The Tegra Security Co-processor (TSEC) is a controller used in most Tegra devices, including the Switch. Like many other controllers present in Tegra devices, it is powered by a Falcon microprocessor, but with additional encryption capabilities (via the SCP).
On the Switch, in addition to the HDCP protocol, TSEC is used in the console boot process by providing an additional source of security for key bypass. Since firmware 6.2.0, TSEC’s role has been extended to a secure boot chain, as the RCM’s exploit destroyed it.
When version 6.2.0 was introduced, developers were able to defeat TSEC using Tegra’s SMMU. This worked by making TSEC believe that the system operated in a secure environment while fully controlling the memory content. In this case, the TSEC itself was not compromised.
Next, the solution for version 7.0.0 was to introduce a TSEC Payload capable of completely bypassing the SMMU by exploiting a masked communication channel between TSEC and the Tegra memory controller. This necessitated the effective exploitation of the TSEC, which finally made it possible to obtain the necessary keys.
hexkyz adds that this specific feat would only work under certain circumstances (which will not be detailed for obvious reasons). Although 7.0.0 keys can be extracted this way, 6.2.0 keys, for example, could not (as weird as it may seem).
As a result, it was uncertain whether the keys to future updates could be extracted or not … So far, so far. He found a critical design flaw a few weeks ago and after a brief exchange session with SciresM, they were able to perform the TSEC encryption scheme. This means that all the controllers based on Falcon v5 (and potentially before or even after) are vulnerable, at the material level, allowing us to extract the necessary future keys!
For more than a year, January 2018, he has been working on attacks on TSEC, but with the help of qlutoo, shuffle2, SciresM and elmirorac, he has been able to find and exploit more than 5 different bugs that proved crucial to breaking the security of TSEC. The console that celebrates its 2 years has a lot of fun to offer developers.