1. Aeredren

    OP Aeredren Member
    Newcomer

    Joined:
    Nov 12, 2019
    Messages:
    47
    Country:
    France
    Hello there!

    This year I had a course about "Systems and Networks Security" and we had to write articles about anything we wanted (related to the course's subject, of course)!
    A friend and I wrote about the research process of discovering vulnerabilities, with the Nintendo Switch as a use case. (link at the end)

    I thought I'd post it here to gather criticism and let you enjoy it. The article is in French, but I might translate it and publish it as a blog post here at GBAtemp if enough people are interested.

    I talk about "coldboot + fusée gelée" AND "webkit exploit + warmboot", and I'd be glad to gather criticism from people who worked on those :) (@SciresM if you have time to spare ^^)

    Here it is (it's a Medium blog post because Medium was imposed by the university):
  2. SciresM

    SciresM Developer
    Developer

    Joined:
    Mar 21, 2014
    Messages:
    890
    Country:
    United States
    Amusingly, I do not speak French, although I love your language.

    It's good to see people interested in how the process for these things goes. I hope you and your friend remain interested in computer security :)

    A few notes (though they're on a google-translated copy of your article, which may miss nuance):
    * You may wish to mention that the BPMP is an ARM7TDMI processor, since you mention the CCPLEX cores are armv8.
    * You seem to confuse the fusee-gelee/shofEL2 exploit (which exploits a bug in the RCM stack for arbitrary code execution) with the RCM mode itself -- RCM is, in the absence of those vulnerabilities, fine/secure. Mariko/newer iPatched Switches include RCM mode, but require signed payloads and do not have the bug.
    * You confuse TrustZone and TSEC -- TSEC is an isolated microprocessor with its own IMEM/DMEM, TZRAM is for the TrustZone execution context on the main CPU processor.
    * Your timeline is a little strange -- you present bootromhax and webkit as though they were done simultaneously, when in fact bootrom came much later.

    For reference, a timeline of the Switch getting hacked:
    * March 3, 2017: Switch releases
    * March 4, 2017: Web browser hacked via "pegasus" vulnerability, pegaswitch development starts.
    * April 5, 2017: hexkyz discovers "nvhax", memory corruption bug in nvservices. Not exploitable yet, because no information leak/no code dump.
    * ~April 2017: plutoo discovers "pl:utoohax" (oob read in pl:u font service), dumps NS system module code.
    * ~April 2017: hexkyz/plutoo find infoleak in nvservices, compromise the nvservices system module.
    * ~June 2017: smhax is discovered, arbitrary service access obtained on system version <= 3.0.0
    * June 24, 2017: multiple ways of killing loader discovered, access to "fsp-ldr" gained, code for all other system modules dumped.
    * July 2017: derrek glitches the bootrom, dumps switch keys for switchbrew. Kernel + trustzone code available to switchbrew.
    * July/August 2017: yellows8 discovers that the Japanese "Puyo Puyo Tetris demo" includes a way to launch the web browser. I order a copy of it to see if this can be used on 1.0.0.
    * August 2017: andeor glitches bootrom on Jetson TX1, dumps bootrom code for ReSwitched.
    * ~October 2017: hexkyz/I successfully obtain physical memory DMA using the GPU, compromising all non-FIRM system modules.
    * November 2017: My Japanese Puyo Puyo Tetris arrives, I implement pegaswitch + nvhax + GPU DMA on 1.0.0. Dumps of FIRM system modules obtained.
    * November 21, 2017: hthh and I notice kernel structures in physical memory on 1.0.0, we successfully compromise + dump the kernel.
    * Early December, 2017: motezazer and I working together discover jamais vu, and compromise + dump TrustZone (and the 1.0.0 keys).
    * December, 2017: motezazer/I discover and exploit the warmboot bootrom arbitrary write, gaining bootrom code execution and dumping all keys (permanently compromising the cryptosystem).
    * December, 2017: Many groups independently find the RCM exploit, allowing for coldboot hax.
    Last edited by SciresM, Nov 28, 2020
  3. Draxzelex

    Draxzelex GBAtemp Legend
    Member

    Joined:
    Aug 6, 2017
    Messages:
    13,483
    Country:
    United States
    This is actually really cool.