CVE-2018-6242: ShofEL2 and Fusée Gelée

Re: https://firmwaresecurity.com/2018/04/24/shofel2-a-tegra-x1-and-nintendo-switch-exploit/

https://www.nvidia.com/en-us/product-security/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6242

ShofEL2 responsible disclosure window ends April 25th

Re: https://firmwaresecurity.com/2018/02/19/nintendos-new-kde-linux-tablet/ and https://firmwaresecurity.com/2018/01/16/dumping-the-playstation4-kernel/

Nintendo’s new KDE Linux tablet :-)

Re: https://firmwaresecurity.com/2018/01/16/dumping-the-playstation4-kernel/

https://liliputing.com/2018/02/fail0verflow-turns-a-nintendo-switch-into-a-full-fledged-linux-pc.html

https://www.theverge.com/circuitbreaker/2018/2/19/17029916/nintendo-switch-hack-linux-fail0verflow

https://www.forbes.com/sites/jasonevangelho/2018/02/09/hackers-are-running-linux-on-the-switch-and-claim-nintendo-cant-patch-it/#73bc32eb512c

https://www.nintendo.com/switch/

I have never once considered purchasing a Nintendo Switch …until now. 🙂


Nintendo 3DS Secure Bootchain attack

Keyshuffling Attack for Persistent Early Code Execution in the Nintendo 3DS Secure Bootchain
We demonstrate an attack on the secure bootchain of the Nintendo 3DS in order to gain early code execution. The attack utilizes the block shuffling vulnerability of the ECB cipher mode to rearrange keys in the Nintendo 3DS’s encrypted keystore. Because the shuffled keys will deterministically decrypt the encrypted firmware binary to incorrect plaintext data and execute it, and because the device’s memory contents are kept between hard reboots, it is possible to reliably reach a branching instruction to a payload in memory. This payload, due to its execution by a privileged processor and its early execution, is able to extract the hash of hardware secrets necessary to decrypt the device’s encrypted keystore and set up a persistent exploit of the system.[…]
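The abstract above hinges on one property of ECB mode: every block is encrypted independently, so anyone who can rewrite the ciphertext can reorder the plaintext blocks without knowing the key. The short Python below is an added illustration of that property and of the fix (an integrity tag over the whole blob); it is not code from the paper or the keyshuffling repository. The block cipher is a toy HMAC-SHA256 Feistel network standing in for AES, and the keystore layout, key names and key values are constructed for the example.

```python
"""ECB keystore malleability, and what an integrity tag changes.

Added illustration, not code from the keyshuffling paper or repo. The block
cipher is a toy 4-round Feistel network (HMAC-SHA256 round function) standing in
for AES; the keystore contents and keys below are constructed for the example.
"""
import hashlib
import hmac
from typing import List, Optional

BLOCK = 16  # byte width of one cipher block


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: keyed PRF truncated to half a block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher; any block cipher in ECB behaves the same way below."""
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: ciphertext block i depends only on plaintext block i, never on its neighbours."""
    assert len(data) % BLOCK == 0
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    assert len(data) % BLOCK == 0
    return b"".join(block_decrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def blocks(data: bytes) -> List[bytes]:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def shuffle_blocks(ciphertext: bytes, order: List[int]) -> bytes:
    """Rearrange ciphertext blocks; no key is needed for this step."""
    cb = blocks(ciphertext)
    return b"".join(cb[i] for i in order)


# Constructed keystore: three 16-byte key slots with readable placeholder values.
KEYSTORE = b"slot0:key=AAAAAA" + b"slot1:key=BBBBBB" + b"slot2:key=CCCCCC"
KEYSTORE_KEY = b"constructed-keystore-key"
MAC_KEY = b"constructed-mac-key"


def seal_keystore(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Hardened form: encrypt-then-MAC. The tag binds every block and its position."""
    ct = ecb_encrypt(enc_key, plaintext)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct + tag


def open_keystore(enc_key: bytes, mac_key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext keystore, or None if any block was altered or moved."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return ecb_decrypt(enc_key, ct)


def demo() -> dict:
    ct = ecb_encrypt(KEYSTORE_KEY, KEYSTORE)
    # Swap ciphertext blocks 0 and 2: decryption "succeeds", but slot 0 now yields slot 2's key.
    swapped = ecb_decrypt(KEYSTORE_KEY, shuffle_blocks(ct, [2, 1, 0]))
    # With a tag over the ciphertext the same swap is rejected before any key is used.
    sealed = seal_keystore(KEYSTORE_KEY, MAC_KEY, KEYSTORE)
    tampered = shuffle_blocks(sealed[:-32], [2, 1, 0]) + sealed[-32:]
    return {
        "swapped_slot0": blocks(swapped)[0],
        "sealed_ok": open_keystore(KEYSTORE_KEY, MAC_KEY, sealed) == KEYSTORE,
        "tampered_rejected": open_keystore(KEYSTORE_KEY, MAC_KEY, tampered) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the two halves: `ecb_decrypt` has no way to tell a reordered blob from a genuine one, which is exactly the deterministic "wrong key, wrong plaintext, still executed" behaviour the abstract describes. An authenticated construction (here encrypt-then-MAC; AES-GCM or AES-SIV would do the same job in real firmware) makes the boot ROM refuse the blob instead of decrypting it.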

https://github.com/Plailect/keyshuffling

https://media.ccc.de/v/32c3-7240-console_hacking