Some fuel for the Switch scene: Writeups on TSEC (Tegra Security Processor) exploits

Hackers Hexkyz, SciresM, and Plutoo have recently published detailed writeups on their recent work on the TSEC/Falcon security of the Nintendo Switch, and how they managed to 1) break its security in a way Nintendo cannot fix and 2) extract the underlying root keys.

The two articles are in-depth explanations on how the specific hacks were achieved, although I won’t lie to you, the blog post by Hexkyz and SciresM in particular is pretty long and detailed. It’s interesting but not for the faint of heart. I won’t pretend I understood even 10% of what’s being detailed there, so I’ll let those interested read the entire article instead:

https://hexkyz.blogspot.com/2021/11/je-ne-sais-quoi-falcons-over-horizon.html

Hexkyz and SciresM thank the following folks/groups for their contribution to the exploits:

By comparison, Plutoo’s article on how he extracted all keys from Nvidia’s TSEC almost looks like it was easy, but don’t be mistaken. Reusing ideas and tools developed by Yifanlu back in the Vita days, Plutoo used DFA (Differential Fault Analysis) to glitch the system and extract information; that’s not your entry-level Konami cheat code.

https://gist.githubusercontent.com/plutooo/733318dbb57166d203c10d12f6c24e06/raw/15c5b2612ab62998243ce5e7877496466cabb77f/tsec.txt

How is this useful to the scene?

Long story short, this isn’t directly useful to you, the end user: the hackers managed to break the security of the console pretty deeply, but you’d still need a way to run code one way or another as an entry point in order to leverage these exploits. Nowadays, running unsigned code on the Switch can be achieved through the Fusée Gelée hack or modchips (see our detailed article here), but if you have one of the recent models where a modchip is required, there’s still hope that software hacks could eventually see the light of day for those of us patient enough.

Source: SciresM and Plutoo (thanks to @unamear for the tip)