Commit 97302777 authored by PoroCYon

add stuff

bin/
obj/
*.pdf
default: all
USE_LATEXMK := $(shell which latexmk >/dev/null 2>&1 && echo 1 || echo 0)
PDFVIEW ?= mupdf
PAGER ?= less
PDFLATEX ?= pdflatex
TARGET := pres
ifneq ($(USE_LATEXMK),0)
LATEXMK ?= latexmk
LATEXMKFLAGS ?= -pdf -Werror -f- -use-make -outdir=../obj/ \
-pdflatex="$(PDFLATEX) -interaction=nonstopmode"
else
PDFLATEXFLAGS ?= -output-directory=../obj/
endif
BIBSRC := $(shell find ref -type f -name "*.bib")
TEXSRC := $(shell find src -type f -name "*.tex")
%/:
@mkdir -vp "$@"
obj/$(TARGET).pdf: src/$(TARGET).tex obj/ $(filter-out src/$(TARGET).tex,$(TEXSRC))
ifneq ($(USE_LATEXMK),0)
cd src && $(LATEXMK) $(LATEXMKFLAGS) "../$<"
else
cd src && $(PDFLATEX) $(PDFLATEXFLAGS) "../$<"
endif
bin/$(TARGET).pdf: obj/$(TARGET).pdf bin/
@cp -v "$<" "$@"
all: bin/$(TARGET).pdf
@cp "$<" "nl21brom.pdf"
clean:
ifneq ($(USE_LATEXMK),0)
$(LATEXMK) -CA $(LATEXMKFLAGS) src/$(TARGET).tex
else
@-$(RM) -v obj/*
endif
@-$(RM) -v bin/$(TARGET).pdf TODO obj/*
view: bin/$(TARGET).pdf
$(PDFVIEW) "$<"
.PHONY: default all clean view todo
todo:
rg -g '*.tex' -F TODO -p -C 2 | tee TODO | $(PAGER) -RS
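Review bot: The rule for `obj/$(TARGET).pdf` lists the directory `obj/` as a normal prerequisite and never lists `$(BIBSRC)`, which is defined but not referenced in any visible rule. A directory's mtime changes whenever a file is created in it, so the PDF can look out of date after every build, while a change to only a `.bib` file under `ref/` does not make Make re-run latexmk or pdflatex. Make the directory order-only and add the bibliography sources: `obj/$(TARGET).pdf: src/$(TARGET).tex $(filter-out src/$(TARGET).tex,$(TEXSRC)) $(BIBSRC) | obj/`. The main file stays first, so `"../$<"` still works. The `bin/$(TARGET).pdf` rule has the same directory problem and would become `bin/$(TARGET).pdf: obj/$(TARGET).pdf | bin/`.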
% vim: set ft=tex:
\section{ARM9 ROM}
\begin{frame}{Possible approaches}
\begin{itemize}
\item \texttt{SCFG\_ROMWE} magic switch
\item Glitch ARM7 and take over, pretend to be regular boot ROM,
don't do lockout, glitch ARM9 to skip lockup check, resume normal
boot
\item Put payload in TCMs, NWRAM, glitch to jump to it
\item Variants of the above 2
\end{itemize}
\end{frame}
\begin{frame}{\texttt{SCFG\_ROMWE} magic}
\begin{itemize}
\item Is it the ARM9 reset signal?
\item Does it make \texttt{SCFG\_ROM} non-oneshot?
\item Does it make the ROM area writable??
\pause
\item Glitching the write doesn't seem to work: timing too tight, or
it's hardwired to 0
\end{itemize}
\end{frame}
\begin{frame}{ARM7 takeover}
\begin{itemize}
\item Fake ARM7 bootrom execution: start from where? (when does the
glitch happen?)
\item ARM cores need to go to the stage2 entrypoint at the same point:
how does the ARM7 know the ARM9 has been glitched successfully?
\item Lots of possible mistakes to be made in payload code
\pause
\item Can have signals to trigger the glitcher to target the ARM9 now,
as opposed to blind lockout skip glitching
\end{itemize}
\end{frame}
\begin{frame}{ARM9 glitch}
\begin{itemize}
\item Need payload in NWRAM: how?
\item Output: only AUXSPI available on ARM9, needs ARM7-side init
\item From eMMC: won't be able to boot Unlaunch anymore, eMMC wears
out \emph{really} fast. Init AUXSPI using ntrboot: will cause CPUs
to suspend in later stages when hardwiring lid open/close.
\item From ARM7: need to glitch it, too. Init AUXSPI from ARM7 payload.
\pause
\item No double glitching required, easier on the software side
\end{itemize}
\end{frame}
\begin{frame}{This is hard}
\begin{itemize}
\item Trying ARM7 takeover method, Currently working on checking where
the ARM7 is glitched.
\end{itemize}
~\\~\\~\\
\centering
{\large Suggestions are welcome}
\end{frame}
% vim: set ft=tex:
\section{Analyzing the ROM}
\begin{frame}{What's in the boot ROM?}
\begin{itemize}
\item AES keys
\item Blowfish keys
\item No RSA keys, sadly
\item It's mostly code
\end{itemize}
\end{frame}
\begin{frame}{Boot flow}
% \begin{enumerate}
% \item Disable IRQs, set up \texttt{BIOSPROT}, get a stack
% \item Clear RAM vectors, more hw init%Set up NWRAM, timers,
% %\item Set up \texttt{.data}, \texttt{.bss}
% %\item Initialize AES, DMA
% \item Read byte from SPI flash: boot medium selection
% %\item Initialize SD/MMC controller
% \item Send FIFO notification to ARM9
% \item Read boot header (offset, load address, entrypoint, size,
% signature)
% \item Send header to ARM9 over FIFO
% \item Wait for ARM9 response
% \item Load stage2 blobs, send to ARM9, wait for verification
% \item If OK: copy key data to WRAM, reset hardware, send FIFO
% notification, lock bootroms, jump to stage2 entrypoint
% (public code)
% \item If not OK: lock up
% \end{enumerate}
\centering
\includegraphics[width=0.9\textheight,angle=90,origin=c]{bootflow}
\end{frame}
\begin{frame}{Extra finds}
\begin{itemize}
\item Boot ROM clears bit 0 of \texttt{0x04004002} on entry
(``\texttt{SCFG\_ROMWE}''), unknown MMIO register
\item Extra recovery boot method: will try to boot from game cart
on magic keycombo (A, start, select, lid closed) \\
$\Rightarrow$ ntrboot! 3DS has this, too. Needs RSA signature.
(explains the Blowfish keys)
\item Observeable: booting into Unlaunch 0.8 with magic keycombo will
initialize \texttt{SCFG\_MC} and power up game cart.
\end{itemize}
\end{frame}
\note{``lid closed'': checked by sensing magnet from loudspeaker in upper half
(demo putting a DSi to sleep on stage, using a magnet?)}
\begin{frame}{Vulnerability search}
\begin{itemize}
\item No sighax (required for ntrboot): 3DS uses ASN.1 (with broken
parser), DSi uses raw signatures.
\item 3DS bootrom has callback function pointers to be sent between
ARM cores, DSi doesn't do this.
\item Several people have looked at it, and found nothing.
\pause
\item DSi is more secure than the 3DS
\item No cheap way to dump the ARM9, need another round of glitching
\end{itemize}
\end{frame}
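Review bot: The "Extra finds" frame prints `Observeable` on the slide; it should read `Observable`. The same kind of slip appears in the later "Dumping the ROM" section. The "DSi vector glitch" frame shows `decouping capactiors` where the speaker note right after it has the correct `Decoupling capacitors`. The note after "At the lab" has `foto` for `photo`.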
% vim: set ft=tex:
\section{DSi boot ROMs}
\begin{frame}{General structure}
\begin{itemize}
\item 64k in size
\item 2 parts: `public' and `private' (each 32k)
\item `Public' part: GBA-style protection, aka ``BIOS''
\item `Private' part: detached from bus after boot!
\item ARM7: \texttt{0x00000000}, ARM9: \texttt{0xffff0000}
\pause
\item Nintendo source leaks last year: have (almost) everything...
except boot ROMs.
\end{itemize}
\end{frame}
\begin{frame}{Public part}
\begin{itemize}
\item Vector table: reset, IRQ, software interrupt, etc.
\item Reset: \texttt{b +0x8000}...
\item Others: read pointer from RAM, jump to it
\item \texttt{swi} calls: much like GBA/NDS
\end{itemize}
\end{frame}
\begin{frame}{BIOS routines}
\begin{itemize}
\item System reset/power management helpers (eg. suspend CPU, softreset)
\item \texttt{memcpy}, \texttt{memset}, \texttt{sqrt}, ...
\item LZ77 and Huffman decompression
\item CRC16, SHA1, RSA routines
\item Sound helpers: sine, pitch lookup tables
\end{itemize}
\end{frame}
\begin{frame}{Private part}
\begin{itemize}
\item Boot stuff? Needs to load and start stage2.
\item eMMC driver? stage2 resides here.
\item AES, RSA keys? stage2 is encrypted (with a global key) and RSA-signed.
\item ???
\end{itemize}
\end{frame}
\begin{frame}{Observing the boot ROM}
\begin{itemize}
\item eMMC access happens
\item But also SPI flash (on wifi daughterboard)
\item Leaks keys to ARM7 WRAM and ARM9 TCMs (dumpable using stage2 \texttt{title.tmd}
parsing bug: Unlaunch\footnote{\url{https://problemkaputt.de/unlaunch.htm}})
\end{itemize}
\end{frame}
\begin{frame}{Observing the boot ROM}
\begin{itemize}
\item Lockout needs to happen in public part: \texttt{SCFG\_ROM} access
visible
\item ARM7: sets `private part disable' bits
\item ARM9: waits until bits are set
\item Same code copies keys to RAM, then jumps to an address in a
register
\end{itemize}
\end{frame}
% vim: set ft=tex:
\section{Dumping the ROM}
\begin{frame}{Why me?}
\begin{itemize}
\item Arisotura (melonDS dev) was working on DSi emulation, annoyed by
lack of boot ROM dump
\item Quite a bit of equipment needed she doesn't have
\item I said ``I'll do it, I have no idea how, but I can use stuff from
my uni''
\end{itemize}
\end{frame}
\begin{frame}{Strategies}
\begin{itemize}
\item Reset \texttt{SCFG\_ROM} bits\only<2->{: register is one-shot...}
\item Glitch RSA verification check\only<3->{: nobody knows when/how this happens,
doesn't stop lockout}\only<1-2>{~\\~\\}
\item Glitch to skip over lockout\only<4->{: will hang ARM9, double glitch is
very impractical}
\item<5-> ``vector glitch'': RAM also not cleared on reset on DSi!
\end{itemize}
\end{frame}
\begin{frame}{DSi vector glitch}
\begin{itemize}
\item Already attempted by Nocash et al\footnote{
\url{http://4dsdev.kuribo64.net/thread.php?id=130}} (voltage
glitching)
\item Blasty and others also tried some approaches
\item Nobody succeeded
\item<2-> ARM9: vector seems to only run after lockout\only<3->{:
possible explanation: FCRAM disabled during stage1}
\only<1-2>{~\\~\\}
\item<2-> ARM7: couldn't get it to glitch \only<3->{(Nocash didn't
remove decouping capactiors...)}
\end{itemize}
\end{frame}
\note{Decoupling capacitors: capacitors close to an IC, connected to power
rails, used to filter out noise from other components. When shorting VCC to
GND, these cause a slowdown in the voltage drop.}
\begin{frame}{Glitching setup}
\begin{itemize}
\item Use EMFI instead of voltage glitching: less intrusive, more
precise, no decoupling capacitor problems
\item Many parameters: time offset from trigger, duration, strength, X-
Y- and Z-position of inductor coil
\item Before we glitch the boot ROMs, we need to be able to glitch
code in the first place
\end{itemize}
\end{frame}
\begin{frame}{At the lab}
\begin{columns}[T]
\begin{column}{.7\textwidth}
\begin{itemize}
\item Check: persistent RAM regions: FCRAM, some parts of WRAM/NWRAM,
``Wifi RAM'' (messagebox region)
\item Check: \texttt{CE2} pin enabled long after \texttt{eMMC} reads
$\Rightarrow$ stage2 loaded into NWRAM
\item \texttt{printf}-debugging over I2C, GPIO and CAM LED signalling
for glitch controller
\item Wifi daughterboard needs to be moved (on top of SoC), but cannot
be detached (SPI flash) $\Rightarrow$ annoying wiring needed
\item Need Unlaunch 0.8 to avoid having to initialize Wifi chip
\end{itemize}
\end{column}
\begin{column}{.3\textwidth}
\centering
\includegraphics[height=0.5\textheight]{dsimess}
\end{column}
\end{columns}
\end{frame}
\note{wifi RAM: packages are passed to/from wifi chip here
~\\
grey thing at the top of the foto: is wifi chip, was above 3 black chips
(top-bottom: SoC, FCRAM, eMMC): obstruction for EM probe
~\\
stage1 reads from SPI flash on wifi board: access needs to be available,
otherwise won't boot
~\\
Unlaunch: newer versions init touchscreen, wifi, etc., which would then also
hang. Ninty stage2 also does this}
\begin{frame}{Test setup}
\begin{enumerate}
\item Set up undefined instruction vector
\item Set \texttt{GPIO330} low: signal to controller to start glitching
\item Run code that does nothing (in persistent Wifi RAM)
\item On undefined instruction: blink \texttt{CAMLED}
\item Let it run to test many duration, strength, position combinations
\item Hope one parameter set causes \texttt{CAMLED} blinking
\end{enumerate}
\end{frame}
\begin{frame}{Test results}
\begin{columns}[T]
\begin{column}{.5\textwidth}
\begin{itemize}
\item After many months... nothing
%\pause
\only<2->{\item We used a commercial glitching device
\item EM probe replaced by custom design (used in earlier research)%
\footnotemark[1]
\item This worked right away!}
%\pause
\only<3->{\item (Then the stepper broke due to unrelated reasons and needed a
week for replacement parts to arrive, and thus also redo the
test scan.)}
\end{itemize}
\end{column}
\begin{column}{.5\textwidth}
\only<1>{\includegraphics[height=0.7\textheight]{dsiglitch1}}
\only<2>{\includegraphics[height=0.7\textheight]{dsiglitch2}}
\only<3>{\includegraphics[height=0.7\textheight]{dsiglitch3}}
\end{column}
\end{columns}
\footnotetext[1]{\url{https://youtube.com/watch?v=DuP7TsqDr1M}}
\end{frame}
\begin{frame}{Payload}
\begin{itemize}
\item Put ``on glitch successful'' code in Wifi RAM
\item Set up exception vectors
\item Fill \emph{all} WRAM and NWRAM with NOP sleds to Wifi RAM
\item NOP sled: enables Wifi RAM in \texttt{POWCNT2} (otherwise not
accessible), jumps to it. Needs to be working ARM \emph{and} Thumb
code.
\item Payload read \texttt{SCFG\_ROM} register, toggle either
\texttt{GPIO330} or \texttt{CAMLED} depending on boot ROM availability
\item On success, write it out over I2C
\item On failure, reboot using BPTWL
\item Available at
\url{https://git.titandemo.org/PoroCYon/dsi-bios-payload} for your
interest
\end{itemize}
\end{frame}
\begin{frame}{Results}
\begin{columns}[T]
\begin{column}{.5\textwidth}
\begin{itemize}
\item It works!
\item About 26k in size, has ``\texttt{NINTENDO}'' strings
\item Looks like ARM code
\item SHA512 = \\
\texttt{a0ae160a76d305dc3f368aa205dfc979}
\texttt{bff64637d6637a6fedd81178a306f2d3}
\texttt{09316b8f8d12481bc17831657709affc}
\texttt{3f0c6e393f559cbbe9a099a98a1d4e4b}
\item Entry \texttt{z005} in the No-Intro DSi database
\end{itemize}
\end{column}
\begin{column}{.5\textwidth}
% \begin{lstlisting}
\tiny
\texttt{00008000 78 30 9f e5 00 10 d3 e5 01 10 c1 e3 00 10 c3 e5} \\
\texttt{00008010 01 c3 a0 e3 08 c2 8c e5 64 30 9f e5 20 10 a0 e3} \\
\texttt{00008020 b0 10 c3 e1 13 00 a0 e3 00 f0 21 e1 54 d0 9f e5} \\
\texttt{00008030 12 00 a0 e3 00 f0 21 e1 4c 00 9f e5 00 d0 a0 e1} \\
\texttt{00008040 01 1b a0 e3 01 10 40 e0 1f 00 a0 e3 00 f0 2f e1} \\
\texttt{00008050 04 d0 41 e2 00 00 a0 e3 01 13 a0 e3 01 2b a0 e3} \\
\texttt{00008060 02 10 41 e0 32 00 00 eb 09 00 00 eb 16 00 00 eb} \\
\texttt{00008070 18 10 9f e5 00 e0 8f e2 11 ff 2f e1 fe ff ff ea} \\
\texttt{00008080 02 40 00 04 08 03 00 04 c0 ff ff 03 80 ff ff 03} \\
% \end{lstlisting}
\end{column}
\end{columns}
\end{frame}
\note{``Looks like ARM code'': \texttt{0xEx} in column 4,8,12,16: ARM condition
code/predicate field in insn encoding}
% vim: set ft=tex:
\section{DSi hardware overview}
\begin{frame}{Nintendo DS}
\centering
\includegraphics[width=0.8\textwidth]{diagram-ntr}
\begin{itemize}
\item Two processors: ARM7 and ARM9
\item ARM9 does graphics, ARM7 does sound and peripherals
\end{itemize}
\end{frame}
\begin{frame}{Nintendo DSi}
\centering
\includegraphics[width=0.8\textwidth]{diagram-twl}
\begin{itemize}
\item Faster, new peripherals, more RAM, eMMC
\end{itemize}
{\tiny Original (NDS) image source: \url{https://www.copetti.org/writings/consoles/nintendo-ds/}}
\end{frame}
%\begin{frame}{Interesting parts}
\note{
\begin{itemize}
\item FCRAM, eMMC, ROMs, AES
\item NWRAM: complex mapping scheme
\item SPI, I2C, RTC, GPIO (not shown), gamecart AUXSPI
\item BPTWL: performs low-level reboot procedure, LED control
\item SCFG: DSi system config registers, fuse: ConsoleID
\end{itemize}
}
%\end{frame}
% vim: set ft=tex:
\section{Introduction}
\begin{frame}{Whoami}
\begin{itemize}
\item Democoder at K2 and Titan
\item Made a few Nintendo DS demos
\item Contributor of melonDS (eg. DSP emulation)
\end{itemize}
\end{frame}
\note{Other stuff I've done: Linux demoscene 4k intro tooling, Terraria
modding, ..., not very relevant here
~\\
Tried to come to Newline 2 times before, but didn't happen (eg. broke my arms)}
\begin{frame}{DSi boot ROMs}
\begin{itemize}
\item Only\footnote{mostly} unknown part of the DSi
\item Longest to be dumped (13y for DSi vs 10 for GBC)
\item People tried to dump them, and failed
\end{itemize}
\end{frame}
\begin{frame}{Glitching}
\begin{itemize}
\item Cause sudden, transient hardware malfunctions, typically only for
a few clock cycles, otherwise hardware shuts down, or gets bricked
\end{itemize}
\only<2>{
\begin{columns}[T]
\begin{column}{.7\textwidth}
\begin{description}
\item \textbf{Voltage glitching}: short VCC to GND
$\Rightarrow$ results become low when they should be
high in CMOS logic
\end{description}
\end{column}
\begin{column}{.3\textwidth}
\centering
\includegraphics[height=0.6\textheight]{CMOS_NAND} ~\\
{\tiny Source: Wikimedia}
\end{column}
\end{columns}
}
\only<3>{
\begin{description}
\item[\textbf{Clock glitching}:] suddenly speed up clock, violates
setup and hold times of memory elements
\end{description}
\begin{columns}[T]
\begin{column}{.5\textwidth}
\centering
\includegraphics[height=0.5\textheight]{SetupHold} ~\\
{\tiny: Source: Dave Pereles at DesignNews}
\end{column}
\begin{column}{.5\textwidth}
\centering
\includegraphics[height=0.2\textheight]{clockglitch} ~\\
{\tiny: Source: US patent 08319524}
\end{column}
\end{columns}
}
\only<4>{
\begin{description}
\item[\textbf{Electromagnetic Field Injection}:] induce eddy currents
in interconnects between transistors
\end{description}
\begin{columns}[T]
\begin{column}{.5\textwidth}
\centering
%\includegraphics[height=0.5\textheight]{emfi-stnucleo} ~\\
\includegraphics[height=0.5\textheight]{Chip-Stack} ~\\
{\tiny: Source: Applus}
\end{column}
\begin{column}{.5\textwidth}
\centering
\includegraphics[height=0.5\textheight]{emfi2} ~\\
{\tiny: Source: COSIC}
\end{column}
\end{columns}
}
\only<5>{
\begin{description}
\item[\textbf{Laser fault injection}:] generate electron-hole pairs in
semiconductor, causing extra currents and voltage biases
\end{description}
\centering
\includegraphics[height=0.5\textheight]{LaserFI} ~\\
{\tiny: Source: COSIC}
}
\end{frame}
\note{laser FI: often not used: needs hole in package}
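Review bot: The five image credits written as `{\tiny: Source: ...}` in the clock-glitching, EMFI and laser overlays of the "Glitching" frame typeset a literal leading colon, because `\tiny` is a switch and takes no argument. The voltage-glitching overlay already has the intended form, `{\tiny Source: Wikimedia}`, so drop the colon after `\tiny` in the other five. In the same frame the first `description` entry is written `\item \textbf{Voltage glitching}: ...` without the optional label. Unlike the other three `\item[\textbf{...}:]` entries, it is set as body text rather than as the item label; `\item[\textbf{Voltage glitching}:]` would match them.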
mktexpk --mfmode / --bdpi 600 --mag 1+0/600 --dpi 600 mathkerncmssi9
mktexpk --mfmode / --bdpi 600 --mag 1+0/600 --dpi 600 mathkerncmssi9
% vim: set ft=tex:
\section{Other DSi secrets}
\begin{frame}{ntrboot}
\begin{itemize}
\item No sighax: will need another exploit
\item Hopefully some vulns in ARM9 boot ROM, or, magic \texttt{0x0c}
field in header: ASN.1 vs raw signature selection?
\item If not, need to factor an RSA-1024 public key
\end{itemize}
\end{frame}
\begin{frame}{Other obscure DSi things (1)}
\begin{itemize}
\item DSP: no ROM, executes directly from NWRAM, can now be used, eg.