Hacking Some wild speculations (Tegra usb recovery)

[blue-]

So this is full of a lot of uneducated guesses, but i think it makes up a good story.

Some Facts
- The exploited vulnerability is in the bootrom
- It needs a simple hardware mod if no software exploit chain is available
- We are supposed to have a usb cable ready
- The vulnerability is not switch specific (but for many Tegra devices)

The Tegra Boot Flow documentation (please google, i can't post links yet) states that there is a usb recovery mode (NOT the same as Switch Recovery Mode or Maintanence Mode!). I guess this recovery mode is part of the bootrom. It can be triggered by several ways:

1. "If no valid BCT can be found"
2. "A recovery mode strap exists. If this is asserted, recovery mode will be entered unconditionally. This would usually be asserted by the user pressing a button, or some system management controller asserting the strap."
3. "If Tegra PMC register scratch0 bit 2 is set at power-up, recovery mode will be entered. This register bit is not cleared when Tegra resets, so any software may set this bit, then reboot, to request recovery mode."

While i have no clue what a "recovery mode strap" is, this could mean some kind of input to the tegra chip. So to trigger recovery mode it may be possible to use 1. or 2. with hardware modifications or 3. from a software exploit.

In recovery mode you can upload an run arbitray code if either

1. security is off
2. you have the keys to encrypt and sign the messages you are sending via usb

As this is the switch 1. should be pretty much off the table. Does ReSwitched have the keys for 2.? Maybe, but those keys would just not work for other Tegra devices and i don't think they would like to release anything that needs any keys.
So, what's left? Well the recovery mode software reads and interpretes whatever you send to it via usb. No clue if the usb stack is software or hardware, but the data has to be interpreted somewhere.
So my guess is that there is a vulnerability somewhere in tegra recovery mode data interpretation that can be exploited via usb.

So what do you need modchips for? Well with a modchip you could trigger recovery mode only conditionally and maybe there is a way to insert usb data or whatever that is converted to (uart?) inside of the switch. Or you just have a usb dongle modchip (solderless tx?) that just sends some exploit data to over usb to the recovery mode.

Does anyone know how to trigger Tegra usb recovery mode in the switch? Probably most of the hardware is uninitialized so screen would be blank and you would only notice that there is something on the usb port.

 

[Falo]

If you remove the eMMC (Nand) module from the Switch, it enters DFU (Device Firmware Update) mode (https://www.theiphonewiki.com/wiki/DFU_Mode).

[theory]
Technically you could then reprogram something via usb.
The console unique keys to do this should be dumpable and decryptable via Nand dumping, since we already have all the needed keys to do this.
[/theory]

 

[blue-]

What you describe is case 1) from my post.

1. "If no valid BCT can be found"

I bet you could trigger it by shortening some datalines of the eMMC than. That might just be the "simpel Hardware Mod".

 

[Crazy-S]

I am no programmer BUT I was googling a bit and Tegra gets into USB Recovery mode, when it thinks the bootrom is invalid or non existent. Maybe this can be achieved by bridging or bypassing those ominous Pins @ktemkin mentioned. https://http.download.nvidia.com/tegra-public-appnotes/tegra-boot-flow.html States it

The boot ROM processes the BCT as follows:

• If no valid BCT can be found, enters USB recovery mode (RCM).
  
  
• Re-programs the boot memory controller according to the parameters specified in the BCT.
  
  
• (If the BCT contains SDRAM configuration parameters): Programs the SDRAM controller according to the data specified in the BCT. This is the first point at which SDRAM can be accessed.
  
  
• Reads the bootloader from boot memory into RAM, and validates the image.
  
  
• If no valid bootloader could be found, enters USB recovery mode (RCM).
  
  
• Jumps to the bootloader entry point.

Oh and also maybe this helps too? https://github.com/NVIDIA/tegrarcm
Heres a Switch compatible version of tegrarcm https://github.com/pgarba/tegrarcm


Hope that this may be useful

EDIT:
Seems that the Tegra X1 can be forced to Recovery via press of a button (On the Jetson Board). Maybe reading about this button and how it works can be helpful.
Also:

Spoiler: Force Recovery Nvidia

Please put your device to Force USB Recovery Mode, when your are ready, press Enter key
To place system in Force USB Recovery Mode:
1. Power down the device. If connected, remove the AC adapter from the device. The device MUST be powered OFF, not in a suspend or sleep state.
2. Connect the Micro-B plug on the USB cable to the Recovery (USB Micro-B) Port on the device and the other end to an available USB port on the host PC.
3. Connect the power adapter to the device.
4. Press and release the POWER button to power on device. Press and hold the FORCE RECOVERY button: while pressing the FORCE RECOVERY button, press and release the RESET button; wait two seconds and release the FORCE RECOVERY button.;
5. When device is in recovery mode, lsusb command on host will list a line of "NVidia Corp"

 

[ZiggyDeer]

I was having a look over at NVIDIA's BCT Overview, and found that the BCT is considered invalid if the predefined hash used to validate its integrity doesn't match up.

The BCT contains a cryptographic hash or signature of the overall BCT itself, and each individual copy of the bootloader. This allows the boot ROM to validate that the BCT, and later the bootloader, has been successfully located, and read from boot memory without corruption or tampering.

-snip-

For this reason, whenever the bootloader is modified, the BCT must be re- generated and re-programmed, so that the bootloader hash is up-to-date.

This got me thinking. If we can somehow overwrite the cryptographic hash in the BCT using a kernel exploit, preferably with TrustZone privileges, then in theory, the BCT will be considered invalid (and thus, unbootable) and the console will fallback to DFU (or, as you said, USB) recovery mode.

Just something to think about.

 

[Kazalber]

Very very very peculiar and interesting way your mind thinks I would have never thought of researching about this

 

[ZiggyDeer]

Very very very peculiar and interesting way your mind thinks I would have never thought of researching about this

I don't know if you were talking about me, but I like my idea because it doesn't actually make the BCT or bootloader unbootable. It just makes the system think it is.

EDIT: That being said, we first need to have a kernel exploit to do this, and none are currently available (I think?)

 

[ScarletDreamz]

TWRP on the Switch... lol, for all we know, on a far future we can have"

• TWRP
• CWM
• Ubuntu Mobile
• Windows RT

Who Know..

 

[SciresM]

The console unique keys to do this should be dumpable and decryptable via Nand dumping, since we already have all the needed keys to do this.

No-go -- the key used to sign messages for RCM is the same one used to sign firmware. If you had it, you could just sign your own bootloader -- nobody but Nintendo will ever have it.

 

[Deleted User]

I am no programmer BUT I was googling a bit and Tegra gets into USB Recovery mode, when it thinks the bootrom is invalid or non existent. Maybe this can be achieved by bridging or bypassing those ominous Pins @ktemkin mentioned. https://http.download.nvidia.com/tegra-public-appnotes/tegra-boot-flow.html States it
Oh and also maybe this helps too? https://github.com/NVIDIA/tegrarcm
Heres a Switch compatible version of tegrarcm https://github.com/pgarba/tegrarcm


Hope that this may be useful

EDIT:
Seems that the Tegra X1 can be forced to Recovery via press of a button (On the Jetson Board). Maybe reading about this button and how it works can be helpful.
Also:

Is this Force Recovery also inside the Switch ?

 

[Crazy-S]

Is this Force Recovery also inside the Switch ?

Seems to me, that the force recovery mode is in every Tegra X1 Chip and so it can be triggered by shorting something somewhere, so that the Tegra thinks it gets no or invalid data.
The Switch doesn't have a force recovery button, but that does not mean you can't force the recovery mode

 

[Deleted User]

http://developer.download.nvidia.co...VIDIA_Jetson_TX1_Developer_Kit_User_Guide.pdf

--------------------- MERGED ---------------------------

Seems to me, that the force recovery mode is in every Tegra X1 Chip and so it can be triggered by shorting something somewhere, so that the Tegra thinks it gets no or invalid data.
The Switch doesn't have a force recovery button, but that does not mean you can't force the recovery mode

angeblich sollte man nur etwas kürzen müssen (cap something)

 

[jimmyj]

No-go -- the key used to sign messages for RCM is the same one used to sign firmware. If you had it, you could just sign your own bootloader -- nobody but Nintendo will ever have it.

What if say.. I worked at Nintendo and leaked this key? What would happen then ? Instant cfw? Obviously I don't work at Nintendo,just a theory

 

[FaL0xxo]

cut to 3 years time where you can install with a carefully placed magnet and sd card...

 

[guily6669]

What if say.. I worked at Nintendo and leaked this key? What would happen then ? Instant cfw? Obviously I don't work at Nintendo,just a theory

Everyone know if you could sign your own FW you wouldn't need exploiting, but you just won't have the master key...

Even if someone released the key all websites with it would keep closing every day and they will do everything to get to the leakage person and put him\her in jail...

Nintendo doesn't do much to piracy downloading sites, but if they hear the key is leaked is like a nuclear bomb.


It won't just happen.

 

[blue-]

I was having a look over at NVIDIA's BCT Overview, and found that the BCT is considered invalid if the predefined hash used to validate its integrity doesn't match up.



This got me thinking. If we can somehow overwrite the cryptographic hash in the BCT using a kernel exploit, preferably with TrustZone privileges, then in theory, the BCT will be considered invalid (and thus, unbootable) and the console will fallback to DFU (or, as you said, USB) recovery mode.

Just something to think about.

Actually you don't need to overwrite anything. "If Tegra PMC register scratch0 bit 2..." this sound like it can just be set in software (probably need a exploit chain to kernel or trustzone) and then just reboot the console -> instant recovery mode, no harm done
So this might be the way with the private exploit chains for firmware up to 4.2.

 

[blue-]

Sooo... my speculation was actually spot on. Vulnerability in the USB Stack of Tegra Recovery Mode.

 

[Dr.doom]

Change the bct pointer bam rcm .