encryption a 1.0.0 to 2.3.0 console knows how to do at runtime on our PCs.
    • We've peeled back another layer of security, and can analyze and understand Nintendo's cryptosystem. That's the real victory :)
    You can find the writeup below, as well as the ongoing discussions on GBAtemp.

    :arrow: Source
    :arrow: Ongoing Discussion