Tuesday, November 23, 2021

Full key extraction of Nvidia TSEC

+----------------------------------------------------------------------------+
| Full key extraction of NVIDIA™ TSEC                                        |
+----------------------------------------------------------------------------+

With the recent TSEC article by Hexkyz & SciresM [1], I thought I'd talk about something I've been sitting on. While their attack(s) give full oracle access to the crypto hardware, I managed to get my hands on the underlying *root keys*, and here's the story of how that happened. :-)

+----------------------------------------------------------------------------+
| Introduction                                                               |
+----------------------------------------------------------------------------+

In 2018, Nintendo was in a rough spot. Their newest console, the Nintendo Switch™, had sold millions, and each one had shipped a bootrom with a trivial USB stack buffer overrun. At that time, any kid could, by jamming some aluminum foil into one of the joycon rails (to short a debug-mode pin), insert a USB cable and completely pwn the device!

Furthermore, the AES root key (called the "SBK") had been extracted earlier, in 2017, by me and Derrek, through a different bug in the bootrom, in the "warmboot" code path, that we triggered through a chain from a WebKit exploit.

Anyhow, when the system was released in 2017, the original secure boot flow was very simple, and it looked like this:

[ Chip reset ] -> [ ARM7 BootRom ] -> [ ARM7 Second BootLoader ] -> ...
                         ^ This got pwned by many people

+----------------------------------------------------------------------------+
| The TSEC Comeback                                                          |
+----------------------------------------------------------------------------+

So, what could Nintendo possibly do in this situation? Their secure boot is gone, the root AES keys are gone... Sure, they could fix the bootrom in new consoles, but they had already shipped vulnerable units in the millions... All hope was lost...

Well, some clever guy ;-) reminded them that the T210 chip (the main CPU) has a proprietary NVIDIA "security processor" called TSEC, which has: [2]

(1) its own SRAM (protected from the rest of the system)
(2) its own "secure boot" (protected from the rest of the system)
(3) bus mastering capabilities
(4) and.. is able to DMA to ARM7's memory

In November 2018, Nintendo released firmware update 6.2.0. The old boot flow was gone; it had been replaced by the following stroke of genius:

[ Chip reset ] -> [ ARM7 BootRom ] -> [ ARM7 Second BootLoader ] -> [ .... ARM7 held in reset .............................. ] -> [ ARM7 Third BootLoader ] -> ...
                                                       |              ^                                                            ^
                                                       v              | < reset ARM7 >                                             | < start ARM7 >
                                              [ TSEC SecureBoot ] ----+---------------> [ decrypt ARM7 Third BootLoader ] ---------+
                                                       ^ NOTE: It no longer matters if ARM7 gets pwned!

The TSEC will reset the ARM7 and boot the ARM7 from a clean slate, no matter whether the ARM7 was pwned previously or not!

So, out of nowhere, by this huge hack-y BOTCH, Nintendo seemingly managed to do the impossible:

(A) reclaim their secure boot
(B) introduce new key material

Now, this would have been the greatest comeback in video game security history. And it would have been perfect if not for the many security flaws in TSEC secure boot. But this article is not about that...

+----------------------------------------------------------------------------+
| Voltage Glitching                                                          |
+----------------------------------------------------------------------------+

A CMOS transistor has an activation voltage of about 0.6-0.7V. When a chip is deprived of voltage, transistors will not switch properly. On a chip, scattered in between gates, are patches of metal that ensure the voltage supply is stable locally. They act like tiny capacitors. There are also so-called "buffers", which are gates that stabilize the signal voltage.

If you have a high-entropy computing circuit (for example AES-128), a lot of energy is required to constantly switch the transistors, and as a result the local voltage will be more noisy in that neighbourhood. So you'd need a lot of buffers to keep the VCC stably above 0.7V.

Anyway, let's step back a bit.

+----------------------------------------------------------------------------+
| Setting the Voltage                                                        |
+----------------------------------------------------------------------------+

Here is a simple overview of the interaction between the power management chip (PMIC) and the main CPU. There are multiple voltage rails, but the only interesting rail is the 1.1V main rail.

+--------+    1.1v    +----------+
|  PMIC  | ---------> | MAIN CPU |
|        |    i2c     |          |
|max77620|
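The "Voltage Glitching" section explains why a starved transistor stops switching cleanly; the defender's counterpart is boot code written so that one mis-evaluated compare or one skipped loop iteration cannot turn a failed check into a pass. The following is an added example, not code from the article or from NVIDIA/Nintendo: a hypothetical verify_digest routine in the glitch-hardened style (no early exit, two independent passes, loop-count verification, distinct multi-bit verdict constants), run over constructed sample digests.

```c
#include <stdint.h>
#include <stddef.h>

/* Distinct multi-bit verdict constants: a verdict register left zeroed,
 * all-ones, or half-written after a glitch matches neither value. */
#define BOOT_OK   0x5AA55AA5u
#define BOOT_FAIL 0xA55AA55Au

/* Compare n bytes without early exit, and report how many bytes were
 * actually visited so a shortened loop cannot pass unnoticed. */
static uint8_t compare_all(const uint8_t *a, const uint8_t *b, size_t n,
                           volatile size_t *visited)
{
    uint8_t diff = 0;
    volatile size_t i;
    for (i = 0; i < n; i++) {
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    *visited = i;
    return diff;
}

/* Glitch-tolerant digest check (hypothetical routine): two independent
 * passes, loop-count verification, verdict explicitly set to BOOT_OK. */
uint32_t verify_digest(const uint8_t *expected, const uint8_t *actual, size_t n)
{
    volatile uint32_t verdict = BOOT_FAIL;
    volatile size_t seen1 = 0, seen2 = 0;

    uint8_t d1 = compare_all(expected, actual, n, &seen1);
    uint8_t d2 = compare_all(actual, expected, n, &seen2);

    if (d1 == 0 && d2 == 0 && seen1 == n && seen2 == n) {
        verdict = BOOT_OK;
    }
    /* Re-read the verdict: anything but the exact OK pattern fails. */
    if (verdict != BOOT_OK) {
        verdict = BOOT_FAIL;
    }
    return verdict;
}

/* Constructed sample digests for demonstration (not real TSEC values). */
const uint8_t sample_digest[16] = {
    0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x03, 0xed, 0xc1, 0x01, 0x0d, 0x00, 0x00 };
const uint8_t sample_tampered[16] = {
    0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x03, 0xed, 0xc1, 0x01, 0x0d, 0x00, 0x01 };
```

The visited-count check is what makes a glitch that truncates the compare loop fail closed; with only a boolean result, a loop that exits after zero iterations would report "equal".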



from Hacker News https://ift.tt/30QAEO2
