Potential Switch Entry Point [HardMAC]

Discussion in 'Switch - Hacking & Homebrew' started by Selver, Apr 6, 2017.

  1. Selver
    OP

    Selver 13,5,1,14,9,14,7,12,5,19,19

    Member
    210
    277
    Dec 22, 2015
    TLDR; Switch may have network SoC that can be compromised... No exploit is even close in time for the Switch, but the possibility of a hardware-based hack that is difficult to fix may now exist....


    Apple's iPhone and many, many other vendors' phones use Broadcom's HardMAC chipset, which provides a System-on-Chip that abstracts many low-level Wi-Fi details. Of course, that abstraction also results in complexity.

    On April 4th, the following chromium bug report log became public:
    https://bugs.chromium.org/p/project-zero/issues/detail?id=1046

    On the same day, the following blog report was published, covering the substantial work involved.
    https://googleprojectzero.blogspot.com.au/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html

    Also on the same day, Plutoo tweeted that NS on switch has fallen:
    https://twitter.com/qlutoo/status/849217859662348290

    And, a user "coincidentally" asked if the Broadcom firmware file was available in decrypted form from this NS break.
    https://twitter.com/laginimaineb/status/849347353299603458
    My guess is that user is familiar with the above SoC firmware break in BCM chips...

    NOTE: The above blog post is an excellent example of how difficult reverse engineering is, including the difficulty of creating a usable exploit from a confirmed bug....


    Here's a bullet-point:
    • Research may apply to the Switch's networking chipset
      • Research was on BCM4358
      • Broadcom claims newer versions use the built-in memory protection units
      • Switch uses BCM4356 (apparently older version in Switch)
    • BCM firmware...
      • puts ROM at 0x0 and RAM at 0x180000
      • parses network packets with an essentially static heap layout
      • first bug corrupts internal heap, with attacker-controlled next pointer
      • ... which is then allocated for next packet.
      • has a vendor-unique command that, if heap is corrupted from above, allows attacker-controlled data to be written to that allocation... the location of which was attacker-controlled from the prior bug
    • The ROM for the BCM line has a software-based version, with open source, making reverse-engineering of the SoC ROM slightly-less-than-impossible
    As you know, the Switch uses ARM TrustZone to at least some degree. But, access to memory by authorized peripherals (on at least some buses) occurs at the security level of the caller.

    Anyone want to guess if the Switch kernels use networking capability... e.g., for firmware updates?
     
    Last edited by Selver, Apr 6, 2017 - Reason: remove reference to ARM4 -- thanks, Wolfvak
    ihaveamac, thomasnet, SLiV3R and 9 others like this.
  2. Selver
    OP

    Selver 13,5,1,14,9,14,7,12,5,19,19

    Member
    210
    277
    Dec 22, 2015
    Reserving for additional notes/updates.
     
  3. proflayton123

    proflayton123 Undeclared Shitposter 2.1

    Member
    5,903
    2,235
    Jan 11, 2016
    Japan
    日本
    This is juicy even tho I don't own a switch yet
     
  4. Wolfvak

    Wolfvak *yawn*

    Member
    808
    1,062
    Oct 25, 2015
    Uruguay
    Source?
     
  5. Selver
    OP

    Selver 13,5,1,14,9,14,7,12,5,19,19

    Member
    210
    277
    Dec 22, 2015
    Hi Wolfvak,
    See https://googleprojectzero.blogspot.com.au/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html, the section at the very end titled "Wrapping Up".

    "Broadcom have informed me that newer versions of the SoC utilise the MPU, along with several additional hardware security mechanisms."

    So, any resulting hardware exploit would be time-limited - until updated ROMs are shipped, or they patch the function via their patching capability (in RAM... but so little space available!).
     
  6. Wolfvak

    Wolfvak *yawn*

    Member
    808
    1,062
    Oct 25, 2015
    Uruguay
    These security measures are hardly ARM4... I read that article a couple of hours ago and it stated these chipsets included a Cortex-M4. These are essentially a better version of M3 CPUs, with just DSP/FPU instructions added.

    Cortex-M3 CPUs fall under the ARMv7-M family, not ARM4 (or ARMv4).
     
    Last edited by Wolfvak, Apr 6, 2017 - Reason: thank mr wikipedia
    Selver likes this.
  7. Selver
    OP

    Selver 13,5,1,14,9,14,7,12,5,19,19

    Member
    210
    277
    Dec 22, 2015
    You're absolutely right ... I had ARM-on-the-brain. Fixed. Thanks for paying attention!
     
  8. Selver
    OP

    Selver 13,5,1,14,9,14,7,12,5,19,19

    Member
    210
    277
    Dec 22, 2015
    For those wanting data on the BCM4356, Cypress bought the product line...
    Part and datasheet links
    Pins of interest

    Why are the pinouts of interest? If using SDIO, then the pins are close to the edge, and may enable man-in-the-middle tracing with small hardware hacks. For example, perhaps initialization of the WiFi might be done manually (not by original system).

    If using PCIe, then there is the potential to insert PCIe bridge, similar to earlier PS4 hacking methods. While slow and costly, the potential for increased understanding of the system working would be high.
     
    Last edited by Selver, Apr 8, 2017 - Reason: Fixing my English
    DayVeeBoi likes this.
  9. Selver
    OP

    Selver 13,5,1,14,9,14,7,12,5,19,19

    Member
    210
    277
    Dec 22, 2015
    The impact of this hardware flaw (portions are baked into the ROM) are starting to be realized.
    Partial logs from #switchdev:

    <@profi200> https://gbatemp.net/threads/potential-switch-entry-point-hardmac.466814/ lol wtf has NS to do with this?
    <@profi200> I doubt it's that useful. It may make the attack surface bigger but that's it.
    <@profi200> It would really surprise me if it is connected over PCIe.
    ... next day ...
    <yifanlu> https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html?m=1
    <@profi200> I really doubt it uses PCIe. It's expensive enough.
    <yifanlu> What do you mean by expensive?
    <yifanlu> The bcm4356 supports pcie and the Tegra X1 has enough pcie interfaces. It's only a matter of wiring them up.
    <@profi200> Apparently the hw costs 257$.
    <@yellows8> x1 datasheet mentions it but no idea if wifi-hw actually uses it.
    <yifanlu> According to that post though the theoretical maximum speed of 802.11ac exceeds that of sdio so they would have to use either pcie or usb3
    <yifanlu> What's interesting in part 2 is the fact that these wifi chips use pcie now
    <yifanlu> Something I was not aware of
    <yifanlu> Combine that with how easy it is to hack these wifi chips makes for an interesting attack vector

    No, this is not a homebrew level attack vector, at least not for a long time....
     
    SLiV3R likes this.
  10. Selver
    OP

    Selver 13,5,1,14,9,14,7,12,5,19,19

    Member
    210
    277
    Dec 22, 2015
    The second half of exploiting this hardware vulnerability has now been published.
    While it is targeting a different OS, the driver is open-source, and thus likely it could be determined if similar issues exist in the switch at relatively low cost:
    https://googleprojectzero.blogspot.com.au/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html

    With existing information disclosure vulnerabilities, it may be possible that Switch firmware 2.0 would be exploitable using only wifi.

    Much research would still need to be done, and Switch firmware anti-downgrade greatly reduces the threat this poses (possibly to 2.0 firmware).
     
    peteruk likes this.