Dock Hacking

Discussion in 'Switch - Hacking & Homebrew' started by CthulhuLabs, Apr 3, 2017.

  1. CthulhuLabs
    OP

    CthulhuLabs Member

    Newcomer
    11
    13
    Apr 3, 2017
    United States
    Forgive me if this has been covered elsewhere. I have done some Googling and do not see anything about this. I have some questions about the dock that I plan to investigate on my own but I do not want to waste time reimplementing things that have already been done.

    I have a few questions regarding the dock. First off has anyone attached it to a computer yet? Either by taking it apart and attaching the USB-C directly to a computer or using a USB-C extension cable to it and then into a computer. I would like to know what USB device ID(s) it will show up as. Depending on the results it gives several options.

    The first one is building a custom dock or secondary dock. If the USB to HDMI device used is generic, then we should be able to just buy a matching off the shelf unit and add it into a custom dock. I personally would like to build my own dock with my 3D printer. One where the front is open so it does not scratch the screen and so the dock is at an angle so it is lower profile. Getting the switch in and out of my entertainment center is a pain in the ass.

    We can also use the dock as an attack vector for hacking the unit. There are certain Arduino boards that you can change the USB ID on. If we change an Arduino board to the same one as the USB to HDMI bridge the Switch should attempt to load it in as if it is the proper hardware. Depending on how the driver support for this is implemented and how much trust Nintendo put into the USB to HDMI adapter we might have almost direct input into the underlying OS. If they were smart they would have implemented it in a secure way and not trusted it at all, however that security adds to programming complexity and to performance.
     
    elBenyo, alpmaster and ElijahZAwesome like this.


  2. DeslotlCL

    DeslotlCL GBAtemp's Saint Holy Sword Dragon

    Member
    1,889
    2,083
    Oct 28, 2015
    Chile
    under your bed
    Hacking the dock? It's just an HDMI output for the switch, nothing less, nothing more. Even the usb ports don't have other purposes more than just charging it and providing extra storage options. Not sure how it could be used to attack the system through the dock usb ports, we should have been able to do that since the wii came out.
     
    V0idst4r likes this.
  3. Duo8

    Duo8 I don't like video games

    Member
    3,440
    1,139
    Jul 16, 2013
    It actually uses DP alt mode, then uses a DP - HDMI in the dock to output HDMI. But it doesn't work with normal DP adapters I think.
    There's also a USB hub controller for the USB ports.
     
    elBenyo likes this.
  4. CthulhuLabs
    OP

    CthulhuLabs Member

    Newcomer
    11
    13
    Apr 3, 2017
    United States
    Depsy, one of the ways the PS3 was jailbroken was using USB.



    They made a special USB device that fooled the PS3 into running arbitrary code. It is a perfectly valid hacking vector.

    I understand that it is most likely using DisplayPort over USB-C and then using a DisplayPort to HDMI converter to get the HDMI output, but that does not mean there isn't more to it. If it is using a generic DisplayPort to HDMI adapter, can you plug any other generic DisplayPort to HDMI adapter into the USB-C port and get video out? If not then there is most likely some sort of communication between the DP to HDMI device and the Switch. If that is the case then that protocol is a valid attack vector, especially if the programmers wrote that communication with the assumption that the device will behave properly. If we can create a device using an Arduino that spoofs this device we can inject buffer overflows into this communication and potentially run arbitrary code.
     
    Last edited by CthulhuLabs, Apr 3, 2017
    elBenyo, DayVeeBoi and DeslotlCL like this.
  5. kargath

    kargath Member

    Newcomer
    18
    13
    Mar 29, 2007
    United States
  6. monkeyman4412

    monkeyman4412 GBAtemp Advanced Fan

    Member
    691
    158
    Jun 16, 2016
    United States
    well not only that. But the switch dock supports keyboards. Not full functioning but it does support certain parts of the os. such as naming a horse botw
     
  7. NWPlayer123

    NWPlayer123 GBAtemp Addict

    Member
    2,629
    6,226
    Feb 17, 2012
    United States
    The Everfree Forest
    people have probably posted better pictures of all the boards but here's my assembly instructions from how it was
    https://twitter.com/NWPlayer123/status/848143656250859520
    Also @DespyCL it's not "just an HDMI output", supplying power normally does not magically make it switch to TV mode so the dock is sending extra info to make it Switch and turn off the screen, it might be standard detection from seeing the USB-C supports video data or something else
     
  8. Supercool330

    Supercool330 GBAtemp Advanced Fan

    Member
    685
    140
    Sep 28, 2008
    United States
    So I looked into this quite a bit pre-launch. The dock appears to be several things, a USB 3 hub with USB Power Delivery support, a USB Type-C Display Port Alt-Mode adapter, and a Display Port to HDMI adapter with CEC pass-through. However, there are a lot of third-party docks out there that have these basic components, and they don't work with the switch. My guess is that the switch uses the device ids, or a virtual usb device to actually trigger docked mode. USB type-c sniffers are INSANELY expensive (like 10s of thousands of dollars), but it might be interesting to just connect the dock to a laptop or something with a USB Type-C extension cable and see what lsusb spits out.
     
    V0idst4r likes this.
  9. The Real Jdbye

    The Real Jdbye Always Remember 30/07/08

    Member
    11,868
    5,018
    Mar 17, 2010
    Norway
    Alola
    It's not DP alt mode. According to iFixit's teardown there is a MyDP (SlimPort) chip in the dock, which is not the same.
    There seems to be a generic MyDP (SlimPort) to HDMI chip in the dock, but people have tried SlimPort adapters with it and have not been successful in getting them to work, and it's unclear why.
     
    Last edited by The Real Jdbye, Apr 4, 2017
    TotalInsanity4 likes this.
  10. gudenau

    gudenau Never a unique idea

    Member
    3,257
    1,225
    Jul 7, 2010
    United States
    /dev/random
    Given Nintendo's history, a crazy USB descriptor could work. A while ago I managed to make a USBTeency crash my PC but the Wii I didn't care at all!
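
The concern raised in this thread is a host that trusts length and count fields supplied by the attached USB device. As an added example (not part of any post here and not Nintendo's code), this is how a host can validate a configuration descriptor before using it; the function names, status codes and sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { DT_CONFIG = 2, DT_INTERFACE = 4, DT_ENDPOINT = 5 };   /* USB 2.0 type codes */
enum { DESC_OK = 0, DESC_TRUNCATED = -1, DESC_BAD_TYPE = -2,
       DESC_BAD_TOTAL = -3, DESC_BAD_LENGTH = -4, DESC_BAD_COUNT = -5 };

/* Constructed sample: config (9 bytes) + interface (9) + bulk IN endpoint (7). */
static const uint8_t sample[25] = {
    9, DT_CONFIG, 25, 0, 1, 1, 0, 0x80, 50,
    9, DT_INTERFACE, 0, 0, 1, 0xFF, 0, 0, 0,
    7, DT_ENDPOINT, 0x81, 2, 64, 0, 0 };

static size_t min_len(uint8_t type) {   /* smallest legal bLength per type */
    return type == DT_ENDPOINT ? 7 : (type == DT_CONFIG || type == DT_INTERFACE) ? 9 : 2;
}

/* `got` is the byte count actually received; every field is device-controlled. */
int validate_config(const uint8_t *buf, size_t got) {
    if (got < 9) return DESC_TRUNCATED;
    if (buf[1] != DT_CONFIG) return DESC_BAD_TYPE;
    size_t total = (size_t)buf[2] | ((size_t)buf[3] << 8);   /* wTotalLength */
    if (total < 9 || total > got) return DESC_BAD_TOTAL;     /* never read past got */
    unsigned interfaces = 0;
    for (size_t off = 0; off < total; ) {
        if (total - off < 2) return DESC_TRUNCATED;          /* no room for a header */
        size_t len = buf[off];
        uint8_t type = buf[off + 1];
        /* Rejects bLength 0 (endless loop) and lengths that overrun the buffer. */
        if (len < min_len(type) || len > total - off) return DESC_BAD_LENGTH;
        if (type == DT_INTERFACE && buf[off + 3] == 0) interfaces++;  /* alt setting 0 */
        off += len;
    }
    return interfaces == buf[4] ? DESC_OK : DESC_BAD_COUNT;  /* bNumInterfaces */
}

/* Overwrite one byte of the constructed sample and validate the result. */
int check_mutated(size_t idx, uint8_t val) {
    uint8_t buf[sizeof sample];
    memcpy(buf, sample, sizeof sample);
    if (idx < sizeof buf) buf[idx] = val;
    return validate_config(buf, sizeof buf);
}

int main(void) {
    printf("intact=%d zero_bLength=%d\n", check_mutated(0, 9), check_mutated(18, 0));
    return 0;
}
```

The same rule applies to any vendor-specific exchange between a dock and its host: bound each device-supplied length against the bytes actually received before indexing with it.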
     
  11. DeslotlCL

    DeslotlCL GBAtemp's Saint Holy Sword Dragon

    Member
    1,889
    2,083
    Oct 28, 2015
    Chile
    under your bed
    That actually makes sense. Thanks for the info :)
    omg omg NWPlayer123 replied to one of my comments :D
     
  12. JacksonS

    JacksonS GBAtemp Fan

    Member
    383
    122
    Feb 13, 2016
    United States
    Georgia
    Don't expect any off-the-shelf parts to work. The dock has some flash memory in it which must contain proprietary code. Unless you can dump the code, you'd need those flash ICs from an original dock to make a custom dock.
     
    alpmaster likes this.
  13. CthulhuLabs
    OP

    CthulhuLabs Member

    Newcomer
    11
    13
    Apr 3, 2017
    United States
    After doing more research I have pretty much given up on using generic hardware to make my own dock. I will probably be modding my own.

    As for using this as a hacking vector, I think this is definitely possible looking at the various chips and how the system is working. It all comes down to how much trust they put in the hardware behaving how the software expects. I will never underestimate lazy programmers under a time crunch to do stupid things.

    As for sniffing the USB communications, it is a matter of tricking the bus to connect at slower speeds. USB 3.1 is backwards compatible with USB 1.1. As such if you take a USB 1.1 hub and plug it in between the Switch and its dock, the USB communication should still try to work. It will take some goofy cable arrangements to get this to work, but it should be doable. The devices will probably hate operating at that speed, but that shouldn't stop them from trying to do so. Just like if you plug a USB 3.0 thumb drive into a USB 1.1 port. If this works (I give it a 30% chance of doing so) then it is just a matter of using an Arduino to dump the USB bus. No $10K debuggers needed.
     
  14. The Real Jdbye

    The Real Jdbye Always Remember 30/07/08

    Member
    11,868
    5,018
    Mar 17, 2010
    Norway
    Alola
    The MyDP portion of it would probably not work though as it requires the extra pins (I'm assuming)
    If you're patient, it shouldn't be too long before 3rd party docks, or breakout boards/"hubs" designed for on the go use surface. It's using a fairly standard protocol, but something is preventing 3rd party ones from working, it could be something as simple as the Switch checking the hardware ID of the device and refusing to communicate with it if it doesn't match what's expected, but that's up to hardware manufacturers to figure out and then implement into a 3rd party device. I wouldn't expect the 3rd party ones to cost much at all since it is a fairly standard protocol, whereas the official dock is really expensive. I'm definitely going to be on the lookout for a breakout board/"hub" style one suited for on the go use that I can bring with me when I go places rather than the big bulky dock. I'll just stick to using the official dock at home.
     
    peteruk likes this.
  15. OfficialFBomb

    OfficialFBomb GBAtemp Advanced Fan

    Member
    530
    145
    Aug 24, 2015
    United States
    There are people who already made new dock kits, implant the guts to something better, can't post a link but I'm sure Google will help..
     
    alpmaster likes this.
  16. Risingdawn

    Risingdawn GBAtemp Pickle

    Member
    618
    420
    May 22, 2010
    United Kingdom
    It would be good to see some cheap 3rd party docks, simply for hooking up to multiple rooms in the house.
     
  17. GaM3r2Xtreme

    GaM3r2Xtreme Member

    Newcomer
    20
    2
    Jan 9, 2016
    United States
    I wonder why they use MyDP instead of just going directly to HDMI alt mode. I read up on an article it was announced there is a protocol for it, but I don't know how far into development it is.

    I'd love to see or build a portable dock with minimal features. Just a power and display port for when you're taking the switch to a friend's place.
     
  18. CthulhuLabs
    OP

    CthulhuLabs Member

    Newcomer
    11
    13
    Apr 3, 2017
    United States
    DP over USB-C is a fully developed protocol.

    I can think of three reasons why they would do it this way.

    1) Nintendo wanted control over what hardware could be used with the system. This is very typical of them. If they used a standard compliant protocol then anyone could build a compatible dock and they would lose out on the sales or royalties from third party sales. This would also explain why it does not work with normal MyDP chips and requires their own special chips. Only authorized hardware manufacturers can probably get those chips.

    2) The built in graphics are either not capable of pushing out the DisplayPort protocol or doing so would be too much of a hardware hit. As such they used a simpler protocol to push the data to an off board chip for final rendering.

    3) ***The most exciting*** Nintendo was thinking about future expansion. By using a lower level protocol than DP they can offer a higher end dock down the road that offers improved capabilities like 4K. This is not uncommon for Nintendo. The N64 had that memory expansion. Plus such a device has been rumored to be in development, and the source of the rumor has brought up several other things that turned out to be true.
     
    elBenyo likes this.
  19. Duo8

    Duo8 I don't like video games

    Member
    3,440
    1,139
    Jul 16, 2013
    1: There are better ways to do that and that's what they're doing anyway.
    2: It's still DP. I think the soc can do DP video and audio.
    3: It's still DP.
     
  20. Kadji

    Kadji Newbie

    Newcomer
    9
    1
    Nov 16, 2006
    Gambia, The
    From https://github.com/dekuNukem/Nintendo_Switch_Reverse_Engineering (at the bottom of the Page):

    Docking station firmware dump
    The docking station uses a STM32F048 microcontroller. It's actually labeled as STM32P048 because it uses the FASTROM option where ST pre-programs the flash memory inside the factory. It has 32KB flash memory and 6KB RAM, runs at 48MHz.

    It uses SWD debugging and programming interface, and interestingly the programming testpoints are on the PCB and clearly labeled. After connecting a ST-Link programmer to it reveals that the chip is not read-protected at all, so a firmware dump was easily made. I'm not going to post it in the repo, but if you want it just ask.

    May be helpful information, maybe get in contact with him?
     
    DayVeeBoi likes this.