1. Aeredren

    OP Aeredren Member

    Nov 12, 2019
    Hello there!

    This year I had a course about "Systems and Networks Security" and we had to write articles about anything we wanted! (related to the course's subject, of course)
    A friend and I wrote about the research process of discovering vulnerabilities, with the Nintendo Switch as a use case. (link at the end)

    I thought I'd post it here to gather critiques and let you enjoy it. The article is in French, but I might translate it and publish it as a blog post here at GBAtemp if enough people are interested.

    I talk about "coldboot + fusée gelée" AND "webkit exploit + warmboot", and I'd be glad to gather critiques from people who worked on those :) (@SciresM if you have time to spare ^^)

    Here it is (it's a Medium blog post because Medium was imposed by the university)
  2. SciresM

    SciresM Developer

    Mar 21, 2014
    United States
    Amusingly, I do not speak French, although I love your language.

    It's good to see people interested in how the process for these things goes. I hope you and your friend remain interested in computer security :)

    A few notes (though they're on a google-translated copy of your article, which may miss nuance):
    * You may wish to mention that the BPMP is an ARM7TDMI processor, since you mention the CCPLEX cores are armv8.
    * You seem to confuse the fusee-gelee/shofEL2 exploit (which exploits a bug in the RCM stack for arbitrary code execution) with the RCM mode itself -- RCM is, in the absence of those vulnerabilities, fine/secure. Mariko/newer ipatched switches include RCM mode, but require signed payloads and do not have the bug.
    * You confuse TrustZone and TSEC -- TSEC is an isolated microprocessor with its own IMEM/DMEM, TZRAM is for the TrustZone execution context on the main CPU processor.
    * Your timeline is a little strange -- you present bootromhax and webkit as though they were done simultaneously, when in fact bootrom came much later.

    For reference, a timeline of the Switch getting hacked:
    * March 3, 2017: Switch releases
    * March 4, 2017: Web browser hacked via "pegasus" vulnerability, pegaswitch development starts.
    * April 5, 2017: hexkyz discovers "nvhax", memory corruption bug in nvservices. Not exploitable yet, because no information leak/no code dump.
    * ~April 2017: plutoo discovers "pl:utoohax" (oob read in pl:u font service), dumps NS system module code.
    * ~April 2017: hexkyz/plutoo find infoleak in nvservices, compromise the nvservices system module.
    * ~June 2017: smhax is discovered, arbitrary service access obtained on system version <= 3.0.0
    * June 24, 2017: multiple ways of killing loader discovered, access to "fsp-ldr" gained, code for all other system modules dumped.
    * July 2017: derrek glitches the bootrom, dumps switch keys for switchbrew. Kernel + trustzone code available to switchbrew.
    * July/August 2017: yellows8 discovers that the Japanese "Puyo Puyo Tetris demo" includes a way to launch the web browser. I order a copy of it to see if this can be used on 1.0.0.
    * August 2017: andeor glitches bootrom on Jetson TX1, dumps bootrom code for ReSwitched.
    * ~October 2017: hexkyz/I successfully obtain physical memory DMA using the GPU, compromising all non-FIRM system modules.
    * November 2017: My Japanese Puyo Puyo Tetris arrives, I implement pegaswitch + nvhax + gpu dma on 1.0.0. Dumps of FIRM system modules obtained.
    * November 21, 2017: hthh and I notice kernel structures in physical memory on 1.0.0, we successfully compromise + dump the kernel.
    * Early December, 2017: motezazer and I working together discover jamais vu, and compromise + dump TrustZone (and the 1.0.0 keys).
    * December, 2017: motezazer/I discover and exploit the warmboot bootrom arbitrary write, gaining bootrom code execution and dumping all keys (permanently compromising the cryptosystem).
    * December, 2017: Many groups independently find the RCM exploit, allowing for coldboot hax.
    Last edited by SciresM, Nov 28, 2020
  3. Draxzelex

    Draxzelex GBAtemp Legend

    Aug 6, 2017
    United States
    This is actually really cool.