So this is full of a lot of uneducated guesses, but i think it makes up a good story.
Some Facts
- The exploited vulnerability is in the bootrom
- It needs a simple hardware mod if no software exploit chain is available
- We are supposed to have a usb cable ready
- The vulnerability is not switch specific (but for many Tegra devices)
The Tegra Boot Flow documentation (please google, i can't post links yet) states that there is a usb recovery mode (NOT the same as Switch Recovery Mode or Maintanence Mode!). I guess this recovery mode is part of the bootrom. It can be triggered by several ways:
In recovery mode you can upload an run arbitray code if either
So, what's left? Well the recovery mode software reads and interpretes whatever you send to it via usb. No clue if the usb stack is software or hardware, but the data has to be interpreted somewhere.
So my guess is that there is a vulnerability somewhere in tegra recovery mode data interpretation that can be exploited via usb.
So what do you need modchips for? Well with a modchip you could trigger recovery mode only conditionally and maybe there is a way to insert usb data or whatever that is converted to (uart?) inside of the switch. Or you just have a usb dongle modchip (solderless tx?) that just sends some exploit data to over usb to the recovery mode.
Does anyone know how to trigger Tegra usb recovery mode in the switch? Probably most of the hardware is uninitialized so screen would be blank and you would only notice that there is something on the usb port.
Some Facts
- The exploited vulnerability is in the bootrom
- It needs a simple hardware mod if no software exploit chain is available
- We are supposed to have a usb cable ready
- The vulnerability is not switch specific (but for many Tegra devices)
The Tegra Boot Flow documentation (please google, i can't post links yet) states that there is a usb recovery mode (NOT the same as Switch Recovery Mode or Maintanence Mode!). I guess this recovery mode is part of the bootrom. It can be triggered by several ways:
- "If no valid BCT can be found"
- "A recovery mode strap exists. If this is asserted, recovery mode will be entered unconditionally. This would usually be asserted by the user pressing a button, or some system management controller asserting the strap."
- "If Tegra PMC register scratch0 bit 2 is set at power-up, recovery mode will be entered. This register bit is not cleared when Tegra resets, so any software may set this bit, then reboot, to request recovery mode."
In recovery mode you can upload an run arbitray code if either
- security is off
- you have the keys to encrypt and sign the messages you are sending via usb
So, what's left? Well the recovery mode software reads and interpretes whatever you send to it via usb. No clue if the usb stack is software or hardware, but the data has to be interpreted somewhere.
So my guess is that there is a vulnerability somewhere in tegra recovery mode data interpretation that can be exploited via usb.
So what do you need modchips for? Well with a modchip you could trigger recovery mode only conditionally and maybe there is a way to insert usb data or whatever that is converted to (uart?) inside of the switch. Or you just have a usb dongle modchip (solderless tx?) that just sends some exploit data to over usb to the recovery mode.
Does anyone know how to trigger Tegra usb recovery mode in the switch? Probably most of the hardware is uninitialized so screen would be blank and you would only notice that there is something on the usb port.