Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

In 2018, the Nintendo's Switch security was in a bad place. The bootrom was vulnerable to an easy to exploit buffer overflow in the USB stack. Because of this, the flow could be hijacked, the DRM checks could be completely bypassed and this was in the bootrom, the security of the Switch was completely compromised.

How does one fix this? The AES root keys were stolen, meaning that all previous consoles were going to be compromised forever. The T210 chip (main CPU) has a security processor that was currently not in use. By using this chip, Nintendo has fixed their secure boot and added new material!

A CMOS transistor has an activation voltage of 0.6-0.7V. When the chip does not have the proper voltage, the transistors act in very funny ways. The main CPU communicates with the PMIC (power management chip) to set the voltage via i2c.

When dropping the voltage below a certain point, the CPU starts to act in strange ways. The USB bootrom can be used to compromise the main CPU. Using this, the messages can be sent over i2c in order to set the voltage.

This is the perfect setup for a differential fault attack (DFA). This involves causes glitches at the exact right time in order to leak data from the system. In this case, AES-128 has 10 rounds. The idea with DFA is to ignore the first 8-9 rounds, and only focus on the last 2 rounds. If you can get 1-2 bitflips in the last two rounds, you can solve for the key, which is pretty awesome! A reference to DFA can be found here.