| There was a lot of work done by the Switch hacking community, which uncovered some fatal cryptosystem flaws w.r.t. secretful FALCONs. It is apparently possible to leak the hash against which the secretful falcon compares against in the hardware from the High Security side of things to LS. It's a fairly in-depth and tricky thing though. Basically you're having to do firmware reverse engineering and basically chaining together ROP gadgets to figure out what the FALCON expects to see to transition into HS mode, and then retrying/cleverly orchestrating things to make it happen. The write up in question was https://hexkyz.blogspot.com/2021/11/je-ne-sais-quoi-falcons-... I haven't had the bandwidth/life situation to really sit down and cobble together the requisite set of skills to make inroads on proving my hunch that one could use some of the methods described to front-run the HS signed firmware check with the right gadget. Heck, last note I have, I was still trying to figure out how to setup linux kernel code such that I could get a reasonably ergonomic "attempt load firmware blob, gracefully fail to try again" to get a decent test rig going for the experiment to at least make the requisite facechecking of my own ignorance required endurable until I could get a PoC sorted. If I could manage to do it, I guess I'd be in a decent position to hit up EFF and see if I can be a decent legal test case to see if I could squeak through in terms of the exception for reverse engineering something to restore it to it's previous functioning. (Older cards not having secretful shenanigans to deal with) or something. The legal nastiness is actually part of what has kept me from making much in the way of progress even though I really, really want to do it. If my reading of supporting documentation is right though, it's technically possible, you just have to be really patient and not give up. Also note, this would almost certainly attract legal attention, because it is HS mode that secures a bunch of the HDMI related DRM functions as well. As demonstrated in that write up, you can bubble out the hashes of keys burnt in in the manufacturing process. Just because you don't have DMCA to worry about, doesn't mean it won't rear it's head elsewhere. There's a lotta money at stake. I don't care half so much about that the HDMI though as the power management and reclocking shenanigans; there was absolutely 0 reason to lock that behind HS mode other than Nvidia wanting to create vendor lock-in, and prevent users/non-Nvidia developers from being able to write their own firmware. If you beat me to the experiment, go with the knowledge you're doing $deity's work, and good hunting. |
Thanks for the read.