Dock Hacking

Jhynjhiruu

If you modified a keyboard in the right way (or just used an Arduino or something) is it possible to type Unicode control characters and stuff through USB? If so, could this be used for code injection?
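An added illustration of the mechanism behind this question (my example, not code from anyone in this thread): a USB keyboard never sends characters at all. Each report carries a modifier byte and up to six HID usage IDs, and the host's keymap decides which character a usage produces. A code point with no key of its own, such as U+202E (RIGHT-TO-LEFT OVERRIDE), can therefore only be "typed" through an input method the host happens to offer; the block below encodes the GTK/IBus sequence Ctrl+Shift+U, hex digits, Space. The US-layout mapping table is assumed and deliberately partial; whether the resulting text leads to any injection depends entirely on what on the host consumes it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* USB HID boot-protocol keyboard report: 1 modifier byte, 1 reserved byte,
   up to 6 simultaneously pressed key usage IDs (HID Usage Tables, page 0x07). */
typedef struct {
    uint8_t mod;
    uint8_t reserved;
    uint8_t keys[6];
} hid_report_t;

#define MOD_LCTRL  0x01
#define MOD_LSHIFT 0x02

/* Map one ASCII byte to a usage ID plus modifier, assuming the host uses a
   US layout (the host, not the device, decides which character a usage
   produces). Partial table for illustration. Returns 0 for bytes that no
   single key press can produce, including every non-ASCII byte. */
static int ascii_to_hid(char c, uint8_t *usage, uint8_t *mod)
{
    *mod = 0;
    if (c >= 'a' && c <= 'z') { *usage = 0x04 + (uint8_t)(c - 'a'); return 1; }
    if (c >= 'A' && c <= 'Z') { *usage = 0x04 + (uint8_t)(c - 'A'); *mod = MOD_LSHIFT; return 1; }
    if (c >= '1' && c <= '9') { *usage = 0x1E + (uint8_t)(c - '1'); return 1; }
    switch (c) {
    case '0':  *usage = 0x27; return 1;
    case '\n': *usage = 0x28; return 1;                      /* Enter */
    case '\t': *usage = 0x2B; return 1;                      /* Tab */
    case ' ':  *usage = 0x2C; return 1;
    case '-':  *usage = 0x2D; return 1;
    case '.':  *usage = 0x37; return 1;
    case '/':  *usage = 0x38; return 1;
    case ':':  *usage = 0x33; *mod = MOD_LSHIFT; return 1;   /* Shift + ; */
    default:   return 0;
    }
}

/* Append a key-down report followed by an all-zero key-up report.
   Returns the new report count, or 0 if the buffer is full. */
static size_t push_press(hid_report_t *out, size_t max, size_t n,
                         uint8_t mod, uint8_t usage)
{
    if (n + 2 > max) return 0;
    memset(&out[n], 0, 2 * sizeof(hid_report_t));
    out[n].mod = mod;
    out[n].keys[0] = usage;
    return n + 2;
}

/* Encode a string as the report sequence a keystroke-injection device would
   send. Returns the number of reports, or 0 if a byte is not typeable
   (or the string is empty). */
size_t encode_keystrokes(const char *s, hid_report_t *out, size_t max)
{
    size_t n = 0;
    for (; *s; s++) {
        uint8_t usage, mod;
        if (!ascii_to_hid(*s, &usage, &mod)) return 0;
        n = push_press(out, max, n, mod, usage);
        if (n == 0) return 0;
    }
    return n;
}

/* Code points with no usage ID of their own (e.g. U+202E RIGHT-TO-LEFT
   OVERRIDE) can only be typed through an input method the host offers.
   This encodes the GTK/IBus sequence Ctrl+Shift+U, hex digits, Space;
   it produces nothing useful in applications without that input method. */
size_t encode_unicode_gtk(uint32_t cp, hid_report_t *out, size_t max)
{
    char hex[9];
    snprintf(hex, sizeof hex, "%x", cp);
    size_t n = push_press(out, max, 0, MOD_LCTRL | MOD_LSHIFT, 0x18); /* 'u' */
    for (const char *p = hex; n && *p; p++) {
        uint8_t usage, mod;
        ascii_to_hid(*p, &usage, &mod);          /* hex digits always map */
        n = push_press(out, max, n, mod, usage);
    }
    return n ? push_press(out, max, n, 0, 0x2C) : 0;  /* Space commits it */
}

int main(void)
{
    hid_report_t reports[32];
    size_t n = encode_unicode_gtk(0x202E, reports, 32);
    for (size_t i = 0; i < n; i++)
        printf("mod=%02x key=%02x\n", reports[i].mod, reports[i].keys[0]);
    return 0;
}
```

The Ctrl+Shift+U path is specific to GTK/IBus; Windows uses Alt plus numpad codes, and a plain console or a BIOS setup screen has no such input method at all, so a device that relies on it has to know what is on the other end of the cable.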
 

CthulhuLabs

From https://github.com/dekuNukem/Nintendo_Switch_Reverse_Engineering (at the bottom of the Page):

Docking station firmware dump
The docking station uses a STM32F048 microcontroller. It's actually labeled as STM32P048 because it uses the FASTROM option where ST pre-programs the flash memory inside the factory. It has 32KB flash memory and 6KB RAM, runs at 48MHz.

It uses the SWD debugging and programming interface, and interestingly the programming testpoints are on the PCB and clearly labeled. Connecting an ST-Link programmer to it reveals that the chip is not read-protected at all, so a firmware dump was easily made. I'm not going to post it in the repo, but if you want it just ask.

May be helpful information, maybe get in contact with him?

Thanks for the info. That will help. I am ordering a USB-C female to USB 3 male cable to try and hook the dock up to my Linux box and see what lsusb shows.
 

TimX24968B

Most motherboards should include USB Type-C.
As far as I know, AM4 motherboards have these [AMD Ryzen 7 motherboard]
Most motherboards "that came out within the past year"-ish will have them.

I got a case a couple of years ago, no USB-C. My current motherboard (kinda old), a Z77, doesn't have it, and only has a couple of USB 3 ports.
 

ktulu909

From https://github.com/dekuNukem/Nintendo_Switch_Reverse_Engineering (at the bottom of the Page):

Docking station firmware dump
The docking station uses a STM32F048 microcontroller. It's actually labeled as STM32P048 because it uses the FASTROM option where ST pre-programs the flash memory inside the factory. It has 32KB flash memory and 6KB RAM, runs at 48MHz.

It uses the SWD debugging and programming interface, and interestingly the programming testpoints are on the PCB and clearly labeled. Connecting an ST-Link programmer to it reveals that the chip is not read-protected at all, so a firmware dump was easily made. I'm not going to post it in the repo, but if you want it just ask.

May be helpful information, maybe get in contact with him?

I fly racing drones and almost all of our flight controllers are based on the STM family of chips, F1 through F4 currently. I wonder what would happen if I tried to connect to the dock with our flight controller software and run the dump command.
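The quoted README passage (posted twice above) says the STM32F048 in the dock is not read-protected and that a dump was taken over SWD. As an added example, mine rather than dekuNukem's or any poster's: the two checks a practitioner wants right after such a read-out are what the RDP option byte says about the protection level, and whether the image actually looks like a Cortex-M0 image for this part rather than blank flash or a misread. Both checks below use only the memory map the quote gives (32 KB flash at 0x08000000, 6 KB SRAM at 0x20000000) and the STM32F0 RDP encoding; the 16-word sample header is constructed for the demo and is not the real dock firmware. With OpenOCD and an ST-Link the read-out itself would typically be `openocd -f interface/stlink.cfg -f target/stm32f0x.cfg -c "init; halt; flash read_bank 0 dock.bin 0 0x8000; shutdown"`, which this block does not run.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* STM32F048 memory map: 32 KB flash at 0x08000000, 6 KB SRAM at 0x20000000. */
#define FLASH_BASE  0x08000000u
#define FLASH_SIZE  (32u * 1024u)
#define SRAM_BASE   0x20000000u
#define SRAM_SIZE   (6u * 1024u)
#define NUM_VECTORS 16u   /* Cortex-M0 core exceptions; peripheral IRQs follow */

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Read-out protection level from the STM32F0 RDP option byte (option byte
   area at 0x1FFFF800): 0xAA = level 0 (no protection, SWD can read flash),
   0xCC = level 2 (permanent, debug disabled), any other value = level 1. */
int stm32f0_rdp_level(uint8_t rdp)
{
    if (rdp == 0xAA) return 0;
    if (rdp == 0xCC) return 2;
    return 1;
}

static int in_flash_thumb(uint32_t v)
{
    return (v & 1u) && v >= FLASH_BASE && v < FLASH_BASE + FLASH_SIZE;
}

/* Returns 1 if the start of img looks like a Cortex-M0 vector table for this
   part, 0 otherwise; *why gets a one-line reason. A blank (all 0xFF) or
   misread dump fails at the initial stack pointer. */
int check_vector_table(const uint8_t *img, size_t len, const char **why)
{
    if (len < NUM_VECTORS * 4u) { *why = "shorter than the vector table"; return 0; }
    uint32_t sp = rd32le(img);
    if (sp < SRAM_BASE || sp > SRAM_BASE + SRAM_SIZE || (sp & 3u)) {
        *why = "initial SP is not a word-aligned SRAM address"; return 0;
    }
    if (!in_flash_thumb(rd32le(img + 4))) {
        *why = "reset vector is not a Thumb address in flash"; return 0;
    }
    for (size_t i = 2; i < NUM_VECTORS; i++) {
        uint32_t v = rd32le(img + 4 * i);
        if (v != 0 && !in_flash_thumb(v)) {   /* reserved slots are zero */
            *why = "exception vector points outside flash"; return 0;
        }
    }
    *why = "ok";
    return 1;
}

/* Constructed sample header, NOT the real dock firmware: SP at the top of
   SRAM, reset/NMI/HardFault/SVCall/PendSV/SysTick handlers in flash,
   the slots Cortex-M0 does not implement left zero. */
const uint32_t SAMPLE_VECTORS[NUM_VECTORS] = {
    0x20001800, 0x080000C1, 0x080000D5, 0x080000D7, 0, 0, 0, 0,
    0, 0, 0, 0x080000D9, 0, 0, 0x080000DB, 0x080000DD
};

/* Serialise words little-endian, as they sit in flash and in a raw dump. */
void words_to_image(const uint32_t *w, size_t n, uint8_t *out)
{
    for (size_t i = 0; i < n; i++) {
        out[4 * i]     = (uint8_t)(w[i]);
        out[4 * i + 1] = (uint8_t)(w[i] >> 8);
        out[4 * i + 2] = (uint8_t)(w[i] >> 16);
        out[4 * i + 3] = (uint8_t)(w[i] >> 24);
    }
}

int main(void)
{
    uint8_t img[NUM_VECTORS * 4];
    const char *why;
    words_to_image(SAMPLE_VECTORS, NUM_VECTORS, img);
    printf("sample image: %s\n", check_vector_table(img, sizeof img, &why) ? "plausible" : why);
    memset(img, 0xFF, sizeof img);
    printf("blank flash:  %s\n", check_vector_table(img, sizeof img, &why) ? "plausible" : why);
    printf("RDP 0xAA -> level %d\n", stm32f0_rdp_level(0xAA));
    return 0;
}
```

Run `check_vector_table` on the first 64 bytes of a real dump; an initial SP outside SRAM or an even reset vector means the read did not return flash contents, regardless of what the programmer reported.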
 

Praxis

3) ***The most exciting*** Nintendo was thinking about future expansion. By using a lower level protocol than DP they can offer a higher end dock down the road that offers improved capabilities like 4K. This is not uncommon for Nintendo. The N64 had that memory expansion. Plus such a device has been rumored to be in development, and the source of the rumor has brought up several other things that turned out to be true.

I knew it was a moonshot, but I really had hoped Nintendo would implement Thunderbolt 3 on the Switch. Would've been really neat if, 2-3 years down the line, they could release an external GPU dock that does 4K.
 

CthulhuLabs

There is a rumor that something like that is in the works, and it is coming from a reliable source. Time will tell though.
 

Josephvb10

There is a rumor that something like that is in the works, and it is coming from a reliable source. Time will tell though.
What? No reliable source ever mentioned something like that. The only place that "rumor" was mentioned was in a Nintendo patent that will never get used, like the clickable scroll wheels and the oval-shaped handheld.
 

CthulhuLabs

Plugged the Dock into the PC at work. It does not show up in lsusb, and the Linux kernel dmesg does not show any activity. Either the USB-C port in the PC at work is not working, or the Dock will not respond on the USB bus till the Switch does something to activate it. If I had to guess, the second option is very likely. :-/
 

GerbilSoft

I don't know if this is possible, but can we inject a certain firmware to downgrade, because the Switch OS is open source?
https://www.nintendo.co.jp/support/oss/data/NintendoSwitch_OpenSources1.0.0.zip
(I don't know so much, but could this be done after some research? I don't even know if the dock has access to the firmware, so...)
That isn't the Switch OS. It's only specific open-source components that they made use of:
  • NSPR (Netscape Portable Runtime)
  • NSS (Netscape Security Services)
  • WebKit
  • Some NetFront-related code
 

CthulhuLabs

I don't know if this is possible, but can we inject a certain firmware to downgrade, because the Switch OS is open source?
https://www.nintendo.co.jp/support/oss/data/NintendoSwitch_OpenSources1.0.0.zip
(I don't know so much, but could this be done after some research? I don't even know if the dock has access to the firmware, so...)

The OS is not open source. They have some applications loaded onto it that are open source. Mainly they used WebKit to allow the Switch to sign into WiFi access points. This was already hacked, but that hack has been patched. Also, that hack only gave you the ability to run an application with very limited rights. The actual OS is very much closed source.
 

alpmaster

After doing more research I have pretty much given up on using generic hardware to make my own dock. I will probably be modding my own.

As for using this as a hacking vector, I think this is definitely possible looking at the various chips and how the system is working. It all comes down to how much trust they put in the hardware behaving how the software expects. I will never underestimate lazy programmers under a time crunch to do stupid things.

As for sniffing the USB communications, it is a matter of tricking the bus into connecting at slower speeds. USB 3.1 is backwards compatible with USB 1.1. As such, if you take a USB 1.1 hub and plug it in between the Switch and its dock, the USB communication should still try to work. It will take some goofy cable arrangements to get this to work, but it should be doable. The devices will probably hate operating at that speed, but that shouldn't stop them from trying to do so. Just like if you plug a USB 3.0 thumb drive into a USB 1.1 port. If this works (I give it a 30% chance of doing so) then it is just a matter of using an Arduino to dump the USB bus. No $10K debuggers needed.
Is it possible to just put the HDMI chip into an empty 3D-printed Switch dock? Then you would not need to decode.
 

SIX10

Is it possible to just put the HDMI chip into an empty 3D-printed Switch dock? Then you would not need to decode.
What? There is only one little board in the dock, which has the HDMI, USB, and charging ports on it. Putting it in a different case won't make a difference; it's like putting a PC's internals into a different case, just the outer shell has changed.
 