The Game is Over
Nintendo Switch has been totally compromised
@RKX1209
Slide 2
Whoami
Japanese student at Kobe University (M2)
Research scholar @CyLab, CMU (2018/10/1~)
Twitter: @RKX1209
Splatoon2 player:)
Slide 3
Hardware Spec
ODNX02-A2 (based on Tegra X1)
ARM Cortex-A57
Maxwell 256 core GPU
4GB DRAM
Slide 4
System software
Microkernel “Horizon”
Functionality is provided by “Services”:
file operations, I/O processing, graphics, etc.
Slide 5
Microkernel?
Launch the game title from the home menu...
(Diagram: Apps on one side, Services on the other: qlaunch, appletAM, appletOE, pm:shell, ldr:pm, fsp-ldr and the Game process)
(1) Request proxy: qlaunch obtains proxy(sys) from appletAM
(2) Launch game title: pm:shell CreateProcess; ldr:pm, fsp-ldr: mount code
(3) Request proxy: the Game obtains proxy(app) from appletOE and uses it for app funcs (recording movie, etc.)
Slide 6
IPC mechanism
Communication with “Services” uses a shared buffer, the TLS (Thread Local Storage).
The service is notified by svcSendSyncRequest.
(Diagram: App and Service with the TLS between them)
(1) App writes the message into the TLS
(2) App calls svcSendSyncRequest
(3) Service receives the message
Slide 7
IPC mechanism
All connections are managed by the “session handler”.
Create a new session with:
- svcConnectToNamedPort(name)
- sm::GetService
(Diagram: App1 and App2 each hold their own session with the service: session(1-sm) and session(2-sm))
Slide 8
IPC session
Almost all sessions are created by sm::GetService, except the
connection with sm itself.
(Diagram: App1, sm and fsp-ldr)
(1) App1 calls svcConnectToNamedPort(“sm:”), which gives session(1-sm)
(2) App1 calls sm::GetService(“fsp-ldr”)
(3) session(1-fspldr) is obtained from sm::GetService
Slide 9
Service List
acc Account services
am Applet services
audio Audio services
bsd BSD socket services
nvdrv NVIDIA graphics driver
pm Process manager services
sm Service manager
usb USB services
wlan WLAN services
Slide 10
Case: Launch game title
Launch the game title from the home menu...
(Diagram: Apps on one side, Services on the other: qlaunch, appletAM, appletOE, pm:shell, ldr:pm, fsp-ldr and the Game process)
(1) Request proxy: qlaunch obtains proxy(sys) from appletAM
(2) Launch game title: pm:shell CreateProcess; ldr:pm, fsp-ldr: mount code
(3) Request proxy: the Game obtains proxy(app) from appletOE and uses it for app funcs (recording movie, etc.)
File format (NSO)
Nintendo Switch static executable format.
Every section is compressed with LZ4.
Slide 14
File format (NRO)
Nintendo Switch dynamic executable format.
Verified at load time using an NRR file.
Slide 15
File format (MOD)
Structures used for the runtime linking of NSOs and NROs.
(Diagram: layout of an NRO binary: Header(NRO), .text, .rodata, .data, then Header(MOD) pointing to the module objects, .dynamic and unwind sections)
Slide 16
Static/Dynamic analysis(DEMO)
There are some tools that can parse these formats:
IDA/radare2 plugin
Debugger: nxdbg, r2-nxdbg (WIP)
https://github.com/RKX1209/r2nxdbg
Firmware programming
Now you can replace the firmware on a Switch
console using a bootROM vulnerability.
Slide 20
Fusee Gelee(CVE-2018-6242)
Tegra USB Recovery Mode (RCM)
Recovery commands are required.
(ASCII art: rocket and the “fusée gelée” logo)
Fields of the USB control request:
Field      Size  Description
direction  1b    if '1', the device should respond with data
type       2b    specifies whether this request is of a standard type or not
recipient  5b    encodes the context in which this request should be considered
request    8b    specifies the request number
length     16b   specifies the maximum amount of data to be transferred
Slide 22
Fusee Gelee(CVE-2018-6242)
request = GET_STATUS
Copies the status variable to the High DMA buffer.
Response size < length
Slide 23
Fusee Gelee(CVE-2018-6242)
request = GET_STATUS && recipient = ENDPOINT
Copies a “length”-byte buffer to the High DMA buffer.
Overwrites the application stack (no ASLR, no stack cookie).
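To make the two GET_STATUS slides concrete, here is a small model written for this deck (it is not the Tegra bootROM's RCM code) of the endpoint GET_STATUS path: a SETUP-packet parser using the field layout from the table, the copy length as the slide describes it (taken straight from the host-supplied length field), and a hardened handler that clamps it. DMA_BUF_SIZE, the 2-byte status word and all function names are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Model of the USB control request (SETUP packet) fields named on the
 * slide. Illustrative code for this deck, not the bootROM's RCM handler. */
typedef struct {
    uint8_t  direction;   /* bit 7 of bmRequestType: 1 = device responds with data */
    uint8_t  type;        /* bits 6:5 of bmRequestType */
    uint8_t  recipient;   /* bits 4:0 of bmRequestType */
    uint8_t  request;     /* bRequest */
    uint16_t length;      /* wLength: maximum bytes the host will accept */
} setup_packet_t;

#define REQ_GET_STATUS     0x00
#define RECIPIENT_ENDPOINT 0x02
#define DMA_BUF_SIZE       64    /* assumed size of the model's DMA buffer */

/* Decode the standard 8-byte SETUP packet; wValue/wIndex (bytes 2..5)
 * are not used by the slide and are skipped. */
static setup_packet_t parse_setup(const uint8_t raw[8]) {
    setup_packet_t sp;
    sp.direction = (raw[0] >> 7) & 0x01;
    sp.type      = (raw[0] >> 5) & 0x03;
    sp.recipient =  raw[0]       & 0x1f;
    sp.request   =  raw[1];
    sp.length    = (uint16_t)(raw[6] | (raw[7] << 8));
    return sp;
}

/* Copy length as slide 23 describes it: on the endpoint GET_STATUS path
 * the count comes straight from the host-controlled length field, so it
 * can exceed the DMA buffer and reach the stack behind it. */
static size_t get_status_copy_len_unchecked(const setup_packet_t *sp) {
    if (sp->request == REQ_GET_STATUS && sp->recipient == RECIPIENT_ENDPOINT)
        return sp->length;
    return 2;   /* a GET_STATUS reply is a 2-byte status word */
}

/* Hardened handler: never copies more than the real response, the host's
 * wLength, or the destination buffer. Returns the bytes written. */
static size_t get_status_response(const setup_packet_t *sp,
                                  uint8_t *dma_buf, size_t dma_size) {
    const uint8_t status[2] = { 0x00, 0x00 };   /* constructed status word */
    size_t n = sizeof status;
    if (n > sp->length) n = sp->length;
    if (n > dma_size)   n = dma_size;
    memcpy(dma_buf, status, n);
    return n;
}
```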
Slide 24
Boot sequence
Nintendo Switch boot sequence
Slide 25
Boot sequence
Nintendo Switch boot sequence
pwned
Arbitrary Code Execution from BootROM
Slide 26
Atmosphère
Open source custom firmware for the Nintendo Switch
“fusee-pri/sec”, “exosphere”, “stratosphere”
Slide 27
Fuzzing case (nx-fuzzer)
System call fuzzer for the Nintendo Switch.
Detects crashes and reboots using a watchdog.
Slide 28
nx-watchdog (DEMO)
/dev/watchdog implementation on the Switch.
Firmware program based on hekate-ipl.
NVIDIA Tegra WDT (see the manual and the Linux driver).
https://github.com/RKX1209/nx-watchdog
Slide 29
Summary
Nintendo Switch internals.
NSEMU - Nintendo Switch emulator
r2nxdbg/plugin - Analysis tool, debugger
nx-fuzzer - system call fuzzer
nx-watchdog - /dev/watchdog on switch