,
11 tweets,
4 min read
Read on Twitter
It seems my tweets from yesterday confused some people. I don't blame you. Me failing at basic english ("until" instead of "while", smh) *and* posting the wrong hash didn't help at all, but what can I say? I was too excited and tired to even notice. :P
I'll now try to provide a brief overview for all this.
TSEC is a controller used in most Tegra devices, including the Switch. Like many other controllers found in Tegra devices, it is powered by a Falcon microprocessor, but with additional crypto capabilities (via the SCP).
TSEC is a controller used in most Tegra devices, including the Switch. Like many other controllers found in Tegra devices, it is powered by a Falcon microprocessor, but with additional crypto capabilities (via the SCP).
On the Switch, besides HDCP, the TSEC is used in the console's boot process by providing an extra source of secrecy for key derivation.
Starting with fw 6.2.0, TSEC's role has been extended in order to regain a secure boot chain since the RCM exploit had destroyed it.
Starting with fw 6.2.0, TSEC's role has been extended in order to regain a secure boot chain since the RCM exploit had destroyed it.
When 6.2.0 dropped we were able to defeat TSEC using Tegra's SMMU. This worked by making TSEC think it was running in a safe environment while we had full control over memory contents.
In this case there was no compromising of the TSEC itself.
In this case there was no compromising of the TSEC itself.
Then came 7.0.0 which introduced a TSEC payload that could bypass the SMMU entirely by taking advantage of a hidden communication channel between the TSEC and the Tegra's Memory Controller.
This required actual exploitation of the TSEC which eventually yielded the necessary keys.
This required actual exploitation of the TSEC which eventually yielded the necessary keys.
What you probably don't know is that this specific exploit would only work under certain circumstances (which won't be detailed for obvious reasons). While the 7.0.0 keys could be extracted this way, the 6.2.0 ones, for example, couldn't (as bizarre as that may sound).
Due to this, it was uncertain if keys in future updates could be extracted or not... Until now.
Third time's the charm. I found a critical design flaw a few weeks ago and after a short brainstorm session with @SciresM, we were able to obliterate the TSEC's crypto scheme forever.
Third time's the charm. I found a critical design flaw a few weeks ago and after a short brainstorm session with @SciresM, we were able to obliterate the TSEC's crypto scheme forever.
This means any and all Falcon v5 (and potentially before or even after) based controllers are vulnerable, at the hardware level, granting us the ability to extract any future keys necessary!
The road to get here was not easy: I started attacking TSEC as early as January 2018. But together with the brilliant minds of @qlutoo, @shuffle2, @SciresM and @elmirorac we were able to find and exploit over 5 different bugs among us that were crucial to get here.
The first hash was supposed to be of a 6.2.0 key that we couldn't dump before (except I messed up and posted the hash of *the* *only* *one* we actually *could* dump, sigh...) while the second hash is of something that can only be obtained from this level of pwn.
Once again, big shout out to @qlutoo, @shuffle2, @SciresM and @elmirorac for all the work involved and also to the nouveau/envytools' people for the amazing work in documenting the Falcon and other obscure controllers over the years!
