Personal article on the Nintendo Switch security research scene

Aeredren (Well-Known Member, OP, joined Nov 12, 2019, France)
Hello there!

This year I had a course on "Systems and Networks Security" and we had to write articles about anything we wanted (related to the course's subject, of course).
A friend and I wrote about the research process of discovering vulnerabilities, with the Nintendo Switch as a use case (link at the end).

I thought I'd post it here to gather criticism and let you enjoy it. The article is in French, but I might translate it and publish it as a blog post here at GBAtemp if enough people are interested.

I talk about "coldboot + Fusée Gelée" AND "WebKit exploit + warmboot" and I'd be glad to gather criticism from people who worked on those :) (@SciresM if you have time to spare ^^)

Here it is (it's a Medium blog post because Medium was imposed by the university)
 

SciresM (Developer, joined Mar 21, 2014, United States)
(@SciresM if you have time to spare ^^)

Amusingly, I do not speak French, although I love your language.

It's good to see people interested in how the process for these things goes. I hope you and your friend remain interested in computer security :)

A few notes (though they're on a Google-translated copy of your article, which may miss nuance):
* You may wish to mention that the BPMP is an ARM7TDMI processor, since you mention the CCPLEX cores are ARMv8.
* You seem to confuse the fusee-gelee/shofEL2 exploit (which exploits a bug in the RCM stack for arbitrary code execution) with RCM mode itself -- RCM is, in the absence of those vulnerabilities, fine/secure. Mariko/newer ipatched Switches include RCM mode, but require signed payloads and do not have the bug.
* You confuse TrustZone and TSEC -- TSEC is an isolated microprocessor with its own IMEM/DMEM; TZRAM is for the TrustZone execution context on the main CPU.
* Your timeline is a little strange -- you present bootromhax and WebKit as though they were done simultaneously, when in fact bootrom came much later.

For reference, a timeline of the Switch getting hacked:
* March 3, 2017: Switch releases.
* March 4, 2017: Web browser hacked via the "pegasus" vulnerability; pegaswitch development starts.
* April 5, 2017: hexkyz discovers "nvhax", a memory corruption bug in nvservices. Not exploitable yet, because there is no information leak/no code dump.
* ~April 2017: plutoo discovers "pl:utoohax" (OOB read in the pl:u font service), dumps NS system module code.
* ~April 2017: hexkyz/plutoo find an infoleak in nvservices, compromise the nvservices system module.
* ~June 2017: smhax is discovered; arbitrary service access obtained on system version <= 3.0.0.
* June 24, 2017: multiple ways of killing loader discovered, access to "fsp-ldr" gained, code for all other system modules dumped.
* July 2017: derrek glitches the bootrom, dumps Switch keys for switchbrew. Kernel + TrustZone code available to switchbrew.
* July/August 2017: yellows8 discovers that the Japanese "Puyo Puyo Tetris demo" includes a way to launch the web browser. I order a copy of it to see if this can be used on 1.0.0.
* August 2017: andeor glitches the bootrom on a Jetson TX1, dumps bootrom code for ReSwitched.
* ~October 2017: hexkyz/I successfully obtain physical memory DMA using the GPU, compromising all non-FIRM system modules.
* November 2017: My Japanese Puyo Puyo Tetris arrives; I implement pegaswitch + nvhax + GPU DMA on 1.0.0. Dumps of FIRM system modules obtained.
* November 21, 2017: hthh and I notice kernel structures in physical memory on 1.0.0; we successfully compromise + dump the kernel.
* Early December 2017: motezazer and I, working together, discover jamais vu, and compromise + dump TrustZone (and the 1.0.0 keys).
* December 2017: motezazer/I discover and exploit the warmboot bootrom arbitrary write, gaining bootrom code execution and dumping all keys (permanently compromising the cryptosystem).
* December 2017: Many groups independently find the RCM exploit, allowing for coldboot hax.

Draxzelex (Well-Known Member, joined Aug 6, 2017, New York City, United States)
This is actually really cool.