
Console Security - Switch


Speech transcript (automated media analysis, beta)
For as long as Nintendo has been making video games they've been building in copy protection and region locking, and as long as there has been copy protection there have been people breaking it. Today plutoo, derrek and naehrwert have returned to enlighten us on the state of the Nintendo Switch. Please give them a round of applause.

Is this working? Yeah, OK. So first of all, we try to be ethical hackers, so we don't condone piracy; we really just want to do creative things with the hardware we own. The Switch was released about nine months ago, and since then they have sold a lot of units, so it's very popular. So the usual entry point is the web browser, and the Switch has a web browser, but it doesn't have a generic web browser, so we found a way to launch the browser, but it's not actually an intended way. This is a game you can buy; if you go to the main menu and press the button at the bottom right, it shows you the game manual, and then you can go all the way down to the bottom and they include links to their website. Let's try one more time.

So this is actually the exploit people expected us to use; it's a really old one, like six months old at the time the Switch was released, and we didn't even have to find our own, we just took a public one. It's pretty painful reading this over and over; I've done this like a thousand times. So this is not the way we intended to show it, but you can go into the menu, and we'll get to the rest of it later on. Thank you, thank you.
OK, so the Switch is quite a powerful unit. It's a hybrid, handheld and stationary. It has a quad-core Cortex-A57, so it's an ARM, and an NVIDIA GPU with the Maxwell architecture, clocked at either 307 or 384 MHz, or double that when docked, depending on whether you're docked or not; so if you're running on battery they want to reduce power consumption. It has plenty of memory, like 4 GB of RAM. And then there's the selling point, the Joy-Cons, and those are detachable, so you can either play by yourself or share one of your Joy-Cons with a friend and play two players. They have all the nice sensors, gyro and IR, and they have this feature called HD Rumble, but it's just a vibrator. And these ones don't have any security at all, so you can just unscrew them, look at the part number, google the part number, get all the datasheets and dump the flash.

When we open the main unit, this is what you see: you have the two DRAM chips in the orange section, the main CPU in red, and the rest is just Wi-Fi, boring stuff. And the flash: they made a separate daughterboard for the flash, so we can easily just unplug it, and from that we also get the codename for the Switch, which is HAC; I'm not sure what they were thinking there. If you look at the SoC, it's branded ODNX02-A2, because NX is the codename of the Switch, but the chip is actually just bought from NVIDIA, and it turns out the part number is the regular Tegra X1; people have checked and it looks just the same. And we have the reference manual online, it's freely available, pretty much 3000 pages, and it goes into detail on pretty much everything except the security part. But they also provide their own Linux drivers, so from those we can get at least some of the security registers and everything.

The main overview of the SoC is that you have an ARM7, the BPMP, which does power management and has a boot ROM that sets everything up. Then you have the main CPU, and it has 64 KB of SRAM for TrustZone, so that's secure-access only. And then you have the GPU on the same die, and they have the security engine, which does the AES acceleration and RSA and stuff, and the fuses, a lot of them actually, and then the memory controller, and TSEC, which is a secure CPU with a really weird architecture; they were really creative there. Then the rest of the I/O, which is kind of boring, and a bunch of buses that get you to external devices.

Nintendo uses the fuses for a lot of stuff, configuration, but there are 32 bits dedicated to downgrade protection. Every time they have a vulnerable firmware they just burn a fuse, and every bootloader reads the fuses to make sure that the number of bits it expects is set. If you try to downgrade by just rewriting the flash memory it will not boot, because there's a fuse inside the CPU that says this version is not allowed to boot any more. And then there's the SBK, which is just a normal AES-128 key, and it's the source of all the confidentiality in the system, so this is what you want to have if you want to decrypt all the software. It's also in fuses, and you can disable access to it later on, so you can only read it during early boot. Then they store the hash of the RSA public key, which is what they verify the boot binaries with; they don't actually store the key, just the hash, because they wanted to save space, but it's equally good. And they have this feature where they can patch the boot ROM: they can store patch instructions for how to modify the boot ROM code, so if they have exploitable bugs in the boot ROM, and they do, they can actually fix them, although the space is limited, so they could fill up all of it just fixing bugs. And it turns out that this is just an off-the-shelf chip from NVIDIA, sorry, not Nintendo, and they actually provide a dev board for it that you can buy from them; it's 600 bucks, or half that if you're a student. So this gives you access to play with all the I/O and discover what's undocumented about it.

If we look at the software, something people always ask us is: does it run Android? No, it doesn't run Android. It runs a custom microkernel called Horizon that has been in development for a long time; it was previously used for the 3DS, so it's like eight or nine years old maybe. All the drivers run in userspace as services, so it's a microkernel, microservices architecture. They have a custom NVIDIA graphics driver that's kind of similar to the Linux driver, but they modified it a lot, and they have their custom API to talk to it, kind of Vulkan-like; it's a really thin abstraction on top of the GPU, and it's custom and undocumented for us. So if you come from the 3DS hacking scene you can make a comparison. The main difference is that all the drivers and all the games are using ASLR, so it's a randomized address space, and that makes it really hard to exploit save games, because if you just have a file from a save you really can't do much if you don't know where things are in memory. And they rewrote everything, refactored and renamed everything, but if you just switch the abbreviations, all the concepts are the same. And they don't have a security processor like the 3DS had; this was a big problem on the 3DS, because the 3DS had this one processor which did a lot of stuff, that was a big attack surface, and it didn't have any memory protection. So they removed this; now everything is running on the same CPU with proper memory protection.

The most privileged thing they have is TrustZone, and this is just a crypto interface pretty much; the keys never leave TrustZone, hopefully, in theory. So they want it to kind of work like a hardware secret. Then there's the kernel; its goal is just to enforce process isolation and communication between processes, and it handles the IOMMU. Then it has what's called base services; these are the processes with a star. There's FS, which is the file system driver, which is not really interesting, and SM, which is the service manager. This one was pretty interesting: it enforces the whitelist of which process is allowed to talk to which process. There's PM, and Loader, which just creates new processes, and SPL, which is the interface to TrustZone. Then they have a bunch of normal services like the GPU driver, Wi-Fi driver, Bluetooth and stuff like that, and then finally we have the applets, where the game or the web browser runs.

So the web browser runs in a sandbox where we only get access to approximately half of the syscalls, and we only get the user services, which are the services that you're supposed to access as a user. And it has a per-process file system, so a game can only mount its own save data, and it can mount a game card, which is how, when we get an exploit, for example one of them can load files off its game card; but here we can't do that just from the browser alone. The services sandbox, which is where all the drivers are, has like 20 more syscalls; it's mostly just for talking to memory-mapped devices and handling interrupts, and it has a service whitelist too, but it's reduced, so you get access to a few more services. Services don't have any file access at all in general; there are a few exceptions, but this is pretty powerful, because even if you were to elevate into, let's say, the GPU driver, you don't get any extra file access as a result. And they sometimes talk to external devices via memory-mapped I/O, but even if a malicious driver does a DMA request outside its own process address space, the kernel is the one who maintains the IOMMU for all the bus masters, so a malicious driver cannot really ask a different device to do something it's not supposed to do. And the base services sandbox, which is those five or six processes that are special: they are bundled inside the kernel, packaged together with the kernel, and they have approximately the same syscalls as normal services, but these ones don't have a service whitelist. These are the ones that actually enforce the whitelist, so they're the ones that parse it and fill it in and maintain it, so they can check themselves basically. And also, because FS is the file system, they have no whitelist for FS; FS accesses everything. So that's where we're going, and we start from the lowest, the most unprivileged part.

So, WebKit. They had a bunch of bugs here; they fixed them all, but we just keep finding more. It's used for, like, when you buy games online, and the manual and other stuff, but it's always over HTTPS, so we can't control it, except with this one game. Also, Nintendo implemented a new way of launching the browser: you just create an access point that acts like a Wi-Fi captive portal, and you can just render arbitrary content because it thinks it's the login page, and that's a particular benefit, and we just exploited it. So we could dump the memory of the process, and we find that it's dynamically linking with a file called the SDK, and when we run strings on it we get pretty much all of the function names, which is really nice when you're reversing stuff: names of all the syscalls and all the fancy code. So this is what we're going to run later, as a game application; they knew we were going to get this at some point.

So what we did, switching to black box, trying to elevate privileges from the browser: what I did was go to a service. I looked into the service called pl:u, which we think stands for preload; there are three commands that take an integer index, and if you give it a big value it just crashes. And this is just like every other out-of-bounds read: it's completely trivial, just give it a negative index and you read out the entire binary of the service. So this was the code of a service, which is one of the first steps; we mentioned that one of the normal services was just a black box, but now we can look into things.

And now we look into SM, the service manager, which is the one that enforces the whitelist of which services you're allowed to access. The way you use it is you give it a string and get back a handle to the service that you asked for, and before that you send it your PID so that it knows which whitelist to enforce. But what if we just don't call the initialize function and never actually give it our PID? It turns out that the variable that's supposed to hold the PID is uninitialized, so it's just 0, and as process 0 we get access to everything. Thank you. So then we can talk to everything, but we still don't have the code, so what we're going to do is one example: dumping the code so we can analyze it. If you look at how they load code, all the code comes from FS, and the Loader service has a function called MountCode, so we just need to connect to it and read out all the binaries. But there was a trick; I forgot the error message, but the kernel forces only one session at a time, and this session is held by Loader. So Loader has a session to the file system driver, but if we crash Loader, the kernel will garbage collect it, the refcount goes to 0 and the session is released. So we find a command in Loader where you just give it a thread handle and it crashes, and we get all the code binaries just by reading the mounts. So this is really nice; now we can understand the system a lot better. And finally we want the kernel, and for that we're going to take a little detour, so derrek is going to talk next about what happens before the system is booted up.
Thank you. OK, so far this was all achieved using the usual approach, like on most consoles: kernel exploit and fun, except that it's not, because the Switch uses a microkernel, and that means the attack surface is pretty low. It seems quite unlikely that you will get some read primitive where you can just dump the entire kernel, and also there are stages: there are the privileged processes, so you might need new vulnerabilities in those processes to get access to, like, all the syscalls that only the privileged processes can use. So yeah, attacking the kernel was kind of a dead end for us, and when you think about the chain of trust, WebKit is pretty much at the end, so maybe we should start at the other end. So let's have a look at the boot sequence of the Tegra X1, because it's all documented publicly by NVIDIA and you get a bunch of information just for free.

The way it works is there's the boot ROM that runs on the ARM7, which is like a super old CPU that they call the BPMP, which means boot and power management processor, and this executes the custom boot ROM; it's written by NVIDIA, but as plutoo mentioned, Nintendo has some custom patches. The boot ROM, as explained in the documentation, reads the BCT, which is the boot configuration table, and the second stage loader from eMMC. So at this point you don't really know what the BCT is, but basically it tells the boot ROM where the second stage loader is located in the eMMC, and it also contains the signatures. So that's the usual boot flow on the Switch: it tries to boot from eMMC, and if that fails, because for example the eMMC is missing, it will enter a recovery mode, which allows you to send USB messages to the boot ROM. You might think yeah, this is a cool attack vector, but unfortunately it's not, because all messages must be signed using Nintendo's private RSA key, and of course we don't have it. But what we can do is dump the eMMC, which is super easy, and we did that, and we got a pretty nice overview of all the boot components that are stored in the eMMC.

So this is a little bit complicated, but in the picture you see the boot ROM on the left; it loads something that's called package1, which is basically the second stage loader and the next stage in one image. The first part of this is stored on eMMC in plaintext, it's not encrypted, and the other part is encrypted using a universal encryption key, so there's no console-unique encryption there. So how does package1loader decrypt the next stage? They have this feature where they store a keyblob, which is console-unique, and it basically contains encrypted keys; package1loader generates a keyblob key to decrypt the keyblob and then uses the decryption key from that to decrypt the next stage. So we would like to get this key, because we're also interested in the other part of package1 and in package2. Well, this key is only available in package1loader, so that means we need to get code execution in package1loader. OK, but how? Well, in the past, as you might know, glitching has existed for years, and people have glitched consoles and got the keys, so maybe you can glitch the Switch and get the keys. So we wanted to try that, and in order to do this you want to get code execution in package1loader, and for this we glitch the component that loads package1loader, which is the boot ROM. But how is it verified? So the boot ROM reads the BCT, which I've already mentioned, and this is basically a plaintext block stored on eMMC, and it contains all the signatures of the bootloader. Then there's an RSA-PSS signature, and PSS is a really strong signature scheme, and it uses the RSA public key, which you can see at the top, to verify that signature. And this public key is hashed, and this hash is stored in the fuses of the device, so you cannot change it. And basically what we want to do is, when the boot ROM verifies this public key using the hash, we want to glitch this hash check, because then we can put in our own public key and our own signatures, and we can sign our own stuff.

OK so far, but we didn't have the boot ROM yet, and we didn't know when this check, the hash check, happens. So we had to find the time for it, and for that we can take a look at the eMMC bus; you can just sniff it. So I dumped all the commands that are issued by the boot ROM to the eMMC, and you can see the time difference between each command that was issued, and that's basically the time the Tegra needed to do some operation between those reads. So when the BCT is good it takes quite some time to verify it, and when you put an invalid public key in the BCT, the BCT validation will fail and it will actually start reading the next BCT, and you can see the difference is much smaller. So that means the boot ROM sees that the public key is wrong and will not try to verify the rest of the BCT, and with that we basically have the time of the check, when the boot ROM checks the public key hash.

OK, so this was all in theory; in practice it took like one month to develop a glitching setup, and this just uses voltage glitching. So what I did first was desolder all the capacitors on the power rail that supplies the ARM7, and then I used an FPGA to basically control some MOSFETs, and those MOSFETs will pretty much lower the voltage for a short time, so hopefully the public key hash check will fail, and then you get code execution. But we are pretty lazy, and we just used the eMMC clock, because we actually found some clock divider register, so basically by changing the frequency we could encode the data of all the secret keys bit by bit, send it to the FPGA, and then we get all the keys, and with that all the binaries.

OK, so thanks derrek, because we have all the keys, which is really nice. So now we can analyze the kernel white box rather than black box, which means we can read the code. And the first thing you do when you want to exploit something is you find out the memory map: is there any memory that's eventually writable? So there's an address somewhere in the read/execute region, but this is actually a virtual address that maps to DRAM, and then they have a DRAM mirror that's read/write, so we can bypass the read-only protection by using the other addresses. Simple, but I think their thinking here is that the MMU protects the kernel, so they just always keep this mirror inside the kernel. And all the objects are allocated statically, which is like one heap per object type, and all allocations are of the same size, so this makes use-after-frees really difficult to exploit, because you can't overlap two objects of different types, which is what you usually want to do; you can only overlap an object with a different object that has the same type, so some of the fields would be different, but all the pointers must be valid for both objects, since they're at the same offsets. And now the kernel context: the kernel code is privileged, it should never be executable from user mode, which is a hurdle we have to get through.
So looking at the permissions: the first three are the privileged permissions and the lower three are the user-land permissions, and there's something related to what the kernel does with them, and it turns out the kernel maps itself into user space as executable. It's mostly useless, but this means that we can just jump into the kernel from user space and it will execute kernel functions in user context; it's kind of a bypass, but because the kernel is not at the same address we can't really use it, so we haven't really done anything with it.

So the IOMMU: it's one of the parts of the SoC, it sits in the memory controller, and all of the non-CPU bus masters are protected. So you assign an address space identifier, an ASID, and then you assign a page table to that ASID, and every device that goes through the IOMMU can only access what's mapped in the page table, and the kernel, which maintains this page table, is quite secure. So a malicious driver can't violate process isolation, and hence this enforces that you can only access your own heap; you have to use a set of functions before accessing memory from another process, so you can lend memory. So how do we bypass this? We got the official manual, 3000 pages, and we can just search for 'bypass', and there it is: the GPU can be configured to bypass the IOMMU, so NVIDIA themselves support bypassing it. It's bit 31 in the page table entry, in other words, and they can fix it, and they did fix it differently. So this is one way of doing it, and they can fix it, but I have a different way of bypassing the IOMMU, and it has to do with Loader. Loader reads the permissions that we have from FS, and if we own FS, or whatever it's built into, we can just tell it what we are allowed to do. So we can tell it we should be allowed to access the memory controller, which lets us assign ASIDs, and we assign ASID 0 to our device, which just means we don't do the virtual addressing, so we can DMA all of RAM. So simple, but that doesn't work, because there's a particular feature in the memory controller: you can specify a contiguous memory range that's protected from DMA, and they protect the kernel with this, so we can't really touch it.

But we stick to the code, and when they allocate the handle table there are two different ways of allocating it: if you have a small handle table, less than 40 capacity, it just uses the internal structure as the storage, but if you have more than 40 it uses the allocation pool, and this pool is used for all the memory of all the user processes, and this pool is not protected by the carveout. But the handle tables are just trusted, they contain kernel pointers and everything, and here we can use DMA. So we can create a shared memory object, which is just a primitive the kernel provides, and we tell it to share the kernel, and then inject it into the handle table of our process and use this to map it into our own process. So then it will map the kernel into our process thinking it's shared memory, and we can just patch it and do whatever. So this way we own the kernel.

So first, a bit about the rest of the system. Alright, so TrustZone is a trusted execution environment by ARM, and derrek's glitching actually gave us a method to decrypt package1, and it contains the TrustZone payload, and what I will show you in the next 10 minutes or so is why we can actually ignore TrustZone at all. So on Nintendo's Switch, the code running in Secure EL3, which is TrustZone, is called the Secure Monitor; this is an official ARM term, and Nintendo's Switch calls it the same thing, right. The Secure Monitor is the first code that runs on the ARM A57 main CPU: the ARM7 executes package1, which writes the TrustZone payload into TZRAM, which is a small RAM on the A57 side, and then the A57 jumps there.
Then the first task of the Secure Monitor is booting the Horizon kernel. So we saw package2: at this point it will be in main RAM, and the Secure Monitor will start deriving some keys, decrypt package2, write the kernel to its place, decrypt the package2 modules and then just start executing the kernel. So this is one of the most important tasks, and the second most important task of the Secure Monitor is actually cryptography. The cryptography is not done in software; they actually make use of this nice security engine that's provided by NVIDIA, the Tegra security engine. Some not so important tasks: the Secure Monitor is actually used to start and stop the additional CPU cores; as we've seen we have four CPU cores, and we start executing from one core initially, so we have to have means to start and stop the other cores. And the last important part is the sleep mode; the Tegra supports a deep sleep mode to save some battery, and this is always a nice feature of Nintendo consoles, usually very prone to bugs. If you take a good look at this list, this is all not important for homebrew, and that's why I said we can really just ignore TrustZone completely. But let's look at it anyway for completeness' sake.

So the Tegra security engine is a hardware crypto engine; it supports AES, RSA, and all of that. You may remember from the 3DS that they had this keyslot concept; it's apparently a good concept, so they kept it here as well. So you have 16 keyslots for AES, 4 for RSA, and you can lock them individually. This is for example what the boot ROM does: the SBK is written to a keyslot and it's locked, so you can't read it out; I mean it gets cleared once we're in the later stages, but the TrustZone code does the same, it derives some keys into the upper keyslots and locks them, so even if you get code execution in TrustZone you wouldn't simply be able to just read out these keys. So that's quite secure. And another interesting thing about the Tegra is that the crypto operations actually don't have to operate on memory: you can actually encrypt and decrypt between keyslots, so this enables you to do some secure key derivation. You could imagine having a key in one keyslot, keyslot A, locked, and then you could actually decrypt a key into keyslot B without ever having any keys leaving into memory. So maybe you could think of something cool to do with that.

So how does the cryptography work? On the left side this is the secure world, this would be TrustZone; on the right the non-secure world, the user mode, and mostly this is used by the file system module. So what you have to do at first is request a key encryption key, and the secure world will generate this key encryption key. You pass some parameters, it will wrap the key encryption key, and this is the really important part: it wraps it using a random session key, so even if you get the key encryption key from one session, once you reboot the console, the next time it will be invalid. So even if you, for example, exploit the file system module and grab one key encryption key, you won't be able to use it after the reboot; so this is securely designed. But then on the other hand, to use these key encryption keys, you pass an encrypted key to the secure world along with the key encryption key, and then this key is decrypted and a plaintext final key actually comes back to the user mode. So that's quite interesting: what you'll actually find is that, for example, the file system module does not use the hardware to decrypt games, binaries, whatnot, at all; this is all done by the ARM's accelerated AES instructions actually. So in theory you could, for example, exploit the FS module, get its permissions, and then ask the Secure Monitor to derive all the keys for you, right? So this is another reason why TrustZone is not really important here.

Now the last task, which is the sleep mode. This is actually a string from the Secure Monitor, 'oyasumi', which probably means 'good night' or something. And then on the SoC there's this small thing, the power management controller, and this controls the sleep and wake transitions, and basically the entire system-on-chip is powered down except for the PMC, so there's a small block that's always on, and the DRAM must be put into some self-refresh mode so that it keeps its contents. Right, so if you enter sleep mode the Secure Monitor actually has to save some state, right? So it spills the secure memory into external DRAM, which is untrusted, but it's encrypted and authenticated, so don't worry. And it also writes authentication information to the PMC scratch registers, encrypted and authenticated, and it tells the security engine to save its context as well, and also to retain the keys, I mean you have to use them after wake-up, right. And then it signals the ARM7 to put everything into this SC7 mode, which is like the sleep power mode, and then on wake-up everything is restored back from that. So this is the flow: the boot ROM restores the system state from the PMC, then it passes on code execution to a signed warm boot binary, and this binary is a bit like a bootloader for the resume; instead of a cold boot we're doing a warm boot, and the warm boot binary in DRAM is signed. That's almost all it does: it restores the Secure Monitor from DRAM into TZRAM, verifies it with the authentication information that it saved in the PMC, and then the main CPU will just resume running. So in theory this all sounds very good, but for completeness' sake we still removed the trust from TrustZone. So, as you might know from plutoo, there are some trust issues: once you have the kernel you can map the DRAM where all this state is stored, you can map the PMC into user mode, you can map the ... etc. etc.
And we were just seeing that this is a crucially weaker process, right. We've seen that the TrustZone memory is decrypted from the [unclear] into [unclear] and whatnot, so if you poke all these areas in just the right way you get to put [unclear] from user mode with many of the few [unclear]. And as I said, it's [unclear] and things, it's very useful for homebrew. And thank you [unclear], right. So it's plutoo [unclear], OK.

So what are those tools for us? When we're doing kernel work we need to use a debugger, so, uh, and uh, it's, yeah, it works, so that you can view the threads and breakpoints and the vector registers; you don't get the symbols, yeah, but it's open source. So even now it currently requires a kernel exploit that we don't share, but hopefully someone will make their own. It's on GitHub [unclear], so, but would you really care about this, a number of [unclear]. So we've made libnx, which is a user-mode homebrew library, and we provide all the kernel primitives like creating threads, getting the context; you can talk to other processes using IPC; we'll have nice wrappers for everything; and we have a fully working network file system, you can [unclear] that uses the host, where the controllers [unclear] before the game and [unclear] how it's, that's no...
But it, and so everybody's been working on this for a really long time. I think our friend Jose [as transcribed] worked on this for like two weeks full time, and we're running like an Android Binder IPC interface inside their own interface, it's pretty crazy, but here we have it working, and [unclear] updates, so, uh, and we want to just use this now. And so, but so there's work to be done, right. We enjoy reversing, [unclear] a lot, it's a lot of fun and [unclear] the theory and that work, but [unclear], so there's work to be done, right. So we don't have any GPU acceleration right now in libnx, so right now everything is software [rendered], and audio support, we don't have that [unclear], and we want people to make games because otherwise hacking is for nothing. And so we can't release it today, but we're working on a loader, so there will be homebrew soon, as it was said, in cooperation with the team [unclear] which actually implemented a lot of the exploits. So we're just like trying to make it a nice stable platform for [unclear], and get on 3.0 [unclear]; if you're lower, stay there. So thank you to everyone involved, and especially Jose [as transcribed], who couldn't make it, so now we have it working and, I'll, thank you so much.
[Host, largely unclear] OK, thanks to Nintendo's [unclear]; it's not been a system [unclear], most of the time you have the real [unclear] this kind of knowledge [unclear], and this reason is with the, OK.
And this is just something I wrote, like, again last night, but [unclear] the words. Thank you.
Host: Do we have questions? We can have them; we have time for some questions. There are microphone stations around the auditorium, number 1 through 6. If you have a burning question, [unclear]. There is also a signal angel for the questions from the internet, and I see that he already has one. So, [unclear], go ahead.

Question (signal angel): Thank you. For the glitching there to get the keys: how long did it take to get the keys, and did you know the exact right timing? Have you been able to anyhow automate this task?

Speaker: Could you repeat the question? [unclear]

Question (signal angel): [unclear] the glitching to get the keys: how long did it take, and could you anyhow automate this task?

Speaker: OK, so the question was how long it took to get the keys and if we have automated it. Yeah, it took about like one month to get some of the keys, and just recently, like last week, we got some of the other keys [unclear]. So it took like three [unclear], and the glitch itself, yes, it was possible to automate it, because we own the reset signal, so after each glitching attempt that failed it could be reset and try again.

Host: Microphone number 6.

Question: Yeah, I think it's a great talk. I would like to read a little bit about this stuff, some [unclear], so you could hear the guy, you said something about a glitch attack; reproducing it, yes, I would really like to find a method of this [unclear] novel [unclear] voltage [unclear].

Speaker: So the question is if more information is available on the internet, and, yeah, well, basically it's just called glitching. There's a lot of information about it, but it's not that difficult, and the setup was pretty [unclear]; you just need some MOSFET [unclear] that shorts [unclear] to ground and it will just work. Yeah.

Host: Microphone 1.

Question: [unclear] Android on the Switch?

Speaker: I know we didn't try that yet, but I think it would be pretty sweet to have Android running on the Switch, you know, where the [unclear], and then it would only make sense with some kind of cold boot exploits, and, you know, we're still working on that.

Host: Signal angel, thank you.

Question (signal angel): So you told about key slots: could you copy, and decrypt, a key from a locked key slot into an unlocked key slot and read it out, and then [unclear]?

Speaker: So the question was whether you could copy, and decrypt, a locked key slot into another unlocked key slot and then read it out. So there are some bits that actually control whether you can read or write from a key slot, and you could actually set it up such that you wouldn't be able to encrypt from a locked key into an unlocked key, to keep it secure. So this is one thing they thought of; there are mitigations against this by the locking mechanism. So unfortunately that's not possible, if you set it up correctly. Thank you.

Host: Microphone 4.

Question: Yeah, thank you very much. You just [unclear] the features of the exploit [unclear], so what did stage [unclear] from 2 to [unclear] the whole group of [unclear], and what about all the people in the real world [unclear]?

Speaker: So the question is why we don't work beyond 3.0.0, I got it right? And the reason is that [unclear], we'll talk about where [unclear] and don't send the keys [unclear]; they fixed that in 3.0.1, so if you're below that you're vulnerable, but if you're above that you can't bypass the whitelist and you can't really get anywhere.

Host: [unclear] Microphone 2.

Question: This exploit, was it something that [unclear] just lost? Can it be able to pass this on other [unclear] like the captive portal?

Speaker: Yeah, so the question was if the exploit only works with this game, and, you know, the answer is that it's not actually bundled with the game; it's more like a system applet, so the game just launches an applet from the system. And so we have the same body, this is one that we know, and it works up to 2.3 I think, and then they fixed that, and with that fixed, it's fixed for all of the [unclear]. But yeah, if you're on about 2.0 you don't really have to buy this game; it's interesting because just [unclear] the logic without itself [unclear]. So [unclear] questions [unclear]?

Host: [unclear] Thank you [unclear].
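The key-slot and session-key design the speakers describe in the crypto section (locked slots that can be used but not read, decrypt-into-slot without the key touching memory, key encryption keys wrapped under a per-boot random session key, and the plaintext final key still being handed back to user mode), as an added Python model written for this page. It is neither Nintendo's code nor the speakers' tooling: the HMAC-SHA256 keystream is a stand-in for the engine's AES, the slot numbers and blob layout are made up, and the rule that a key derived from a locked slot lands in a locked slot is an assumed rendering of the mitigation mentioned in the Q&A.

```python
import hashlib
import hmac
import os

# Added model of the key-slot / session-KEK design described in the talk; not Nintendo
# code. HMAC keystream, slot numbers, blob layout and lock-inheritance are assumptions.

class SEError(Exception):
    pass

def _xor_stream(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Counter-mode keystream from HMAC-SHA256; encrypt and decrypt are the same op.
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class SecurityEngine:
    # Keys are addressed by slot; a locked slot can be used but not read or replaced.
    def __init__(self, nslots: int = 16):
        self.keys = [bytes(32)] * nslots
        self.locked = [False] * nslots

    def set_key(self, slot: int, key: bytes) -> None:
        if self.locked[slot]:
            raise SEError(f"slot {slot} is locked")
        self.keys[slot] = key

    def read_key(self, slot: int) -> bytes:
        if self.locked[slot]:
            raise SEError(f"slot {slot} is locked")
        return self.keys[slot]

    def crypt(self, slot: int, iv: bytes, data: bytes) -> bytes:
        return _xor_stream(self.keys[slot], iv, data)  # key never leaves the engine

    def mac(self, slot: int, data: bytes) -> bytes:
        return hmac.new(self.keys[slot], data, hashlib.sha256).digest()

    def decrypt_into_slot(self, src: int, dst: int, iv: bytes, wrapped: bytes) -> None:
        # Unwrap with slot src straight into slot dst: no plaintext key touches memory.
        # Assumed mitigation from the Q&A: a key derived from a locked slot is locked too.
        self.set_key(dst, self.crypt(src, iv, wrapped))
        if self.locked[src]:
            self.locked[dst] = True

class SecureMonitor:
    # Secure-world KEK service as the file-system module would call it.
    def __init__(self, se: SecurityEngine, device_key: bytes, rng=os.urandom):
        self.se, self.rng = se, rng
        se.set_key(0, device_key)
        se.locked[0] = True  # device root key: usable via slot 0, never readable
        self.boot()

    def boot(self) -> None:
        self.session_key = self.rng(32)  # fresh per boot: earlier KEK blobs die here

    def generate_kek(self, params: bytes) -> bytes:
        kek = self.se.mac(0, b"kek|" + params)  # derived in-engine from the locked root
        iv = self.rng(16)
        ct = _xor_stream(self.session_key, iv, kek)
        tag = hmac.new(self.session_key, iv + ct, hashlib.sha256).digest()
        return iv + ct + tag  # wrapped KEK handed back to user mode

    def unwrap_final_key(self, blob: bytes, iv: bytes, enc_key: bytes) -> bytes:
        iv_k, ct, tag = blob[:16], blob[16:48], blob[48:]
        want = hmac.new(self.session_key, iv_k + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, want):
            raise SEError("KEK blob is not from this boot session")
        kek = _xor_stream(self.session_key, iv_k, ct)
        return _xor_stream(kek, iv, enc_key)  # plaintext final key goes back to caller

def _raises(fn) -> bool:
    try:
        fn()
        return False
    except SEError:
        return True

def demo() -> dict:
    device_key = b"\x42" * 32  # constructed; the real one is fused into the SoC
    se = SecurityEngine()
    sm = SecureMonitor(se, device_key)
    iv = b"\x01" * 16
    se.decrypt_into_slot(0, 1, iv, wrapped=b"\x11" * 32)  # derive a key into slot 1
    # Provisioner side (knows the device key): a final key encrypted under the KEK.
    kek_plain = hmac.new(device_key, b"kek|fs", hashlib.sha256).digest()
    final_key = b"\x77" * 32
    enc_key = _xor_stream(kek_plain, iv, final_key)
    blob = sm.generate_kek(b"fs")
    out = {
        "root_key_readable": not _raises(lambda: se.read_key(0)),
        "derived_key_readable": not _raises(lambda: se.read_key(1)),
        "derived_key_usable": se.crypt(1, iv, se.crypt(1, iv, b"save")) == b"save",
        "final_key_recovered": sm.unwrap_final_key(blob, iv, enc_key) == final_key,
    }
    sm.boot()  # reboot: new session key, so the old blob must now be rejected
    out["kek_valid_after_reboot"] = not _raises(lambda: sm.unwrap_final_key(blob, iv, enc_key))
    return out
```

`demo()` returns one boolean per property the speakers mention: the root key and the derived key cannot be read out but both still encrypt and decrypt, a wrapped KEK stops working after the next boot, and the final key nonetheless comes back to the caller in plaintext. That last point is the one the talk treats as the real weak spot: whoever owns the file-system module can simply ask for every key, which is why the speakers say the engine's own protections matter less than that module's permissions.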

Metadata

Formal metadata

Title: Console Security - Switch
Subtitle: Homebrew on the Horizon
Series title: 34th Chaos Communication Congress
Authors: plutoo, derrek, naehrwert
License: CC Attribution 4.0 International:
You may use, modify, reproduce, distribute and make publicly available the work or its content, in unchanged or changed form, for any legal purpose, provided that you credit the author/rights holder in the manner they specify.
DOI: 10.5446/34815
Publisher: Chaos Computer Club e.V.
Year of publication: 2017
Language: English

Content metadata

Subject area: Computer science
Abstract: Nintendo has a new console, and it's more secure than ever.
Keywords: Security
