The Game is Over. Nintendo switch has been totally compromised
KernelVM #14
Ren Kimura
July 21, 2018
Transcript
The Game is Over: Nintendo Switch has been totally compromised
@RKX1209

Whoami
- Japanese student at Kobe University (M2)
- Research scholar @CyLab, CMU (2018/10/1~)
- Twitter: @RKX1209
- Splatoon2 player :)
Hardware spec
- ODNX02-A2 (based on Tegra X1)
- ARM Cortex-A57
- Maxwell 256-core GPU
- 4GB DRAM

System software
- Microkernel "Horizon"
- Functionalities are provided by "Services": file operations, I/O processing, graphics, etc.
Microkernel?
Launching a game title from the home menu (slide figure, kept here as a flow):
(1) qlaunch requests a proxy (proxy(sys)) from appletAM.
(2) Launch game title: pm:shell creates the process (CreateProcess); ldr:pm and fsp-ldr mount the code.
(3) The game requests its own proxy (proxy(app)) from appletOE and uses the app functions (recording movie, etc.).
IPC mechanism
- Communication with "Services" uses a shared buffer: the TLS (Thread Local Storage).
- The receiver is notified by svcSendSyncRequest.
Flow (slide figure): (1) the app writes the message into its TLS, (2) calls svcSendSyncRequest, (3) the service receives the message.

IPC mechanism
- All connections are managed by the "session handler".
- Creating a new session: svcConnectToNamedPort(name), or sm::GetService.
Figure: App1 holds session(1-sm) and App2 holds session(2-sm) with the service manager sm.

IPC session
- Almost all sessions are created by sm::GetService, except the connection with sm itself.
Flow (slide figure): (1) App1 calls svcConnectToNamedPort("sm:"), (2) calls sm::GetService("fsp-ldr"), (3) obtains session(1-fspldr), returned by sm::GetService.

Service list
  acc     Account services
  am      Applet services
  audio   Audio services
  bsd     BSD socket services
  nvdrv   NVIDIA graphics driver
  pm      Process manager services
  sm      Service manager
  usb     USB services
  wlan    WLAN services
Case: Launch game title
Launching a game title from the home menu: the same qlaunch / appletAM / pm:shell / ldr:pm / fsp-ldr / appletOE flow shown on the "Microkernel?" slide above.
Case: printf("Hello World")
Execute a simple homebrew app, printf("Hello World");, with libnx.
Figure: Hello App -> libnx -> newlib devoptab_list (STDOUT, STDERR) -> gfx -> BufferQueue (buffer_producer and its buffers; Binder IPC, Parcel) -> nvdrv service.
libnx implements the Android graphics system.
File format (NSO)
- Nintendo Switch static executable format.
- Every section (.text, ...) is compressed with LZ4.

File format (NRO)
- Nintendo Switch dynamic executable format.
- Verified at load time using an NRR file.

File format (MOD)
- Structures used for the runtime linking of NSOs and NROs.
Figure, NRO binary layout: Header(NRO), .text, .rodata, .data, Header(MOD), module objects..., .dynamic, unwind.
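The NSO slide only says that sections are LZ4-compressed. The following added example (my code, not the speaker's and not from any of the projects named in the talk) goes a step further and parses a minimal NSO0 image: it decodes the raw LZ4 blocks and verifies each segment's SHA-256 against the digest in the header, which is the integrity check a loader or analysis tool should make before trusting a section. The header offsets it uses (magic at 0, flags at 0xC, segment headers from 0x10, compressed sizes at 0x60, hashes at 0xA0) are assumed from public documentation of the format, not from the slides; the sample image and its hand-built LZ4 block are constructed inline.

```python
"""Added example: parse a minimal NSO0 image, decompress LZ4 segments and verify hashes.

Header layout is assumed from public NSO documentation; sample image is constructed here.
"""
import hashlib
import struct

NSO_MAGIC = b"NSO0"
HEADER_SIZE = 0x100
SEGMENT_NAMES = ("text", "rodata", "data")
# Assumed flag layout: bits 0-2 = segment is LZ4-compressed, bits 3-5 = segment has a SHA-256 hash
FLAG_COMPRESSED_SHIFT = 0
FLAG_HASH_SHIFT = 3


def lz4_block_decompress(src: bytes, expected_size: int) -> bytes:
    """Decode one raw LZ4 block (no frame header) into exactly expected_size bytes."""
    dst = bytearray()
    i, n = 0, len(src)
    while i < n:
        token = src[i]
        i += 1
        lit_len = token >> 4
        if lit_len == 15:                       # extended literal length
            while True:
                b = src[i]
                i += 1
                lit_len += b
                if b != 255:
                    break
        if i + lit_len > n:
            raise ValueError("literal run exceeds block")
        dst += src[i:i + lit_len]
        i += lit_len
        if i >= n:                              # final sequence carries no match
            break
        offset = src[i] | (src[i + 1] << 8)
        i += 2
        if offset == 0 or offset > len(dst):
            raise ValueError("match offset points outside produced output")
        match_len = (token & 0xF) + 4
        if (token & 0xF) == 15:                 # extended match length
            while True:
                b = src[i]
                i += 1
                match_len += b
                if b != 255:
                    break
        start = len(dst) - offset
        for k in range(match_len):              # byte-wise copy handles overlapping matches
            dst.append(dst[start + k])
        if len(dst) > expected_size:
            raise ValueError("output exceeds declared segment size")
    if len(dst) != expected_size:
        raise ValueError(f"decompressed {len(dst)} bytes, header declares {expected_size}")
    return bytes(dst)


def parse_nso(image: bytes) -> dict:
    """Return the three segments, decompressed and hash-checked as the header flags demand."""
    if len(image) < HEADER_SIZE or image[:4] != NSO_MAGIC:
        raise ValueError("not an NSO0 image")
    flags = struct.unpack_from("<I", image, 0xC)[0]
    segments = {}
    for idx, name in enumerate(SEGMENT_NAMES):
        file_off, mem_off, size = struct.unpack_from("<III", image, 0x10 + 0x10 * idx)
        comp_size = struct.unpack_from("<I", image, 0x60 + 4 * idx)[0]
        if file_off + comp_size > len(image):
            raise ValueError(f".{name} segment runs past end of file")
        raw = image[file_off:file_off + comp_size]
        if flags & (1 << (FLAG_COMPRESSED_SHIFT + idx)):
            payload = lz4_block_decompress(raw, size)
        elif len(raw) == size:
            payload = raw
        else:
            raise ValueError(f".{name} stored size differs from declared size")
        if flags & (1 << (FLAG_HASH_SHIFT + idx)):
            expected = image[0xA0 + 0x20 * idx:0xC0 + 0x20 * idx]
            if hashlib.sha256(payload).digest() != expected:
                raise ValueError(f".{name} SHA-256 mismatch")
        segments[name] = {"mem_off": mem_off, "data": payload}
    return segments


def is_valid_nso(image: bytes) -> bool:
    """Convenience wrapper: True when every declared hash and size checks out."""
    try:
        parse_nso(image)
        return True
    except ValueError:
        return False


def build_sample_nso() -> bytes:
    """Construct a tiny NSO0 image: LZ4-compressed, hashed .text; stored, hashed .rodata/.data."""
    text_plain = b"hello hello hello!"
    # Hand-built LZ4 block: literal "hello ", match (offset 6, length 11), then literal "!"
    text_lz4 = bytes([0x67]) + b"hello " + bytes([0x06, 0x00, 0x10]) + b"!"
    rodata, data = b"RO", b"DATA"
    hdr = bytearray(HEADER_SIZE)
    hdr[0:4] = NSO_MAGIC
    flags = (1 << FLAG_COMPRESSED_SHIFT) | (0b111 << FLAG_HASH_SHIFT)
    struct.pack_into("<I", hdr, 0xC, flags)
    off = HEADER_SIZE
    blobs = ((text_lz4, len(text_plain)), (rodata, len(rodata)), (data, len(data)))
    for idx, (blob, mem_size) in enumerate(blobs):
        struct.pack_into("<III", hdr, 0x10 + 0x10 * idx, off, 0x1000 * idx, mem_size)
        struct.pack_into("<I", hdr, 0x60 + 4 * idx, len(blob))
        off += len(blob)
    for idx, plain in enumerate((text_plain, rodata, data)):
        hdr[0xA0 + 0x20 * idx:0xC0 + 0x20 * idx] = hashlib.sha256(plain).digest()
    return bytes(hdr) + text_lz4 + rodata + data


if __name__ == "__main__":
    for name, seg in parse_nso(build_sample_nso()).items():
        print(name, hex(seg["mem_off"]), seg["data"])
```

Flipping a single byte inside the compressed .text of the sample image makes is_valid_nso return False, which is exactly why a loader should honour the hash flags rather than just the section sizes.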
Static/Dynamic analysis (DEMO)
- There are some tools that can parse these formats: IDA/radare2 plugin.
- Debugger: nxdbg, r2-nxdbg (WIP) https://github.com/RKX1209/r2nxdbg

Emulator?
- yuzu-emu, Ryujinx, NSEMU ...
Figure: the services (appletAM, pm:shell, ldr:pm, fsp-ldr, appletOE, App, ...) run emulated on a vCPU (ARMv8) hosted on x64 hardware; the Audio DSP (ARMv7), BCM4536 (WiFi), USB, ... are the emulated hardware.

NSEMU (DEMO)
- ARMv8 CPU emulator: regular ops, SIMD, etc.
- Service emulator: sm, bsd, fsp-srv, ldr
- Binary loader: nso
https://github.com/RKX1209/nsemu
Firmware programming
- Now you can replace the firmware on a Switch console using a bootROM vulnerability.

Fusée Gelée (CVE-2018-6242)
- Tegra USB Recovery Mode (RCM): recovery commands are required.
USB control request (setup packet) fields:
  Field       Size   Description
  direction   1b     if '1', the device should respond with data
  type        2b     specifies whether this request is of a standard type or not
  recipient   5b     encodes the context in which this request should be considered
  request     8b     specifies the request number
  length      16b    specifies the maximum amount of data to be transferred

Fusée Gelée (CVE-2018-6242)
- request = GET_STATUS: copy the status variable to the high DMA buffer. Response size < length.

Fusée Gelée (CVE-2018-6242)
- request = GET_STATUS && recipient = ENDPOINT: copy the "length bytes buffer" to the high DMA buffer.
- Overwrite the application stack (no ASLR, no stack cookie).
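The two GET_STATUS slides describe a response whose copy length follows the host-supplied length field instead of the size of the status object. The added example below (my code, not the speaker's and not any firmware's) decodes the standard 8-byte USB setup packet into the fields of the table above and answers GET_STATUS the way a hardened handler should: the response size is fixed by the status object, and the length field can only shorten it, never extend it. The device/endpoint status values and the packets fed in are constructed for the example.

```python
"""Added example: decode a USB setup packet and serve GET_STATUS with a bounded copy.

Field layout is the standard USB control request; status values are constructed here.
"""
import struct

# bmRequestType bit fields: direction (1b) | type (2b) | recipient (5b)
TYPE_NAMES = {0: "standard", 1: "class", 2: "vendor", 3: "reserved"}
RECIPIENT_NAMES = {0: "device", 1: "interface", 2: "endpoint", 3: "other"}
REQUEST_GET_STATUS = 0x00
STATUS_SIZE = 2  # a GET_STATUS reply is always one 16-bit status word


def parse_setup_packet(pkt: bytes) -> dict:
    """Split the 8-byte setup packet into the fields listed in the table above."""
    if len(pkt) != 8:
        raise ValueError("setup packet must be exactly 8 bytes")
    bm_request_type, b_request, w_value, w_index, w_length = struct.unpack("<BBHHH", pkt)
    return {
        "direction": "in" if bm_request_type >> 7 else "out",
        "type": TYPE_NAMES[(bm_request_type >> 5) & 0x3],
        "recipient": RECIPIENT_NAMES.get(bm_request_type & 0x1F, "reserved"),
        "request": b_request,
        "value": w_value,
        "index": w_index,
        "length": w_length,
    }


def handle_get_status(req: dict, device_status: int, endpoint_status: dict) -> bytes:
    """Return the GET_STATUS payload. The copy length comes from the status object,
    never from the host's length field, which is only allowed to truncate it."""
    if req["request"] != REQUEST_GET_STATUS or req["type"] != "standard":
        raise ValueError("not a standard GET_STATUS request")
    if req["direction"] != "in":
        raise ValueError("GET_STATUS must be device-to-host")
    if req["recipient"] == "device":
        status = device_status
    elif req["recipient"] == "interface":
        status = 0  # interface status word is reserved-zero
    elif req["recipient"] == "endpoint":
        ep = req["index"] & 0x8F  # endpoint address: direction bit + number
        if ep not in endpoint_status:
            raise ValueError("unknown endpoint")  # a real stack would STALL here
        status = endpoint_status[ep]
    else:
        raise ValueError("unsupported recipient")
    payload = struct.pack("<H", status)            # exactly STATUS_SIZE bytes exist
    return payload[:min(req["length"], STATUS_SIZE)]  # host may ask for less, never more


if __name__ == "__main__":
    # Constructed packet: IN, standard, recipient=endpoint, GET_STATUS, index=0x81, length=2
    sample = bytes([0x82, 0x00, 0x00, 0x00, 0x81, 0x00, 0x02, 0x00])
    req = parse_setup_packet(sample)
    print(req, handle_get_status(req, 0x0000, {0x81: 0x0001}))
```

The point to take from the handler is the last line: whatever the host puts in the 16-bit length field, the device copies at most the two bytes that the status word actually occupies.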
Boot sequence
- Nintendo Switch boot sequence.

Boot sequence
- Nintendo Switch boot sequence, pwned: arbitrary code execution from BootROM.

Atmosphère
- Open source custom firmware for Nintendo Switch: "fusee-pri/sec", "exosphere", "stratosphere".

Fuzzing case (nx-fuzzer)
- System call fuzzer for Nintendo Switch.
- Detect crashes and reboot by using the watchdog.

nx-watchdog (DEMO)
- /dev/watchdog implementation on Switch.
- Firmware program based on hekate-ipl.
- NVIDIA Tegra WDT (see the manual and the Linux driver)
https://github.com/RKX1209/nx-watchdog

Summary
- Nintendo Switch internals.
- NSEMU: Nintendo Switch emulator
- r2nxdbg/plugin: analysis tool, debugger
- nx-fuzzer: system call fuzzer
- nx-watchdog: /dev/watchdog on Switch