Hacking Dock Hacking

[CthulhuLabs]

Forgive me if this has been covered elsewhere. I have done some Googling and do not see anything about this. I have some questions about the dock that I plan to investigate on my own but I do not want to waste time reimplementing things that have already been done.

I have a few questions regarding the dock. First off has anyone attached it to a computer yet? Either by taking it apart and attaching the USB-C directly to a computer or using a USB-C extension cable to it and then into a computer. I would like to know what USB device ID(s) it will show up as. Depending on the results it gives several options.

The first one is building a custom dock or secondary dock. If the USB to HDMI device used is generic, then we should be able to just buy a matching off the shelf unit and add it into a custom dock. I personally would like to build my own dock with my 3D printer. One where the front is open so it does not scratch the screen and so the dock is at an angle so it is lower profile. Getting the switch in and out of my entertainment center is a pain in the ass.

We can also use the dock as an attack vector for hacking the unit. There are certain Arduino boards that you can change the USB ID on it. If we change an arduino board to the same one as the USB to HDMI bridge the Switch should attempt to load it in as if it is the proper hardware. Depending how the driver support for this is implemented and how much trust Nintendo put into the USB to HDMI adapter we might have almost direct input into the underlying OS. If they were smart they would have implemented it in a secure way and not to trust it at all, however that security adds to programming complexity and to performance.

 

[DeslotlCL]

Hacking the dock? It's just a hdmi output for the switch, nothing less, nothing more. Even the usb ports don't have other porpuses more than just charging it and providing extra storage options. Not sure how it could be used to attack the system through the dock usb ports, we should have been able to do that since the wii came out.

 

[Duo8]

It actually uses DP alt mode, then uses a DP - HDMI in the dock to output HDMI. But it doesn't work with normal DP adapters I think.
There's also a USB hub controller for the USB ports.

 

[CthulhuLabs]

Depsy, one of the ways the PS3 was jailbroken was using USB.



They made a special USB device that fooled the PS3 into running arbitrary code. It is a perfectly valid hacking vector.

I understand that it is most likely using DisplayPort over USB-C and then using a DisplayPort to HDMI converter to get the HDMI output, but that does not mean there isn't more too it. If it is using a generic DisplayPort to HDMI adapter, can you plug any other generic DisplayPort to HDMI adapter into the USB-C port and get video out. If not then there is most likely some sort of communication between the DP to HDMI device and the Switch. If that is the case than that protocol is a valid attack vector, especially if the programmers wrote that communication with the assumption that the device will behave properly. If we can create a device using an Arduino that spoofs this device we can inject buffer overflows into this communication and potentially run arbitrary code.

 

[kargath]

I've also been interested in this, but I think I may just modify the dock that came with at this point. I haven't researched what all is on the board yet... http://www.gamersnexus.net/guides/2825-nintendo-switch-dock-joycon-teardown

 

[Deleted User]

I've also been interested in this, but I think I may just modify the dock that came with at this point. I haven't researched what all is on the board yet... http://www.gamersnexus.net/guides/2825-nintendo-switch-dock-joycon-teardown

well not only that. But the switch dock supports keyboards. Not full functioning but it does support certain parts of the os. such as naming a horse botw

 

[NWPlayer123]

people have probably posted better pictures of all the boards but here's my assembly instructions from how it was
https://twitter.com/NWPlayer123/status/848143656250859520
Also @DespyCL it's not "just an HDMI output", supplying power normally does not magically make it switch to TV mode so the dock is sending extra info to make it Switch and turn off the screen, it might be standard detection from seeing the USB-C supports video data or something else

 

[Supercool330]

So I looked into this quite a bit pre-launch. The dock appears to be several things, a USB 3 hub with USB Power Delivery support, a USB Type-C Display Port Alt-Mode adapter, and a Display Port to HDMI adapter with CEC pass-through. However, there are a lot of third-party docks out there that have these basic components, and they don't work with the switch. My guess is that the switch uses the device ids, or a virtual usb device to actually trigger docked mode. USB type-c sniffers are INSANELY expensive (like 10s of thousands of dollars), but it might be interesting to just connect the dock to a laptop or something with a USB Type-C extension cable and see what lsusb spits out.

 

[The Real Jdbye]

It actually uses DP alt mode, then uses a DP - HDMI in the dock to output HDMI. But it doesn't work with normal DP adapters I think.
There's also a USB hub controller for the USB ports.

It's not DP alt mode. According to iFixit's teardown there is a MyDP (SlimPort) chip in the dock, which is not the same.

Depsy, one of the ways the PS3 was jailbroken was using USB.



They made a special USB device that fooled the PS3 into running arbitrary code. It is a perfectly valid hacking vector.

I understand that it is most likely using DisplayPort over USB-C and then using a DisplayPort to HDMI converter to get the HDMI output, but that does not mean there isn't more too it. If it is using a generic DisplayPort to HDMI adapter, can you plug any other generic DisplayPort to HDMI adapter into the USB-C port and get video out. If not then there is most likely some sort of communication between the DP to HDMI device and the Switch. If that is the case than that protocol is a valid attack vector, especially if the programmers wrote that communication with the assumption that the device will behave properly. If we can create a device using an Arduino that spoofs this device we can inject buffer overflows into this communication and potentially run arbitrary code.

There seems to be a generic MyDP (SlimPort) to HDMI chip in the dock, but people have tried SlimPort adapters with it and have not been successful in getting them to work, and it's unclear why.

 

[gudenau]

Given Nintendo's history, a crazy USB descriptor could work. A while ago I managed to make a USBTeency crash my PC but the Wii I didn't care at all!

 

[DeslotlCL]

Depsy, one of the ways the PS3 was jailbroken was using USB.



They made a special USB device that fooled the PS3 into running arbitrary code. It is a perfectly valid hacking vector.

I understand that it is most likely using DisplayPort over USB-C and then using a DisplayPort to HDMI converter to get the HDMI output, but that does not mean there isn't more too it. If it is using a generic DisplayPort to HDMI adapter, can you plug any other generic DisplayPort to HDMI adapter into the USB-C port and get video out. If not then there is most likely some sort of communication between the DP to HDMI device and the Switch. If that is the case than that protocol is a valid attack vector, especially if the programmers wrote that communication with the assumption that the device will behave properly. If we can create a device using an Arduino that spoofs this device we can inject buffer overflows into this communication and potentially run arbitrary code.

That actually makes sense. Thanks for the info

people have probably posted better pictures of all the boards but here's my assembly instructions from how it was
https://twitter.com/NWPlayer123/status/848143656250859520
Also @DespyCL it's not "just an HDMI output", supplying power normally does not magically make it switch to TV mode so the dock is sending extra info to make it Switch and turn off the screen, it might be standard detection from seeing the USB-C supports video data or something else

omg omg NWPlayer123 replied to one of my comments

 

[JacksonS]

Don't expect any off-the-shelf parts to work. The dock has some flash memory in it which must contain proprietary code. Unless you can dump the code, you'd need those flash ICs from an original dock to make a custom dock.

 

[CthulhuLabs]

Don't expect any off-the-shelf parts to work. The dock has some flash memory in it which must contain proprietary code. Unless you can dump the code, you'd need those flash ICs from an original dock to make a custom dock.

After doing more research I have pretty much given up on using generic hardware to make my own dock. I will probably be modding my own.

As for using this as a hacking vector, I think this is definitely possible looking at the various chips and how the system is working. It all comes down to how much trust they put in the hardware behaving how the software expects. I will never underestimate lazy programmers under a time crunch to do stupid things.

As for sniffing the USB communications, it is a matter of tricking the bus to connect at slower speeds. USB 3.1 is backwards compatible with USB 1.1. As such if you take USB 1.1 hub and plug it in between the Switch and it's dock, the USB communication should still try to work. It will take some goofy cable arrangements to get this to work, but it should be doable. The devices will probably hate operating at that speed, but that shouldn't stop them from trying to do so. Just like if you plug a USB 3.0 thumb drive into a USB 1.1 port. If this works (I give it a 30% chance of doing so) then it is just a matter of using an Arduino to dump the USB bus. No $10K debuggers needed.

 

[The Real Jdbye]

After doing more research I have pretty much given up on using generic hardware to make my own dock. I will probably be modding my own.

As for using this as a hacking vector, I think this is definitely possible looking at the various chips and how the system is working. It all comes down to how much trust they put in the hardware behaving how the software expects. I will never underestimate lazy programmers under a time crunch to do stupid things.

As for sniffing the USB communications, it is a matter of tricking the bus to connect at slower speeds. USB 3.1 is backwards compatible with USB 1.1. As such if you take USB 1.1 hub and plug it in between the Switch and it's dock, the USB communication should still try to work. It will take some goofy cable arrangements to get this to work, but it should be doable. The devices will probably hate operating at that speed, but that shouldn't stop them from trying to do so. Just like if you plug a USB 3.0 thumb drive into a USB 1.1 port. If this works (I give it a 30% chance of doing so) then it is just a matter of using an Arduino to dump the USB bus. No $10K debuggers needed.

The MyDP portion of it would probably not work though as it requires the extra pins (I'm assuming)
If you're patient, it shouldn't be too long before 3rd party docks, or breakout boards/"hubs" designed for on the go use surface. It's using a fairly standard protocol, but something is preventing 3rd party ones from working, it could be something as simple as the Switch checking the hardware ID of the device and refusing to communicate with it if it doesn't match what's expected, but that's up to hardware manufacturers to figure out and then implement into a 3rd party device. I wouldn't expect the 3rd party ones to cost much at all since it is a fairly standard protocol, whereas the official dock is really expensive. I'm definitely going to be on the lookout for a breakout board/"hub" style one suited for on the go use that I can bring with me when I go places rather than the big bulky dock. I'll just stick to using the official dock at home.

 

[OfficialFBomb]

There are people who already made new dock kits, implant the guts to something better, can't post a link bit I'm sure Google will help..

 

[Risingdawn]

It would be good to see some cheap 3rd party docks, simply for hooking up to multiple rooms in the house.

 

[GaM3r2Xtreme]

I wonder why they use MyDP instead of just going directly to HDMI alt mode. I read up on an article it was announced there is a protocol for it, but I don't know how far into development it is.

I'd love to see or build a portable dock with minimal features. Just a power and display port for when your taking the switch to a friend's place.

 

[CthulhuLabs]

DP over USB-C is a fully developed protocol.

I can think of three reasons why they would do it this way.

1) Nintendo wanted control over what hardware could be used with the system. This is very typical of them. If they used a standard compliant protocol then anyone could build a compatible dock and they would lose out on the sales or royalties from third party sales. This would also explain why it does not work with normal MyDP chips and requires their own special chips. Only authorized hardware manufacturers can probably get those chips.

2) The built in graphics are either not capable of pushing out the DisplayPort protocol or doing so would be too much of a hardware hit. As such they used a simpler protocol to push the data to an off board chip for final rendering.

3) ***The most exciting*** Nintendo was thinking about future expansion. By using a lower level protocol than DP they can offer a higher end dock down the road that offers improved capabilities like 4K. This is not uncommon for Nintendo. The N64 had that memory expansion. Plus such a device has been rumored to be in development, and the source of the rumor has brought up several other things that turned out to be true.

 

[Duo8]

DP over USB-C is a fully developed protocol.

I can think of three reasons why they would do it this way.

1) Nintendo wanted control over what hardware could be used with the system. This is very typical of them. If they used a standard compliant protocol then anyone could build a compatible dock and they would lose out on the sales or royalties from third party sales. This would also explain why it does not work with normal MyDP chips and requires their own special chips. Only authorized hardware manufacturers can probably get those chips.

2) The built in graphics are either not capable of pushing out the DisplayPort protocol or doing so would be too much of a hardware hit. As such they used a simpler protocol to push the data to an off board chip for final rendering.

3) ***The most exciting*** Nintendo was thinking about future expansion. By using a lower level protocol than DP they can offer a higher end dock down the road that offers improved capabilities like 4K. This is not uncommon for Nintendo. The N64 had that memory expansion. Plus such a device has been rumored to be in development, and the source of the rumor has brought up several other things that turned out to be true.

1: There are better ways to do that and that's what they're doing anyway.
2: It's still DP. I think the soc can do DP video and audio.
3: It's still DP.

 

[Kadji]

From https://github.com/dekuNukem/Nintendo_Switch_Reverse_Engineering (at the bottom of the Page):

Docking station firmware dump
The docking station uses a STM32F048 microcontroller. It's actually labeled as STM32P048 because it uses the FASTROM option where ST pre-programs the flash memory inside the factory. It has 32KB flash memory and 6KB RAM, runs at 48MHz.

It uses SWD debugging and programming interface, and interestingly the programming testpoints are on the PCB and clearly labeled. After connecting a ST-Link programmer to it reveals that the chip is not read-protected at all, so a firmware dump was easily made. I'm not going to post it in the repo, but if you want it just ask.

May be helpfull information, maybe get in contact with him?