[News] hexkyz breaks TSEC on 6.2.0

The Tegra Security Co-processor (TSEC) is a controller used in most Tegra devices, including the Switch. Like many other controllers present in Tegra devices, it is powered by a Falcon microprocessor, but with additional encryption capabilities (via the SCP).

On the Switch, in addition to the HDCP protocol, TSEC is used in the console boot process by providing an additional source of security for key bypass. Since firmware 6.2.0, TSEC’s role has been extended to a secure boot chain, as the RCM’s exploit destroyed it.

When version 6.2.0 was introduced, developers were able to defeat TSEC using Tegra’s SMMU. This worked by making TSEC believe that the system operated in a secure environment while fully controlling the memory content. In this case, the TSEC itself was not compromised.

in-switch-hexkyz-casse-le-tsec-sur-620-1

Next, the solution for version 7.0.0 was to introduce a TSEC Payload capable of completely bypassing the SMMU by exploiting a masked communication channel between TSEC and the Tegra memory controller. This necessitated the effective exploitation of the TSEC, which finally made it possible to obtain the necessary keys.

hexkyz adds that this specific feat would only work under certain circumstances (which will not be detailed for obvious reasons). Although 7.0.0 keys can be extracted this way, 6.2.0 keys, for example, could not (as weird as it may seem).

As a result, it was uncertain whether the keys to future updates could be extracted or not … So far, so far. He found a critical design flaw a few weeks ago and after a brief exchange session with SciresM, they were able to perform the TSEC encryption scheme. This means that all the controllers based on Falcon v5 (and potentially before or even after) are vulnerable, at the material level, allowing us to extract the necessary future keys!

For more than a year, January 2018, he has been working on attacks on TSEC, but with the help of qlutoo, shuffle2, SciresM and elmirorac, he has been able to find and exploit more than 5 different bugs that proved crucial to breaking the security of TSEC. The console that celebrates its 2 years has a lot of fun to offer developers.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s