HOWTO: Learn the basics of reverse engineering

Discussion in 'Switch - Hacking & Homebrew' started by Selver, Apr 14, 2017.

  1. Selver
    Check out the following map:
    https://securinghardware.com/articles/BlackHat-Hardware-Training-Roadmap/

    Even if you're a software wizard, most would likely learn something from at least one of the following classes (separate fees per class):
    The power analysis and glitching training uses open-source hardware and software. There is also cheap pre-built hardware for this type of technology (<1000USD for ChipWhisperer Lite).
  2. FAST6191
    While I am all for getting peeps to learn some reverse engineering, and would look to hardware hacking methods as part of it all, are you sure you want to jump right in with that?
    Anyway, here is an old thread I made back when the 3DS was not so well hacked; maybe some links in there will also help people who want to start and want to use the Switch as their focal point:
    https://gbatemp.net/threads/some-hacking-concepts-and-links.287721/

    If you, the hypothetical new hacker in this, want to make a useful mod, then I have not seen any rapid-fire mods yet, and those tend to lead directly to macros -- make one for Zelda to swap weapons better.
  3. Selver
    First: Good linked post from your past.

    Unfortunately, focusing on simple software bugs (e.g., stack overflows) is getting less and less useful, in large part due to the various protections now in place. Even ROP has started to be mitigated. With proper hardware-enforced NX, memory management units, and segmentation, the layers needed to start leaking kernel info are getting greater and greater.

    On the other side, hardware reverse engineering and glitching have great potential that only grows. Most SoCs haven't had the security reviews and security architecture that were forced on Adobe, Apple, Microsoft, etc. Negatively, the steep learning curve is keeping many away. Differential Power Analysis uses advanced maths, but the complexity can be helped with software. ChipWhisperer being open-source hardware and software, while staying under 1000USD for a professionally made board, greatly lowers the barrier to entry on some advanced techniques.

    Are the above for everyone? No. But there are students who know programming / VHDL that want to learn new reverse engineering skills... reverse engineering without understanding the subject matter you're poking into ... I don't recommend it.

    Finally, I liked the map... it gives a nice segmentation, and lets one start at many different levels/areas.

    Simple rapid-fire and macro mods are not particularly likely in the short-term. For most up-to-date status, see:
    https://github.com/dekuNukem/Nintendo_Switch_Reverse_Engineering

    I share the desire to more properly quick-switch both weapons and outfits in Breath of the Wild.
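The "advanced maths" behind Differential Power Analysis reduce, in the simplest correlation variant, to one Pearson correlation per key hypothesis. The following is an added example, not code from this thread or from the ChipWhisperer project: it constructs single-sample power "traces" from a toy 4-bit S-box (an assumption; not AES) with a Hamming-weight leakage model plus Gaussian noise, then recovers the key nibble by correlation. It shows why an unmasked S-box lookup leaks and what masking or hiding countermeasures exist to break.

```python
import random

# Toy 4-bit S-box, constructed for this example (not the AES S-box).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def hamming_weight(x):
    return bin(x).count("1")

def simulate_traces(key_nibble, n, noise=0.5, seed=1):
    """Constructed 'measurements': one sample per trace that leaks the Hamming weight
    of the S-box output (a common leakage model for unmasked logic) plus Gaussian noise."""
    rng = random.Random(seed)
    plaintexts, samples = [], []
    for _ in range(n):
        p = rng.randrange(16)
        plaintexts.append(p)
        samples.append(hamming_weight(SBOX[p ^ key_nibble]) + rng.gauss(0, noise))
    return plaintexts, samples

def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 if either side is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / (vx * vy) ** 0.5

def cpa_scores(plaintexts, samples):
    """For every key guess, correlate the predicted Hamming weight with the measured
    samples. Only the right guess predicts the leakage, so it stands out as a peak."""
    scores = {}
    for k in range(16):
        predicted = [hamming_weight(SBOX[p ^ k]) for p in plaintexts]
        scores[k] = abs(pearson(predicted, samples))
    return scores

def recover_key(plaintexts, samples):
    """Return (best key guess, its |correlation|)."""
    scores = cpa_scores(plaintexts, samples)
    best = max(scores, key=scores.get)
    return best, scores[best]

def demo(key_nibble, n=400, seed=1):
    """End-to-end run on constructed traces; returns the recovered key nibble."""
    return recover_key(*simulate_traces(key_nibble, n, seed=seed))[0]

if __name__ == "__main__":
    k, r = recover_key(*simulate_traces(0xA, 400))
    print(f"recovered key nibble 0x{k:X} with |r|={r:.2f}")
```

Real traces carry thousands of sample points each, and the same correlation is run at every point with the peak taken; the number of traces needed grows with the noise, which is exactly what hiding countermeasures exploit.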
  4. FAST6191
    I agree hardware is the way to provide the easier in but I am not sure I would throw someone that maybe just about knows their way around a multimeter into powerline and fun with signals stuff. It is why I looked to the controller stuff, others might learn to figure out the save protocol (open a cart, figure out what goes to the save chip, if any, fly some leads or build a breakout board, learn snapshots with your scope/signal analyser), mess around with NAND dumping and restore and maybe even dual NAND. Some of it has probably been done and dismissed by those that already have the skills.
    If it was electronics repair then yeah, I would probably introduce active scope probes and some of the things they get to figure out fairly early on; full-bore reverse engineering, as far as injecting your own code and modifying behaviours, I would take slower.

    On the other hand, if it was not your intention to get those in the "I have a cheap multimeter / more money than sense so splurged on a Fluke despite knowing nothing else" camp in on this then OK. While not absent around here, those with the base stuff there and just needing a little push, or maybe a call back to the group, are a bit thinner on the ground.

    On the controller stuff I took a look at some PCB shots on https://www.ifixit.com/Teardown/Nintendo+Switch+Teardown/78263 and while I don't see any immediately obvious test pads that people prefer for modern controllers there are some good candidates. Stick an oscillator or pattern generator into all that should not be too troubling. I quite like them for getting people in as it is not trivial, gets some interesting things done, gets people to start understanding the ideas of timing and signals*, does not cost the earth (under 1000 is nice but skip lunch and buy some small low pin count microcontrollers is even more approachable) and has a pretty tangible end result (rapid fire, auto reload, small macros...).

    *Sure, I guess software types would understand a race condition and thus be fairly primed for glitching, but at the same time analogue signals in electronics is not something that is really taught that much any more, so my experience has been start talking about matched impedance and you get glassy eyes and their best fish impression. If going with micros as well then it tends to mean Arduino, so you then also get to see the... less than accurate timings/delays involved with the sleep function if you are sending a pattern.
  5. Selver
    @FAST6191 -- It's a pleasure having a reasonable discussion here even when opinions differ.

    You make good points. I am not even disagreeing with them. :)

    Save game protocol: Breaking the save game protocol is unlikely to be an early success. Why? No save data to the game cart with Switch anymore. Even on 3DS, the communication protocol itself uses encryption....

    NAND dumping: Switch appears to have some anti-rollback technology, so while some operations with NAND backup/restore may still work, firmware downgrading by rolling back the NAND appears a dead end for now.

    Controller: Given the Bluetooth protocol is in the clear, and Joy-Con firmware has been dumped, it may be easier (and cheaper) to simply emulate a controller. Cypress (the ones who bought Broadcom's IoT wireless chipsets) appear to have really cheap Bluetooth LE development kits. More difficult than Arduino, but clocks are more stable and you get much functionality for "free".
  6. FAST6191
    3DS used encryption, but other than, or maybe prior to, Pokémon you could still restore earlier saves, and while I don't expect it here, the crypto (other stuff was just basic console-managed signing) side of things was XOR without randomised padding. Full editing is wonderful, but save restore and data dumping have their uses too -- despite not actually caring for Pokémon I seem to mention it a lot in this, but have a look at Pokémon simulators: if you can have someone dump a save rather than going manually between each mon and copying numbers, you will make friends quickly. Likewise, when Pokémon sent good info over unencrypted connections on the 3DS there were loads of people ready to make programs, anti-hack programs (they sent lists for battles prior to the opponent confirming their team selection, which given the rock, paper, scissors nature of things...). The days when raw sockets (gone in consumer Windows XP SP2) and ARP poisoning were things wanted were variously painful or hilarious to watch unfold, but they were done.
    For a non-Pokémon one, then if you are able to dump your Mario levels in Mario Maker, music compilations in a music game or something similar, then watch the desire appear.

    On the anti-rollback stuff, are we talking 360-style efuses or an equivalent that maybe prevents older kernels booting, or some kind of boot count/power-on count that prevents me from dumping, booting a few more times and then restoring?
    If the former then that sucks for some things, but if I can still restore an earlier save then some will take it. The option to do a bunch of silly things, maybe for something Pokémon throw a bunch of things on wifi and clone Pokémon for my friends before restoring back to a nice state, is still one some seek. In the spirit of https://marcan.st/2011/01/safe-hacking/ I guess I would say make sure there is always a current dump taken before every restore (and any program made will attempt to ensure it, maybe even check if enough is in cleartext).

    Emulate a controller? Would be the option I take if I am going to go this way; whether it is all that would take is a different matter. £40 (http://uk.farnell.com/cypress-semic...ble/dev-board-psoc-4-bluetooth-low/dp/2453490) is pretty agreeable too, might even be below the pain point of some. However, I fear you may not speak largely non-technical hacker forum, or have spent too long knocking about with those that are already there. Something else usually means "can I buy it cheaply in the real world/from Amazon/eBay, or better yet I have some pocket lint, but I am willing to spend 5 times longer getting something done", and I still want to emphasise the practical/tangible results aspect. I wish I had saved a conversation I saw on the old xboxhacker forums around the time the JTAG/SMC hack had become viable for end users, as some of the hack makers were using $70 dev kits and being driven nuts by people asking for another way without outright stating the stuff from the previous line.

    It cuts the other way too -- if you need a thousand different NAND/memory/whatever dumps for some kind of differences analysis a small tangible benefit like any of those mentioned means that will happen 20 times quicker.

    Bring me a dump of the hypervisor function names and general calls and we will absolutely have a late night figuring that out (or probably not me, as kernel stuff is not really my forte; I will watch your c3/defcon/blackhat presentation with rapt attention though). Academic/blue sky stuff, love it. If you are trying to get the forum going, you are doing the equivalent of launching into fancy hacks without trying the default password.
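The "always have a current dump before every restore" rule above, plus the "check if enough is in cleartext" idea, are the kind of thing a restore tool should refuse on rather than leave to the user's memory. The following is an added example, not code from this thread or from any Switch tool: it gates a restore on a backup existing, being non-empty and being fresh (the 3600-second limit is an assumption), and estimates how much of an image is plaintext by per-block Shannon entropy, so a fully encrypted NAND or save image is recognised before anyone wastes an evening hex-editing it.

```python
import math
import os
import time

def block_entropy(block):
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    n = len(block)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def cleartext_fraction(data, block_size=4096, threshold=7.0):
    """Fraction of blocks that look like plaintext (entropy below threshold). Near 0.0 means
    the image is encrypted or random end to end, so byte-level save editing is pointless."""
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    if not blocks:
        return 0.0
    return sum(1 for b in blocks if block_entropy(b) < threshold) / len(blocks)

def restore_preconditions(backup_exists, backup_age_s, backup_size, max_age_s):
    """Reasons a restore must NOT proceed (empty list = go ahead): the 'take a current dump
    before every restore' rule, expressed as a check a restore tool refuses on."""
    if not backup_exists:
        return ["no backup dump exists; take one first"]
    problems = []
    if backup_size == 0:
        problems.append("backup is empty")
    if backup_age_s > max_age_s:
        problems.append(f"backup is {backup_age_s:.0f}s old (limit {max_age_s}s); re-dump first")
    return problems

def audit_dump(backup_path, max_age_s=3600):
    """File-level wrapper: (problems, cleartext fraction) for an on-disk dump. Reads the whole
    image, which is fine for a demo; stream it block by block for multi-GB NAND images."""
    exists = os.path.isfile(backup_path)
    age = time.time() - os.path.getmtime(backup_path) if exists else float("inf")
    size = os.path.getsize(backup_path) if exists else 0
    problems = restore_preconditions(exists, age, size, max_age_s)
    if problems:
        return problems, None
    with open(backup_path, "rb") as f:
        return [], cleartext_fraction(f.read())
```

A compressed image also scores as high entropy, so treat a near-zero cleartext fraction as "not directly editable" rather than as proof of encryption.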