+----------------------------------------------------------------------------+
|                    Full key extraction of NVIDIA™ TSEC                     |
+----------------------------------------------------------------------------+

With the recent TSEC article by Hexkyz & SciresM [1], I thought I'd talk about
something I've been sitting on. While their attack(s) give full oracle
access to the crypto hardware, I managed to get my hands on the underlying
* root keys *, and here's the story of how that happened. :-)

+----------------------------------------------------------------------------+
|                                Introduction                                |
+----------------------------------------------------------------------------+

In 2018, Nintendo was in a rough spot. Their newest console, the Nintendo
Switch™, had sold millions, and each one had shipped a bootrom with a
trivial USB stack buffer overrun.

At that time, any kid could, by jamming some aluminum foil into one of the
joycon rails (to short a debug-mode pin), insert a USB cable and completely
pwn the device!

Furthermore, the AES root key (called the "SBK") had been extracted earlier
in 2017 by me and Derrek, through a different bug in the bootrom, in the
"warmboot" code path, that we triggered through a chain from a WebKit exploit.

Anyhow, when the system was released in 2017, the original secure boot flow was
very simple, and it looked like this:

[ Chip reset ] -> [ ARM7 BootRom ] -> [ ARM7 Second BootLoader ] -> ...
                         ^
                  This got pwned
                  by many people

+----------------------------------------------------------------------------+
|                             The TSEC Comeback                              |
+----------------------------------------------------------------------------+

So, what could Nintendo possibly do in this situation? Their secure boot is
gone, the root AES keys are gone... Sure, they could fix the bootrom in new
consoles, but they had already shipped vulnerable units in the millions...

All hope was lost...

Well, some clever guy ;-) reminded them that the T210 chip (the main CPU)
has a proprietary NVIDIA "security processor" called TSEC, which has: [2]

  (1) its own SRAM (protected from the rest of the system)
  (2) its own "secure boot" (protected from the rest of the system)
  (3) bus mastering capabilities
  (4) and.. is able to DMA to ARM7's memory

In November 2018, Nintendo released firmware update 6.2.0. The old boot
flow was gone; it had been replaced by the following stroke of genius:

[ Chip reset ] -> [ ARM7 BootRom ] -> [ ARM7 Second BootLoader ] -> [ .... ARM7 held in reset .............................. ] -> [ ARM7 Third BootLoader ] -> ...
                                                     |              ^                                                             ^
                                                     v              | < reset ARM7 >                                              | < start ARM7 >
                                            [ TSEC SecureBoot ] ----+---------------> [ decrypt ARM7 Third BootLoader ] ----------+
                                                                                                      ^
                                                                                NOTE: It no longer matters if ARM7 gets pwned!
                                                                                      The TSEC will reset the ARM7 and boot the ARM7
                                                                                      from a clean slate, no matter if the ARM7 was
                                                                                      pwned previously, or not!

So out-of-nowhere, by this huge hack-y BOTCH, Nintendo seemingly managed to
do the impossible:

  (A) reclaim their secure boot
  (B) introduce new key material

Now, this would have been the greatest comeback in video game security
history. And it would have been perfect if not for the many security flaws in
TSEC secure boot.

But, this article is not about that...

+----------------------------------------------------------------------------+
|                             Voltage Glitching                              |
+----------------------------------------------------------------------------+

A CMOS transistor has an activation voltage of about 0.6-0.7V. When a chip
is deprived of voltage, transistors will not switch properly.

On a chip, scattered in between gates, are patches of metal that ensure the
voltage supply is stable locally. They act like tiny capacitors. There are also
so-called "buffers", which are gates that stabilize the signal voltage.

If you have a high-entropy computing circuit (for example AES-128), a lot of
energy is required to constantly switch the transistors, and as a result, the
local voltage will be more noisy in that neighbourhood. So you'd need a lot of
buffers to keep the VCC stably above 0.7V.

Anyway, let's step back a bit.

+----------------------------------------------------------------------------+
|                            Setting the Voltage                             |
+----------------------------------------------------------------------------+

Here is a simple overview of the interaction between the power management
chip (PMIC) and the main CPU. There are multiple voltage rails, but the only
interesting rail is the 1.1V main rail.

+--------+    1.1v    +----------+
|  PMIC  | ---------> | MAIN CPU |
|        |    i2c     |          |
|max77620| <--------- |   t210   |
+--------+            +----------+

Voltage scaling is a feature where the main CPU can adjust its own voltage,
depending on its "performance mode". The main CPU can send messages to the PMIC
over an I2C bus to adjust the voltage.

As we already had code execution on the main CPU with the USB bootrom exploit,
I tried sending I2C messages from the CPU to glitch itself.

I tried setting the voltage to 0.6V, and the entire chip froze. At ~0.72V,
the chip was seemingly completely stable. But my TSEC ROP payload gave garbage
AES outputs...

+----------------------------------------------------------------------------+
|                      Differential Fault Attack on AES                      |
+----------------------------------------------------------------------------+

In 2019, YifanLu extracted the PlayStation Vita keys using a differential
fault attack [3], DFA for short. That's where I first heard of it.

AES-128 has 10 rounds. The idea with DFA is to ignore the first 8-9 rounds,
and focus only on the last and second-to-last rounds. If you can get 1-2
bitflips in the last two rounds, you can solve for the key.

Anyway, I just collected a few thousand glitched AES samples, ran
his script, and all the keys popped out.

-- plutoo

+----------------------------------------------------------------------------+
|                                 References                                 |
+----------------------------------------------------------------------------+

[1]: https://hexkyz.blogspot.com/2021/11/je-ne-sais-quoi-falcons-over-horizon.html
[2]: https://switchbrew.org/wiki/TSEC
[3]: https://yifan.lu/2019/02/22/attacking-hardware-aes-with-dfa/

will this also affect the switch lite? or only the regular switch?
Good job plutoo! I hope there will be HB Software for newer switch models soon! :)
respect, great job..! :)
Great job! Thank you!
Please fix "Playstation" -> "PlayStation".
Let's hope the Switch does not have a third Secure Chip :D
PS: awesome work