Discussion Personal article on the Nintendo Swith Security research scene

Amusingly, I do not speak French, although I love your language.

It's good to see people interested in how the process for how these things go. I hope you and your friend remain interested in computer security

A few notes (though they're on a google-translated copy of your article, which may miss nuance):
* You may wish to mention that the BPMP is an ARM7TDMI processor, since you mention the CCPLEX cores are armv8.
* You seem to confuse the fusee-gelee/shofEL2 exploit (which exploits a bug in the RCM stack for arbitrary code execution) with the RCM mode itself -- RCM is, in the absence of those vulnerabilities, fine/secure. Mariko/newer ipatched switches include RCM mode, but require signed payloads and do not have the bug.
* You confuse TrustZone and TSEC -- TSEC is an isolated microprocessor with its own IMEM/DMEM, TZRAM is for the TrustZone execution context on the main CPU processor.
* Your timeline is a little strange -- you present bootromhax and webkit as though they were done simultaneously, when in fact bootrom came much later.

For reference, a timeline of the Switch getting hacked:
* March 3, 2017: Switch releases
* March 4 2017: Web browser hacked via "pegasus" vulnerability, pegaswitch development starts.
* April 5, 2017: hexkyz discovers "nvhax", memory corruption bug in nvservices. Not exploitable yet, because no information leak/no code dump.
* ~April 2017: plutoo discovers "pl:utoohax" (oob read in pl:u font service), dumps NS system module code.
* ~April 2017: hexkyz/plutoo find infoleak in nvservices, compromise the nvservices system module.
* ~June 2017: smhax is discovered, arbitrary service access obtained on system version <= 3.0.0
* June 24, 2017: multiple ways of killing loader discovered, access to "fsp-ldr" gained, code for all other system modules dumped.
* July 2017: derrek glitches the bootrom, dumps switch keys for switchbrew. Kernel + trustzone code available to switchbrew.
* July/August 2017: yellows8 discovers that japanese "puyo puyo tetris demo" includes a way to launch the web browser. I order a copy of it to see if this can be used on 1.0.0.
* August 2017: andeor glitches bootrom on Jetson TX1, dumps bootrom code for ReSwitched.
* ~October 2017: hexkyz/I successfully obtain physical memory DMA using the GPU, compromising all non-FIRM system modules.
* November 2017: My japanese puyo puyo tetris arrives, I implement pegaswitch + nvhax + gpu dma on 1.0.0. Dumps of FIRM system modules obtained.
* November 21, 2017: hthh and I notice kernel structures in physical memory on 1.0.0, we successfully compromise + dump the kernel.
* Early December, 2017: motezazer and I working together discover jamais vu, and compromise + dump TrustZone (and the 1.0.0 keys).
* December, 2017: motezazer/I discover and exploit the warmboot bootrom arbitrary write, gaining bootrom code execution and dumping all keys (permanently compromising the cryptosystem).
* December, 2017: Many groups independently find the RCM exploit, allowing for coldboot hax.

 

This is actually really cool.