Methodically Defeating Nintendo Switch Security
Gauvain Tanguy Henri Gabriel Isidore Roussel-Tarbouriech, Noel Menard, Tyler True, Tini Vi, Reisyukaku

TL;DR
This paper details a comprehensive approach to bypass Nintendo Switch security by combining software reverse-engineering and hardware analysis, culminating in executing code in a high-security environment.
Contribution
It introduces a novel multi-vector attack methodology that combines software and hardware analysis to defeat the Nintendo Switch's security system.
Findings
Successfully reverse-engineered userland and OS services.
Devised hardware analysis of ROM bootstrap code.
Achieved ROP code execution in a secure co-processor.
Abstract
We explain, step by step, how we strategically circumvented the Nintendo Switch's system security, from basic userland code execution, to undermining and exposing the secrets of the security co-processor. To this end, we've identified and utilized two distinct analysis procedures. The software-based analysis suffices for reverse-engineering the userland and operating system services, and is necessary for a general architectural understanding of the software systems in the Nintendo Switch. While this method is extremely powerful and provides significant leverage over the control of the system and its software security, a hardware-based method was devised, which employs analysis of the trusted bootstrap code in ROM. This strategy was essential for the goal of defeating the hardware root of trust. Together, these two vectors provide essential insight required to instance a chain of…
Taxonomy
Topics: Advanced Malware Detection Techniques · Security and Verification in Computing · Cryptographic Implementations and Security
