Hacking Question: What have I missed?

thla

I know that it's encrypted. But with the exploit in 1.0.0 you can basically have TrustZone fetch the key for you without needing to know it. So you wouldn't technically need the key to decrypt the game with that exploit, if I understand correctly. This is info coming from the 34C3 talk.

The trustzone can't fetch something it doesn't have. The point of having this safeguard is that they can contain the potential for game piracy if their system is compromised.

3.0.0 was compromised so they changed to a new one starting with 3.0.1, when/if that's cracked they'll just do it again and we're then limited to piracy for at most that version.
 

TheCyberQuake

The trustzone can't fetch something it doesn't have. The point of having this safeguard is that they can contain the potential for game piracy if their system is compromised.

3.0.0 was compromised so they changed to a new one starting with 3.0.1, when/if that's cracked they'll just do it again and we're then limited to piracy for at most that version.
Did you even watch the 34c3 presentation? They explained why you can, in their own words, "basically ignore trustzone".
 

thla

Did you even watch the 34c3 presentation? They explained why you can, in their own words, "basically ignore trustzone".
Yes I watched it.

Trustzone is not the issue, to read from a gamecart you need to be able to decrypt it, if you do not have the key to decrypt it then you cannot read it.
 

Jackson98

Technically, unless you're a person willing to fork out an extra $300 on a second Switch, you haven't missed anything :P. You're trading off Switch games beyond 3.0 for retro emulation; it's one compromise for another. Excitingly enough, they've managed to get SNES emulation running through console commands, although still no GUI loader, I believe? RetroArch cores look to be a near-future prospect for emulation. I hope emulation progress keeps thriving, and I'm not unhappy to say I'm one of the people that's chosen to upgrade, and have 0 regrets in doing so. I've already got 3DS in terms of portable emulation; my biggest hope for the Switch is to see good N64 emulation, due largely in part because Microsoft went and f$#ked RARE up, and certain games don't have the legal licence to release on the VC.

smf

3.0 will get homebrew only, no kernel. There's no kernelhax either private or public for this version and there won't be one for a while according to SciresM.

I thought smhax was a kernel exploit.

3.0 doesn't seem to have a permanent hack yet, you have to trigger it from a web browser each time.

It's still early days though, nothing is actually released. This could be a damp squib.
 

Astoria

I thought smhax was a kernel exploit.

3.0 doesn't seem to have a permanent hack yet, you have to trigger it from a web browser each time.

It's still early days though, nothing is actually released. This could be a damp squib.

smhax allows access to services necessary for homebrew like the filesystem. This is what's possible on 3.0:

aDHm0Bf.png
 

DayVeeBoi

Yes I watched it.

Trustzone is not the issue, to read from a gamecart you need to be able to decrypt it, if you do not have the key to decrypt it then you cannot read it.
Basically what they said was they don't need to know the key to be able to manipulate it. The keyslots can keep the keys private but allow the OS to use them still and with the right "poking" and prodding they can still use the keys to decrypt things without knowing them.
 

thla

Basically what they said was they don't need to know the key to be able to manipulate it. The keyslots can keep the keys private but allow the OS to use them still and with the right "poking" and prodding they can still use the keys to decrypt things without knowing them.
They have nothing to manipulate because the key doesn't exist on their system.
 

TheCyberQuake

They have nothing to manipulate because the key doesn't exist on their system.
Very clearly you didn't pay attention or didn't understand the presentation. They don't need the key; TrustZone is broken in a way that they don't need the keys. And the keys aren't stored on the system, that's not how it works.

smf

smhax allows access to services necessary for homebrew like the filesystem. This is what's possible on 3.0:

aDHm0Bf.png

If you watch further to the mchammer slide, they explain how to patch the kernel by mapping the kernel in as shared memory using svcMapSharedMemory(). He then says "here's the code" and quickly gets rid of it. I admit they don't specifically say it still works in 3.0, and http://switchbrew.org/index.php?title=Switch_System_Flaws doesn't mention it at all either, so you can't check. It also doesn't mention the UntrustZone exploit either, which is a bit vague in its explanation but sounds like there might be an exploit for getting it to boot a modified OS.

DayVeeBoi

They have nothing to manipulate because the key doesn't exist on their system.
What is this guy talking about?

If you watch further to the mchammer slide, they explain how to patch the kernel by mapping the kernel in as shared memory using svcMapSharedMemory(). He then says "here's the code" and quickly gets rid of it. I admit they don't specifically say it still works in 3.0, and http://switchbrew.org/index.php?title=Switch_System_Flaws doesn't mention it at all either, so you can't check. It also doesn't mention the UntrustZone exploit either, which is a bit vague in its explanation but sounds like there might be an exploit for getting it to boot a modified OS.
Did you watch any other presentations regarding ARM TrustZone? I linked a few in this post on another thread. There's some fairly recent research into attacking trusted execution environments, one in particular called CLKSCREW, that I think may be valid if someone is willing to look into it. One of the other talks is by a researcher employed by ARM who, if I understand correctly, is working on automating some parts of security auditing code. His personal work is open sourced; this is his GitHub repo for this work.

The CLKSCREW paper is hosted at the author Adrian Tang's (Columbia U.) GitHub. The attack is similar to what was used to extract the keys via glitching (I think, anyway) at the start of the video. I haven't read the paper or anything, but there was a brief explanation in one of the 34C3 talks I linked to earlier. From what I understand it can't be mitigated without new hardware (maybe it can?), but it's basically using power fluctuations to mess with the CLK and cause faults in the caching process.

Again someone smarter than me can and hopefully will pop in here and fill us in on if I'm misunderstanding or if they have a better explanation, or any suggestions of what to watch or read to further our understanding.
 

smf

Did you watch any other presentations regarding ARM TrustZone? I linked a few in this post on another thread. There's some fairly recent research into attacking trusted execution environments, one in particular called CLKSCREW, that I think may be valid if someone is willing to look into it.

I didn't watch them; I've only managed to watch a couple of videos so far this year. AFAICT TrustZone is essentially broken on Switch anyway, although they may have been light on the facts in their talk, as they don't say what firmware versions their exploits work on but kinda let everyone think it's all working on 3.0 (which may be on purpose). I certainly won't be opening a Switch and installing a clock glitcher :D
 