Hilariously it appears you can just direct the system to turn down its own supply voltage for you (I2C to the PMIC, as you spotted), and that one of the levels has a bit error rate that's low enough to run programs most of the time but triggers a bit flip in AES often enough to leak the key.
A properly designed crypto subsystem that cared about security would detect the voltage drop and either refuse to operate or would have its own local power regulation circuits such that a system level voltage reduction wouldn't impact it.
I presume the CPU here was VERY cost conscious and so trade-offs were made.
I have no background in gaming but have worked with flawed "security" solutions. Often the business does not care that the engineers explain how flawed some security thing is before release; if there's more money to be made by not fixing it, then it won't get fixed. Often doing all of the right things is MUCH too expensive, either in dollars, size, or power.
This is called brownout detection, and it's a common feature even on low-end microcontrollers. As the other commenter says, it's derivable from a bandgap reference.
In re "properly secured system": it's a cost-sensitive games console for children; while there's a big incentive against piracy, ultimately there's a limit to how much you can defend. And this is the second line of defense, the bootloader having been breached earlier.
The whole "games console" context also comes waaaay after the chip was made — it's not a custom for-Nintendo chip! Tegra210 was previously used in the Nvidia Shield 2015, then the Google Pixel C (also from 2015) and the Jetson TX1 dev board.
Could you elaborate? Isn't the substrate usually tied to ground so we can ignore it in modelling? Or are you saying that it could be floated separately to ground in order to attack the chip?
Yes, and normally it is. I think on every moderately modern CMOS IC, body bias is controlled.
> What is body bias?
> Body bias is used to dynamically adjust the threshold voltage (Vt) of a CMOS transistor. While CMOS transistors are usually thought of as having three terminal devices, with terminals for the source, gate, and drain, it’s increasingly common to have a fourth terminal connected to the body (substrate). Because the voltage difference between the source voltage (Vs) and body voltage (Vb) affects the Vt, the body can be thought of as a second gate that helps determine how a transistor turns on and off.
Almost all micros have brown out detection so you can tell if the device undervolts, and typically you can force the device to auto shut down/reset if that condition trips using an onboard programmable fuse. I don't know how much of an attack surface your typical BOD circuit is though.