Hardware Nintendo Switch's ARM TrustZone explanation by yifanlu


I figured it would be interesting for others to read about this. This is educational material for others to read.

The Nintendo Switch has ARM TrustZone, confirmed by this site here.

Here's a more detailed explanation of ARM TrustZone here.

And here's the official documentation on ARM7TDMI mentioned in the following chat log.

Please enjoy.

[14:43] <@yellows8> yifanlu: TZ & EL3 are basically same thing right?
[14:43] <kazuma_> heh
[14:43] <yifanlu> Ehh it's kinda complicated
[14:43] <kazuma_> $100 to $20,000 is the reward and "Nintendo does not disclose how the reward amount is calculated."
[14:43] <yifanlu> In short TZ is an arch for a secure execution environment
[14:43] <kazuma_> kernel takeover, here haz $100
[14:43] <nec> LOL
[14:44] <yifanlu> Including ARMv7 security extensions support, which defined the NS bit and other stuff that is Secure Mode
[14:44] <nec> hack their amiibo and watch them cry
[14:44] <nec> that cashcow has been funding them for years
[14:44] <yifanlu> It also includes secure devices. Additions to AMBA etc
[14:44] <yifanlu> All that together is referred to in marketing terms as "TrustZone"
[14:45] <yifanlu> In armv8, they added the terms "exception level" and "privilege level"
[14:45] <yifanlu> And retrofitted "Secure Mode" to be PL2/EL2
[14:45] <nec> where does root fall
[14:45] <nec> in these levels
[14:45] <wedr> I think it's kernel land?
[14:45] <yifanlu> And "Monitor Mode" as PL3/EL3
[14:45] <nec> on android root doesn't always have kernel axx
[14:45] <yifanlu> This has nothing to do with sw
[14:45] <yifanlu> Kernel
[14:45] <yifanlu> Etc
[14:45] <wedr> oh
[14:45] <yifanlu> I'm talking about hw arch
[14:45] <nec> ah
[14:46] <yifanlu> Software is an abstraction that works on top of the arch
[14:46] <nec> i understand now yes yes
[14:46] <yifanlu> To make things more confusing EL3 is mostly unused
[14:46] <yifanlu> It's really there for servers and stuff
[14:46] <yifanlu> To make use of multiple virtual machines in one chip
[14:47] <nec> hehe
[14:47] <yifanlu> However, many system developers use EL2 as a hypervisor
[14:47]  * wedr shhhh
[14:47] <yifanlu> So what you'll very likely see on switch is
[14:47] <yifanlu> A 3ds like microkernel
[14:47] <nec> PREDICTION: september 2017 the first major switch homebrew will be released... as a switch emulator running as a virtual machine on the switch!
[14:47] <yifanlu> That's EL1
[14:47] <yifanlu> A hypervisor in "trustzone"
[14:48] <wedr> nec: Quiet, we're listening to professor yifanlu here.
[14:48] <yifanlu> Which does crypto--likely through a separate hardware device
[14:48] <yifanlu> That's EL2
[14:48] <yifanlu> No EL3
[14:48]  * nec puts his hand down
[14:48] <kazuma_> the great yiffypoo speaks
[14:48] <yifanlu> And then there's the BPMP, a separate arm7 CPU used by nvidia Tegra devices
[14:48] <yifanlu> Where the bootrom resides
[14:49] <yifanlu> And where the trust begins
[14:49] <@yellows8> *armv7?
[14:49] <yifanlu> No docs say ARM7TDMI
[14:49] <Kyubnyan> heard someone say that somewhere
[14:49] <yifanlu> So it has a DS chip in there (not really) lol
[14:50] <Kyubnyan> very reliable source, I know
[14:50] <dreadylei> tDmi ?
[14:50] <Kyubnyan> ds games for one screen
[14:50] <Kyubnyan> nice
[14:50] <wedr> Kyubnyan: No, that's just an abstraction.
[14:50] <yifanlu> ARMv7 is an arch (ISA + extras). ARM7 is a processor name which I believe runs the ARMv6 arch lol
[14:51] <WntrMute> http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.faqs/ka8631.html
[14:51] <Kyubnyan> IK, I was joking
[14:51] <yifanlu> It's more confusing that windows 10 = windows 6.3 or whatever
[14:52] <wedr> Kyubnyan: You jest, but we're in a learning environment here.
[14:52] <@derrek> yifanlu, arm7 is actually based on armv5 iirc
[14:52] <WntrMute> v4
[14:52] <yifanlu> Okay that makes more sense ;)
[14:52] <GeekShado> A project idea before a web browser is released : use a Rpi Zero with Wi-Fi to store ebooks and read on the go ;) (hotspot + charging using USB-C)
[14:52] <@derrek> armv3-armv5
[14:53] <WntrMute> arm9 is v5
[14:53] <yifanlu> Anyways the point is that I'm not going to buy ida for armv8 so please let me know when you dump BPMP
[14:54] <@derrek> "dump BPMP" you mean the bootrom, right?
[14:54] <yifanlu> Yes or the firmware running there
[14:54] <yifanlu> Hopefully it's nvidia's, relatively unmodified
[14:55] <yifanlu> I think all BPMP stuff is considered "board support package"
[14:55] <yifanlu> So Nintendo wouldn't be hugely rewriting it
[14:56] <@derrek> http://www.cnx-software.com/2015/11/11/nvidia-jetson-tx1/ <- are there any tegra x1 dev boards that are less expensive?
[14:56] <yifanlu> I think nintendo's trusted code starts in the CCPLEX and anything below that is nvidia code
[14:56] <@derrek> yeah i guess
[14:56] <yifanlu> No but I have a $300 education discount that I've offered here
[14:56] <yifanlu> To anyone who will buy it to dump rom
[14:57] <@derrek> i'm not from the us :/
[14:57] <yifanlu> If you're interested I can redirect the package
[14:57] <wedr> >  $300 education discount   <-----------  Talk about tuition fees.  :(
[14:57] <WntrMute> ?
[14:58] <wedr> WntrMute: Basically, you're getting a free lecture from yifanlu on ARM TrustZone.
[14:58] <dreadylei> that's like 50% off? neat