The Game is Over. Nintendo switch has been totally compromised
KernelVM #14
Ren Kimura
July 21, 2018
Transcript
The Game is Over: Nintendo Switch has been totally compromised (@RKX1209)
Whoami: Japanese student at Kobe University (M2). Research scholar @CyLab, CMU (from 2018/10/1). Twitter: @RKX1209. Splatoon2 player :)
Hardware spec
- SoC: ODNX02-A2 (based on Tegra X1)
- CPU: ARM Cortex-A57
- GPU: Maxwell, 256 cores
- 4GB DRAM
System software: the microkernel "Horizon". Functionality is provided by "Services": file operations, I/O processing, graphics, etc.
Microkernel? Launching a game title from the home menu (figure: qlaunch, appletAM, pm:shell, ldr:pm, fsp-ldr, appletOE, Game):
(1) qlaunch requests a system proxy (proxy(sys)) from appletAM.
(2) Launch game title: pm:shell -> ldr:pm -> CreateProcess; fsp-ldr mounts the code.
(3) The game requests an application proxy (proxy(app)) from appletOE and uses the applet functions through it (recording movie, etc.).
IPC mechanism: communication with "Services" goes through a shared buffer, the TLS (Thread Local Storage) of the calling thread, and the kernel is notified with svcSendSyncRequest. (1) The app writes the message into its TLS, (2) svcSendSyncRequest, (3) the service receives the message from the same buffer.
IPC mechanism: all connections are managed by the "session handler". A new session is created either by svcConnectToNamedPort(name) or by sm::GetService. (Figure: App1 and App2 each hold their own session to sm, session(1-sm) and session(2-sm).)
IPC session: almost all sessions are created by sm::GetService; the one exception is the connection with sm itself. (1) svcConnectToNamedPort("sm:") gives session(1-sm); (2) sm::GetService("fsp-ldr") is sent over that session; (3) a new session(1-fspldr) to fsp-ldr is returned by sm::GetService.
Service list
  acc    Account services
  am     Applet services
  audio  Audio services
  bsd    BSD socket services
  nvdrv  NVIDIA graphics driver
  pm     Process manager services
  sm     Service manager
  usb    USB services
  wlan   WLAN services
Case: Launch game title. Launching a game title from the home menu (figure: qlaunch, appletAM, pm:shell, ldr:pm, fsp-ldr, appletOE, Game):
(1) qlaunch requests a system proxy (proxy(sys)) from appletAM.
(2) Launch game title: pm:shell -> ldr:pm -> CreateProcess; fsp-ldr mounts the code.
(3) The game requests an application proxy (proxy(app)) from appletOE and uses the applet functions through it (recording movie, etc.).
Case: printf("Hello World"). Execute a simple homebrew app, printf("Hello World");, built with libnx. (Figure: Hello App -> libnx -> newlib -> devoptab_list (STDOUT, STDERR) -> gfx -> BufferQueue (buffer, buffer, buffer) / buffer_producer -> Binder (IPC, Parcel) -> nvdrv service.) libnx implements the Android graphics system (BufferQueue, Binder, Parcel).
File format (NSO): Nintendo Switch static executable format. Each section (.text, .rodata, .data) is LZ4-compressed; the header flags record which segments are compressed.
File format (NRO): Nintendo Switch dynamic executable format. Verified at load time against an NRR file (the NRR lists the hashes of the NROs a process is allowed to load).
File format (MOD): structure used for the runtime linking of NSOs and NROs. (Figure, NRO binary: Header(NRO), .text, .rodata, .data; the Header(MOD) inside .text points to the Module Objects..., .dynamic and the unwind information.)
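As an added example (not code from the talk, from libnx or from r2nxdbg), here is a header parser for the NRO layout just described, with the bounds checks a loader needs before it trusts any offset in the file. Field offsets follow the NRO0 header (MOD0 offset at 0x04, magic at 0x10, total size at 0x18, three {offset, size} segment headers at 0x20, .bss size at 0x38) and the MOD0 header (magic, then signed offsets to .dynamic and to the start and end of .bss, relative to the MOD0 header). The sample image is constructed for the test and is not a real binary; the error codes are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NRO_MAGIC 0x304F524Eu   /* "NRO0" read as a little-endian u32 */
#define MOD_MAGIC 0x3044304Du   /* "MOD0" */
#define NRO_HEADER_SIZE 0x80u
#define MOD_HEADER_SIZE 0x1Cu

typedef struct { uint32_t offset, size; } nro_segment;

typedef struct {
    uint32_t size;               /* total image size claimed by the header */
    nro_segment text, ro, data;  /* .text, .rodata, .data: file offset and size */
    uint32_t bss_size;
    uint32_t mod0_offset;        /* where the MOD0 header sits inside the image */
    uint32_t dynamic_offset;     /* absolute offset of .dynamic, resolved from MOD0 */
    uint32_t bss_start, bss_end; /* absolute offsets of .bss, resolved from MOD0 */
} nro_info;

static uint32_t rd32(const uint8_t *p, size_t off) { uint32_t v; memcpy(&v, p + off, 4); return v; }
void wr32(uint8_t *p, size_t off, uint32_t v) { memcpy(p + off, &v, 4); }

/* A segment is acceptable only if it lies inside the image and offset+size does not wrap. */
static int seg_ok(nro_segment s, uint32_t image_size) {
    return s.size <= image_size && s.offset <= image_size - s.size;
}

/* Resolve a signed MOD0-relative offset to an absolute image offset, rejecting anything outside. */
static int mod_rel(uint32_t mod0, int32_t rel, uint32_t image_size, uint32_t *abs_out) {
    int64_t a = (int64_t)mod0 + rel;
    if (a < 0 || a >= (int64_t)image_size) return 0;
    *abs_out = (uint32_t)a;
    return 1;
}

/* Returns 0 on success; a distinct negative code identifies which check failed. */
int nro_parse(const uint8_t *buf, size_t len, nro_info *out) {
    if (len < NRO_HEADER_SIZE) return -1;                          /* truncated header */
    if (rd32(buf, 0x10) != NRO_MAGIC) return -2;                    /* not an NRO */
    out->size = rd32(buf, 0x18);
    if (out->size < NRO_HEADER_SIZE || out->size > len) return -3;  /* size field disagrees with the data */
    out->text.offset = rd32(buf, 0x20); out->text.size = rd32(buf, 0x24);
    out->ro.offset   = rd32(buf, 0x28); out->ro.size   = rd32(buf, 0x2C);
    out->data.offset = rd32(buf, 0x30); out->data.size = rd32(buf, 0x34);
    out->bss_size    = rd32(buf, 0x38);
    if (!seg_ok(out->text, out->size) || !seg_ok(out->ro, out->size) ||
        !seg_ok(out->data, out->size)) return -4;                   /* a segment escapes the image */
    out->mod0_offset = rd32(buf, 0x04);
    if ((out->mod0_offset & 3) || out->mod0_offset > out->size - MOD_HEADER_SIZE) return -5;
    const uint8_t *mod = buf + out->mod0_offset;
    if (rd32(mod, 0x00) != MOD_MAGIC) return -6;
    if (!mod_rel(out->mod0_offset, (int32_t)rd32(mod, 0x04), out->size, &out->dynamic_offset)) return -7;
    /* .bss lives after the file image in memory, so it may end at size + bss_size but no later. */
    int64_t bs = (int64_t)out->mod0_offset + (int32_t)rd32(mod, 0x08);
    int64_t be = (int64_t)out->mod0_offset + (int32_t)rd32(mod, 0x0C);
    if (bs < 0 || be < bs || be > (int64_t)out->size + out->bss_size) return -8;
    out->bss_start = (uint32_t)bs; out->bss_end = (uint32_t)be;
    return 0;
}

/* Constructed sample image (not a real NRO): 0x200 bytes, .text [0,0x100) holding both
 * headers, .rodata [0x100,0x180), .data [0x180,0x200), 0x1000 bytes of .bss, and a MOD0
 * header at 0x80 that places .dynamic at 0x180 and .bss at [0x200,0x1200). */
#define SAMPLE_NRO_SIZE 0x200u
void build_sample_nro(uint8_t *img) {
    memset(img, 0, SAMPLE_NRO_SIZE);
    wr32(img, 0x04, 0x80);                           /* MOD0 offset */
    wr32(img, 0x10, NRO_MAGIC);
    wr32(img, 0x18, SAMPLE_NRO_SIZE);
    wr32(img, 0x20, 0x000); wr32(img, 0x24, 0x100);  /* .text   */
    wr32(img, 0x28, 0x100); wr32(img, 0x2C, 0x080);  /* .rodata */
    wr32(img, 0x30, 0x180); wr32(img, 0x34, 0x080);  /* .data   */
    wr32(img, 0x38, 0x1000);                         /* .bss size */
    wr32(img, 0x80, MOD_MAGIC);
    wr32(img, 0x84, 0x100);                          /* .dynamic  = 0x80 + 0x100 = 0x180  */
    wr32(img, 0x88, 0x180);                          /* bss start = 0x80 + 0x180 = 0x200  */
    wr32(img, 0x8C, 0x1180);                         /* bss end   = 0x80 + 0x1180 = 0x1200 */
}
```

The checks are the ones that matter when the NRO comes from an untrusted source: the size field is compared against the bytes actually present, every segment is checked against that size with the addition done in a way that cannot wrap, and the MOD0 offsets are signed and are resolved in 64-bit arithmetic so a negative or oversized offset cannot point outside the mapping before the NRR hash check has even run.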
Static/dynamic analysis (DEMO): there are tools that can parse these formats. IDA/radare2 plugin; debuggers nxdbg and r2-nxdbg (WIP), https://github.com/RKX1209/r2nxdbg
Emulator? yuzu-emu, Ryujinx, NSEMU, ... (Figure: the services appletAM, pm:shell, ldr:pm, fsp-ldr, appletOE and the App are emulated and run on a vCPU (ARMv8) on top of the host hardware (x64); on the real console the Audio DSP (ARMv7), the BCM4356 (WiFi), USB, ... are hardware.)
NSEMU (DEMO)
- ARMv8 CPU emulator: regular ops, SIMD, etc.
- Service emulator: sm, bsd, fsp-srv, ldr
- Binary loader: NSO
https://github.com/RKX1209/nsemu
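Added example (not NSEMU or libnx code): a model of the session plumbing from the IPC slides above, written the way a service emulator such as NSEMU's sm emulation has to implement it. The handle table, the result codes and the MAX_* limits are the example's own. The only named port in the model is "sm:", and a session to any other service is minted by a GetService request carried over an sm session, which is the rule the slides state.

```c
#include <stdint.h>
#include <string.h>

#define MAX_SERVICES 16
#define MAX_SESSIONS 32
#define SERVICE_NAME_MAX 8          /* Horizon service names fit in 8 bytes */
#define SM_TARGET (-1)              /* session target meaning "the service manager itself" */

/* Constructed result codes for the model, not Horizon's. */
enum { RES_OK = 0, RES_NOT_FOUND = 1, RES_BAD_HANDLE = 2, RES_TABLE_FULL = 3 };

typedef uint32_t Handle;            /* 0 is never a valid handle */

typedef struct { char name[SERVICE_NAME_MAX + 1]; } service_t;
typedef struct { int in_use; int target; } session_t;   /* target: service index or SM_TARGET */

typedef struct {
    service_t services[MAX_SERVICES];
    int n_services;
    session_t sessions[MAX_SESSIONS];                   /* slot i is handle i + 1 */
} kernel_model;

void km_init(kernel_model *m) { memset(m, 0, sizeof *m); }

/* sm::RegisterService: a service process announces its name to the service manager. */
uint32_t sm_register_service(kernel_model *m, const char *name) {
    if (m->n_services == MAX_SERVICES || strlen(name) > SERVICE_NAME_MAX) return RES_TABLE_FULL;
    strcpy(m->services[m->n_services++].name, name);
    return RES_OK;
}

static uint32_t new_session(kernel_model *m, int target, Handle *out) {
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (!m->sessions[i].in_use) {
            m->sessions[i].in_use = 1;
            m->sessions[i].target = target;
            *out = (Handle)(i + 1);
            return RES_OK;
        }
    }
    return RES_TABLE_FULL;
}

static session_t *lookup(kernel_model *m, Handle h) {
    if (h == 0 || h > MAX_SESSIONS || !m->sessions[h - 1].in_use) return NULL;
    return &m->sessions[h - 1];
}

/* svcConnectToNamedPort: in this model only the service manager owns a named port ("sm:"),
 * so this is the single way to obtain a session without going through sm. */
uint32_t svc_connect_to_named_port(kernel_model *m, const char *port, Handle *out) {
    if (strcmp(port, "sm:") != 0) return RES_NOT_FOUND;
    return new_session(m, SM_TARGET, out);
}

/* sm::GetService, sent over an sm session. The handle is validated first: a session to some
 * other service must not be able to ask the service manager for more sessions. */
uint32_t sm_get_service(kernel_model *m, Handle sm_session, const char *name, Handle *out) {
    session_t *s = lookup(m, sm_session);
    if (!s || s->target != SM_TARGET) return RES_BAD_HANDLE;
    for (int i = 0; i < m->n_services; i++)
        if (strcmp(m->services[i].name, name) == 0) return new_session(m, i, out);
    return RES_NOT_FOUND;
}

/* Which service a session handle talks to: "sm:" for the service manager, NULL if invalid. */
const char *session_target(kernel_model *m, Handle h) {
    session_t *s = lookup(m, h);
    if (!s) return NULL;
    return s->target == SM_TARGET ? "sm:" : m->services[s->target].name;
}

/* svcCloseHandle: frees the slot; the handle value becomes invalid and may be reused. */
uint32_t svc_close_handle(kernel_model *m, Handle h) {
    session_t *s = lookup(m, h);
    if (!s) return RES_BAD_HANDLE;
    s->in_use = 0;
    return RES_OK;
}
```

The flow from the slides maps onto three calls: svc_connect_to_named_port("sm:") is the one connection made without sm, sm_get_service over that handle hands back a fresh session to fsp-ldr, and every request to fsp-ldr from then on carries that second handle. An emulator that skips the handle validation in sm_get_service lets any session act as an sm session, which is exactly the kind of confusion a real kernel's handle table prevents.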
Firmware programming: the firmware on a Switch console can now be replaced by using the bootROM vulnerability.
Fusée Gelée (CVE-2018-6242): Tegra USB Recovery Mode (RCM). Recovery commands are sent as USB control requests. [Fusée Gelée logo]
Fields of the setup packet:
  Field      Size  Description
  direction  1b    if '1', the device should respond with data
  type       2b    specifies whether this request is of a standard type or not
  recipient  5b    encodes the context in which this request should be considered
  request    8b    specifies the request number
  length     16b   specifies the maximum amount of data to be transferred
Fusée Gelée (CVE-2018-6242), request = GET_STATUS: the status variable is copied to the high DMA buffer, and the response size is bounded (response size < length).
request = GET_STATUS && recipient = ENDPOINT: the handler copies a buffer of "length" bytes to the high DMA buffer, with length taken straight from the request, so an oversized length runs past the buffer and overwrites the application stack. The bootROM has no ASLR and no stack cookie.
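Added example, not bootROM code and not code from the talk: a host-side model of the two GET_STATUS paths described above, with the bmRequestType bit layout from the setup-packet table. The IRAM layout (a DMA buffer followed by a 32-bit slot standing in for a saved return address on the stack), the payload bytes, the sizes and the hardened switch are constructed for illustration; the point is the unbounded "length" on the endpoint path next to the min() bound on the other path. The model clamps the copy to its own IRAM array so the host process stays memory-safe, which the real bootROM did not do.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* bmRequestType bit layout from the table: direction (1 bit), type (2 bits), recipient (5 bits). */
#define REQ_DIR(bm)   ((uint8_t)((bm) >> 7))
#define REQ_TYPE(bm)  ((uint8_t)(((bm) >> 5) & 0x3))
#define REQ_RECIP(bm) ((uint8_t)((bm) & 0x1F))
#define RECIP_DEVICE   0
#define RECIP_ENDPOINT 2
#define GET_STATUS     0

typedef struct {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue, wIndex;
    uint16_t wLength;           /* "length": maximum amount of data to be transferred */
} usb_setup;

void decode_request_type(uint8_t bm, uint8_t *dir, uint8_t *type, uint8_t *recip) {
    *dir = REQ_DIR(bm); *type = REQ_TYPE(bm); *recip = REQ_RECIP(bm);
}

/* Constructed IRAM layout: the high DMA buffer sits below the stack region, and the
 * slot at RET_ADDR_OFF stands in for a saved return address. Sizes are illustrative. */
#define IRAM_SIZE     0x800
#define DMA_BUF_OFF   0x000
#define DMA_BUF_SIZE  0x200
#define RET_ADDR_OFF  0x400
#define SAVED_LR      0x41414141u

typedef struct {
    uint8_t  mem[IRAM_SIZE];
    uint16_t status;            /* the 2-byte status variable a GET_STATUS response carries */
} iram_model;

void iram_init(iram_model *m) {
    memset(m->mem, 0, sizeof m->mem);
    uint32_t lr = SAVED_LR;
    memcpy(m->mem + RET_ADDR_OFF, &lr, sizeof lr);
    m->status = 0x0001;
}

uint32_t saved_lr(const iram_model *m) {
    uint32_t lr; memcpy(&lr, m->mem + RET_ADDR_OFF, sizeof lr); return lr;
}

/* Handle an IN GET_STATUS request by filling the DMA buffer; returns the number of bytes
 * queued for the response. ep_buf/ep_len is the (constructed, attacker-influenced) buffer
 * the endpoint path copies from. hardened selects the bounded variant of that path. */
size_t rcm_get_status(iram_model *m, const usb_setup *s,
                      const uint8_t *ep_buf, size_t ep_len, int hardened) {
    if (s->bRequest != GET_STATUS || REQ_DIR(s->bmRequestType) != 1) return 0;
    uint8_t *dma = m->mem + DMA_BUF_OFF;
    size_t n = s->wLength;

    if (REQ_RECIP(s->bmRequestType) != RECIP_ENDPOINT || hardened) {
        /* Device/interface path, and the fixed endpoint path: the response is the status
         * variable, so the copy is bounded by min(length, sizeof status). */
        if (n > sizeof m->status) n = sizeof m->status;
        memcpy(dma, &m->status, n);
        return n;
    }

    /* Vulnerable endpoint path: "length" is trusted as the copy size, so a request with
     * wLength far above DMA_BUF_SIZE runs past the buffer into the stack region. The clamp
     * to IRAM_SIZE only keeps this host model memory-safe; the bootROM had no such bound. */
    if (n > ep_len) n = ep_len;
    if (n > IRAM_SIZE - DMA_BUF_OFF) n = IRAM_SIZE - DMA_BUF_OFF;
    memcpy(dma, ep_buf, n);
    return n;
}
```

With a 0x700-byte payload and wLength = 0x700, the vulnerable path returns 0x700 and the slot at RET_ADDR_OFF now reads 0x42424242; the hardened path and the device-recipient path both return 2 and leave it untouched. Since the copy length is bounded by the size of the data actually being returned rather than by the request, the fix does not depend on knowing how much stack lies above the buffer.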
Boot sequence (figure): the Nintendo Switch boot sequence. Pwned: arbitrary code execution from the BootROM.
Atmosphère: open source custom firmware for Nintendo Switch. Components: "fusee-primary/secondary", "exosphere", "stratosphere".
Fuzzing case (nx-fuzzer): system call fuzzer for Nintendo Switch. Crashes are detected, and the console is rebooted, by using the watchdog.
nx-watchdog (DEMO): /dev/watchdog implementation on Switch. A firmware program based on hekate-ipl that drives the NVIDIA Tegra WDT (see the Tegra manual and the Linux driver). https://github.com/RKX1209/nx-watchdog
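Added example (not nx-fuzzer or nx-watchdog code): a host-side analogue of the crash-and-reboot handling the two slides above describe. SIGALRM stands in for the Tegra watchdog timer expiring and SIGSEGV/SIGBUS for a CPU fault; the fuzzer journals each case before running it, so the case that killed the run is still known after the reset, and arms the timer before every call and disarms it when the call returns. toy_svc is a constructed stand-in for a system call under test, not a real Horizon svc, and the case tables are constructed input.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

/* Verdict for one fuzz case. */
enum { CASE_OK = 0, CASE_HANG = 1, CASE_CRASH = 2 };

typedef struct { uint32_t a0, a1; } svc_case;          /* arguments handed to the svc under test */
typedef int (*svc_fn)(uint32_t a0, uint32_t a1);

typedef struct {
    int ran;            /* cases executed, including the one that failed */
    int failed_index;   /* index of the case that hung or crashed, -1 if none */
    int verdict;        /* CASE_OK, CASE_HANG or CASE_CRASH */
    svc_case journal;   /* written before each case runs; on the console this is what is read
                           back from persistent storage after the watchdog reset */
} fuzz_report;

static sigjmp_buf recover_env;
static volatile sig_atomic_t fault_kind;

/* SIGALRM plays the watchdog (timeout expired); SIGSEGV/SIGBUS play a CPU fault. Both unwind
 * back into the fuzz loop, the way a reset hands control back to the fuzzer on the console. */
static void on_fault(int sig) {
    fault_kind = (sig == SIGALRM) ? CASE_HANG : CASE_CRASH;
    siglongjmp(recover_env, 1);
}

static void install_handlers(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGALRM, &sa, NULL);
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);
}

/* Run the cases in order and stop at the first hang or crash, reporting which one it was. */
fuzz_report run_cases(svc_fn target, const svc_case *cases, int n, unsigned timeout_s) {
    fuzz_report r = { 0, -1, CASE_OK, { 0, 0 } };
    install_handlers();
    for (int i = 0; i < n; i++) {
        r.journal = cases[i];                  /* 1. persist the case before touching the target */
        fault_kind = CASE_OK;
        if (sigsetjmp(recover_env, 1) == 0) {
            alarm(timeout_s);                  /* 2. arm the watchdog */
            (void)target(cases[i].a0, cases[i].a1);
            alarm(0);                          /* 3. returned in time: disarm (pet) the watchdog */
            r.ran++;
        } else {
            alarm(0);                          /* 4. the watchdog or a fault brought us back here */
            r.ran++;
            r.failed_index = i;
            r.verdict = fault_kind;
            break;
        }
    }
    return r;
}

/* Constructed stand-in for an svc under test (not a real Horizon system call):
 * a1 == 0xDEAD reads through an invalid pointer, a0 == 0x7777 never returns. */
static volatile uintptr_t bad_addr = 8;
static volatile int keep_spinning = 1;
int toy_svc(uint32_t a0, uint32_t a1) {
    if (a1 == 0xDEAD) {
        volatile uint32_t *bad = (volatile uint32_t *)bad_addr;
        return (int)*bad;
    }
    if (a0 == 0x7777)
        while (keep_spinning) { }
    return (int)((a0 ^ a1) & 0xFF);
}
```

The ordering in the loop is the part that carries over to the console: the case is written out before the call, not after, because a hang gives the fuzzer no chance to log anything once the target is entered, and the watchdog is armed per call with a timeout slightly above the longest legitimate svc so that a timeout is evidence of a hang rather than of a slow call.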
Summary
- Nintendo Switch internals
- NSEMU: Nintendo Switch emulator
- r2nxdbg / plugin: analysis tool, debugger
- nx-fuzzer: system call fuzzer
- nx-watchdog: /dev/watchdog on Switch