Methodically Defeating Nintendo Switch Security
share
We explain, step by step, how we strategically circumvented the Nintendo Switch's system security, from basic userland code execution, to undermining and exposing the secrets of the security co-processor. To this end, we've identified and utilized two distinct analysis procedures. The software-based analysis suffices for reverse-engineering the userland and operating system services, and is necessary for a general architectural understanding of the software systems in the Nintendo Switch. While this method is extremely powerful and provides significant leverage over the control of the system and its software security, a hardware-based method was devised, which employs analysis of the trusted bootstrap code in ROM. This strategy was essential for the goal of defeating the hardware root of trust. Together, these two vectors provide essential insight required to instance a chain of attacks, in order to gain code execution from the context of a high-security mode of a secure co-processor of a running system, thus allowing us to demonstrate an multi-faceted approach on attacking secure, embedded devices in an unfamiliar and novel environment.
READ FULL TEXT