wraggster
January 21st, 2018, 19:44
I dont yet own or have hands on the Nintendo Switch but its an awesome console with a fantastic hacking scene, heres the release news:
A joint effort of ReSwitched developer SciresM and motezazer, jamais vu (French for "never seen") allows for code execution at the highest possible privilege level on the Nintendo Switch. Quoting from the writeup on Reddit, practical applications include:
On 1.0.0, code execution at the highest possible privilege level. TrustZone is only responsible for cryptography, but because jamais vu results in our controlling the entire contents of TZRAM when the system is booting back up, we're in an ideal position to "reboot" into our own, patched version of the OS.
We can dump keys from "write-only" keyslots. Nintendo's cryptosystem relies on TrustZone receiving only two keys: a shared master key, and a console-unique device key. Newer firmwares can change the master keywhen a fuse is burnt, but we can dump the 1.0.0 master key and our console's device key and perform all encryption a 1.0.0 to 2.3.0 console knows how to do at runtime on our PCs.
We've peeled back another layer of security, and can analyze and understand Nintendo's cryptosystem. That's the real victory http://gbatemp.net/styles/default/xenforo/clear.png
You can find the writeup below, as well as the ongoing discussions on GBAtemp.
http://gbatemp.net/styles/default/xenforo/clear.png Source (https://www.reddit.com/r/SwitchHacks/comments/7rq0cu/jamais_vu_a_100_trustzone_code_execution_exploit/)
http://gbatemp.net/styles/default/xenforo/clear.png Ongoing Discussion (https://gbatemp.net/threads/jamais-vu-a-1-0-0-trustzone-code-execution-exploit-for-the-nintendo-switch.494712/)
via http://gbatemp.net/threads/jamais-vu-a-1-0-0-trustzone-code-execution-exploit-for-nintendo-switch.494717/
A joint effort of ReSwitched developer SciresM and motezazer, jamais vu (French for "never seen") allows for code execution at the highest possible privilege level on the Nintendo Switch. Quoting from the writeup on Reddit, practical applications include:
On 1.0.0, code execution at the highest possible privilege level. TrustZone is only responsible for cryptography, but because jamais vu results in our controlling the entire contents of TZRAM when the system is booting back up, we're in an ideal position to "reboot" into our own, patched version of the OS.
We can dump keys from "write-only" keyslots. Nintendo's cryptosystem relies on TrustZone receiving only two keys: a shared master key, and a console-unique device key. Newer firmwares can change the master keywhen a fuse is burnt, but we can dump the 1.0.0 master key and our console's device key and perform all encryption a 1.0.0 to 2.3.0 console knows how to do at runtime on our PCs.
We've peeled back another layer of security, and can analyze and understand Nintendo's cryptosystem. That's the real victory http://gbatemp.net/styles/default/xenforo/clear.png
You can find the writeup below, as well as the ongoing discussions on GBAtemp.
http://gbatemp.net/styles/default/xenforo/clear.png Source (https://www.reddit.com/r/SwitchHacks/comments/7rq0cu/jamais_vu_a_100_trustzone_code_execution_exploit/)
http://gbatemp.net/styles/default/xenforo/clear.png Ongoing Discussion (https://gbatemp.net/threads/jamais-vu-a-1-0-0-trustzone-code-execution-exploit-for-the-nintendo-switch.494712/)
via http://gbatemp.net/threads/jamais-vu-a-1-0-0-trustzone-code-execution-exploit-for-nintendo-switch.494717/