Skip to content

Instantly share code, notes, and snippets.

@plutooo

plutooo/tsec.txt Secret

Last active Dec 1, 2021
Embed
What would you like to do?
+----------------------------------------------------------------------------+
| Full key extraction of NVIDIA™ TSEC |
+----------------------------------------------------------------------------+
With the recent TSEC article by Hexkyz & SciresM [1], I thought I'd talk about
something I've been sitting on. While their attack(s) gives full oracle
access to the crypto hardware, I managed to get my hands on the underlying
* root keys *, and here's the story how that happened. :-)
+----------------------------------------------------------------------------+
| Introduction |
+----------------------------------------------------------------------------+
In 2018, Nintendo was in a rough spot. Their newest console, the Nintendo
Switch™, had sold millions, and each one had shipped a bootrom with a
trivial USB stack buffer overrun.
At that time, any kid could, by jamming some aluminum foil into one of the
joycon rails (to short a debug-mode pin), insert a USB cable and completely
pwn the device!
Furthermore, the AES root key (called the "SBK"), had been extracted earlier
in 2017 by me and Derrek, through a different bug in the bootrom, in the
"warmboot" code path, that we triggered through a chain from a WebKit exploit.
Anyhow, when the system was released in 2017, the original secure boot flow was
very simple, and it looked like this:
[ Chip reset ] -> [ ARM7 BootRom ] -> [ ARM7 Second BootLoader ] -> ...
^
This got pwned
by many people
+----------------------------------------------------------------------------+
| The TSEC Comeback |
+----------------------------------------------------------------------------+
So, what could Nintendo possibly do in this situation? Their secure boot is
gone, the root AES keys are gone... Sure, they could fix the bootrom in new
consoles, but they had already shipped vulnerable units in the millions...
All hope was lost...
Well, some clever guy ;-) reminded them that the T210 chip (the main CPU)
has a proprietary NVIDIA "security processor" called TSEC, which has: [2]
(1) its own SRAM (protected from the rest of the system)
(2) its own "secure boot" (protected from the rest of the system)
(3) bus mastering capabilities
(4) and.. is able to DMA to ARM7's memory
On November 2018, Nintendo released firmware update 6.2.0. And the old boot
flow was gone, it had been replaced by the following stroke of genius:
[ Chip reset ] -> [ ARM7 BootRom ] -> [ ARM7 Second BootLoader ] -> [ .... ARM7 held in reset .............................. ] -> [ ARM7 Third BootLoader ] -> ...
| ^ ^
v | < reset ARM7 > | < start ARM7 >
[ TSEC SecureBoot ] ----+---------------> [ decrypt ARM7 Third BootLoader ] ----------+
^
NOTE: It no longer matters if ARM7 gets pwned!
The TSEC will reset the ARM7 and boot the ARM7
from a clean slate, no matter if the ARM7 was
pwned previously, or not!
So out-of-nowhere, by this huge hack-y BOTCH, Nintendo seemingly managed to
do the impossible:
(A) reclaim their secure boot
(B) introduce new key material
Now, this would have been the greatest comeback in video game security
history. And it would have been perfect if not for the many security flaws in
TSEC secure boot.
But, this article is not about that...
+----------------------------------------------------------------------------+
| Voltage Glitching |
+----------------------------------------------------------------------------+
A CMOS transistor has an activation voltage of about 0.6-0.7V. When a chip
is deprived of voltage, transistors will not switch properly.
On a chip, scattered inbetween gates, are patches of metal that ensure the
voltage supply is stable locally. They act like tiny capacitors. There are also
so-called "buffers", which are gates that stabilize the signal voltage.
If you have high entropy computing ciruit (for example AES-128), a lot of
energy is required to constantly switch the transistors, and as a result, the
local voltage will be more noisy in that neighbourhood. So you'd need a lot of
buffers to keep the VCC stably above 0.7V.
Anyway, let's step back a bit.
+----------------------------------------------------------------------------+
| Setting the Voltage |
+----------------------------------------------------------------------------+
Here is a simple overview of the interaction between the power management
chip (PMIC) and the main CPU. There are multiple voltage rails, but the only
interesting rail is the 1.1V main rail.
+--------+ 1.1v +----------+
| PMIC | ---------> | MAIN CPU |
| | i2c | |
|max77620| <--------- | t210 |
+--------+ +----------+
Voltage scaling is a feature where the main CPU can adjust its own voltage,
depending on its "performance mode". The main CPU can send messages to the PMIC
over an I2C bus to adjust the voltage.
As we already had code execution on the main CPU with the USB bootrom exploit,
I tried sending I2C messages from the CPU to glitch itself.
I tried setting the voltage to 0.6V, and the entire chip froze. At ~0.72V,
the chip was seemingly completely stable. But my TSEC ROP payload gave garbage
AES outputs...
+----------------------------------------------------------------------------+
| Differential Fault Attack on AES |
+----------------------------------------------------------------------------+
YifanLu had in 2019 extracted the Playstation Vita keys using a differential
fault attack [3], shorthand DFA. And that's where I first heard it from.
AES-128 has 10 rounds. The idea with DFA is to ignore the first 8-9 rounds,
and only focus on the last round and second to last. If you can get 1-2
bitflips in the last two rounds, you can solve for the key.
Anyway, I just collected a few thousand samples of glitched AES samples, ran
his script, and all the keys popped out.
-- plutoo
sha256(csecret_00)=7c20cef183f6184f7c5a877040ec63fa44ad42178b1aa6af9932568fc468e426
sha256(csecret_01)=43449338c1bc8ceb1b3232a611f955f9095254f492117a158528589cd16f2930 NVIDIA TSEC code signing key
sha256(csecret_02)=2816295b45e08837846afbe093cd4a3ab5492174798d2e1872fceeccc0463e0f
sha256(csecret_03)=eb06713d87ad94c9832549eb2057f014b5fd34853c0f8ce4108aecd3b23c8a58
sha256(csecret_04)=7fafa6babbc8600ec42969ac81e16701320c4611e4cc910b4c51adcf14363212
sha256(csecret_05)=49371c6ccb2cf64c10633164c202a3f7d03a17a0e0098ab7bcd9f84ae9a4805c
sha256(csecret_06)=8745f02b86bbf722654e43b1fef32ac22c740d10aa4432b93d5b2035523c2c94 NVIDIA TSEC code encryption key
sha256(csecret_07)=d6ecab46e243d80af83ca5f8bdf440b595459ecb39f2e083a50f793ade04822c
sha256(csecret_08)=8ca7cc625a593699870e11056aa52124cc5565df0d934b6431854910314b6c51
sha256(csecret_09)=6836e01fce672b276e3746fac8e7a133a986c7922f2bddebd3c231fcd6a6bac5
sha256(csecret_0a)=96240c628444c83b527fb8de96bbc39e3c9ef4c46952286a57f9d7efe0847ae2
sha256(csecret_0b)=affa6d401592ca2ac21451064a632b6eecc72bb887d29ac93ce7c0de3e2c9212
sha256(csecret_0c)=d19495a97b6dd1dac8ee099107c731cdab49c0e1ec5b3cd1b38480d70dbe7003
sha256(csecret_0d)=1c081ad4d8c7da9291ec4f5de06e558177fc0faf613fb7d9ff0005ef66f63d61
sha256(csecret_0e)=b2429bfb5de59191b825f9675c4320b5e1dfb5cc0e7a8161c5dab64313eb9a63
sha256(csecret_0f)=34141a2aa355cfa1d14ec921db288d1cd04c810c3c30c69abb34bb1542a9966f
sha256(csecret_10)=678d1b92f9dd7e46bdc9bd96378896f58da01e933d5056c812c9d3a948b709b4
sha256(csecret_11)=7e0aec4bfd4160035d04aec8e2aa0e7668ae769681f8a2c6ba62d31791f072aa
sha256(csecret_12)=641622358b351d50e7f3f2cfee6864a68fa7803a649a2bcade226a99a143918a
sha256(csecret_13)=86899161828e7b3ebb8b90e73261d2e34b8b5314f070f9811cf4173570024665
sha256(csecret_14)=735146a321f46b7d130226b0aea05d2042363374b0674e9015d80c4eb17f6e7b
sha256(csecret_15)=9c90367e3b4191706f1018861f1622e233d905445e6f2463bedbdea2f4395205
sha256(csecret_16)=6e607b4265f213530df9d6c9574af4a3a6d5c7282f19214144ac03cda69b68f1
sha256(csecret_17)=fdc6ed08368fc2f19f8f8979fe7545f6f9136897d369045d3afd160756d82c3d
sha256(csecret_18)=40c4d1dfb08fb9963ad20076681651a124f325a6065db51c1b88b2efd8799d01
sha256(csecret_19)=eb9b9813c0a08f7c6af56907e09c5df8e53d2d4299914038fa867578ced8b656
sha256(csecret_1a)=c62e4708e163252adeac56f749cf025a8921a86f786e2cc396304ebd2e625354
sha256(csecret_1b)=0bde3d9cb209d1c132d1c9e80c0ccf595e3feef411be7ee590e181af57421815
sha256(csecret_1c)=a9dc5a0a27de9214909c8dd933cdd82e6df1cc2d09cb654466406e2cebad0017
sha256(csecret_1d)=c58b9370c0c67dbebaf8925f734e29940a3de70d3815fd644f2835f4f0ebb106
sha256(csecret_1e)=02667ae7cbe9a608a648eec9876dc66159068aceb872901a085ce6968f5d17a1
sha256(csecret_1f)=2885bc4f35d01ad469997b6a36a9bfa2976d62ae5dc48a1f96ecbc73bc770528
sha256(csecret_20)=14fc0140daafc49631356da9a6ef5d96ca20b8d45ce63e4227aededbcd0056bf
sha256(csecret_21)=5ad7845f27ea0aa7c717ff56d4cffe5d060a374d86a0e820bdc13fc5f553226b
sha256(csecret_22)=ab1cf064eedfeaa7f71db717bfbcfdbd73b6db7ba356e37cc299d8b731cffe24
sha256(csecret_23)=81fdc5ebcd592f59a063a66155f6b08e48cc89e19c6fb8d3a2756c9ac0590f8f
sha256(csecret_24)=c8312de41a98f7c55c4e21184b1f34a7578145c2cbeca78a9556978dd84939e3
sha256(csecret_25)=b20226d3accc9e554278f3ba7157460ebff8a88757e850d57591342b0a275542
sha256(csecret_26)=cefe01c9e3eeef1a73b8c10d742ae386279b7dff30a2fbc0aabd058c1f135833 OEM key: Nintendo
sha256(csecret_27)=d3ade4766781a5d9862b350867c2572dcb7f513b28c3a812170cd856dfb54f95
sha256(csecret_28)=73f4a07cd1f061f81c42b32e3dd1ffa0ac1114d40df92205869e60a1e537d2ac
sha256(csecret_29)=d97b8509b66ae9b33ed6d1e46b37449ed6f7f3e7f4bc03a59004994ff833bb71
sha256(csecret_2a)=08a0edf7bf91d7fa685ca77246b8394fa4edd0e06639e53e6fa835436b09560f
sha256(csecret_2b)=6d3a215979ae17a947e7c2772d1efec9b0ac9b0063f4e0a64fe93f779fc70188
sha256(csecret_2c)=20c358eeed4f03cc03ddbad4f9cf9e6f83a86c61fe434ee259789a63ba2178b7
sha256(csecret_2d)=07923cbd0e19d3b8c81d3f5d4df8ef58ec667f94e6096897de34c1ebf878b2b0
sha256(csecret_2e)=b8706c9d52b7fe020c3c833cfde328dbcda24c290be60c658b3c1784da85340b
sha256(csecret_2f)=e0c6273094f499180139a06133e582565cc1cd23478a6180914950a672e3bfaf
sha256(csecret_30)=3477d86ed721fd5112c94a566f26b4d30cd7ae78de1b047eb21a709a7934d073
sha256(csecret_31)=d2bf372d3a1b652a31b0fa1264086c8fdce8ab491889dce2cfb4db71eab758b8
sha256(csecret_32)=fc65d00eb14406f76a940368722c4f3b8ab11d1abf44e32499103492cf714af9
sha256(csecret_33)=fa7f4a5cb39ae9205177f3da8f8c2f88ec7f8d14b8c6f75b2dbb661f30ec076d
sha256(csecret_34)=4aa215afd1a0ab118ab60db1fbc5ee769907a1b58813ec417e7f1519a5cc4243
sha256(csecret_35)=ae64ed29f1158feee2c3e858b2868197c173b07e6d1d281dbd458449770c492b
sha256(csecret_36)=083bd0a21da79ae6b63c9e01035fad9334983c79a43d555dba5481c6d531b30f
sha256(csecret_37)=9cc2735bc70f0c756279c41b85dd558e00783dd8ec4202f4db0f6c384b43dda2
sha256(csecret_38)=90483d58fc3e7c298b353f3d9295d8a81d8bb9f5182bcfcf3c8c60e9b6537aec
sha256(csecret_39)=78a4c4ad790921ab5c6f3224ea394fb53e576110d1fa467b3aa942b5c141cfa8
sha256(csecret_3a)=a28b03e2bee0c18640f9607db3cf430af0fc7a9b61b002f3369333e13dec3080
sha256(csecret_3b)=eec13d2a63a89e35834d6e1c2ca879ef556e3e970efaf08bee406979f271e9a9
sha256(csecret_3c)=29b30980914a0201a195dab7c5494d2ca9c94205619c2f91dd74ddeea24d14f0
sha256(csecret_3d)=aeff5b69a19c6a1b767dfae9fd57ffcb11ba2f5eb34f0e013a922d9474218d11
sha256(csecret_3e)=6b07bc90e01a40ae51fd718e2ef751fb174c14c8cb4f68a00be847f020bdc1a6
sha256(csecret_3f)=374708fff7719dd5979ec875d56cd2286f6d3cf7ec317a3b25632aab28ec37bb
+----------------------------------------------------------------------------+
| References |
+----------------------------------------------------------------------------+
[1]: https://hexkyz.blogspot.com/2021/11/je-ne-sais-quoi-falcons-over-horizon.html
[2]: https://switchbrew.org/wiki/TSEC
[3]: https://yifan.lu/2019/02/22/attacking-hardware-aes-with-dfa/
@ntnlabs

This comment has been minimized.

Copy link

@ntnlabs ntnlabs commented Nov 23, 2021

Let's hope the Switch does not have a third Secure Chip :D

PS: awesome work

@Kusurisan

This comment has been minimized.

Copy link

@Kusurisan Kusurisan commented Nov 24, 2021

will this also affect the switch lite? or only the regular switch?

@lukasdoerr

This comment has been minimized.

Copy link

@lukasdoerr lukasdoerr commented Nov 24, 2021

Good job plutoo! I hope there will be HB Software for newer switch models soon! :)

@junormeshud

This comment has been minimized.

Copy link

@junormeshud junormeshud commented Nov 24, 2021

respect, great job..! :)

@Fachpersonal

This comment has been minimized.

Copy link

@Fachpersonal Fachpersonal commented Nov 29, 2021

Great job! Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment