Slide 1

Slide 1 text

The Game is Over: Nintendo Switch has been totally compromised. @RKX1209

Slide 2

Slide 2 text

Whoami: Japanese student at Kobe University (M2). Research scholar @CyLab, CMU (2018/10/1~). Twitter: @RKX1209. Splatoon2 player :)

Slide 3

Slide 3 text

Hardware Spec: ODNX02-A2 (based on the NVIDIA Tegra X1). ARM Cortex-A57 CPU, Maxwell GPU with 256 cores, 4 GB DRAM.

Slide 4

Slide 4 text

System software: the microkernel "Horizon". Almost all functionality is provided by user-mode "services": file operations, I/O processing, graphics, etc.

Slide 5

Slide 5 text

Microkernel? Even launching a game title from the home menu is a chain of service calls: (1) qlaunch requests a system proxy (proxy(sys)) from appletAM; (2) the title is launched through pm:shell, ldr:pm (CreateProcess) and fsp-ldr (mount code), which produces the Game process; (3) the game requests its own application proxy (proxy(app)) from appletOE and uses the app functions behind it (movie recording, etc.).

Slide 6

Slide 6 text

IPC mechanism: communication with "services" goes through a shared buffer in the thread's TLS (Thread Local Storage), and the kernel is notified with svcSendSyncRequest. App to service: (1) the app writes the message into its TLS buffer, (2) it calls svcSendSyncRequest, (3) the service receives the message.

Slide 7

Slide 7 text

IPC mechanism: all connections are managed by a session handler. A new session is created with svcConnectToNamedPort(name) or with sm::GetService. (Diagram: App1 and App2 each hold their own session with sm, session(1-sm) and session(2-sm).)

Slide 8

Slide 8 text

IPC session: almost all sessions are created through sm::GetService; the only exception is the connection to sm itself. (1) App1 calls svcConnectToNamedPort("sm:") and obtains session(1-sm); (2) over that session it calls sm::GetService("fsp-ldr"); (3) the handle returned by sm::GetService is session(1-fspldr), the app's connection to fsp-ldr.
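To make the sm::GetService exchange of the last three slides concrete, here is an added example (written for this page, not code from the slides or from libnx): the 8-byte service-name encoding, the CMIF request a client writes into its TLS IPC buffer before svcSendSyncRequest, and a parser that reads that request back and also reads a constructed reply carrying the moved session handle. The word layout follows libnx's ipcPrepareHeader/ipcParse (switchbrew "IPC Marshalling"); the TLS buffer is a plain array here and no kernel is involved, so the reply is built by hand rather than received from sm.

```c
/* Added example: CMIF request/reply for sm::GetService, built and parsed in
 * a local array that stands in for the thread's TLS IPC buffer. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define IPC_TLS_SIZE       0x100
#define IPC_TLS_WORDS      (IPC_TLS_SIZE / 4)
#define IPC_TYPE_REQUEST   4
#define SFCI_MAGIC         0x49434653ULL   /* "SFCI": client -> service */
#define SFCO_MAGIC         0x4F434653ULL   /* "SFCO": service -> client */
#define SM_CMD_GET_SERVICE 1

typedef struct {
    uint32_t type, num_x, num_a, num_b, num_w;  /* word 0: type and descriptor counts */
    uint32_t raw_words;                         /* word 1 bits 0-9: raw data size in words */
    int      has_handle_desc;                   /* word 1 bit 31 */
    uint32_t num_copy, num_move, move_handles[4];
    uint64_t magic, cmd_or_result;              /* SFCI + cmd id, or SFCO + result code */
    const uint8_t *args;                        /* payload after the 16-byte SFCI/SFCO header */
} ipc_msg_t;

/* Service names travel as one u64: up to 8 ASCII bytes, little-endian, NUL padded. */
uint64_t sm_encode_name(const char *name) {
    uint64_t out = 0;
    for (size_t i = 0; i < 8 && name[i]; i++)
        out |= (uint64_t)(unsigned char)name[i] << (8 * i);
    return out;
}

/* Write sm::GetService(name) into tls. Returns the byte offset of the raw data. */
size_t ipc_build_get_service(uint32_t *tls, const char *name) {
    uint64_t magic = SFCI_MAGIC, cmd = SM_CMD_GET_SERVICE, nm = sm_encode_name(name);
    memset(tls, 0, IPC_TLS_SIZE);
    tls[0] = IPC_TYPE_REQUEST;                       /* no X/A/B/W buffer descriptors */
    size_t raw_off = (2 * 4 + 15) & ~(size_t)15;     /* raw data is 16-byte aligned: 16 */
    uint8_t *raw = (uint8_t *)tls + raw_off;
    memcpy(raw, &magic, 8); memcpy(raw + 8, &cmd, 8); memcpy(raw + 16, &nm, 8);
    /* size in words; libnx adds 4 words to cover the alignment padding; bit 31 clear */
    tls[1] = (3 * 8) / 4 + 4;                        /* = 10 */
    return raw_off;
}

/* Constructed stand-in for sm's reply: result 0 and the new session handle moved to us. */
void ipc_build_get_service_reply(uint32_t *tls, uint32_t session_handle) {
    uint64_t magic = SFCO_MAGIC, result = 0;
    memset(tls, 0, IPC_TLS_SIZE);
    tls[1] = 0x80000000u | ((2 * 8) / 4 + 4);        /* handle descriptor present, 8 raw words */
    tls[2] = 1u << 5;                                /* no PID, 0 copy handles, 1 move handle */
    tls[3] = session_handle;
    memcpy((uint8_t *)tls + 16, &magic, 8);          /* 4 words used, already 16-byte aligned */
    memcpy((uint8_t *)tls + 24, &result, 8);
}

/* Parse either direction. Returns 0 on success, -1 if the message is malformed. */
int ipc_parse(const uint32_t *tls, ipc_msg_t *m) {
    const uint8_t *bytes = (const uint8_t *)tls;
    size_t pos = 2;                                  /* current word index */
    memset(m, 0, sizeof *m);
    m->type  = tls[0] & 0xffff;
    m->num_x = (tls[0] >> 16) & 0xf;  m->num_a = (tls[0] >> 20) & 0xf;
    m->num_b = (tls[0] >> 24) & 0xf;  m->num_w = (tls[0] >> 28) & 0xf;
    m->raw_words = tls[1] & 0x3ff;
    m->has_handle_desc = (tls[1] >> 31) & 1;
    if (m->has_handle_desc) {
        uint32_t hd = tls[pos++];
        m->num_copy = (hd >> 1) & 0xf;
        m->num_move = (hd >> 5) & 0xf;
        if (hd & 1) pos += 2;                        /* 64-bit PID follows */
        pos += m->num_copy;
        if (m->num_move > 4 || pos + m->num_move > IPC_TLS_WORDS) return -1;
        for (uint32_t i = 0; i < m->num_move; i++) m->move_handles[i] = tls[pos++];
    }
    pos += m->num_x * 2 + (m->num_a + m->num_b + m->num_w) * 3;  /* X: 2 words, A/B/W: 3 */
    size_t raw_off = (pos * 4 + 15) & ~(size_t)15;
    size_t raw_end = pos * 4 + (size_t)m->raw_words * 4;         /* padding + data */
    if (raw_end > IPC_TLS_SIZE || raw_off + 16 > raw_end) return -1;
    memcpy(&m->magic, bytes + raw_off, 8);
    memcpy(&m->cmd_or_result, bytes + raw_off + 8, 8);
    m->args = bytes + raw_off + 16;
    return (m->magic == SFCI_MAGIC || m->magic == SFCO_MAGIC) ? 0 : -1;
}

uint64_t ipc_arg_u64(const ipc_msg_t *m, size_t idx) {
    uint64_t v; memcpy(&v, m->args + 8 * idx, 8); return v;
}

int main(void) {
    uint32_t tls[IPC_TLS_WORDS]; ipc_msg_t m;
    ipc_build_get_service(tls, "fsp-ldr");           /* (2): what the client sends to sm */
    if (ipc_parse(tls, &m) == 0)
        printf("request: cmd=%llu name=0x%016llx\n", (unsigned long long)m.cmd_or_result,
               (unsigned long long)ipc_arg_u64(&m, 0));
    ipc_build_get_service_reply(tls, 0x12345);       /* (3): constructed reply */
    if (ipc_parse(tls, &m) == 0)
        printf("reply: result=%llu session handle=0x%x\n",
               (unsigned long long)m.cmd_or_result, m.move_handles[0]);
    return 0;
}
```

The parser bounds-checks the raw-data size and the handle counts against the 0x100-byte buffer before dereferencing anything, which is the check a service-side handler (or a fuzzer harness feeding it crafted messages) must make, since every count in words 0-2 is chosen by the peer.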

Slide 9

Slide 9 text

Service List
acc: Account services
am: Applet services
audio: Audio services
bsd: BSD socket services
nvdrv: NVIDIA graphics driver
pm: Process manager services
sm: Service manager
usb: USB services
wlan: WLAN services

Slide 10

Slide 10 text

Case: Launch game title. Launching a game title from the home menu: (1) qlaunch requests a system proxy (proxy(sys)) from appletAM; (2) the title is launched through pm:shell, ldr:pm (CreateProcess) and fsp-ldr (mount code), which produces the Game process; (3) the game requests its own application proxy (proxy(app)) from appletOE and uses the app functions behind it (movie recording, etc.).

Slide 11

Slide 11 text

Case: printf("Hello World"). Execute a simple homebrew app, printf("Hello World");, built with libnx. The output travels: Hello App → libnx → newlib devoptab_list (STDOUT, STDERR) → gfx → BufferQueue (buffer_producer with its buffers) → nvdrv service.

Slide 12

Slide 12 text

Case: printf("Hello World") (cont.). On the path Hello App → libnx → newlib devoptab_list (STDOUT, STDERR) → gfx → BufferQueue (buffer_producer) → nvdrv service, the gfx layer talks to the BufferQueue through Binder (IPC) with Parcel-serialized messages: libnx implements the Android graphics system.

Slide 13

Slide 13 text

File format (NSO): Nintendo Switch static executable format. The sections (.text, .rodata, .data) are compressed with LZ4 (a flag per section in the header says whether that section is compressed).
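As an added example for this slide (not code from the slides, from the author's tools or from any loader), here is a minimal NSO header parser with an LZ4 block decoder, applied to an NSO image constructed inline. Field offsets follow the switchbrew NSO description (0x100-byte header, flags bits 0/1/2 marking .text/.rodata/.data as LZ4-compressed, compressed sizes at 0x60); the sample image and its 9-byte compressed .text are constructed here and come from no real title. Every offset, size and LZ4 match distance is treated as untrusted and checked before use, which is what separates a parser you can point at arbitrary files from one that crashes on them.

```c
/* Added example: NSO header parsing + bounds-checked LZ4 block decoding. */
#include <stdint.h>
#include <string.h>
#include <stddef.h>
#include <stdio.h>

typedef struct { uint32_t file_off, mem_off, size; } nso_segment_t;
typedef struct {
    char     magic[4];                               /* "NSO0" */
    uint32_t version, reserved, flags;
    nso_segment_t text;   uint32_t module_off;
    nso_segment_t rodata; uint32_t module_file_size;
    nso_segment_t data;   uint32_t bss_size;
    uint8_t  module_id[0x20];                        /* build id */
    uint32_t text_csize, rodata_csize, data_csize;   /* compressed sizes, offset 0x60 */
    uint8_t  reserved2[0x1c];
    uint64_t api_info, dynstr, dynsym;               /* .rodata-relative extents */
    uint8_t  text_hash[0x20], rodata_hash[0x20], data_hash[0x20];
} nso_header_t;
_Static_assert(sizeof(nso_header_t) == 0x100, "NSO header is 0x100 bytes");
#define NSO_FLAG_TEXT_COMPRESSED 1u

/* LZ4 block decoder (no frame header). Each length and offset comes from the
 * file and is validated before use. Returns bytes written, or -1 on bad input. */
long lz4_block_decompress(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap) {
    size_t ip = 0, op = 0;
    while (ip < in_len) {
        uint8_t token = in[ip++];
        size_t lit = token >> 4, mlen = token & 0xf, b;
        if (lit == 15) do { if (ip >= in_len) return -1; b = in[ip++]; lit += b; } while (b == 255);
        if (lit > in_len - ip || lit > out_cap - op) return -1;
        memcpy(out + op, in + ip, lit); ip += lit; op += lit;
        if (ip == in_len) break;                       /* final sequence: literals only */
        if (in_len - ip < 2) return -1;
        size_t off = in[ip] | ((size_t)in[ip + 1] << 8); ip += 2;
        if (off == 0 || off > op) return -1;           /* match would read before the output */
        if (mlen == 15) do { if (ip >= in_len) return -1; b = in[ip++]; mlen += b; } while (b == 255);
        mlen += 4;                                     /* minimum match length */
        if (mlen > out_cap - op) return -1;
        for (size_t i = 0; i < mlen; i++, op++) out[op] = out[op - off];  /* byte copy: overlap-safe */
    }
    return (long)op;
}

/* Extract .text from an NSO image. Header fields are untrusted: offsets and
 * sizes are checked against the image before any copy. Returns size or -1. */
long nso_extract_text(const uint8_t *img, size_t img_len, uint8_t *out, size_t out_cap) {
    nso_header_t h;
    if (img_len < sizeof h) return -1;
    memcpy(&h, img, sizeof h);
    if (memcmp(h.magic, "NSO0", 4) != 0) return -1;
    if (h.text.file_off > img_len || h.text_csize > img_len - h.text.file_off) return -1;
    if (h.text.size > out_cap) return -1;
    const uint8_t *src = img + h.text.file_off;
    if (!(h.flags & NSO_FLAG_TEXT_COMPRESSED)) {
        if (h.text_csize != h.text.size) return -1;
        memcpy(out, src, h.text.size);
        return (long)h.text.size;
    }
    long n = lz4_block_decompress(src, h.text_csize, out, h.text.size);
    return n == (long)h.text.size ? n : -1;            /* decompressed size must match the header */
}

/* Constructed sample .text: token 0x44 (4 literals, match 4+4) "ABCD", offset 4,
 * then token 0x10 + "E". Expands to "ABCDABCDABCDE" (13 bytes). */
static const uint8_t SAMPLE_TEXT_LZ4[9] = { 0x44, 'A', 'B', 'C', 'D', 0x04, 0x00, 0x10, 'E' };

/* Constructed NSO image: header + compressed .text. Returns image length, 0 if cap too small. */
size_t build_sample_nso(uint8_t *buf, size_t cap) {
    nso_header_t h;
    size_t total = sizeof h + sizeof SAMPLE_TEXT_LZ4;
    if (cap < total) return 0;
    memset(&h, 0, sizeof h);
    memcpy(h.magic, "NSO0", 4);
    h.flags = NSO_FLAG_TEXT_COMPRESSED;
    h.text.file_off = sizeof h; h.text.size = 13;
    h.text_csize = sizeof SAMPLE_TEXT_LZ4;
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, SAMPLE_TEXT_LZ4, sizeof SAMPLE_TEXT_LZ4);
    return total;
}

int main(void) {
    uint8_t img[0x200], text[64];
    size_t len = build_sample_nso(img, sizeof img);
    long n = nso_extract_text(img, len, text, sizeof text);
    printf(".text: %ld bytes: %.*s\n", n, (int)(n > 0 ? n : 0), text);
    uint32_t big = 0x10000;                            /* tamper: compressed size past end of file */
    memcpy(img + offsetof(nso_header_t, text_csize), &big, 4);
    printf("tampered header: %ld\n", nso_extract_text(img, len, text, sizeof text));
    return 0;
}
```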

Slide 14

Slide 14 text

File format (NRO): Nintendo Switch dynamic executable format. An NRO is verified at load time against an NRR file (a signed list of the SHA-256 hashes of the NROs a title is allowed to load).

Slide 15

Slide 15 text

File format (MOD): structures used for the runtime linking of NSOs and NROs. Layout of an NRO binary: NRO header, .text (containing the MOD header), .rodata, .data. The MOD header points to .dynamic, the unwind information and the module objects.

Slide 16

Slide 16 text

Static/Dynamic analysis (DEMO): there are some tools that can parse these formats. IDA/radare2 plugins. Debuggers: nxdbg, r2-nxdbg (WIP) https://github.com/RKX1209/r2nxdbg

Slide 17

Slide 17 text

Emulator? yuzu-emu, Ryujinx, NSEMU, ... An emulator has to reproduce both layers of the diagram: the services (appletAM, appletOE, pm:shell, ldr:pm, fsp-ldr, ...) are emulated and the app runs on a vCPU (ARMv8) on top of the host hardware (x64); the other hardware (Audio DSP (ARMv7), BCM4536 (WiFi), USB, ...) must be emulated as well.

Slide 18

Slide 18 text

NSEMU (DEMO): ARMv8 CPU emulator (regular ops, SIMD, etc.); service emulator (sm, bsd, fsp-srv, ldr); binary loader (NSO). https://github.com/RKX1209/nsemu

Slide 19

Slide 19 text

Firmware programming: using the bootROM vulnerability, the firmware of a Switch console can now be replaced.

Slide 20

Slide 20 text

Fusee Gelee (CVE-2018-6242): Tegra USB Recovery Mode (RCM). Recovery commands are sent as USB control requests; the fields of the setup packet are:
Field | Size | Description
direction | 1 bit | if '1', the device should respond with data
type | 2 bits | specifies whether this request is of a standard type or not
recipient | 5 bits | encodes the context in which this request should be considered (device, interface, endpoint)
request | 8 bits | specifies the request number
length | 16 bits | specifies the maximum amount of data to be transferred

Slide 22

Slide 22 text

Fusee Gelee (CVE-2018-6242): request = GET_STATUS. The handler copies the status variable into the high DMA buffer. The status is short, so the response size is smaller than the requested length.

Slide 23

Slide 23 text

Fusee Gelee (CVE-2018-6242): request = GET_STATUS && recipient = ENDPOINT. In this case the handler copies "length" bytes into the high DMA buffer, with length taken directly from the attacker-controlled wLength field. The copy overruns the buffer and overwrites the bootROM application's stack, which has neither ASLR nor a stack cookie.
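An added example modelling the bug pattern of the last three slides (this is not bootROM code, nor code from fusee-gelee): a USB setup packet is decoded with the bit fields of the RCM table, then GET_STATUS for an ENDPOINT recipient is handled once with the attacker-controlled wLength as the copy size (the bug) and once with the size fixed by the protocol (the fix). The DMA buffer and the saved return address that follows it are modelled as one flat byte array so the overrun stays observable and memory-safe; the real Tegra bootROM layout, buffer sizes and copy source are not reproduced.

```c
/* Added example: GET_STATUS/ENDPOINT copy with attacker-controlled length,
 * vulnerable form beside the hardened form, on a modelled stack frame. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define USB_REQ_GET_STATUS 0
#define USB_RECIP_ENDPOINT 2
#define STATUS_SIZE        2                  /* GET_STATUS always answers 2 bytes */
#define DMA_BUF_SIZE       16                 /* toy size for the response buffer */
#define FRAME_SIZE         (DMA_BUF_SIZE + 8) /* buffer, then 8 bytes of "saved return address" */
#define LR_SENTINEL        0xDEADBEEFCAFEF00DULL

typedef struct {                              /* fields from the slide's table */
    unsigned direction;                       /* bit 7: 1 = device-to-host */
    unsigned type;                            /* bits 6-5: 0 = standard request */
    unsigned recipient;                       /* bits 4-0: 0 device, 1 interface, 2 endpoint */
    unsigned request;                         /* bRequest */
    unsigned length;                          /* wLength: attacker chosen, up to 65535 */
} usb_req_t;

void usb_decode_setup(const uint8_t raw[8], usb_req_t *r) {
    r->direction = raw[0] >> 7;
    r->type      = (raw[0] >> 5) & 3;
    r->recipient = raw[0] & 0x1f;
    r->request   = raw[1];
    r->length    = raw[6] | ((unsigned)raw[7] << 8);   /* wLength, little-endian */
}

/* Vulnerable: trusts wLength as the number of bytes to copy into the DMA buffer. */
unsigned get_status_vulnerable(uint8_t *frame, const usb_req_t *r, const uint8_t *status) {
    if (r->request != USB_REQ_GET_STATUS || r->recipient != USB_RECIP_ENDPOINT) return 0;
    for (unsigned i = 0; i < r->length; i++) frame[i] = status[i];  /* BUG: runs past DMA_BUF_SIZE */
    return r->length;
}

/* Hardened: the reply is the protocol's fixed status size, capped by wLength
 * (the host may ask for less) and by the buffer (never more than it holds). */
unsigned get_status_hardened(uint8_t *frame, const usb_req_t *r, const uint8_t *status) {
    if (r->request != USB_REQ_GET_STATUS || r->recipient != USB_RECIP_ENDPOINT) return 0;
    unsigned n = STATUS_SIZE;
    if (n > r->length) n = r->length;
    if (n > DMA_BUF_SIZE) n = DMA_BUF_SIZE;
    memcpy(frame, status, n);
    return n;
}

typedef unsigned (*status_handler_fn)(uint8_t *, const usb_req_t *, const uint8_t *);

/* Run one setup packet against a fresh frame. Returns 1 if the saved return
 * address was overwritten, 0 if not, -1 if the packet exceeds the demo frame. */
int lr_clobbered(status_handler_fn handler, const uint8_t setup[8]) {
    uint8_t frame[FRAME_SIZE], status[FRAME_SIZE];
    uint64_t lr = LR_SENTINEL;
    usb_req_t r;
    memset(frame, 0, sizeof frame);
    memcpy(frame + DMA_BUF_SIZE, &lr, 8);             /* what the code would return into */
    memset(status, 0x41, sizeof status);              /* constructed bytes the copy sprays */
    usb_decode_setup(setup, &r);
    if (r.length > FRAME_SIZE) return -1;             /* demo bound only; the real copy had none */
    handler(frame, &r, status);
    memcpy(&lr, frame + DMA_BUF_SIZE, 8);
    return lr != LR_SENTINEL;
}

/* Constructed setup packets: IN | standard | endpoint, GET_STATUS, wLength 24 vs 2. */
static const uint8_t EVIL_SETUP[8]   = { 0x82, 0x00, 0, 0, 0, 0, 24, 0 };
static const uint8_t BENIGN_SETUP[8] = { 0x82, 0x00, 0, 0, 0, 0, 2, 0 };

int main(void) {
    printf("vulnerable, wLength=24: saved LR clobbered = %d\n",
           lr_clobbered(get_status_vulnerable, EVIL_SETUP));
    printf("hardened,   wLength=24: saved LR clobbered = %d\n",
           lr_clobbered(get_status_hardened, EVIL_SETUP));
    printf("vulnerable, wLength=2:  saved LR clobbered = %d\n",
           lr_clobbered(get_status_vulnerable, BENIGN_SETUP));
    return 0;
}
```

With no stack cookie the overwritten return address is used as soon as the handler returns, and with no ASLR the attacker knows where the bytes it placed in the DMA buffer ended up, which is why a single oversized wLength is enough.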

Slide 24

Slide 24 text

Boot sequence: diagram of the Nintendo Switch boot chain.

Slide 25

Slide 25 text

Boot sequence: diagram of the Nintendo Switch boot chain with the bootROM stage marked pwned. Arbitrary code execution from the bootROM onwards.

Slide 26

Slide 26 text

Atmosphère: open source custom firmware for Nintendo Switch. Components: "fusee-primary/secondary" (bootloader stages), "exosphere" (secure monitor), "stratosphere" (system modules).

Slide 27

Slide 27 text

Fuzzing case (nx-fuzzer): a system call fuzzer for Nintendo Switch. A crash is detected, and the console rebooted, by means of a watchdog.
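An added example of the bookkeeping such a fuzzer needs when the only crash signal is a watchdog reboot (this is my illustration, not nx-fuzzer's code): each case is derived from (seed, index) by a PRNG so it can be regenerated, written to persistent storage before the svc is issued, and marked done once it returns; after a reset, a stored case that is not marked done is the one that hung or crashed. Everything device-specific is simulated here: the syscall target, the watchdog ping and the "persistent" record (a static that outlives the simulated reboot). The 7-bit svc id range and the 4-argument shape are assumptions made for generation.

```c
/* Added example: regenerable test cases + write-before-call record, so a
 * watchdog reset still tells you which svc call was in flight. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SVC_ID_MAX   0x80
#define RECORD_MAGIC 0x465A5A31u            /* "FZZ1": marks an initialised record */

typedef struct {
    uint32_t magic;
    uint32_t index;                          /* case number under this seed */
    uint64_t seed;
    uint32_t svc_id;
    uint64_t args[4];                        /* x0..x3 handed to the svc (assumed shape) */
    uint32_t done;                           /* set once the call returned */
} fuzz_record_t;

/* xorshift64: small and deterministic, enough to regenerate a case from (seed, index). */
static uint64_t xs_next(uint64_t *s) {
    uint64_t v = *s; v ^= v << 13; v ^= v >> 7; v ^= v << 17; return *s = v;
}

void fuzz_case(uint64_t seed, uint32_t index, fuzz_record_t *r) {
    uint64_t s = seed ^ ((uint64_t)index + 1) * 0x9E3779B97F4A7C15ULL;
    if (s == 0) s = 1;                       /* xorshift must not start at 0 */
    r->magic = RECORD_MAGIC; r->seed = seed; r->index = index; r->done = 0;
    r->svc_id = (uint32_t)(xs_next(&s) % SVC_ID_MAX);
    for (int i = 0; i < 4; i++) r->args[i] = xs_next(&s);
}

/* --- simulated device --- */
static fuzz_record_t g_nvram;                /* stands in for storage that survives a reset */
static int g_wdt_pings, g_sim_calls;
static void wdt_ping(void) { g_wdt_pings++; }
/* Simulated target: the 7th svc ever issued never returns (on hardware the
 * watchdog would then reset the console). */
int sim_svc_hangs_on_7th(const fuzz_record_t *r) { (void)r; return ++g_sim_calls == 7; }
void sim_reset(void) { g_sim_calls = 0; g_wdt_pings = 0; memset(&g_nvram, 0, sizeof g_nvram); }

typedef int (*svc_fn)(const fuzz_record_t *);   /* returns 1 if the call hangs */

/* Fuzz loop: ping the watchdog, persist the case, issue the svc, mark it done.
 * Returns the index at which the watchdog fired, or -1 if every case returned. */
long fuzz_run(uint64_t seed, uint32_t count, svc_fn target) {
    for (uint32_t i = 0; i < count; i++) {
        fuzz_record_t r; fuzz_case(seed, i, &r);
        wdt_ping();                          /* fresh deadline for this case */
        g_nvram = r;                         /* write-before-call: the record survives the reset */
        if (target(&r)) return (long)i;      /* on hardware: no return, reboot happens here */
        g_nvram.done = 1;
    }
    return -1;
}

/* At boot: a valid record not marked done names the case in flight when the reset hit. */
int fuzz_recover(fuzz_record_t *out) {
    if (g_nvram.magic != RECORD_MAGIC || g_nvram.done) return 0;
    *out = g_nvram;
    return 1;
}

int main(void) {
    fuzz_record_t rec;
    sim_reset();
    long at = fuzz_run(0x1234, 100, sim_svc_hangs_on_7th);
    if (at >= 0 && fuzz_recover(&rec))
        printf("watchdog reset during case %u: svc 0x%02x args %#llx %#llx %#llx %#llx (%d pings)\n",
               rec.index, rec.svc_id, (unsigned long long)rec.args[0], (unsigned long long)rec.args[1],
               (unsigned long long)rec.args[2], (unsigned long long)rec.args[3], g_wdt_pings);
    return 0;
}
```

The order inside the loop is the whole point: the record is written before the call and the done flag after it, so a reset anywhere in between leaves exactly one unfinished record behind, and the seed lets the case be replayed on its own.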

Slide 28

Slide 28 text

nx-watchdog (DEMO): a /dev/watchdog implementation on the Switch. Firmware program based on hekate-ipl. Drives the NVIDIA Tegra WDT (see the Tegra manual and the Linux driver). https://github.com/RKX1209/nx-watchdog

Slide 29

Slide 29 text

Summary: Nintendo Switch internals. NSEMU: Nintendo Switch emulator. r2nxdbg/plugin: analysis tool and debugger. nx-fuzzer: system call fuzzer. nx-watchdog: /dev/watchdog on the Switch.