[Script Info]
Title: 
[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.32,0:00:09.50,Default,,0000,0000,0000,,{\i1}32C3 preroll music{\i0}
Dialogue: 0,0:00:09.50,0:00:16.24,Default,,0000,0000,0000,,Herald: Okay, welcome to our\Nlast talk in this hall today!
Dialogue: 0,0:00:16.24,0:00:20.42,Default,,0000,0000,0000,,It’s about Console Hacking and I guess\Nthat’s the reason why you are here.
Dialogue: 0,0:00:20.42,0:00:23.51,Default,,0000,0000,0000,,Console hacking has a long\Ntradition at our great conference
Dialogue: 0,0:00:23.51,0:00:30.11,Default,,0000,0000,0000,,and we have seen lots of funny things.\NPeople doing stuff with Xboxes,
Dialogue: 0,0:00:30.11,0:00:33.90,Default,,0000,0000,0000,,Playstations and everything.
Dialogue: 0,0:00:33.90,0:00:39.01,Default,,0000,0000,0000,,Okay. Today we got a team which\Ndeals with the Nintendo DS,
Dialogue: 0,0:00:39.01,0:00:44.26,Default,,0000,0000,0000,,so give a warm applause\Nfor plutoo, derrek and smea!
Dialogue: 0,0:00:44.26,0:00:53.77,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:00:53.77,0:00:58.91,Default,,0000,0000,0000,,smea: Hi! I’m smea,\Nthis is plutoo, this is derrek,
Dialogue: 0,0:00:58.91,0:01:02.93,Default,,0000,0000,0000,,and today we are going to talk to you\Nabout our work on the Nintendo 3DS.
Dialogue: 0,0:01:02.93,0:01:05.39,Default,,0000,0000,0000,,So, the way this talk is going to be\Nstructured, is we are just going to
Dialogue: 0,0:01:05.39,0:01:08.85,Default,,0000,0000,0000,,go over all the hardware,\Norganisation, software, like…
Dialogue: 0,0:01:08.85,0:01:12.24,Default,,0000,0000,0000,,Just give you a basic overview\Nabout how the system works.
Dialogue: 0,0:01:12.24,0:01:15.04,Default,,0000,0000,0000,,And after that we are going to go into
Dialogue: 0,0:01:15.04,0:01:18.33,Default,,0000,0000,0000,,basically every layer of\Nsecurity the system has,
Dialogue: 0,0:01:18.33,0:01:21.27,Default,,0000,0000,0000,,and break every one of them.
Dialogue: 0,0:01:21.27,0:01:23.22,Default,,0000,0000,0000,,{\i1}laughter{\i0}
Dialogue: 0,0:01:23.22,0:01:27.55,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:01:27.55,0:01:31.86,Default,,0000,0000,0000,,Okay. So, as you probably know,\Nthe 3DS, the original Nintendo 3DS
Dialogue: 0,0:01:31.86,0:01:36.50,Default,,0000,0000,0000,,was released in 2011. It’s a system\Nthat is kind of underpowered.
Dialogue: 0,0:01:36.50,0:01:41.48,Default,,0000,0000,0000,,It’s got, like… It’s got an\NARM11 dual core CPU,
Dialogue: 0,0:01:41.48,0:01:46.40,Default,,0000,0000,0000,,268Mhz, it’s got a nice\Nproprietary GPU, a bit of RAM,
Dialogue: 0,0:01:46.40,0:01:49.92,Default,,0000,0000,0000,,you know, the usual. It’s also backwards\Ncompatible with the DS games,
Dialogue: 0,0:01:49.92,0:01:55.30,Default,,0000,0000,0000,,which is nice. Then the new 3DS\Nwas released in 2014 and 2015,
Dialogue: 0,0:01:55.30,0:02:01.06,Default,,0000,0000,0000,,there was like different regions. And it\Nwas basically just the same console,
Dialogue: 0,0:02:01.06,0:02:04.24,Default,,0000,0000,0000,,just some improvements in the\Nhardware. You’ve got a better CPU,
Dialogue: 0,0:02:04.24,0:02:09.41,Default,,0000,0000,0000,,it has got more cores. It’s faster, it has\Ngot more RAM. Basically everywhere.
Dialogue: 0,0:02:09.41,0:02:12.24,Default,,0000,0000,0000,,So, it is just the same thing,\Nit runs the same software, exactly.
Dialogue: 0,0:02:12.24,0:02:15.80,Default,,0000,0000,0000,,It has got some exclusive\Nsoftware, but not much.
Dialogue: 0,0:02:15.80,0:02:19.46,Default,,0000,0000,0000,,So, in terms of a hardware overview, this\Nis what what we are going to talk about
Dialogue: 0,0:02:19.46,0:02:24.05,Default,,0000,0000,0000,,looks like; in general. So you\Ngot the top part right here,
Dialogue: 0,0:02:24.05,0:02:27.49,Default,,0000,0000,0000,,which is what we are\Ngoing to go into first.
Dialogue: 0,0:02:27.49,0:02:31.47,Default,,0000,0000,0000,,This is like the ARM11 part.
Dialogue: 0,0:02:31.47,0:02:35.11,Default,,0000,0000,0000,,Basically, you’ve got the ARM11,\Nwhich is the main CPU. It runs
Dialogue: 0,0:02:35.11,0:02:40.74,Default,,0000,0000,0000,,the main operating system. It has\N2 cores as I just said, or 4 cores.
Dialogue: 0,0:02:40.74,0:02:42.79,Default,,0000,0000,0000,,So, it runs the main operating\Nsystem, it runs the games,
Dialogue: 0,0:02:42.79,0:02:45.34,Default,,0000,0000,0000,,it runs all the applications.\NBasically, it’s just –
Dialogue: 0,0:02:45.34,0:02:48.38,Default,,0000,0000,0000,,if you’re doing something on the 3DS\Nthat you can… you can see it happening,
Dialogue: 0,0:02:48.38,0:02:52.22,Default,,0000,0000,0000,,it’s happening on that CPU. It has got\Naccess to all of the main memory.
Dialogue: 0,0:02:52.22,0:02:56.09,Default,,0000,0000,0000,,So that includes FCRAM,
Dialogue: 0,0:02:56.09,0:03:01.04,Default,,0000,0000,0000,,which is 128MB or 256MB,
Dialogue: 0,0:03:01.04,0:03:04.73,Default,,0000,0000,0000,,depending on which model it is.\NAnd FCRAM is actually divided
Dialogue: 0,0:03:04.73,0:03:09.13,Default,,0000,0000,0000,,into 3 separate regions. So you\Nfirst got the Application Region,
Dialogue: 0,0:03:09.13,0:03:12.52,Default,,0000,0000,0000,,which contains the currently\Nrunning game or application.
Dialogue: 0,0:03:12.52,0:03:17.20,Default,,0000,0000,0000,,The System Region, which contains applets,\Nwhich are basically tiny applications,
Dialogue: 0,0:03:17.20,0:03:20.05,Default,,0000,0000,0000,,which run in the background.\NSo, that includes the home menu,
Dialogue: 0,0:03:20.05,0:03:23.39,Default,,0000,0000,0000,,which is actually always running\Nin background, and the web browser,
Dialogue: 0,0:03:23.39,0:03:25.89,Default,,0000,0000,0000,,which you can actually run at\Nthe same time as your game, so
Dialogue: 0,0:03:25.89,0:03:28.86,Default,,0000,0000,0000,,it has to run there. And then you got the\NBase Region, which is more interesting.
Dialogue: 0,0:03:28.86,0:03:31.05,Default,,0000,0000,0000,,It contains all the system modules\Nof the operating system,
Dialogue: 0,0:03:31.05,0:03:35.26,Default,,0000,0000,0000,,as well as some kernel data,\Nsuch as handle tables
Dialogue: 0,0:03:35.26,0:03:39.84,Default,,0000,0000,0000,,and MMU tables. So it is kind of sensitive\Nstuff. And then we got a WRAM,
Dialogue: 0,0:03:39.84,0:03:44.33,Default,,0000,0000,0000,,which is tiny and contains all\Nthe kernel code, and, well,
Dialogue: 0,0:03:44.33,0:03:49.55,Default,,0000,0000,0000,,most of the kernel structures as well.\NSo it’s also an interesting target.
Dialogue: 0,0:03:49.55,0:03:55.16,Default,,0000,0000,0000,,Then we’ve got the lower part, which\Nis the ARM9 part of the hardware.
Dialogue: 0,0:03:55.16,0:03:58.27,Default,,0000,0000,0000,,So the ARM9 is basically a separate, well…
Dialogue: 0,0:03:58.27,0:04:02.79,Default,,0000,0000,0000,,it’s an entirely separate CPU,\Nwhich has access to…
Dialogue: 0,0:04:02.79,0:04:06.76,Default,,0000,0000,0000,,well… So it runs basically the\Nsame microkernel as the ARM11.
Dialogue: 0,0:04:06.76,0:04:11.60,Default,,0000,0000,0000,,It’s mostly the same code,\Nit has just got some pure features.
Dialogue: 0,0:04:11.60,0:04:14.63,Default,,0000,0000,0000,,Mostly it runs a single process,\Nwhich is called ‘Process9’,
Dialogue: 0,0:04:14.63,0:04:19.40,Default,,0000,0000,0000,,which does everything the ARM9 does.\NBeyond that the role of the ARM9 is
Dialogue: 0,0:04:19.40,0:04:24.26,Default,,0000,0000,0000,,to broker access to hardware that\Nmight be sensitive in terms of security.
Dialogue: 0,0:04:24.26,0:04:29.32,Default,,0000,0000,0000,,So one of the things it does is it\Nbrokers access to all storage media,
Dialogue: 0,0:04:29.32,0:04:33.59,Default,,0000,0000,0000,,so that includes the permanent\Nstorage as well as the SD card.
Dialogue: 0,0:04:33.59,0:04:38.45,Default,,0000,0000,0000,,And then it does all sorts of crypto\Nstuff, which is really important,
Dialogue: 0,0:04:38.45,0:04:43.93,Default,,0000,0000,0000,,and does that by using hardware, actually.\NSo there is this hardware key scrambler,
Dialogue: 0,0:04:43.93,0:04:48.26,Default,,0000,0000,0000,,which is used to.. to store\Nsecrets in hardware basically.
Dialogue: 0,0:04:48.26,0:04:51.10,Default,,0000,0000,0000,,The idea is, you feed\Nit two separate keys,
Dialogue: 0,0:04:51.10,0:04:54.98,Default,,0000,0000,0000,,and it is going to generate a\Nnormal key and feed that directly
Dialogue: 0,0:04:54.98,0:04:59.26,Default,,0000,0000,0000,,into the hardware implementation\Nof the AES algorithm.
Dialogue: 0,0:04:59.26,0:05:02.34,Default,,0000,0000,0000,,So that way, we never\Nactually see the final keys.
Dialogue: 0,0:05:02.34,0:05:06.43,Default,,0000,0000,0000,,So that’s something that\Nis kind of annoying.
Dialogue: 0,0:05:06.43,0:05:10.10,Default,,0000,0000,0000,,And then beyond that what you can see is:\Nthe ARM9 has access to all of main memory
Dialogue: 0,0:05:10.10,0:05:13.89,Default,,0000,0000,0000,,without much of, well, without any\Nrestrictions. But it has also got
Dialogue: 0,0:05:13.89,0:05:17.79,Default,,0000,0000,0000,,its own internal memory which the\NARM11 does not have access to.
Dialogue: 0,0:05:17.79,0:05:21.35,Default,,0000,0000,0000,,So the ARM9 internal memory is\Nwhere the ARM9 stores all its code,
Dialogue: 0,0:05:21.35,0:05:26.60,Default,,0000,0000,0000,,all of its data; and this way we\Ncan’t actually take over the ARM9
Dialogue: 0,0:05:26.60,0:05:33.34,Default,,0000,0000,0000,,just from the ARM11 without some kind of\Nexploit. So it’s basically a security CPU.
Dialogue: 0,0:05:33.34,0:05:36.73,Default,,0000,0000,0000,,So this leads us to having\N4 layers of security.
Dialogue: 0,0:05:36.73,0:05:39.94,Default,,0000,0000,0000,,Basically, you’re first going to have\Nthe ARM11 userland, which is what…
Dialogue: 0,0:05:39.94,0:05:43.55,Default,,0000,0000,0000,,well, like your games, your applications,\Nwhatever. On top of that,
Dialogue: 0,0:05:43.55,0:05:48.63,Default,,0000,0000,0000,,you’re going to have, well, below\Nthat, I guess, the ARM11 kernel.
Dialogue: 0,0:05:48.63,0:05:51.81,Default,,0000,0000,0000,,So that is going to have\Nfull privileges on the ARM11.
Dialogue: 0,0:05:51.81,0:05:55.30,Default,,0000,0000,0000,,And then you’re going to have\NARM9 userland, which is ‘Process9’.
Dialogue: 0,0:05:55.30,0:05:59.56,Default,,0000,0000,0000,,Beyond that you’ll have ARM9\Nkernel mode. So that’s in theory.
Dialogue: 0,0:05:59.56,0:06:04.38,Default,,0000,0000,0000,,In practice, the microkernel\Nhas a system call,
Dialogue: 0,0:06:04.38,0:06:09.28,Default,,0000,0000,0000,,which we call… syscall…\Nwe call it ‘svc backdoor’.
Dialogue: 0,0:06:09.28,0:06:13.51,Default,,0000,0000,0000,,Because essentially you feed it a\Nfunction pointer and it just executes
Dialogue: 0,0:06:13.51,0:06:16.97,Default,,0000,0000,0000,,that function in kernel mode.\NSo you don’t even need an exploit
Dialogue: 0,0:06:16.97,0:06:20.89,Default,,0000,0000,0000,,if you have access to that syscall.\NOf course, on the ARM11
Dialogue: 0,0:06:20.89,0:06:25.30,Default,,0000,0000,0000,,no application or title or anything\Never has access to that,
Dialogue: 0,0:06:25.30,0:06:29.56,Default,,0000,0000,0000,,but on the ARM9 ‘Process9’ actually\Nhas access to it. Which means,
Dialogue: 0,0:06:29.56,0:06:34.05,Default,,0000,0000,0000,,that from here we actually…\Nwell, userland and kernel mode
Dialogue: 0,0:06:34.05,0:06:37.77,Default,,0000,0000,0000,,are basically the same thing.\NWhen you got userland on the ARM9,
Dialogue: 0,0:06:37.77,0:06:41.02,Default,,0000,0000,0000,,you got kernel mode.\NSo that’s nice.
Dialogue: 0,0:06:41.02,0:06:44.95,Default,,0000,0000,0000,,Beyond that, in terms of\Ncryptography on the system,
Dialogue: 0,0:06:44.95,0:06:49.03,Default,,0000,0000,0000,,basically, they went out loud (?). So, anything\Nthat can be signed, is signed.
Dialogue: 0,0:06:49.03,0:06:51.57,Default,,0000,0000,0000,,So, that includes the firmware,\Nthat includes every application.
Dialogue: 0,0:06:51.57,0:06:55.48,Default,,0000,0000,0000,,Signatures are checked not only\Nat install time but also at runtime,
Dialogue: 0,0:06:55.48,0:06:58.75,Default,,0000,0000,0000,,so that’s something to keep in mind.
Dialogue: 0,0:06:58.75,0:07:02.89,Default,,0000,0000,0000,,Same thing: anything that can\Nbe encrypted is encrypted.
Dialogue: 0,0:07:02.89,0:07:07.65,Default,,0000,0000,0000,,And anything that can be made, well,\Nconsole-specific through cryptography
Dialogue: 0,0:07:07.65,0:07:13.27,Default,,0000,0000,0000,,or authentication, such as\Ninternal permanent storage
Dialogue: 0,0:07:13.27,0:07:17.51,Default,,0000,0000,0000,,or the data that is stored on\Nthe SD card, or savegames,
Dialogue: 0,0:07:17.51,0:07:22.74,Default,,0000,0000,0000,,or extra data for games, this\Nis all made console-specific.
Dialogue: 0,0:07:22.74,0:07:26.51,Default,,0000,0000,0000,,And gamecard-specific in\Nregards of savegames.
Dialogue: 0,0:07:26.51,0:07:31.47,Default,,0000,0000,0000,,So, that’s kind of annoying as well. And,\Nof course, all this is handled by the ARM9
Dialogue: 0,0:07:31.47,0:07:35.59,Default,,0000,0000,0000,,using the hardware… the crypto\Nhardware, so we got to get through that
Dialogue: 0,0:07:35.59,0:07:38.19,Default,,0000,0000,0000,,if we want to do interesting things.
Dialogue: 0,0:07:38.19,0:07:43.86,Default,,0000,0000,0000,,So, first we are going to go through the\Nfirst layer, which is the ARM11 userland.
Dialogue: 0,0:07:43.86,0:07:47.32,Default,,0000,0000,0000,,Basically, getting a full\Nhold onto the system.
Dialogue: 0,0:07:47.32,0:07:51.37,Default,,0000,0000,0000,,So, we first need to find\Nsome kind of entry point.
Dialogue: 0,0:07:51.37,0:07:55.78,Default,,0000,0000,0000,,There are problems… well,\Nthere are challenges there.
Dialogue: 0,0:07:55.78,0:07:59.76,Default,,0000,0000,0000,,One of the challenges is\Nthat the system implements
Dialogue: 0,0:07:59.76,0:08:05.08,Default,,0000,0000,0000,,strict Data Execution Prevention. So,\Nexisting pages will never be read…
Dialogue: 0,0:08:05.08,0:08:09.29,Default,,0000,0000,0000,,well, will never be read-write-executable.\NIt’s all only going to be read-only,
Dialogue: 0,0:08:09.29,0:08:13.48,Default,,0000,0000,0000,,or read-writable or read-executable.\NThere’s no way from a standard application
Dialogue: 0,0:08:13.48,0:08:18.08,Default,,0000,0000,0000,,to reprotect or map new pages\Nthat are read-write-executable.
Dialogue: 0,0:08:18.08,0:08:22.18,Default,,0000,0000,0000,,Because all of the system\Ncalls are locked out, except for
Dialogue: 0,0:08:22.18,0:08:26.40,Default,,0000,0000,0000,,higher privileged system\Nmodules. Another thing is
Dialogue: 0,0:08:26.40,0:08:29.84,Default,,0000,0000,0000,,that there is no ASLR, so that is not\Na challenge, that’s actually kind of nice.
Dialogue: 0,0:08:29.84,0:08:34.02,Default,,0000,0000,0000,,The nice thing here is that we… well,\Nthat makes savegame vulnerabilities
Dialogue: 0,0:08:34.02,0:08:37.01,Default,,0000,0000,0000,,totally fair game because, well, we don’t\Nneed an actual scripting environment
Dialogue: 0,0:08:37.01,0:08:40.64,Default,,0000,0000,0000,,or any kind of exotic\Nvulnerability to exploit this.
Dialogue: 0,0:08:40.64,0:08:44.93,Default,,0000,0000,0000,,As long as we can get past\NDEP somehow. And then,
Dialogue: 0,0:08:44.93,0:08:48.99,Default,,0000,0000,0000,,of course, the fact that all\Nsavegames are both encrypted
Dialogue: 0,0:08:48.99,0:08:52.96,Default,,0000,0000,0000,,and made specific either to the\Ngamecard or the game console,
Dialogue: 0,0:08:52.96,0:08:57.63,Default,,0000,0000,0000,,in the case of eShop games, is really\Nannoying for savegame vulnerabilities
Dialogue: 0,0:08:57.63,0:09:01.45,Default,,0000,0000,0000,,because basically you can’t use those\Nas an initial entry point in most cases,
Dialogue: 0,0:09:01.45,0:09:05.46,Default,,0000,0000,0000,,because, well, you can’t generate\Nthe right, well, ES MAC,
Dialogue: 0,0:09:05.46,0:09:12.16,Default,,0000,0000,0000,,or just… you don’t know the right\Ncryptography. So, that’s annoying.
Dialogue: 0,0:09:12.16,0:09:15.30,Default,,0000,0000,0000,,Thankfully, the 3DS runs Webkit…
Dialogue: 0,0:09:15.30,0:09:18.47,Default,,0000,0000,0000,,{\i1}laughter{\i0}
Dialogue: 0,0:09:18.47,0:09:21.78,Default,,0000,0000,0000,,So, that’s nice.\NCan always use that.
Dialogue: 0,0:09:21.78,0:09:26.40,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:09:26.40,0:09:29.69,Default,,0000,0000,0000,,So, Webkit is used in a number of places,\Nobviously it’s using the main web browser,
Dialogue: 0,0:09:29.69,0:09:32.81,Default,,0000,0000,0000,,which you can access from the home menu.\NIt’s also used in the Youtube application,
Dialogue: 0,0:09:32.81,0:09:37.21,Default,,0000,0000,0000,,which is available free on the eShop\Nand doesn’t use any kind of
Dialogue: 0,0:09:37.21,0:09:41.18,Default,,0000,0000,0000,,client side authentication for the server,\Nso you can just redirect traffic through,
Dialogue: 0,0:09:41.18,0:09:46.59,Default,,0000,0000,0000,,like a DNS server for example. Miiverse\Napplet, other stuff, that also uses it.
Dialogue: 0,0:09:46.59,0:09:50.87,Default,,0000,0000,0000,,Slightly more secure, but might be\Nusable at some point, I don’t know.
Dialogue: 0,0:09:50.87,0:09:54.90,Default,,0000,0000,0000,,Anywho, the important part here,\Nis that it’s not only using webkit,
Dialogue: 0,0:09:54.90,0:09:59.31,Default,,0000,0000,0000,,it is using a very old version of webkit.\NBasically, they do cherrypick
Dialogue: 0,0:09:59.31,0:10:03.29,Default,,0000,0000,0000,,some patches into the version\Nof webkit they use, but only
Dialogue: 0,0:10:03.29,0:10:10.04,Default,,0000,0000,0000,,after we exploit those on release, so it\Ncomes a little too late, most of the time.
Dialogue: 0,0:10:10.04,0:10:15.69,Default,,0000,0000,0000,,So yeah, this has been used by multiple\Npeople, most notably yellows8,
Dialogue: 0,0:10:15.69,0:10:21.58,Default,,0000,0000,0000,,but it has proven to be a very\Nefficient, reliable entry point.
Dialogue: 0,0:10:21.58,0:10:25.69,Default,,0000,0000,0000,,Beyond that, we got Cubic Ninja as initial\Nentry point. Cubic Ninja is a game
Dialogue: 0,0:10:25.69,0:10:30.02,Default,,0000,0000,0000,,that was released in 2011 on Nintendo\N3DS. It is nice, because it actually
Dialogue: 0,0:10:30.02,0:10:34.35,Default,,0000,0000,0000,,allows users to share levels\Nthat they make themselves
Dialogue: 0,0:10:34.35,0:10:40.85,Default,,0000,0000,0000,,through QR codes; and also it is\Nreally bad at parsing those levels.
Dialogue: 0,0:10:40.85,0:10:44.91,Default,,0000,0000,0000,,So what you can do, is just, well,\Nmanufacture your own QR code
Dialogue: 0,0:10:44.91,0:10:47.74,Default,,0000,0000,0000,,that is going to crash the game\Nand give you access. So these are
Dialogue: 0,0:10:47.74,0:10:52.53,Default,,0000,0000,0000,,nice initial entry points. So, once we’ve\Ngot this, what we have to remember is
Dialogue: 0,0:10:52.53,0:10:56.02,Default,,0000,0000,0000,,that we might be able to crash the game\Nand may be able to control registers,
Dialogue: 0,0:10:56.02,0:11:00.55,Default,,0000,0000,0000,,but we don’t actually have our code\Nrunning because of that. So,
Dialogue: 0,0:11:00.55,0:11:04.20,Default,,0000,0000,0000,,the obvious solution to\Nhit this, is to use ROP.
Dialogue: 0,0:11:04.20,0:11:07.77,Default,,0000,0000,0000,,For those of you, who are\Nnot familiar with ROP:
Dialogue: 0,0:11:07.77,0:11:11.73,Default,,0000,0000,0000,,You build your own fake stack\Nthat lets you return into
Dialogue: 0,0:11:11.73,0:11:15.90,Default,,0000,0000,0000,,code snippets that are located right\Nbefore return instructions. That way…
Dialogue: 0,0:11:15.90,0:11:20.75,Default,,0000,0000,0000,,so this is an example. You can just
Dialogue: 0,0:11:20.75,0:11:24.78,Default,,0000,0000,0000,,jump to this kind of instruction,\Nso ‘pop {r0, pc}’ and then
Dialogue: 0,0:11:24.78,0:11:29.22,Default,,0000,0000,0000,,this is going to let you load your own\Nregister value and then it is going to
Dialogue: 0,0:11:29.22,0:11:33.87,Default,,0000,0000,0000,,jump to the next instruction that you give\Nit. So, this is a way of executing code
Dialogue: 0,0:11:33.87,0:11:37.58,Default,,0000,0000,0000,,without actually executing code,\Nwhich is widely used; so this is like
Dialogue: 0,0:11:37.58,0:11:42.08,Default,,0000,0000,0000,,the obvious thing to do. Of course,\NROP is annoying. It is very limiting.
Dialogue: 0,0:11:42.08,0:11:47.56,Default,,0000,0000,0000,,It can be enough to actually execute\Nan exploit to get higher privileges,
Dialogue: 0,0:11:47.56,0:11:53.15,Default,,0000,0000,0000,,but overall it is just annoying and very\Nlimiting for homebrew, for example.
Dialogue: 0,0:11:53.15,0:11:56.00,Default,,0000,0000,0000,,And of course, as I mentioned earlier, we\Ndon’t have access to any of the system calls
Dialogue: 0,0:11:56.00,0:12:01.01,Default,,0000,0000,0000,,that would let us map\Nread-writable-executable pages.
Dialogue: 0,0:12:01.01,0:12:04.85,Default,,0000,0000,0000,,Also, the system does support dynamically\Nlinked libraries, so that might be a way,
Dialogue: 0,0:12:04.85,0:12:09.56,Default,,0000,0000,0000,,but these are signed and checked in\Nplaces that we can’t access at this point.
Dialogue: 0,0:12:09.56,0:12:13.96,Default,,0000,0000,0000,,So, what we’re going to look\Nat next is the GPU to see
Dialogue: 0,0:12:13.96,0:12:19.07,Default,,0000,0000,0000,,if we use that to bypass that.\NWhat you can see here is that
Dialogue: 0,0:12:19.07,0:12:23.22,Default,,0000,0000,0000,,the GPU has access not only to\Nvideo RAM, but also to FCRAM,
Dialogue: 0,0:12:23.22,0:12:26.42,Default,,0000,0000,0000,,which is, if you recall it, main\Nmemory. So, if you look at this,
Dialogue: 0,0:12:26.42,0:12:30.54,Default,,0000,0000,0000,,with all the different memory regions,
Dialogue: 0,0:12:30.54,0:12:33.48,Default,,0000,0000,0000,,we have got the Application Region\Nhere, which is entirely contained within
Dialogue: 0,0:12:33.48,0:12:38.70,Default,,0000,0000,0000,,what the GPU can access within FCRAM.\NOf course, the GPU can not actually access
Dialogue: 0,0:12:38.70,0:12:42.79,Default,,0000,0000,0000,,all of that FCRAM, so that is kind\Nof limiting. What we can see here,
Dialogue: 0,0:12:42.79,0:12:49.28,Default,,0000,0000,0000,,is that, of course, application code is\Nwithin range of the GPU’s level of access.
Dialogue: 0,0:12:49.28,0:12:53.25,Default,,0000,0000,0000,,The reason the GPU has access to\NFCRAM and Video RAM, through DMA,
Dialogue: 0,0:12:53.25,0:12:58.21,Default,,0000,0000,0000,,by the way, is, so that it can access\Ninformation such as textures,
Dialogue: 0,0:12:58.21,0:13:01.03,Default,,0000,0000,0000,,vertex buffers, this sort of thing.
Dialogue: 0,0:13:01.03,0:13:04.24,Default,,0000,0000,0000,,So, it’s actually kind of important. And\Nthe reason it can write to it is because
Dialogue: 0,0:13:04.24,0:13:08.73,Default,,0000,0000,0000,,it has to render its data somewhere.\NThe point is, that we can use this
Dialogue: 0,0:13:08.73,0:13:12.05,Default,,0000,0000,0000,,to render data into main memory.
Dialogue: 0,0:13:12.05,0:13:16.49,Default,,0000,0000,0000,,And main memory contains application\Ncode. And since the physical layout is
Dialogue: 0,0:13:16.49,0:13:20.20,Default,,0000,0000,0000,,actually completely deterministic, and\Neven if it wasn’t, we could just use the
Dialogue: 0,0:13:20.20,0:13:23.58,Default,,0000,0000,0000,,read capabilities of the GPU to\Nsearch for what we are looking for.
Dialogue: 0,0:13:23.58,0:13:27.97,Default,,0000,0000,0000,,Well, we can use this to overwrite our\Ncurrent application’s text section
Dialogue: 0,0:13:27.97,0:13:32.61,Default,,0000,0000,0000,,and we get code execution\Nthat way, in spite of DEP.
Dialogue: 0,0:13:32.61,0:13:34.44,Default,,0000,0000,0000,,Yeah, so this is where\Nwe get code execution…
Dialogue: 0,0:13:34.44,0:13:35.28,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:13:35.28,0:13:37.78,Default,,0000,0000,0000,,We execute our own,\Nunsigned code, which is very…
Dialogue: 0,0:13:37.78,0:13:39.83,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:13:39.83,0:13:44.52,Default,,0000,0000,0000,,It’s great, but we are still confined\Nwithin the application sandbox.
Dialogue: 0,0:13:44.52,0:13:47.45,Default,,0000,0000,0000,,So, we bypassed DEP,\Nwe are inside the sandbox.
Dialogue: 0,0:13:47.45,0:13:53.14,Default,,0000,0000,0000,,This means we can only access\Nour current application’s savedata,
Dialogue: 0,0:13:53.14,0:13:58.12,Default,,0000,0000,0000,,so if we want to install some kind of\Nsecondary exploit, this is too limiting.
Dialogue: 0,0:13:58.12,0:14:02.19,Default,,0000,0000,0000,,We can only access certain services and\Nsystem calls, which is also limiting
Dialogue: 0,0:14:02.19,0:14:06.20,Default,,0000,0000,0000,,and frustrating. And we can’t alter\Nmemory layout, so we can’t allocate
Dialogue: 0,0:14:06.20,0:14:08.77,Default,,0000,0000,0000,,more executable pages\Nthan I mentioned earlier.
Dialogue: 0,0:14:08.77,0:14:10.78,Default,,0000,0000,0000,,So, we are still kind\Nof limited at this point.
Dialogue: 0,0:14:10.78,0:14:14.68,Default,,0000,0000,0000,,So, what we are going to do, is look at\Nwhat else the GPU can access.
Dialogue: 0,0:14:14.68,0:14:18.63,Default,,0000,0000,0000,,And you can see, is that, of course, there\Nis this entirely separate memory region
Dialogue: 0,0:14:18.63,0:14:21.78,Default,,0000,0000,0000,,the GPU can modify.
Dialogue: 0,0:14:21.78,0:14:24.86,Default,,0000,0000,0000,,So it can access most of the System\NRegion. And the System Region contains
Dialogue: 0,0:14:24.86,0:14:27.51,Default,,0000,0000,0000,,a few things. It contains the home menu, as\NI mentioned, because that is an applet.
Dialogue: 0,0:14:27.51,0:14:31.50,Default,,0000,0000,0000,,It contains the internet browser, and it\Ncontains actually a single system module,
Dialogue: 0,0:14:31.50,0:14:38.02,Default,,0000,0000,0000,,which is called ‘NS’, which we think stands\Nfor ‘Nintendo Shell’, we don’t really know.
Dialogue: 0,0:14:38.02,0:14:42.81,Default,,0000,0000,0000,,So, let’s look at this. First we got\NNS code well beyond the GPU cutoff.
Dialogue: 0,0:14:42.81,0:14:46.11,Default,,0000,0000,0000,,We got menu code, which is\Nalso well beyond GPU cutoff.
Dialogue: 0,0:14:46.11,0:14:51.31,Default,,0000,0000,0000,,But we got the menu’s heap, right here,\Nwell, actually there is separate heaps,
Dialogue: 0,0:14:51.31,0:14:55.09,Default,,0000,0000,0000,,these are well within the\NGPU’s range, so that’s good.
Dialogue: 0,0:14:55.09,0:14:59.83,Default,,0000,0000,0000,,NS unfortunately is still well beyond the\Ncutoff. All of its data, all of its code.
Dialogue: 0,0:14:59.83,0:15:03.06,Default,,0000,0000,0000,,So we apparently can’t get to that.
Dialogue: 0,0:15:03.06,0:15:07.83,Default,,0000,0000,0000,,So, then the idea is, to just,\Nwell, okay, so actually…
Dialogue: 0,0:15:07.83,0:15:11.03,Default,,0000,0000,0000,,What’s interesting here, is that\Nthe cutoff is right before the end of
Dialogue: 0,0:15:11.03,0:15:14.20,Default,,0000,0000,0000,,the System Region, which as we just\Nsaw, has some interesting things, but
Dialogue: 0,0:15:14.20,0:15:18.68,Default,,0000,0000,0000,,also excludes all of Base Region,\Nwhich also has very interesting things.
Dialogue: 0,0:15:18.68,0:15:23.67,Default,,0000,0000,0000,,So, it seems likely that Nintendo knew\Nabout the capabilities of GPU DMA,
Dialogue: 0,0:15:23.67,0:15:27.48,Default,,0000,0000,0000,,like the theoretical capabilities, but\Nthey didn’t do anything about it.
Dialogue: 0,0:15:27.48,0:15:30.90,Default,,0000,0000,0000,,So, it seems that they probably didn’t\Nrealize what we could do with it,
Dialogue: 0,0:15:30.90,0:15:33.22,Default,,0000,0000,0000,,which is a lot.
Dialogue: 0,0:15:33.22,0:15:37.63,Default,,0000,0000,0000,,So, basically, we got menu heaps. So\Nwhat we do, is… we have a heap, and
Dialogue: 0,0:15:37.63,0:15:42.40,Default,,0000,0000,0000,,this is all C++ code. We are just\Ngoing to find objects inside the heap
Dialogue: 0,0:15:42.40,0:15:46.79,Default,,0000,0000,0000,,and overwrite it. So it’s pretty simple.\NJust find an object, that is going to be
Dialogue: 0,0:15:46.79,0:15:50.30,Default,,0000,0000,0000,,triggered to some kind of synchronisation\Nmechanism. In this case, it’s gonna be
Dialogue: 0,0:15:50.30,0:15:55.01,Default,,0000,0000,0000,,just ‘Return to Menu’. And we\Ncreate some kind of vague vtable
Dialogue: 0,0:15:55.01,0:15:59.56,Default,,0000,0000,0000,,and get it to run our own\Nstack pivot. And then we get…
Dialogue: 0,0:15:59.56,0:16:03.30,Default,,0000,0000,0000,,we get ROP execution under\NHome menu, which is cool.
Dialogue: 0,0:16:03.30,0:16:07.06,Default,,0000,0000,0000,,We still don’t have code execution\Nin the Home menu, but that’s okay.
Dialogue: 0,0:16:07.06,0:16:10.63,Default,,0000,0000,0000,,So, we can do a bunch of stuff from ROP.
Dialogue: 0,0:16:10.63,0:16:16.18,Default,,0000,0000,0000,,We can access a new system\Nservice, which is called ‘ns:s’,
Dialogue: 0,0:16:16.18,0:16:19.89,Default,,0000,0000,0000,,which is very helpful, because it can\Nkill any arbitrary process, as well as
Dialogue: 0,0:16:19.89,0:16:24.93,Default,,0000,0000,0000,,create new ones. Also it gives us access\Nto SD card, which most applications
Dialogue: 0,0:16:24.93,0:16:29.69,Default,,0000,0000,0000,,actually don’t have. And it lets us\Ndecrypt/dump any title on the system.
Dialogue: 0,0:16:29.69,0:16:34.30,Default,,0000,0000,0000,,So any game, even if it uses new\Ncryptography that Nintendo introduced,
Dialogue: 0,0:16:34.30,0:16:38.23,Default,,0000,0000,0000,,we can actually dump that, because\Nfor some reason, well, Home menu
Dialogue: 0,0:16:38.23,0:16:41.89,Default,,0000,0000,0000,,apparently needs access to\Nthat. And then we can also
Dialogue: 0,0:16:41.89,0:16:47.49,Default,,0000,0000,0000,,access and overwrite all that extra data\Nused by any application, which is great.
Dialogue: 0,0:16:47.49,0:16:50.38,Default,,0000,0000,0000,,So we use this as a base\Nfor running homebrew.
Dialogue: 0,0:16:50.38,0:16:54.92,Default,,0000,0000,0000,,Our homebrew launcher is\Nessentially just a service
Dialogue: 0,0:16:54.92,0:16:58.81,Default,,0000,0000,0000,,that runs in the background under Home\Nmenu process. It is written in ROP,
Dialogue: 0,0:16:58.81,0:17:02.37,Default,,0000,0000,0000,,which is kind of disgusting, but it works.\N{\i1}laughter{\i0}
Dialogue: 0,0:17:02.37,0:17:05.100,Default,,0000,0000,0000,,The ‘Service’ handles running homebrew,\Nso the process is very simple. You just
Dialogue: 0,0:17:05.100,0:17:09.36,Default,,0000,0000,0000,,kill off the current application, you\Nspawn a new one, and then you take it over
Dialogue: 0,0:17:09.36,0:17:15.02,Default,,0000,0000,0000,,using the GPU DMA access.\NAnd then, what we do is
Dialogue: 0,0:17:15.02,0:17:19.49,Default,,0000,0000,0000,,we send all of these new capabilities that\Nwe got through handles to the new process
Dialogue: 0,0:17:19.49,0:17:23.56,Default,,0000,0000,0000,,and that gives us some\Nhigher privilege homebrew.
Dialogue: 0,0:17:23.56,0:17:30.19,Default,,0000,0000,0000,,It also handles events, such as Home\Nbutton, Power button, all that good stuff.
Dialogue: 0,0:17:30.19,0:17:33.75,Default,,0000,0000,0000,,Which is nice, because we can actually\Nrun code under any arbitrary application
Dialogue: 0,0:17:33.75,0:17:37.93,Default,,0000,0000,0000,,or game, so we can actually modify\Nthese games. We can run ROM hacks.
Dialogue: 0,0:17:37.93,0:17:41.18,Default,,0000,0000,0000,,So there has been a bunch of translations\Nthat can be run through this, for games
Dialogue: 0,0:17:41.18,0:17:44.47,Default,,0000,0000,0000,,that haven’t come out outside\Nof Japan, so that’s pretty nice.
Dialogue: 0,0:17:44.47,0:17:46.89,Default,,0000,0000,0000,,It’s the same principle, you just\Nlaunch the app, you take it over,
Dialogue: 0,0:17:46.89,0:17:50.77,Default,,0000,0000,0000,,you pass the code, and then\Nyou jump to it, essentially.
Dialogue: 0,0:17:50.77,0:17:53.96,Default,,0000,0000,0000,,All within the confines of\Nuserland, which is nice.
Dialogue: 0,0:17:53.96,0:17:59.60,Default,,0000,0000,0000,,So, the other thing is, we can actually\Naccess any game or application’s data
Dialogue: 0,0:17:59.60,0:18:03.46,Default,,0000,0000,0000,,because we can run code under\Nit. So, these things include
Dialogue: 0,0:18:03.46,0:18:07.97,Default,,0000,0000,0000,,savegame data for any game. So we\Ncan actually install more convenient
Dialogue: 0,0:18:07.97,0:18:11.98,Default,,0000,0000,0000,,secondary entry points, which do not\Nrely on the browser, which can be
Dialogue: 0,0:18:11.98,0:18:15.75,Default,,0000,0000,0000,,patched any moment, or on some old game.
Dialogue: 0,0:18:15.75,0:18:21.02,Default,,0000,0000,0000,,So, some examples include ‘Menuhax’\Nby yellows8, which exploits
Dialogue: 0,0:18:21.02,0:18:27.54,Default,,0000,0000,0000,,faulty theme handling code, which\Nwas introduced in firmware 9.0.
Dialogue: 0,0:18:27.54,0:18:30.52,Default,,0000,0000,0000,,Which is really nice, because this way,\Nyou can actually just run homebrew
Dialogue: 0,0:18:30.52,0:18:35.36,Default,,0000,0000,0000,,right as Home menu is opened,\Nso right on boot time,
Dialogue: 0,0:18:35.36,0:18:38.93,Default,,0000,0000,0000,,which is great. Then you got other games.\NOf course you got a Zelda game
Dialogue: 0,0:18:38.93,0:18:41.62,Default,,0000,0000,0000,,that’s vulnerable.\N{\i1}audience chuckles{\i0}
Dialogue: 0,0:18:41.62,0:18:44.55,Default,,0000,0000,0000,,This time it wasn’t the\Nhorse’s name, but pretty similar.
Dialogue: 0,0:18:44.55,0:18:48.39,Default,,0000,0000,0000,,And then you got other games. We\Ngot tons of entry points at this point.
Dialogue: 0,0:18:48.39,0:18:54.100,Default,,0000,0000,0000,,We’re really, literally drowning\Nin them. So, this is nice.
Dialogue: 0,0:18:54.100,0:18:58.75,Default,,0000,0000,0000,,But we forgot about ‘Nintendo Shell’,\Nright? It’s a very attractive target,
Dialogue: 0,0:18:58.75,0:19:03.09,Default,,0000,0000,0000,,for a couple of reasons. For one thing,\Nit has access the ‘am:u’ service,
Dialogue: 0,0:19:03.09,0:19:05.93,Default,,0000,0000,0000,,which can be used to\Ndowngrade any system title.
Dialogue: 0,0:19:05.93,0:19:09.60,Default,,0000,0000,0000,,It’s not actually designed to downgrade\Ntitles, the thing is, you can both
Dialogue: 0,0:19:09.60,0:19:13.20,Default,,0000,0000,0000,,install and uninstall titles.\NSo, what happens is,
Dialogue: 0,0:19:13.20,0:19:16.64,Default,,0000,0000,0000,,if you uninstall a title, and\Nthen install an older version
Dialogue: 0,0:19:16.64,0:19:19.21,Default,,0000,0000,0000,,of that title, you actually\Nbypass the version check.
Dialogue: 0,0:19:19.21,0:19:22.21,Default,,0000,0000,0000,,So, you can just do that to\Ndowngrade any system title
Dialogue: 0,0:19:22.21,0:19:27.70,Default,,0000,0000,0000,,and bring back old exploits,\Nif that is necessary.
Dialogue: 0,0:19:27.70,0:19:30.32,Default,,0000,0000,0000,,Assuming you have\Naccess to the service.
Dialogue: 0,0:19:30.32,0:19:32.68,Default,,0000,0000,0000,,And of course it’s in a region\Nthat we can partially modify,
Dialogue: 0,0:19:32.68,0:19:35.99,Default,,0000,0000,0000,,so it’s an interesting target.
Dialogue: 0,0:19:35.99,0:19:38.77,Default,,0000,0000,0000,,Unfortunately, we can’t actually\Naccess its data right now.
Dialogue: 0,0:19:38.77,0:19:42.49,Default,,0000,0000,0000,,But maybe we can actually move\Nit to somewhere, where we can.
Dialogue: 0,0:19:42.49,0:19:47.83,Default,,0000,0000,0000,,The idea is, if you were to kill NS, and\Nthen allocate something in it’s place,
Dialogue: 0,0:19:47.83,0:19:52.13,Default,,0000,0000,0000,,then run NS again, you can\Nmove it below the cutoff.
Dialogue: 0,0:19:52.13,0:19:54.52,Default,,0000,0000,0000,,{\i1}laughter{\i0}
Dialogue: 0,0:19:54.52,0:20:01.81,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:20:01.81,0:20:06.37,Default,,0000,0000,0000,,Thanks. But unfortunately\Nit’s not that simple. That can’t work.
Dialogue: 0,0:20:06.37,0:20:10.79,Default,,0000,0000,0000,,The reason being, that we actually need\NNS to be running to launch NS again.
Dialogue: 0,0:20:10.79,0:20:13.37,Default,,0000,0000,0000,,So that kind of sucks.
Dialogue: 0,0:20:13.37,0:20:15.82,Default,,0000,0000,0000,,But… well, no.\NActually we also can’t run
Dialogue: 0,0:20:15.82,0:20:17.96,Default,,0000,0000,0000,,a second instance of NS at the same time,
Dialogue: 0,0:20:17.96,0:20:20.37,Default,,0000,0000,0000,,so we can’t do that either.
Dialogue: 0,0:20:20.37,0:20:23.56,Default,,0000,0000,0000,,But interestingly…\NWell, the 3DS has an interesting feature,
Dialogue: 0,0:20:23.56,0:20:28.20,Default,,0000,0000,0000,,which is called ‘Safe Mode’. Basically\Nit’s a second firmware, which is
Dialogue: 0,0:20:28.20,0:20:32.65,Default,,0000,0000,0000,,an old version of the\Nregular one, and that
Dialogue: 0,0:20:32.65,0:20:37.07,Default,,0000,0000,0000,,creates a bunch of\Ncopies of system titles.
Dialogue: 0,0:20:37.07,0:20:41.50,Default,,0000,0000,0000,,Most of them, anyways. So that gives\Nit a different ID. So, the idea is,
Dialogue: 0,0:20:41.50,0:20:44.25,Default,,0000,0000,0000,,that if it has got a different ID, we\Nmight be able to run it at the same time,
Dialogue: 0,0:20:44.25,0:20:48.13,Default,,0000,0000,0000,,because, well, PM might fail\Nto notice that. Of course it doesn’t.
Dialogue: 0,0:20:48.13,0:20:51.89,Default,,0000,0000,0000,,It actually does notice that. So we can’t\Nrun the Safe Mode version of a title
Dialogue: 0,0:20:51.89,0:20:54.83,Default,,0000,0000,0000,,at the sime time as the regular\Nversion of the title. But,
Dialogue: 0,0:20:54.83,0:20:59.96,Default,,0000,0000,0000,,for some reason, in the case of NS – you\Nmight not be able to see this very well,
Dialogue: 0,0:20:59.96,0:21:04.67,Default,,0000,0000,0000,,but we’ve got NS’s regular title right\Nhere, and then we got Safe Mode NS
Dialogue: 0,0:21:04.67,0:21:07.10,Default,,0000,0000,0000,,right here. And for some reason\Nthey created a new 3DS version
Dialogue: 0,0:21:07.10,0:21:12.07,Default,,0000,0000,0000,,of the Safe Mode version of NS,\Nthough there is no new 3DS version
Dialogue: 0,0:21:12.07,0:21:16.44,Default,,0000,0000,0000,,of the original NS. So that\Ncreates a separate title ID
Dialogue: 0,0:21:16.44,0:21:20.34,Default,,0000,0000,0000,,which we can run at the same time\Nas regular NS. So then, the exploit
Dialogue: 0,0:21:20.34,0:21:25.06,Default,,0000,0000,0000,,becomes very simple. You keep NS running,\Njust allocate enough data, that it will be
Dialogue: 0,0:21:25.06,0:21:29.44,Default,,0000,0000,0000,,below the cutoff; and then you\Njust run new 3DS Safe Mode NS.
Dialogue: 0,0:21:29.44,0:21:33.24,Default,,0000,0000,0000,,And then it’s within range of the GPU\Nand you can take it over and have
Dialogue: 0,0:21:33.24,0:21:36.98,Default,,0000,0000,0000,,access to everything. So, this is nice.
Dialogue: 0,0:21:36.98,0:21:43.51,Default,,0000,0000,0000,,It’s more of an oversight than\Na proper exploit, but whatever.
Dialogue: 0,0:21:43.51,0:21:46.40,Default,,0000,0000,0000,,So this gives us access to a\Nbunch of system calls. Mostly
Dialogue: 0,0:21:46.40,0:21:50.91,Default,,0000,0000,0000,,service handling system calls,\Nso we can post our own service,
Dialogue: 0,0:21:50.91,0:21:54.64,Default,,0000,0000,0000,,which can be useful for other\Nexploits that I won’t get into, for
Dialogue: 0,0:21:54.64,0:21:59.19,Default,,0000,0000,0000,,impersonating other services\Nto other system modules.
Dialogue: 0,0:21:59.19,0:22:02.57,Default,,0000,0000,0000,,And then we got access to all of\Nthese services, which is great.
Dialogue: 0,0:22:02.57,0:22:06.56,Default,,0000,0000,0000,,So we can downgrade\Nsystem titles arbitrarily.
Dialogue: 0,0:22:06.56,0:22:10.53,Default,,0000,0000,0000,,And this runs in background, which\Ncan always be helpful for homebrew.
Dialogue: 0,0:22:10.53,0:22:14.21,Default,,0000,0000,0000,,The only problem is at this point,\Nit’s still new 3DS only, because
Dialogue: 0,0:22:14.21,0:22:20.52,Default,,0000,0000,0000,,it relies on this new 3DS title. But\Nthere are actually ways around that.
Dialogue: 0,0:22:20.52,0:22:24.27,Default,,0000,0000,0000,,This was just to show that we can actually\Nget fairly high levels of privilege,
Dialogue: 0,0:22:24.27,0:22:28.76,Default,,0000,0000,0000,,even still just always staying\Nin userland on the ARM11.
Dialogue: 0,0:22:28.76,0:22:32.20,Default,,0000,0000,0000,,And there are other, similar attacks to\Nthat. If you’re interested you can look up
Dialogue: 0,0:22:32.20,0:22:36.49,Default,,0000,0000,0000,,‘rohax’, which is a similar\Nattack in the system module.
Dialogue: 0,0:22:36.49,0:22:41.23,Default,,0000,0000,0000,,So, now derrek is going to talk to you\Nabout exploiting the ARM11 kernel.
Dialogue: 0,0:22:41.23,0:22:52.28,Default,,0000,0000,0000,,derrek?\N{\i1}applause{\i0}
Dialogue: 0,0:22:52.28,0:22:55.32,Default,,0000,0000,0000,,derrek: So, hi everyone!
Dialogue: 0,0:22:55.32,0:22:59.53,Default,,0000,0000,0000,,First, I will give you some\Nvery short inside view
Dialogue: 0,0:22:59.53,0:23:05.06,Default,,0000,0000,0000,,of the kernel, and then I will\Nexplain how you can exploit
Dialogue: 0,0:23:05.06,0:23:09.27,Default,,0000,0000,0000,,the latest version of the ARM11 kernel.
Dialogue: 0,0:23:09.27,0:23:12.19,Default,,0000,0000,0000,,So,
Dialogue: 0,0:23:12.19,0:23:16.20,Default,,0000,0000,0000,,this is actually Nintendo’s very\Nfirst gaming console kernel.
Dialogue: 0,0:23:16.20,0:23:20.68,Default,,0000,0000,0000,,Like on any other older console,
Dialogue: 0,0:23:20.68,0:23:26.20,Default,,0000,0000,0000,,there was no kernel. All games\Nwere just running on bare metal.
Dialogue: 0,0:23:26.20,0:23:31.50,Default,,0000,0000,0000,,Like there was a kernel for the Wii,
Dialogue: 0,0:23:31.50,0:23:36.21,Default,,0000,0000,0000,,like a very small microkernel\Nrunning on the security processor,
Dialogue: 0,0:23:36.21,0:23:41.04,Default,,0000,0000,0000,,but that wasn’t written by Nintendo.
Dialogue: 0,0:23:41.04,0:23:44.83,Default,,0000,0000,0000,,So it’s their very first\Ngaming console kernel.
Dialogue: 0,0:23:44.83,0:23:50.79,Default,,0000,0000,0000,,That kernel is made to be thread safe,
Dialogue: 0,0:23:50.79,0:23:54.83,Default,,0000,0000,0000,,so it can run on multiple cores
Dialogue: 0,0:23:54.83,0:23:58.68,Default,,0000,0000,0000,,at the same time and there are like
Dialogue: 0,0:23:58.68,0:24:02.66,Default,,0000,0000,0000,,130 system calls available.
Dialogue: 0,0:24:02.66,0:24:07.35,Default,,0000,0000,0000,,So that’s quite a lot, in my opinion.
Dialogue: 0,0:24:07.35,0:24:12.31,Default,,0000,0000,0000,,But usually, if you have gained execution
Dialogue: 0,0:24:12.31,0:24:16.100,Default,,0000,0000,0000,,in ARM11 userland, you\Nonly have access to, like,
Dialogue: 0,0:24:16.100,0:24:22.05,Default,,0000,0000,0000,,around 50 system calls.
Dialogue: 0,0:24:22.05,0:24:27.02,Default,,0000,0000,0000,,And there’s a reason for that, but I’m\Ngoing to explain that in a second.
Dialogue: 0,0:24:27.02,0:24:34.21,Default,,0000,0000,0000,,So, internally, the kernel\Nworks with C++ objects.
Dialogue: 0,0:24:34.21,0:24:38.03,Default,,0000,0000,0000,,So here are some examples\Nfor system calls. So, we have
Dialogue: 0,0:24:38.03,0:24:43.54,Default,,0000,0000,0000,,‘CreateSemaphore’, for\Nexample. That will just create
Dialogue: 0,0:24:43.54,0:24:47.26,Default,,0000,0000,0000,,a semaphore object in the kernel
Dialogue: 0,0:24:47.26,0:24:52.11,Default,,0000,0000,0000,,and it will return a\Nhandle to the userland.
Dialogue: 0,0:24:52.11,0:24:55.94,Default,,0000,0000,0000,,And when you want to do any operations
Dialogue: 0,0:24:55.94,0:24:59.88,Default,,0000,0000,0000,,on that semaphore, you\Nhave to pass that handle
Dialogue: 0,0:24:59.88,0:25:04.72,Default,,0000,0000,0000,,to the kernel, and it will look up\Nthis handle in a handle table
Dialogue: 0,0:25:04.72,0:25:10.92,Default,,0000,0000,0000,,to find the original C++ object.
Dialogue: 0,0:25:10.92,0:25:15.71,Default,,0000,0000,0000,,Also there are 2 different\Nkinds of memory allocators.
Dialogue: 0,0:25:15.71,0:25:19.30,Default,,0000,0000,0000,,So, we have a memory allocator\Nfor the main memory, which is
Dialogue: 0,0:25:19.30,0:25:25.04,Default,,0000,0000,0000,,the FCRAM. And there is also a Slab Heap,
Dialogue: 0,0:25:25.04,0:25:29.87,Default,,0000,0000,0000,,where all the C++ objects are stored in.
Dialogue: 0,0:25:29.87,0:25:35.24,Default,,0000,0000,0000,,And this Slab Heap is located in FCRAM,
Dialogue: 0,0:25:35.24,0:25:39.34,Default,,0000,0000,0000,,which is the ARM11 memory,
Dialogue: 0,0:25:39.34,0:25:43.66,Default,,0000,0000,0000,,where all the kernel code and data is in.
Dialogue: 0,0:25:43.66,0:25:50.45,Default,,0000,0000,0000,,Also, there’s an IPC system.
Dialogue: 0,0:25:50.45,0:25:53.68,Default,,0000,0000,0000,,IPC is ‘inter process communication’.
Dialogue: 0,0:25:53.68,0:26:05.15,Default,,0000,0000,0000,,And it basically allows you\Nto talk to other processes
Dialogue: 0,0:26:05.15,0:26:08.27,Default,,0000,0000,0000,,like services,
Dialogue: 0,0:26:08.27,0:26:17.27,Default,,0000,0000,0000,,e.g. the GSP service or FS.
Dialogue: 0,0:26:17.27,0:26:21.94,Default,,0000,0000,0000,,So, let’s look at the security.
Dialogue: 0,0:26:21.94,0:26:28.78,Default,,0000,0000,0000,,So, the kernel is really small.\NThere are only like 200KB of code,
Dialogue: 0,0:26:28.78,0:26:34.65,Default,,0000,0000,0000,,which is pure ARM code. And\Nthere are only like 1000 functions.
Dialogue: 0,0:26:34.65,0:26:39.66,Default,,0000,0000,0000,,So, they try to keep\Nthe code size very low
Dialogue: 0,0:26:39.66,0:26:46.72,Default,,0000,0000,0000,,and that makes it harder to find bugs.
Dialogue: 0,0:26:46.72,0:26:51.100,Default,,0000,0000,0000,,The code size is really small, and
Dialogue: 0,0:26:51.100,0:26:57.35,Default,,0000,0000,0000,,you don’t have really much to choose from
Dialogue: 0,0:26:57.35,0:27:03.69,Default,,0000,0000,0000,,what to exploit. Also there are no\Nsymbols included in the kernel.
Dialogue: 0,0:27:03.69,0:27:11.63,Default,,0000,0000,0000,,Like when you run strings on it, it will\Njust give you some names of C++ objects,
Dialogue: 0,0:27:11.63,0:27:16.39,Default,,0000,0000,0000,,but there are no function\Nnames or something like that.
Dialogue: 0,0:27:16.39,0:27:21.04,Default,,0000,0000,0000,,As we have seen earlier\Nit’s physically isolated
Dialogue: 0,0:27:21.04,0:27:26.60,Default,,0000,0000,0000,,in its own memory. Which turned out\N- of course - to be a good idea.
Dialogue: 0,0:27:26.60,0:27:33.68,Default,,0000,0000,0000,,Otherwise it would have been\Noverwritable by the CPU eventually.
Dialogue: 0,0:27:33.68,0:27:38.30,Default,,0000,0000,0000,,And all objects have a reference counting.
Dialogue: 0,0:27:38.30,0:27:43.45,Default,,0000,0000,0000,,So that’s similar to the\NC++ shared pointer
Dialogue: 0,0:27:43.45,0:27:49.81,Default,,0000,0000,0000,,where every object has a small field
Dialogue: 0,0:27:49.81,0:27:54.45,Default,,0000,0000,0000,,like a counter field and everytime\Nthe kernel wants to use an object
Dialogue: 0,0:27:54.45,0:27:59.90,Default,,0000,0000,0000,,this counter gets increased.\NAnd everytime the…
Dialogue: 0,0:27:59.90,0:28:04.24,Default,,0000,0000,0000,,like when the reference is no longer\Nneeded it will decrease the counter
Dialogue: 0,0:28:04.24,0:28:11.08,Default,,0000,0000,0000,,and when the counter reaches Zero it\Nwill automatically delete that object
Dialogue: 0,0:28:11.08,0:28:19.01,Default,,0000,0000,0000,,from the Slab Heap. So they are basically\Ntrying to prevent use after freeze.
Dialogue: 0,0:28:19.01,0:28:24.01,Default,,0000,0000,0000,,Also I’m not sure if that’s\Na security measurement
Dialogue: 0,0:28:24.01,0:28:29.69,Default,,0000,0000,0000,,but there are more than 100\Npanic calls in the kernel
Dialogue: 0,0:28:29.69,0:28:35.69,Default,,0000,0000,0000,,and that’s every 10th function
Dialogue: 0,0:28:35.69,0:28:44.02,Default,,0000,0000,0000,,- per average. And they have\Nthe syscall access restriction.
Dialogue: 0,0:28:44.02,0:28:51.91,Default,,0000,0000,0000,,So you - as I said - you only have\Naccess to like 50 system calls.
Dialogue: 0,0:28:51.91,0:28:55.19,Default,,0000,0000,0000,,All the interesting ones are disabled.
Dialogue: 0,0:28:55.19,0:29:01.73,Default,,0000,0000,0000,,E.g. you can’t map executable pages.
Dialogue: 0,0:29:01.73,0:29:06.04,Default,,0000,0000,0000,,On the other hand there\Nis no ASLR. But at least
Dialogue: 0,0:29:06.04,0:29:11.81,Default,,0000,0000,0000,,they’re trying to change the\Nmemory mapping every time
Dialogue: 0,0:29:11.81,0:29:17.07,Default,,0000,0000,0000,,during a larger kernel update.
Dialogue: 0,0:29:17.07,0:29:22.55,Default,,0000,0000,0000,,Also there’s no stack protection. And\Nthe Userland is always mapped.
Dialogue: 0,0:29:22.55,0:29:29.06,Default,,0000,0000,0000,,So once you’ve got control\Nover the program counter
Dialogue: 0,0:29:29.06,0:29:33.09,Default,,0000,0000,0000,,you can just jump to
Dialogue: 0,0:29:33.09,0:29:36.77,Default,,0000,0000,0000,,Userland pages that are\Nmarked as executable.
Dialogue: 0,0:29:36.77,0:29:40.90,Default,,0000,0000,0000,,So you don’t have to do ROP in the kernel.
Dialogue: 0,0:29:40.90,0:29:44.66,Default,,0000,0000,0000,,It’s pretty nice.
Dialogue: 0,0:29:44.66,0:29:50.60,Default,,0000,0000,0000,,But they tried to have\Nan execution prevention
Dialogue: 0,0:29:50.60,0:29:57.81,Default,,0000,0000,0000,,in the kernel that is: they’re\Nmarking executable kernel pages
Dialogue: 0,0:29:57.81,0:30:01.90,Default,,0000,0000,0000,,– that is the code – they’re\Nmarking them as executable
Dialogue: 0,0:30:01.90,0:30:08.71,Default,,0000,0000,0000,,in their Page Table. So let’s take a look.
Dialogue: 0,0:30:08.71,0:30:14.82,Default,,0000,0000,0000,,The highlighted parts in orange\Nare the kernel code sections.
Dialogue: 0,0:30:14.82,0:30:20.63,Default,,0000,0000,0000,,And as you can see like when\Nlooking at the first highlighted line
Dialogue: 0,0:30:20.63,0:30:24.91,Default,,0000,0000,0000,,it says ‘virtual address #FFF00’ etc.
Dialogue: 0,0:30:24.91,0:30:32.49,Default,,0000,0000,0000,,is mapped to the physical\Naddress 1FF80000.
Dialogue: 0,0:30:32.49,0:30:40.32,Default,,0000,0000,0000,,And it is marked as executable\Nand you only have access to it
Dialogue: 0,0:30:40.32,0:30:45.22,Default,,0000,0000,0000,,in Kernel Mode, of course,\Nand only Read access. Right?
Dialogue: 0,0:30:45.22,0:30:49.98,Default,,0000,0000,0000,,So this is correct.
Dialogue: 0,0:30:49.98,0:30:56.02,Default,,0000,0000,0000,,But when you look at the second\Nline of that Page Table dump
Dialogue: 0,0:30:56.02,0:31:00.80,Default,,0000,0000,0000,,you will notice that\Nthere is another section
Dialogue: 0,0:31:00.80,0:31:05.96,Default,,0000,0000,0000,,which covers the entire AXI WRAM
Dialogue: 0,0:31:05.96,0:31:09.78,Default,,0000,0000,0000,,and it’s mapped as Read-Write.
Dialogue: 0,0:31:09.78,0:31:15.61,Default,,0000,0000,0000,,So it doesn’t really make sense. Yeah.
Dialogue: 0,0:31:15.61,0:31:23.94,Default,,0000,0000,0000,,So basically it’s completely useless.\NWe have Read-Write access to it.
Dialogue: 0,0:31:23.94,0:31:28.43,Default,,0000,0000,0000,,So, to summarize everything,
Dialogue: 0,0:31:28.43,0:31:32.85,Default,,0000,0000,0000,,there’s actually no exploitation\Nprotection. Once we found
Dialogue: 0,0:31:32.85,0:31:38.70,Default,,0000,0000,0000,,an exploitable bug it’s\Npretty likely that we gain
Dialogue: 0,0:31:38.70,0:31:43.22,Default,,0000,0000,0000,,code execution in kernel mode.
Dialogue: 0,0:31:43.22,0:31:47.78,Default,,0000,0000,0000,,So, let’s find that bug.
Dialogue: 0,0:31:47.78,0:31:53.51,Default,,0000,0000,0000,,And I started at looking at the SVC table.
Dialogue: 0,0:31:53.51,0:31:59.81,Default,,0000,0000,0000,,So this is kind of the interface\Nbetween kernel land and userland.
Dialogue: 0,0:31:59.81,0:32:05.89,Default,,0000,0000,0000,,And this shows all system calls
Dialogue: 0,0:32:05.89,0:32:11.37,Default,,0000,0000,0000,,that are available in the kernel. So\Nyou have like normal system calls.
Dialogue: 0,0:32:11.37,0:32:18.05,Default,,0000,0000,0000,,For memory management you can\Nmap read- and writable pages;
Dialogue: 0,0:32:18.05,0:32:25.12,Default,,0000,0000,0000,,you can mirror pages and do\Nother memory management stuff.
Dialogue: 0,0:32:25.12,0:32:30.87,Default,,0000,0000,0000,,And there’s also some\Nconfiguration for threads like
Dialogue: 0,0:32:30.87,0:32:37.59,Default,,0000,0000,0000,,you can choose which\Ncore should be used for
Dialogue: 0,0:32:37.59,0:32:41.45,Default,,0000,0000,0000,,executing the thread and all that stuff.
Dialogue: 0,0:32:41.45,0:32:47.22,Default,,0000,0000,0000,,You have a really large range\Nof synchronization objects
Dialogue: 0,0:32:47.22,0:32:51.12,Default,,0000,0000,0000,,like kernel mute tags and\Nall that stuff. And of course
Dialogue: 0,0:32:51.12,0:32:56.30,Default,,0000,0000,0000,,you have IPC requesting, so you can
Dialogue: 0,0:32:56.30,0:33:03.10,Default,,0000,0000,0000,,send messages to services. And\Nthere’s a more advanced section
Dialogue: 0,0:33:03.10,0:33:09.27,Default,,0000,0000,0000,,like this is used by services mostly,
Dialogue: 0,0:33:09.27,0:33:14.63,Default,,0000,0000,0000,,because they have to\Nrespond to your IPC requests.
Dialogue: 0,0:33:14.63,0:33:20.77,Default,,0000,0000,0000,,And there’s also Kernel DMA,\Ncache control, some things.
Dialogue: 0,0:33:20.77,0:33:26.71,Default,,0000,0000,0000,,And they have a set of debug system calls.
Dialogue: 0,0:33:26.71,0:33:31.10,Default,,0000,0000,0000,,It’s just basic debugging.\NYou can set breakpoints,
Dialogue: 0,0:33:31.10,0:33:36.43,Default,,0000,0000,0000,,read and write process memory.\NBut you don’t have access to them.
Dialogue: 0,0:33:36.43,0:33:39.92,Default,,0000,0000,0000,,Like on retail it’s not actually used.
Dialogue: 0,0:33:39.92,0:33:47.10,Default,,0000,0000,0000,,And so one last section\Nis the Privileged section.
Dialogue: 0,0:33:47.10,0:33:53.72,Default,,0000,0000,0000,,And here are all the\Ninteresting system calls
Dialogue: 0,0:33:53.72,0:34:00.26,Default,,0000,0000,0000,,that allow you to create processes and
Dialogue: 0,0:34:00.26,0:34:07.25,Default,,0000,0000,0000,,map executable memory and all that stuff.
Dialogue: 0,0:34:07.25,0:34:13.87,Default,,0000,0000,0000,,Unfortunately, we can’t use the Advanced,\NDebug and Privileged system calls.
Dialogue: 0,0:34:13.87,0:34:19.81,Default,,0000,0000,0000,,I mean that would require\Nexploiting some service.
Dialogue: 0,0:34:19.81,0:34:24.02,Default,,0000,0000,0000,,And that’s just more work for us.
Dialogue: 0,0:34:24.02,0:34:29.13,Default,,0000,0000,0000,,So this leaves us with\Nthe normal system calls.
Dialogue: 0,0:34:29.13,0:34:33.76,Default,,0000,0000,0000,,But IPC sounds really interesting.
Dialogue: 0,0:34:33.76,0:34:41.24,Default,,0000,0000,0000,,But unfortunately it’s full of panics.
Dialogue: 0,0:34:41.24,0:34:49.57,Default,,0000,0000,0000,,Also there’s not much to attack at\Nsynchronization object system calls.
Dialogue: 0,0:34:49.57,0:34:59.47,Default,,0000,0000,0000,,So you only have like this\Nmore interesting system call
Dialogue: 0,0:34:59.47,0:35:06.52,Default,,0000,0000,0000,,for local memory management. And in\Ntheory there’s a lot that you can mess up.
Dialogue: 0,0:35:06.52,0:35:12.29,Default,,0000,0000,0000,,Right? There’s a lot that can possibly\Ngo wrong. And also we have
Dialogue: 0,0:35:12.29,0:35:17.03,Default,,0000,0000,0000,,unchecked DMA access!\NLike through the GPU.
Dialogue: 0,0:35:17.03,0:35:22.18,Default,,0000,0000,0000,,So maybe we can do\Nsomething useful with that.
Dialogue: 0,0:35:22.18,0:35:26.43,Default,,0000,0000,0000,,Okay, so let’s have a look\Nat the memory allocator.
Dialogue: 0,0:35:26.43,0:35:30.44,Default,,0000,0000,0000,,There are 2 types of memory allocators.
Dialogue: 0,0:35:30.44,0:35:37.08,Default,,0000,0000,0000,,First is the regular one. And it’s\Njust for mapping normal heap
Dialogue: 0,0:35:37.08,0:35:43.70,Default,,0000,0000,0000,,like for malloc in C, e.g. And you\Nhave the linear memory allocator
Dialogue: 0,0:35:43.70,0:35:49.25,Default,,0000,0000,0000,,that is used for GPU textures, like
Dialogue: 0,0:35:49.25,0:35:55.08,Default,,0000,0000,0000,,when memory has to be\Nphysically continuous
Dialogue: 0,0:35:55.08,0:35:58.74,Default,,0000,0000,0000,,you use the linear memory allocator.
Dialogue: 0,0:35:58.74,0:36:03.91,Default,,0000,0000,0000,,And there’s the FCRAM memory\Nlayout that we saw earlier.
Dialogue: 0,0:36:03.91,0:36:09.92,Default,,0000,0000,0000,,You have these 3 regions\Nand every region has
Dialogue: 0,0:36:09.92,0:36:14.93,Default,,0000,0000,0000,,its own set of free pages.
Dialogue: 0,0:36:14.93,0:36:21.74,Default,,0000,0000,0000,,So how are they keeping track of them?
Dialogue: 0,0:36:21.74,0:36:27.43,Default,,0000,0000,0000,,So you have a region descriptor\Nwhich tells us the dimensions like:
Dialogue: 0,0:36:27.43,0:36:32.02,Default,,0000,0000,0000,,where does it start, the region,\Nand its size. And you get also
Dialogue: 0,0:36:32.02,0:36:39.41,Default,,0000,0000,0000,,a pointer to the first\Nfree piece of memory
Dialogue: 0,0:36:39.41,0:36:47.23,Default,,0000,0000,0000,,in that region. And each\Nfree piece of memory
Dialogue: 0,0:36:47.23,0:36:53.65,Default,,0000,0000,0000,,which we call a Memchunk\Nhas a Memchunk header
Dialogue: 0,0:36:53.65,0:36:58.45,Default,,0000,0000,0000,,right at the beginning. And\Nit basically tells the kernel
Dialogue: 0,0:36:58.45,0:37:03.85,Default,,0000,0000,0000,,how large that Memchunk\Nis. And it’s also linked
Dialogue: 0,0:37:03.85,0:37:08.41,Default,,0000,0000,0000,,in a Doubly Linked List. So you\Nhave a next and previous pointer
Dialogue: 0,0:37:08.41,0:37:15.03,Default,,0000,0000,0000,,pointing to the next and\Nprevious Memchunk headers.
Dialogue: 0,0:37:15.03,0:37:20.97,Default,,0000,0000,0000,,It kind of looks like that.\NSo you have the red parts
Dialogue: 0,0:37:20.97,0:37:29.17,Default,,0000,0000,0000,,which are the free Memchunks\Nand the green parts are memory
Dialogue: 0,0:37:29.17,0:37:34.76,Default,,0000,0000,0000,,that is already allocated. So
Dialogue: 0,0:37:34.76,0:37:40.24,Default,,0000,0000,0000,,allocation is pretty straightforward.\NIt’s not really complicated.
Dialogue: 0,0:37:40.24,0:37:45.90,Default,,0000,0000,0000,,So the first thing that the\Nallocator function does:
Dialogue: 0,0:37:45.90,0:37:52.17,Default,,0000,0000,0000,,it loads the next free pointer\Nfrom the region descriptor.
Dialogue: 0,0:37:52.17,0:37:59.23,Default,,0000,0000,0000,,And for regular memory it\Njust goes through the list
Dialogue: 0,0:37:59.23,0:38:05.38,Default,,0000,0000,0000,,following the pointers\Nand it sums up their size
Dialogue: 0,0:38:05.38,0:38:10.67,Default,,0000,0000,0000,,until the requested size is reached.\NFor linear memory it would just
Dialogue: 0,0:38:10.67,0:38:17.12,Default,,0000,0000,0000,,look for a suitable memory chunk to make\Nsure that the memory is really continuous.
Dialogue: 0,0:38:17.12,0:38:22.49,Default,,0000,0000,0000,,So when it found enough memory\Nit sets the next pointer
Dialogue: 0,0:38:22.49,0:38:28.23,Default,,0000,0000,0000,,of the very last Memchunk\Nto Zero. It will then
Dialogue: 0,0:38:28.23,0:38:33.69,Default,,0000,0000,0000,,update the list and also\Nthe next free pointer
Dialogue: 0,0:38:33.69,0:38:38.55,Default,,0000,0000,0000,,for the region descriptor\Nand finally it will return
Dialogue: 0,0:38:38.55,0:38:44.78,Default,,0000,0000,0000,,a pointer to the first\NMemchunk. So,
Dialogue: 0,0:38:44.78,0:38:48.93,Default,,0000,0000,0000,,let’s look at this from\Na security perspective.
Dialogue: 0,0:38:48.93,0:38:53.41,Default,,0000,0000,0000,,And there’s a problem. They\Nbasically have kernel structures
Dialogue: 0,0:38:53.41,0:38:59.50,Default,,0000,0000,0000,,inside the FCRAM!\NAnd that is a problem
Dialogue: 0,0:38:59.50,0:39:03.93,Default,,0000,0000,0000,,because we have DMA access\Nto it through the GPU.
Dialogue: 0,0:39:03.93,0:39:08.74,Default,,0000,0000,0000,,And there was an attack by yellows8
Dialogue: 0,0:39:08.74,0:39:13.18,Default,,0000,0000,0000,,that is called ‘memchunkhax’.\NAnd what he did
Dialogue: 0,0:39:13.18,0:39:17.06,Default,,0000,0000,0000,,is basically: he overwrote\Nmemchunk headers
Dialogue: 0,0:39:17.06,0:39:21.54,Default,,0000,0000,0000,,with the GPU DMA\Nflaw. And then
Dialogue: 0,0:39:21.54,0:39:27.33,Default,,0000,0000,0000,,he gained an arbitrary kernel write
Dialogue: 0,0:39:27.33,0:39:31.71,Default,,0000,0000,0000,,when it’s deallocating memory. So because
Dialogue: 0,0:39:31.71,0:39:36.79,Default,,0000,0000,0000,,next/prev pointers have been modified.
Dialogue: 0,0:39:36.79,0:39:42.14,Default,,0000,0000,0000,,So, unfortunately, this\Nwas fixed by Nintendo
Dialogue: 0,0:39:42.14,0:39:47.60,Default,,0000,0000,0000,,in system update 9.3 last year,
Dialogue: 0,0:39:47.60,0:39:54.10,Default,,0000,0000,0000,,like 1 year ago. And the new kernel will\Nnow verify every memchunk header
Dialogue: 0,0:39:54.10,0:40:00.28,Default,,0000,0000,0000,,during allocation. Like its size\Nand also next/prev pointers.
Dialogue: 0,0:40:00.28,0:40:08.16,Default,,0000,0000,0000,,So, in theory, everything has been fixed.\NInvalid pointers or invalid sizes
Dialogue: 0,0:40:08.16,0:40:16.87,Default,,0000,0000,0000,,will just result in a\Nkernel panic. In theory.
Dialogue: 0,0:40:16.87,0:40:22.26,Default,,0000,0000,0000,,So when you look at the system\Ncall for Controlmemory…
Dialogue: 0,0:40:22.26,0:40:29.14,Default,,0000,0000,0000,,we have access to it. It’s one\Nof the normal system calls.
Dialogue: 0,0:40:29.14,0:40:33.52,Default,,0000,0000,0000,,It does basic stuff. You\Ncan map/free RW pages,
Dialogue: 0,0:40:33.52,0:40:41.04,Default,,0000,0000,0000,,but not executable of course. And it\Ntakes an address and size as argument.
Dialogue: 0,0:40:41.04,0:40:46.53,Default,,0000,0000,0000,,And also an operation code\Nwhich tells the kernel what to do:
Dialogue: 0,0:40:46.53,0:40:50.67,Default,,0000,0000,0000,,to map or free pages, whatever.
Dialogue: 0,0:40:50.67,0:40:55.59,Default,,0000,0000,0000,,So first it does some basic\Nchecks on the address
Dialogue: 0,0:40:55.59,0:41:01.71,Default,,0000,0000,0000,,and eventually it will\Ncall a very large function.
Dialogue: 0,0:41:01.71,0:41:08.64,Default,,0000,0000,0000,,And I just call that function\Nkern::controlmemory.
Dialogue: 0,0:41:08.64,0:41:14.98,Default,,0000,0000,0000,,So what can kern::controlmemory:\Nit calls the allocator function
Dialogue: 0,0:41:14.98,0:41:20.55,Default,,0000,0000,0000,,and it will just return a\Nmemchunk header pointer
Dialogue: 0,0:41:20.55,0:41:28.46,Default,,0000,0000,0000,,– as we have seen earlier. Then it goes\Nthrough all of the allocated memchunks
Dialogue: 0,0:41:28.46,0:41:33.10,Default,,0000,0000,0000,,and it’s mapping them to user space.
Dialogue: 0,0:41:33.10,0:41:40.33,Default,,0000,0000,0000,,And it’s also updating some block\Ninformation for KProcess object.
Dialogue: 0,0:41:40.33,0:41:47.49,Default,,0000,0000,0000,,So there’s a problem. There’s\Nobviously a race condition.
Dialogue: 0,0:41:47.49,0:41:57.07,Default,,0000,0000,0000,,Like we can overwrite memchunk\Nheaders after they have been allocated.
Dialogue: 0,0:41:57.07,0:42:03.57,Default,,0000,0000,0000,,So we could try using the GPU\Nbut it’s really slow, actually,
Dialogue: 0,0:42:03.57,0:42:11.02,Default,,0000,0000,0000,,because we would have to ask\Nthe GSP service to read memory
Dialogue: 0,0:42:11.02,0:42:19.57,Default,,0000,0000,0000,,and we have to go to this\Nvery large IPC kernel code.
Dialogue: 0,0:42:19.57,0:42:26.73,Default,,0000,0000,0000,,And that would be probably too\Nslow. Allocation is really fast.
Dialogue: 0,0:42:26.73,0:42:30.93,Default,,0000,0000,0000,,Let’s dig a little bit deeper.
Dialogue: 0,0:42:30.93,0:42:38.06,Default,,0000,0000,0000,,I tried to reconstruct\Nthe source code in C.
Dialogue: 0,0:42:38.06,0:42:44.04,Default,,0000,0000,0000,,So this is the first step.\NIt tries to allocate memory.
Dialogue: 0,0:42:44.04,0:42:54.07,Default,,0000,0000,0000,,For this example, it will just\Nallocate regular memory.
Dialogue: 0,0:42:54.07,0:42:58.51,Default,,0000,0000,0000,,So when it found a memchunk
Dialogue: 0,0:42:58.51,0:43:04.70,Default,,0000,0000,0000,,which means that it’s not\Nenough memory is available.
Dialogue: 0,0:43:04.70,0:43:11.89,Default,,0000,0000,0000,,It will then execute this\Nreally interesting do-while loop.
Dialogue: 0,0:43:11.89,0:43:15.52,Default,,0000,0000,0000,,I know, it’s a lot of code. I’m not\Nsure that you can actually read it.
Dialogue: 0,0:43:15.52,0:43:21.90,Default,,0000,0000,0000,,So let’s go quickly through this code.
Dialogue: 0,0:43:21.90,0:43:27.99,Default,,0000,0000,0000,,The pages read from the Memchunk header.\NIt gets converted to a physical address.
Dialogue: 0,0:43:27.99,0:43:31.70,Default,,0000,0000,0000,,And that physical address\Ngets mapped to userland
Dialogue: 0,0:43:31.70,0:43:38.98,Default,,0000,0000,0000,,by mem_map function. And then\Nit will go to the next memchunk.
Dialogue: 0,0:43:38.98,0:43:45.41,Default,,0000,0000,0000,,Here. And it will also update\Nthe userland virtual address.
Dialogue: 0,0:43:45.41,0:43:49.50,Default,,0000,0000,0000,,And then it will clear that memory. So
Dialogue: 0,0:43:49.50,0:43:53.88,Default,,0000,0000,0000,,what’s wrong here?
Dialogue: 0,0:43:53.88,0:44:00.02,Default,,0000,0000,0000,,The problem is they’re mapping\Nthe Memorychunk into userland.
Dialogue: 0,0:44:00.02,0:44:05.77,Default,,0000,0000,0000,,And after it has been mapped\Nthey’re accessing it again.
Dialogue: 0,0:44:05.77,0:44:10.04,Default,,0000,0000,0000,,And what they access is the next pointer.
Dialogue: 0,0:44:10.04,0:44:13.25,Default,,0000,0000,0000,,So we can just overwrite it.
Dialogue: 0,0:44:13.25,0:44:19.51,Default,,0000,0000,0000,,When we have 2 threads running we can
Dialogue: 0,0:44:19.51,0:44:25.41,Default,,0000,0000,0000,,– from another CPU core –\Ntry to overwrite that pointer.
Dialogue: 0,0:44:25.41,0:44:32.32,Default,,0000,0000,0000,,So our goal would be to map\Nkernel pages to userspace.
Dialogue: 0,0:44:32.32,0:44:37.51,Default,,0000,0000,0000,,But there are some problems. It\Nrequires really, really perfect timing.
Dialogue: 0,0:44:37.51,0:44:45.04,Default,,0000,0000,0000,,There’s only a very small\Ntime frame to do the overwrite.
Dialogue: 0,0:44:45.04,0:44:53.50,Default,,0000,0000,0000,,Also, we need a Memchunk header\Nstructure at the next pointer address…
Dialogue: 0,0:44:53.50,0:45:00.71,Default,,0000,0000,0000,,…to do this. To make sure\Nwe get a perfect timing
Dialogue: 0,0:45:00.71,0:45:06.81,Default,,0000,0000,0000,,I came up with a kernel\Naddress arbiter oracle.
Dialogue: 0,0:45:06.81,0:45:11.65,Default,,0000,0000,0000,,It is actually used for thread\Nsynchronization, we don’t care about it.
Dialogue: 0,0:45:11.65,0:45:15.43,Default,,0000,0000,0000,,But it tries to read from address and\Nreturns an error when the address is
Dialogue: 0,0:45:15.43,0:45:23.86,Default,,0000,0000,0000,,not accessible by userland. So\Nwe can use that system call
Dialogue: 0,0:45:23.86,0:45:28.60,Default,,0000,0000,0000,,to make sure that the memory\Nhas been mapped to userland.
Dialogue: 0,0:45:28.60,0:45:32.26,Default,,0000,0000,0000,,And once it has been mapped\Nwe’re trying to overwrite it.
Dialogue: 0,0:45:32.26,0:45:38.08,Default,,0000,0000,0000,,So one last problem: we have to\Ninject a memory chunk error
Dialogue: 0,0:45:38.08,0:45:44.72,Default,,0000,0000,0000,,in kernel. I did this\Nby using the Slab Heap.
Dialogue: 0,0:45:44.72,0:45:50.72,Default,,0000,0000,0000,,We can just create some KObject\Nand set their member variables
Dialogue: 0,0:45:50.72,0:45:56.17,Default,,0000,0000,0000,,to create a faked memchunk header.
Dialogue: 0,0:45:56.17,0:46:00.43,Default,,0000,0000,0000,,So this is the Slab Heap.\NWe’ve got C++ objects,
Dialogue: 0,0:46:00.43,0:46:04.68,Default,,0000,0000,0000,,vtable pointer and some attributes.
Dialogue: 0,0:46:04.68,0:46:11.20,Default,,0000,0000,0000,,So the Slab Heap is basically just\Na really large area of C++ objects.
Dialogue: 0,0:46:11.20,0:46:17.03,Default,,0000,0000,0000,,And what I did was\NI changed the attributes
Dialogue: 0,0:46:17.03,0:46:22.17,Default,,0000,0000,0000,,and used them as Memchunk\Nheader. And I am redirecting
Dialogue: 0,0:46:22.17,0:46:29.95,Default,,0000,0000,0000,,the next-pointer to that\Nobject and it will map
Dialogue: 0,0:46:29.95,0:46:34.41,Default,,0000,0000,0000,,multiple C++ objects to userland.\NAnd that’s really nice because
Dialogue: 0,0:46:34.41,0:46:40.18,Default,,0000,0000,0000,,we have vtable pointers, so\Nwe can just overwrite them.
Dialogue: 0,0:46:40.18,0:46:44.44,Default,,0000,0000,0000,,And that means that\Nwe gain code execution.
Dialogue: 0,0:46:44.44,0:46:49.57,Default,,0000,0000,0000,,So, as a summary, we set\Nup some kernel objects,
Dialogue: 0,0:46:49.57,0:46:52.84,Default,,0000,0000,0000,,change their attributes, request\Nmemory from the kernel;
Dialogue: 0,0:46:52.84,0:46:57.29,Default,,0000,0000,0000,,and once it becomes available\Nwe patch the next-pointer,
Dialogue: 0,0:46:57.29,0:47:02.10,Default,,0000,0000,0000,,overwrite that mapped\NSlabHeap pages and
Dialogue: 0,0:47:02.10,0:47:08.06,Default,,0000,0000,0000,,then we call a system call\Nwhich closes the handle
Dialogue: 0,0:47:08.06,0:47:11.94,Default,,0000,0000,0000,,for the kernel objects that\Nwe created in step one.
Dialogue: 0,0:47:11.94,0:47:17.47,Default,,0000,0000,0000,,So it will eventually call\Nsome vtable function
Dialogue: 0,0:47:17.47,0:47:23.56,Default,,0000,0000,0000,,and it will just jump to our\Nmodified vtable function.
Dialogue: 0,0:47:23.56,0:47:29.38,Default,,0000,0000,0000,,And we got ARM11\NLevel0 Code Execution!!
Dialogue: 0,0:47:29.38,0:47:38.75,Default,,0000,0000,0000,,{\i1}applause, motivated by smea{\i0}
Dialogue: 0,0:47:38.75,0:47:43.88,Default,,0000,0000,0000,,So, now plutoo will tell us\Nwhat nice things you can do
Dialogue: 0,0:47:43.88,0:47:47.31,Default,,0000,0000,0000,,once you gained ARM11\NCode execution.
Dialogue: 0,0:47:47.31,0:47:55.06,Default,,0000,0000,0000,,plutoo: Hey guys! Okay, so… the ARM9.
Dialogue: 0,0:47:55.06,0:47:58.99,Default,,0000,0000,0000,,Let’s go.
Dialogue: 0,0:47:58.99,0:48:05.50,Default,,0000,0000,0000,,The ARM9 is actually also used\Nfor executing old DS games.
Dialogue: 0,0:48:05.50,0:48:10.39,Default,,0000,0000,0000,,So what they do is, they actually,\Nyou could say, reused the ARM9
Dialogue: 0,0:48:10.39,0:48:14.21,Default,,0000,0000,0000,,which is their backwards compatibility\Nprocessor. They use it
Dialogue: 0,0:48:14.21,0:48:21.13,Default,,0000,0000,0000,,as a security processor\Nwhen executing 3DS code.
Dialogue: 0,0:48:21.13,0:48:24.89,Default,,0000,0000,0000,,And like smea said it’s running\Na stripped-down version
Dialogue: 0,0:48:24.89,0:48:30.70,Default,,0000,0000,0000,,of the ARM11 kernel. It basically\Nonly does threading sequencation,
Dialogue: 0,0:48:30.70,0:48:35.46,Default,,0000,0000,0000,,things like that. And there’s\Nno MMU. There’s an MPU,
Dialogue: 0,0:48:35.46,0:48:39.56,Default,,0000,0000,0000,,8 regions you can configure.
Dialogue: 0,0:48:39.56,0:48:46.21,Default,,0000,0000,0000,,You could do no-execute\Nwithin those regions etc. but
Dialogue: 0,0:48:46.21,0:48:50.28,Default,,0000,0000,0000,,the granularity is not very\Nnice. And they only have 8.
Dialogue: 0,0:48:50.28,0:48:55.39,Default,,0000,0000,0000,,So they basically ran out of space.\NAnd .data+stack is executable
Dialogue: 0,0:48:55.39,0:49:00.02,Default,,0000,0000,0000,,as long as you can jump to\Nit. And .text is writable
Dialogue: 0,0:49:00.02,0:49:06.24,Default,,0000,0000,0000,,so that’s bad. Basically whenever you can
Dialogue: 0,0:49:06.24,0:49:11.94,Default,,0000,0000,0000,,write code into arbitrary memory\Nyou can just overwrite code.
Dialogue: 0,0:49:11.94,0:49:16.25,Default,,0000,0000,0000,,These features – you don’t want\Nthem on a security processor.
Dialogue: 0,0:49:16.25,0:49:18.43,Default,,0000,0000,0000,,{\i1}laughter{\i0}
Dialogue: 0,0:49:18.43,0:49:23.74,Default,,0000,0000,0000,,So let’s go. So it turns out that
Dialogue: 0,0:49:23.74,0:49:28.04,Default,,0000,0000,0000,,there have been lots of exploits over\Nthe years and most of them are fixed.
Dialogue: 0,0:49:28.04,0:49:33.33,Default,,0000,0000,0000,,And most of them used the\Nnormal command interface.
Dialogue: 0,0:49:33.33,0:49:37.94,Default,,0000,0000,0000,,But in this case we’re taking\Na different approach. So
Dialogue: 0,0:49:37.94,0:49:42.73,Default,,0000,0000,0000,,on the 3DS the memory-mapped\NI/O is split up into 3 regions.
Dialogue: 0,0:49:42.73,0:49:46.42,Default,,0000,0000,0000,,There’s the ARM9-only I/O: it does crypto,
Dialogue: 0,0:49:46.42,0:49:50.98,Default,,0000,0000,0000,,it does DMA engine,
Dialogue: 0,0:49:50.98,0:49:54.76,Default,,0000,0000,0000,,things like that. Then there’s\Nthe Shared I/O region.
Dialogue: 0,0:49:54.76,0:49:58.03,Default,,0000,0000,0000,,And then, finally, there’s the\NARM11 I/O region which contains
Dialogue: 0,0:49:58.03,0:50:02.76,Default,,0000,0000,0000,,the GPU video decoder.
Dialogue: 0,0:50:02.76,0:50:06.31,Default,,0000,0000,0000,,Thanks to derrek and smea\Nwe have full ARM11 control.
Dialogue: 0,0:50:06.31,0:50:09.68,Default,,0000,0000,0000,,We execute kernel mode.
Dialogue: 0,0:50:09.68,0:50:13.28,Default,,0000,0000,0000,,So the question is: can we use\Nthe shared I/O region, somehow,
Dialogue: 0,0:50:13.28,0:50:17.75,Default,,0000,0000,0000,,to own the ARM9? So it turns out
Dialogue: 0,0:50:17.75,0:50:21.55,Default,,0000,0000,0000,,the interface for reading old\NDS cartridges is actually
Dialogue: 0,0:50:21.55,0:50:24.94,Default,,0000,0000,0000,,in the shared I/O region.
Dialogue: 0,0:50:24.94,0:50:30.26,Default,,0000,0000,0000,,We’re not sure why this is, but
Dialogue: 0,0:50:30.26,0:50:33.97,Default,,0000,0000,0000,,they have it there for some\Nreason. And it’s only the ARM9
Dialogue: 0,0:50:33.97,0:50:38.12,Default,,0000,0000,0000,,which is actually using this region.\NBut ARM11 still has access to it.
Dialogue: 0,0:50:38.12,0:50:43.78,Default,,0000,0000,0000,,So when you insert the cartridge\Nit starts by reading the banner.
Dialogue: 0,0:50:43.78,0:50:49.10,Default,,0000,0000,0000,,And it does this by writing this\Nmagic value to CTRL register.
Dialogue: 0,0:50:49.10,0:50:53.94,Default,,0000,0000,0000,,And basically it just asks\Nfor 0x200 [hex] bytes.
Dialogue: 0,0:50:53.94,0:50:56.49,Default,,0000,0000,0000,,And then there’s this loop.
Dialogue: 0,0:50:56.49,0:50:59.77,Default,,0000,0000,0000,,And this Assembler code\Nis on the right side.
Dialogue: 0,0:50:59.77,0:51:04.64,Default,,0000,0000,0000,,You can see it basically waits\Nfor some bits to clear / to set
Dialogue: 0,0:51:04.64,0:51:11.17,Default,,0000,0000,0000,,and then they read 4 bytes and\Nthen they wait for another bit.
Dialogue: 0,0:51:11.17,0:51:15.52,Default,,0000,0000,0000,,And there’s no range check on the\Nbuffer. But it’s always 200 bytes,
Dialogue: 0,0:51:15.52,0:51:20.54,Default,,0000,0000,0000,,so it should be fine.
Dialogue: 0,0:51:20.54,0:51:24.51,Default,,0000,0000,0000,,What if we overwrite the\NCTRL register from ARM11
Dialogue: 0,0:51:24.51,0:51:27.88,Default,,0000,0000,0000,,asking for 0x4000 bytes?
Dialogue: 0,0:51:27.88,0:51:32.08,Default,,0000,0000,0000,,Boom!
Dialogue: 0,0:51:32.08,0:51:36.49,Default,,0000,0000,0000,,We have a nice buffer overrun.\NIt’s in the DSS segment but…
Dialogue: 0,0:51:36.49,0:51:40.69,Default,,0000,0000,0000,,it’s still nice. And can control the data.
Dialogue: 0,0:51:40.69,0:51:48.11,Default,,0000,0000,0000,,So the data actually comes\Nfrom the cartridge.
Dialogue: 0,0:51:48.11,0:51:51.72,Default,,0000,0000,0000,,We need to make our\Nown DS cartridge. So,
Dialogue: 0,0:51:51.72,0:51:56.03,Default,,0000,0000,0000,,there’s this old device, called the\NPassMe. It’s for the original DS,
Dialogue: 0,0:51:56.03,0:51:59.85,Default,,0000,0000,0000,,where you basically plug\Nold DS cartridge in
Dialogue: 0,0:51:59.85,0:52:03.96,Default,,0000,0000,0000,,and it basically modifies\Nthe header as its read. So,
Dialogue: 0,0:52:03.96,0:52:08.62,Default,,0000,0000,0000,,these are available online for 5 bucks.
Dialogue: 0,0:52:08.62,0:52:15.48,Default,,0000,0000,0000,,And then you add an FPGA.
Dialogue: 0,0:52:15.48,0:52:21.15,Default,,0000,0000,0000,,I implemented this and it\Nworks, but it’s very gimmicky.
Dialogue: 0,0:52:21.15,0:52:26.29,Default,,0000,0000,0000,,I don’t recommend it.
Dialogue: 0,0:52:26.29,0:52:30.79,Default,,0000,0000,0000,,And here’s my soldering,\Nit’s not very nice.
Dialogue: 0,0:52:30.79,0:52:35.73,Default,,0000,0000,0000,,This gives us ARM9 code execution\Nand this works on latest firmware.
Dialogue: 0,0:52:35.73,0:52:41.37,Default,,0000,0000,0000,,But we want something better.\NLet’s look at the chain of trust.
Dialogue: 0,0:52:41.37,0:52:46.62,Default,,0000,0000,0000,,The chain of trust: the idea is of course,\Nyou verify all the code that is running.
Dialogue: 0,0:52:46.62,0:52:51.56,Default,,0000,0000,0000,,But you’re basically verifying\Neverything at load time.
Dialogue: 0,0:52:51.56,0:52:55.23,Default,,0000,0000,0000,,The 3DS has the simplest\Nchain of trust you can have.
Dialogue: 0,0:52:55.23,0:52:58.56,Default,,0000,0000,0000,,There’s the Boot ROM at\Nthe start. And then it loads
Dialogue: 0,0:52:58.56,0:53:04.49,Default,,0000,0000,0000,,the firmware binary from\NNAND and it jumps to it.
Dialogue: 0,0:53:04.49,0:53:07.90,Default,,0000,0000,0000,,On the new 3DS they were a bit clever.
Dialogue: 0,0:53:07.90,0:53:12.76,Default,,0000,0000,0000,,They added an extra crypto\Nlayer on the ARM9 portion.
Dialogue: 0,0:53:12.76,0:53:17.52,Default,,0000,0000,0000,,But it’s actually part\Nof the firmware binary.
Dialogue: 0,0:53:17.52,0:53:20.38,Default,,0000,0000,0000,,We call this ‘ARM9 loader’.
Dialogue: 0,0:53:20.38,0:53:23.53,Default,,0000,0000,0000,,So the theory that Nintendo had was:
Dialogue: 0,0:53:23.53,0:53:27.46,Default,,0000,0000,0000,,“Let’s add another layer of\Ncrypto, so we change the keys,
Dialogue: 0,0:53:27.46,0:53:32.47,Default,,0000,0000,0000,,we introduce new keys,\Nand they can’t break it”.
Dialogue: 0,0:53:32.47,0:53:35.56,Default,,0000,0000,0000,,And they don’t have any worked-out\Nplace to put those keys.
Dialogue: 0,0:53:35.56,0:53:39.20,Default,,0000,0000,0000,,So they placed them in NAND!
Dialogue: 0,0:53:39.20,0:53:42.76,Default,,0000,0000,0000,,But they’re encrypted with\Nthe per-Console key that’s
Dialogue: 0,0:53:42.76,0:53:48.03,Default,,0000,0000,0000,,based on a hash of the OTP\Nthat’s unique for each Console.
Dialogue: 0,0:53:48.03,0:53:52.12,Default,,0000,0000,0000,,And then OTP access is\Ndisabled early in the Boot.
Dialogue: 0,0:53:52.12,0:53:59.41,Default,,0000,0000,0000,,So later on you can’t dump the OTP\Nand you can’t figure out the keys.
Dialogue: 0,0:53:59.41,0:54:03.58,Default,,0000,0000,0000,,This looks safe, in theory.\NSo here’s the implementation.
Dialogue: 0,0:54:03.58,0:54:08.62,Default,,0000,0000,0000,,So they calculate some hash of the OTP.\NThey read the key-sector from NAND.
Dialogue: 0,0:54:08.62,0:54:12.43,Default,,0000,0000,0000,,And they decrypt the key.\NAnd they put it in a keyslot.
Dialogue: 0,0:54:12.43,0:54:17.18,Default,,0000,0000,0000,,It’s basically an isolated memory area.
Dialogue: 0,0:54:17.18,0:54:21.17,Default,,0000,0000,0000,,And then they generate\Na bunch of sub keys and
Dialogue: 0,0:54:21.17,0:54:24.62,Default,,0000,0000,0000,,they verify that the key they loaded\Nfrom NAND is the correct one.
Dialogue: 0,0:54:24.62,0:54:30.81,Default,,0000,0000,0000,,So even if we were to switch the key\Nthey would detect that and just panic.
Dialogue: 0,0:54:30.81,0:54:35.30,Default,,0000,0000,0000,,And then they decrypt the ARM9 binary\Nand they jump to the entry point.
Dialogue: 0,0:54:35.30,0:54:40.42,Default,,0000,0000,0000,,But… they forgot to clear the 0x11 key!
Dialogue: 0,0:54:40.42,0:54:44.19,Default,,0000,0000,0000,,So we can just get code execution\Nlater on. And we can just regenerate
Dialogue: 0,0:54:44.19,0:54:51.46,Default,,0000,0000,0000,,all those keys! So this\Nimplementation is useless.
Dialogue: 0,0:54:51.46,0:54:52.76,Default,,0000,0000,0000,,Okay.\N{\i1}laughs{\i0}
Dialogue: 0,0:54:52.76,0:54:58.96,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:54:58.96,0:55:03.76,Default,,0000,0000,0000,,And they fixed this because they have\Nmore than 1 key hidden in the NAND.
Dialogue: 0,0:55:03.76,0:55:07.78,Default,,0000,0000,0000,,So they took their next key.
Dialogue: 0,0:55:07.78,0:55:10.68,Default,,0000,0000,0000,,It’s basically the same idea: you\Ncalculate the same hash, you read
Dialogue: 0,0:55:10.68,0:55:14.92,Default,,0000,0000,0000,,the key sector from NAND, you generate\Nall the previous keys for compatibility,
Dialogue: 0,0:55:14.92,0:55:19.90,Default,,0000,0000,0000,,and then you decrypt a\Nnew key, we call it Key#2.
Dialogue: 0,0:55:19.90,0:55:23.92,Default,,0000,0000,0000,,And then you decrypt ARM9\Nbinary using the second key.
Dialogue: 0,0:55:23.92,0:55:27.78,Default,,0000,0000,0000,,You clear the keyslot, and\Nyou jump to entry point.
Dialogue: 0,0:55:27.78,0:55:32.01,Default,,0000,0000,0000,,But they forgot to verify the second key!\N{\i1}audience laughs{\i0}
Dialogue: 0,0:55:32.01,0:55:40.00,Default,,0000,0000,0000,,This is epic fail!\N{\i1}applause{\i0}
Dialogue: 0,0:55:40.00,0:55:44.52,Default,,0000,0000,0000,,So let’s exploit this. ‘ARM9LOADERHAX’.
Dialogue: 0,0:55:44.52,0:55:49.51,Default,,0000,0000,0000,,We can change the second key. ARM9\Nloader will just decrypt the binary
Dialogue: 0,0:55:49.51,0:55:54.82,Default,,0000,0000,0000,,to garbage and jump to it.
Dialogue: 0,0:55:54.82,0:56:00.11,Default,,0000,0000,0000,,If you look at the encoding\Nof a ARM Branch instruction:
Dialogue: 0,0:56:00.11,0:56:04.31,Default,,0000,0000,0000,,the probability is pretty high that\Nthere will just be a Branch instruction.
Dialogue: 0,0:56:04.31,0:56:08.59,Default,,0000,0000,0000,,And just any random data will eventually…\Nlike if you try enough keys,
Dialogue: 0,0:56:08.59,0:56:14.81,Default,,0000,0000,0000,,it will eventually become a Branch\Ninstruction to some memory.
Dialogue: 0,0:56:14.81,0:56:19.49,Default,,0000,0000,0000,,So if we try a lot of keys, eventually\Nwe will find some garbage
Dialogue: 0,0:56:19.49,0:56:23.99,Default,,0000,0000,0000,,that is useful.
Dialogue: 0,0:56:23.99,0:56:29.68,Default,,0000,0000,0000,,This is the NAND of the Flash\Nmemory of an unmodified 3DS
Dialogue: 0,0:56:29.68,0:56:37.35,Default,,0000,0000,0000,,– a new 3DS. So there’s a small key\Nsection, marked in teal, like, blue.
Dialogue: 0,0:56:37.35,0:56:41.66,Default,,0000,0000,0000,,And it contains those keys\Nthat we’re talking about.
Dialogue: 0,0:56:41.66,0:56:44.55,Default,,0000,0000,0000,,And then there are 2 firmware partitions.
Dialogue: 0,0:56:44.55,0:56:47.96,Default,,0000,0000,0000,,One is used for backup, in\Ncase one gets corrupted;
Dialogue: 0,0:56:47.96,0:56:52.12,Default,,0000,0000,0000,,so it doesn’t brick the device, whatever.
Dialogue: 0,0:56:52.12,0:56:57.19,Default,,0000,0000,0000,,We installed our custom key.
Dialogue: 0,0:56:57.19,0:57:00.92,Default,,0000,0000,0000,,And we installed the largest\Nfirm binary we have
Dialogue: 0,0:57:00.92,0:57:06.10,Default,,0000,0000,0000,,in the firm0 partition. And we keep\Nthe one with the vulnerability
Dialogue: 0,0:57:06.10,0:57:11.76,Default,,0000,0000,0000,,in the firm1 partition. And\Nthen we put our code payload
Dialogue: 0,0:57:11.76,0:57:17.25,Default,,0000,0000,0000,,on top of the firmware0 binary.
Dialogue: 0,0:57:17.25,0:57:21.34,Default,,0000,0000,0000,,And then we reboot.\NAnd so what will happen?
Dialogue: 0,0:57:21.34,0:57:24.07,Default,,0000,0000,0000,,The Bootrom is executed.
Dialogue: 0,0:57:24.07,0:57:29.66,Default,,0000,0000,0000,,It will load the first firmware partition.
Dialogue: 0,0:57:29.66,0:57:34.51,Default,,0000,0000,0000,,And it has our code in the end,\Nbut it doesn’t know about it.
Dialogue: 0,0:57:34.51,0:57:38.88,Default,,0000,0000,0000,,And then it decrypts it.\NAnd, you see, it looks okay.
Dialogue: 0,0:57:38.88,0:57:43.80,Default,,0000,0000,0000,,There’s the ARM9 loader stub in the front;\Nand then comes the encrypted binary.
Dialogue: 0,0:57:43.80,0:57:48.17,Default,,0000,0000,0000,,And then, finally,\Nthere’s our payload.
Dialogue: 0,0:57:48.17,0:57:52.96,Default,,0000,0000,0000,,But Bootrom checks the\Nhash, right? And it fails.
Dialogue: 0,0:57:52.96,0:57:58.28,Default,,0000,0000,0000,,So it thinks the partition got corrupted.
Dialogue: 0,0:57:58.28,0:58:03.00,Default,,0000,0000,0000,,So it will load the smaller one on top.\NYou see we have our payload in memory,
Dialogue: 0,0:58:03.00,0:58:09.38,Default,,0000,0000,0000,,at Boot. And then it decrypts firmware1
Dialogue: 0,0:58:09.38,0:58:14.81,Default,,0000,0000,0000,,which is smaller and it still has ARM9\Nloader and another encrypted ARM9 binary.
Dialogue: 0,0:58:14.81,0:58:18.91,Default,,0000,0000,0000,,And then it jumps to ARM9 loader\Nbecause the hash checks out.
Dialogue: 0,0:58:18.91,0:58:24.23,Default,,0000,0000,0000,,And then the ARM9 loader will\Ndecrypt our corrupted key
Dialogue: 0,0:58:24.23,0:58:28.94,Default,,0000,0000,0000,,from NAND and it will\Ndecrypt this one to garbage
Dialogue: 0,0:58:28.94,0:58:37.10,Default,,0000,0000,0000,,and it will jump to it. And\Nhopefully it jumps to our code.
Dialogue: 0,0:58:37.10,0:58:41.77,Default,,0000,0000,0000,,So this gives us ARM9 code\Nexecution from cold Boot.
Dialogue: 0,0:58:41.77,0:58:46.23,Default,,0000,0000,0000,,Early, very early. So it turns out we\Ncan actually use this to get some keys
Dialogue: 0,0:58:46.23,0:58:52.00,Default,,0000,0000,0000,,that are later not available\Nbecause they clear those…
Dialogue: 0,0:58:52.00,0:58:56.87,Default,,0000,0000,0000,,they use a certain memory area for seeding\Nencryption engine to generate keys
Dialogue: 0,0:58:56.87,0:59:04.44,Default,,0000,0000,0000,,and the memory is later cleared.\NSo you can’t regenerate the keys.
Dialogue: 0,0:59:04.44,0:59:08.40,Default,,0000,0000,0000,,But with this we can actually\Nget those 2 keys.
Dialogue: 0,0:59:08.40,0:59:11.85,Default,,0000,0000,0000,,They’re called the firmware 6.x save-key
Dialogue: 0,0:59:11.85,0:59:15.78,Default,,0000,0000,0000,,and firmware 7.x NCCH-key.
Dialogue: 0,0:59:15.78,0:59:20.40,Default,,0000,0000,0000,,That’s a bonus.
Dialogue: 0,0:59:20.40,0:59:25.22,Default,,0000,0000,0000,,We talked a bit about the AES engine.\NIt’s used everywhere for the crypto
Dialogue: 0,0:59:25.22,0:59:30.20,Default,,0000,0000,0000,,and it’s used for everything, basically.
Dialogue: 0,0:59:30.20,0:59:35.99,Default,,0000,0000,0000,,It supports all the usual\Nblock cipher modes.
Dialogue: 0,0:59:35.99,0:59:40.94,Default,,0000,0000,0000,,It has 2 security features: it has\Nwrite-only keys. Which is really useful.
Dialogue: 0,0:59:40.94,0:59:44.75,Default,,0000,0000,0000,,Like you write a key and then\Nyou can never ever read it back.
Dialogue: 0,0:59:44.75,0:59:49.77,Default,,0000,0000,0000,,This means that they can\Nfill in the keys by the Bootrom
Dialogue: 0,0:59:49.77,0:59:56.15,Default,,0000,0000,0000,,and we can’t dump them later.
Dialogue: 0,0:59:56.15,1:00:01.30,Default,,0000,0000,0000,,So they can keep the keys secret.
Dialogue: 0,1:00:01.30,1:00:08.28,Default,,0000,0000,0000,,Even if we hacked the ARM9, even if we get\Ncode execution we’ll never get the keys.
Dialogue: 0,1:00:08.28,1:00:12.25,Default,,0000,0000,0000,,And then there’s the key scrambler.\NWhich is that the key is actually
Dialogue: 0,1:00:12.25,1:00:16.32,Default,,0000,0000,0000,,– it’s an optional thing –\Nwhere the actual key is hidden,
Dialogue: 0,1:00:16.32,1:00:21.09,Default,,0000,0000,0000,,calculated by a hardware\Nfunction, that is never…
Dialogue: 0,1:00:21.09,1:00:26.36,Default,,0000,0000,0000,,that we don’t know about. So the key\Nis actually never exposed to the CPU
Dialogue: 0,1:00:26.36,1:00:30.58,Default,,0000,0000,0000,,– the actual key. So we just feed it 2\Nvalues, 2 keys and then it generates
Dialogue: 0,1:00:30.58,1:00:35.00,Default,,0000,0000,0000,,a new key based on that. And\Nwe don’t know what that key is.
Dialogue: 0,1:00:35.00,1:00:40.50,Default,,0000,0000,0000,,So this creates a situation similar to\Nthe isolated SPUs on the PS3
Dialogue: 0,1:00:40.50,1:00:44.00,Default,,0000,0000,0000,,where you can ask it to decrypt\Nstuff, but you don’t get the keys.
Dialogue: 0,1:00:44.00,1:00:49.64,Default,,0000,0000,0000,,And if you don’t get the keys,\Nthen… we want the keys!!
Dialogue: 0,1:00:49.64,1:00:53.30,Default,,0000,0000,0000,,We want to decrypt things on\Nour PC because we’re lazy.
Dialogue: 0,1:00:53.30,1:00:57.72,Default,,0000,0000,0000,,So there’re 2 keys –\NKeyX, KeyY we call them.
Dialogue: 0,1:00:57.72,1:01:01.97,Default,,0000,0000,0000,,They’re 128bits and the\Nnormal key is derived
Dialogue: 0,1:01:01.97,1:01:06.25,Default,,0000,0000,0000,,as a function of those 2;\Nand that function is unknown.
Dialogue: 0,1:01:06.25,1:01:12.04,Default,,0000,0000,0000,,It’s implemented in hardware, in silicon.
Dialogue: 0,1:01:12.04,1:01:15.76,Default,,0000,0000,0000,,So even if we know X and Y we\Ncan’t figure out the normal key
Dialogue: 0,1:01:15.76,1:01:21.96,Default,,0000,0000,0000,,and we can’t decrypt things\Nwithout asking the 3DS first.
Dialogue: 0,1:01:21.96,1:01:26.55,Default,,0000,0000,0000,,But we can poke this hardware engine.
Dialogue: 0,1:01:26.55,1:01:30.05,Default,,0000,0000,0000,,The first thing you notice when you\Ndo this is that if you set the N-th bit
Dialogue: 0,1:01:30.05,1:01:37.14,Default,,0000,0000,0000,,of the X key and the N+2 bit in\Nthe Y key you get the same result.
Dialogue: 0,1:01:37.14,1:01:41.08,Default,,0000,0000,0000,,And in general, you find that\Nthe function that we’re looking for
Dialogue: 0,1:01:41.08,1:01:45.28,Default,,0000,0000,0000,,is actually just a function\Nof one variable where it’s
Dialogue: 0,1:01:45.28,1:01:50.69,Default,,0000,0000,0000,,the XOR between the X rotated by 2…
Dialogue: 0,1:01:50.69,1:01:56.10,Default,,0000,0000,0000,,so this is rotation, not shift,\Nand XOR-ed with Y.
Dialogue: 0,1:01:56.10,1:01:59.43,Default,,0000,0000,0000,,But we still don’t know the key.\NBut we want to know keys. So…
Dialogue: 0,1:01:59.43,1:02:08.14,Default,,0000,0000,0000,,So step back a little bit.
Dialogue: 0,1:02:08.14,1:02:12.07,Default,,0000,0000,0000,,The keyscrambler is used for Mii QR-codes.
Dialogue: 0,1:02:12.07,1:02:18.74,Default,,0000,0000,0000,,It’s used for everything, right? So it’s\Nused for network protocol, called UDS,
Dialogue: 0,1:02:18.74,1:02:23.93,Default,,0000,0000,0000,,and it’s used for Download Play – which\Nis when you download games over WiFi,
Dialogue: 0,1:02:23.93,1:02:28.00,Default,,0000,0000,0000,,temporary games. But the\NWii U also supports all of this.
Dialogue: 0,1:02:28.00,1:02:31.18,Default,,0000,0000,0000,,But it doesn’t have the\Nkey scrambler in hardware.
Dialogue: 0,1:02:31.18,1:02:33.09,Default,,0000,0000,0000,,So the Wii U must be using normal keys.
Dialogue: 0,1:02:33.09,1:02:36.52,Default,,0000,0000,0000,,{\i1}applause{\i0}\N{\i1}screamed from audience: WHAT?{\i0}
Dialogue: 0,1:02:36.52,1:02:46.36,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,1:02:46.36,1:02:51.21,Default,,0000,0000,0000,,So we make a table of the shared keys and
Dialogue: 0,1:02:51.21,1:02:54.62,Default,,0000,0000,0000,,these are the 3 keys that\Nare shared with the Wii U.
Dialogue: 0,1:02:54.62,1:03:00.24,Default,,0000,0000,0000,,Who is where the KeyX\Nand KeyY on the 3DS…
Dialogue: 0,1:03:00.24,1:03:05.92,Default,,0000,0000,0000,,where they are set. And 2 of them\Nhave KeyY set by firmware.
Dialogue: 0,1:03:05.92,1:03:11.51,Default,,0000,0000,0000,,So we can’t read the keys set by the\NBootrom because it’s locked away
Dialogue: 0,1:03:11.51,1:03:17.31,Default,,0000,0000,0000,,and we don’t have it. But can\Nwe still figure out G? Let’s see.
Dialogue: 0,1:03:17.31,1:03:23.39,Default,,0000,0000,0000,,So I gave shoutout to shuffle2 and\Nto fail0verflow who hacked the WiiU
Dialogue: 0,1:03:23.39,1:03:27.54,Default,,0000,0000,0000,,and they helped us… or shuffle\Nhelped us extract the Wii U keys.
Dialogue: 0,1:03:27.54,1:03:36.67,Default,,0000,0000,0000,,So thank you! Now we have KeyY and\Nwe know the normal key from the Wii U.
Dialogue: 0,1:03:36.67,1:03:39.74,Default,,0000,0000,0000,,However, KeyX is still unknown.
Dialogue: 0,1:03:39.74,1:03:44.56,Default,,0000,0000,0000,,And if G(t) is ‘bad’ then a\Nsmall change in the KeyY
Dialogue: 0,1:03:44.56,1:03:48.97,Default,,0000,0000,0000,,will only lead to a small\Nchange in the normal key.
Dialogue: 0,1:03:48.97,1:03:53.37,Default,,0000,0000,0000,,It’s bad! So let’s look at the data.
Dialogue: 0,1:03:53.37,1:03:56.67,Default,,0000,0000,0000,,So when we flip one bit in the\NKeyY we can brute-force all keys
Dialogue: 0,1:03:56.67,1:04:01.39,Default,,0000,0000,0000,,similar to the normal key which\Nis just within a couple of bit flips
Dialogue: 0,1:04:01.39,1:04:06.54,Default,,0000,0000,0000,,and we find that it always\Nresults in the normal key
Dialogue: 0,1:04:06.54,1:04:12.98,Default,,0000,0000,0000,,with bits flipped at\Nposition either 87 or 88,
Dialogue: 0,1:04:12.98,1:04:16.34,Default,,0000,0000,0000,,sometimes 89, but never 86.
Dialogue: 0,1:04:16.34,1:04:22.36,Default,,0000,0000,0000,,So this reminds me of an adder\Nwhere you had a carry bit
Dialogue: 0,1:04:22.36,1:04:26.16,Default,,0000,0000,0000,,being propagated to upper\Nbits, but never to lower ones.
Dialogue: 0,1:04:26.16,1:04:30.98,Default,,0000,0000,0000,,So let’s guess that this is\Nan adder and let’s try:
Dialogue: 0,1:04:30.98,1:04:37.60,Default,,0000,0000,0000,,it’s an adder with a rotation so\Nwe guess that G(t) = (t+C)
Dialogue: 0,1:04:37.60,1:04:45.14,Default,,0000,0000,0000,,– some constant C, we don’t know it –\Nand rotated to the left by 87.
Dialogue: 0,1:04:45.14,1:04:50.68,Default,,0000,0000,0000,,And then we plug it in to our original\Nformula and we don’t know KeyX, remember,
Dialogue: 0,1:04:50.68,1:04:53.64,Default,,0000,0000,0000,,because it’s set by Bootrom,\Nwe don’t have it.
Dialogue: 0,1:04:53.64,1:04:59.44,Default,,0000,0000,0000,,We don’t know the constant C because\Nit’s in silicon, it’s in hardware.
Dialogue: 0,1:04:59.44,1:05:04.63,Default,,0000,0000,0000,,But if we look at the formula,\Nand we consider the inequality,
Dialogue: 0,1:05:04.63,1:05:09.44,Default,,0000,0000,0000,,where we basically rotate right by 87
Dialogue: 0,1:05:09.44,1:05:13.50,Default,,0000,0000,0000,,– we’re basically undoing\Nthe outer rotation.
Dialogue: 0,1:05:13.50,1:05:18.81,Default,,0000,0000,0000,,And then we plug in our formula\Nour guess. And then we get this.
Dialogue: 0,1:05:18.81,1:05:23.30,Default,,0000,0000,0000,,And then we subtract C from\Nboth sides. We end up with this.
Dialogue: 0,1:05:23.30,1:05:28.51,Default,,0000,0000,0000,,And this is basically… we’re XOR-ing\N2 different keys with the same X value
Dialogue: 0,1:05:28.51,1:05:34.81,Default,,0000,0000,0000,,rotated to the left by 2.
Dialogue: 0,1:05:34.81,1:05:38.15,Default,,0000,0000,0000,,Well if you stare for\Nthis bit you’ll see that
Dialogue: 0,1:05:38.15,1:05:45.95,Default,,0000,0000,0000,,if y0 and y1 – which are 2 different\NKeyY’s – are equal except for
Dialogue: 0,1:05:45.95,1:05:52.24,Default,,0000,0000,0000,,at one bit position then\Nthe XOR is smallest
Dialogue: 0,1:05:52.24,1:05:58.10,Default,,0000,0000,0000,,for the one which shares\Nthe same bit value
Dialogue: 0,1:05:58.10,1:06:03.07,Default,,0000,0000,0000,,at the position that the\N2 Y’s are differing at.
Dialogue: 0,1:06:03.07,1:06:07.74,Default,,0000,0000,0000,,It’s actually pretty simple\Nbut it sounds difficult.
Dialogue: 0,1:06:07.74,1:06:12.72,Default,,0000,0000,0000,,XOR is Zero if they’re the same\Ninput and One if they’re different.
Dialogue: 0,1:06:12.72,1:06:16.08,Default,,0000,0000,0000,,If they’re the same it’s\NZero and it’s smaller.
Dialogue: 0,1:06:16.08,1:06:20.55,Default,,0000,0000,0000,,So we actually look\Nbit-by-bit on this. And
Dialogue: 0,1:06:20.55,1:06:27.91,Default,,0000,0000,0000,,we repeat this 128 times. And we\Nrecover all 128 bits of the KeyX.
Dialogue: 0,1:06:27.91,1:06:32.74,Default,,0000,0000,0000,,And when we have the KeyX we can\Ncalculate the silicon constant C.
Dialogue: 0,1:06:32.74,1:06:38.25,Default,,0000,0000,0000,,So the end result is: the key\Nscrambler is figured out
Dialogue: 0,1:06:38.25,1:06:45.29,Default,,0000,0000,0000,,and we have also the secret Bootrom\NKeyX for a couple of keyslots, as a bonus.
Dialogue: 0,1:06:45.29,1:07:00.78,Default,,0000,0000,0000,,{\i1}applause, motivated by smea{\i0}
Dialogue: 0,1:07:00.78,1:07:04.53,Default,,0000,0000,0000,,I didn’t think trough the constants in\Nthe slides because I want this to be
Dialogue: 0,1:07:04.53,1:07:11.84,Default,,0000,0000,0000,,an exercise for the listener.
Dialogue: 0,1:07:11.84,1:07:16.40,Default,,0000,0000,0000,,When the new 3DS was released\Nthey rushed it, we think,
Dialogue: 0,1:07:16.40,1:07:22.44,Default,,0000,0000,0000,,because they left some interesting\Ncommands in the PsPs service. And
Dialogue: 0,1:07:22.44,1:07:31.15,Default,,0000,0000,0000,,it included an early version of the NFC\Ncrypto used for the Amiibo figurines.
Dialogue: 0,1:07:31.15,1:07:36.61,Default,,0000,0000,0000,,This implementation, the first\None, uses a normal key. And the…
Dialogue: 0,1:07:36.61,1:07:40.06,Default,,0000,0000,0000,,the newer one changed it to KeyY.
Dialogue: 0,1:07:40.06,1:07:44.29,Default,,0000,0000,0000,,So they accidently gave us one of\Nthese pairs in the firmware images.
Dialogue: 0,1:07:44.29,1:07:47.26,Default,,0000,0000,0000,,We don’t need to use the Wii U at all.
Dialogue: 0,1:07:47.26,1:07:52.21,Default,,0000,0000,0000,,So anyone who can decrypt\N3DS firmware binaries
Dialogue: 0,1:07:52.21,1:07:58.40,Default,,0000,0000,0000,,can perform this attack\Nto get the constants.
Dialogue: 0,1:07:58.40,1:08:03.29,Default,,0000,0000,0000,,So anyone out there: Good luck!
Dialogue: 0,1:08:03.29,1:08:06.75,Default,,0000,0000,0000,,And now: back to smea, for a summary.
Dialogue: 0,1:08:06.75,1:08:13.72,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,1:08:13.72,1:08:16.88,Default,,0000,0000,0000,,smea: Right, I’m just gonna conclude\Nreally quickly. So, some take-aways of
Dialogue: 0,1:08:16.88,1:08:20.84,Default,,0000,0000,0000,,what we talked about\Ntoday: first thing is:
Dialogue: 0,1:08:20.84,1:08:23.99,Default,,0000,0000,0000,,it’s all pretty obvious lessons,\Nbut – you know – bare with me
Dialogue: 0,1:08:23.99,1:08:29.05,Default,,0000,0000,0000,,Giving access to physical memory to\Nany application, through GPU or whatever,
Dialogue: 0,1:08:29.05,1:08:31.85,Default,,0000,0000,0000,,is dangerous. You should always be\Ncareful about that. Even if you think
Dialogue: 0,1:08:31.85,1:08:36.06,Default,,0000,0000,0000,,you’ve protected stuff, there’s probably\Ngonna be stuff that you forgot. So just,
Dialogue: 0,1:08:36.06,1:08:39.54,Default,,0000,0000,0000,,like “you don’t do it or do it right”.
Dialogue: 0,1:08:39.54,1:08:42.41,Default,,0000,0000,0000,,Other thing is: Shared I/O is\Ndangerous if you don’t know
Dialogue: 0,1:08:42.41,1:08:47.91,Default,,0000,0000,0000,,what can actually control the I/O, then,\Nwell, again, you should be very careful.
Dialogue: 0,1:08:47.91,1:08:52.32,Default,,0000,0000,0000,,Also, only checking your data\Nbefore decryption is dangerous,
Dialogue: 0,1:08:52.32,1:08:56.43,Default,,0000,0000,0000,,and - both that and not checking the key\Nwhen you know that it could possibly
Dialogue: 0,1:08:56.43,1:09:00.61,Default,,0000,0000,0000,,be modified by an attacker\Nis a bad idea. And finally,
Dialogue: 0,1:09:00.61,1:09:05.10,Default,,0000,0000,0000,,secrets in hardware are great\Nunless you give them away, so…
Dialogue: 0,1:09:05.10,1:09:07.57,Default,,0000,0000,0000,,don’t do that! {\i1}laughs\N{\i0}audience laughs*
Dialogue: 0,1:09:07.57,1:09:11.31,Default,,0000,0000,0000,,Beyond that we just wanted to talk about\Nthe state of Homebrew really quickly.
Dialogue: 0,1:09:11.31,1:09:15.49,Default,,0000,0000,0000,,You might recall, on the - during the\NWii U talk around here
Dialogue: 0,1:09:15.49,1:09:19.83,Default,,0000,0000,0000,,2 years ago. And fail0verflow said\Nthat they didn’t think necessarily
Dialogue: 0,1:09:19.83,1:09:23.60,Default,,0000,0000,0000,,there was much of a future for console\NHomebrew. And there’s definitely
Dialogue: 0,1:09:23.60,1:09:28.63,Default,,0000,0000,0000,,an argument for that with\Nthe rise of phones, mostly.
Dialogue: 0,1:09:28.63,1:09:31.91,Default,,0000,0000,0000,,Anyone can make an app, can make\Na game for any number of devices
Dialogue: 0,1:09:31.91,1:09:37.19,Default,,0000,0000,0000,,and sell it to millions of people.\NBut you know, we disagree.
Dialogue: 0,1:09:37.19,1:09:39.06,Default,,0000,0000,0000,,{\i1}cheers and applause{\i0}
Dialogue: 0,1:09:39.06,1:09:43.92,Default,,0000,0000,0000,,It’s been a year since we started\Nreleasing 3DS homebrew. And
Dialogue: 0,1:09:43.92,1:09:47.79,Default,,0000,0000,0000,,– this is supposed to be moving,\Nbut… let’s imagine it’s moving.
Dialogue: 0,1:09:47.79,1:09:52.49,Default,,0000,0000,0000,,Well, there in there - like a bunch of\N3DS Homebrew. It’s been awesome!
Dialogue: 0,1:09:52.49,1:09:56.20,Default,,0000,0000,0000,,We’ve been working on this really hard.\NA lot of people had been joining us.
Dialogue: 0,1:09:56.20,1:10:01.57,Default,,0000,0000,0000,,It’s a great community effort. And\Nbasically what I want to say is
Dialogue: 0,1:10:01.57,1:10:05.86,Default,,0000,0000,0000,,we want more developers.\NSo if you’d like to join us
Dialogue: 0,1:10:05.86,1:10:10.53,Default,,0000,0000,0000,,there is a very… well it’s not\Nvery mature, but it’s maturing,
Dialogue: 0,1:10:10.53,1:10:15.13,Default,,0000,0000,0000,,our SDK. And you know what:\Nreverse-engineering hardware is fun.
Dialogue: 0,1:10:15.13,1:10:18.21,Default,,0000,0000,0000,,When we don’t have any documentation,\Nreverse-engineering software is fun.
Dialogue: 0,1:10:18.21,1:10:22.77,Default,,0000,0000,0000,,We can always use more reverse-engineers\Nand just people who want to make cool shit,
Dialogue: 0,1:10:22.77,1:10:28.100,Default,,0000,0000,0000,,so… Yeah, oh… right! Just one more thing.
Dialogue: 0,1:10:28.100,1:10:32.77,Default,,0000,0000,0000,,Lately there has been a wave\Nof patches by Nintendo,
Dialogue: 0,1:10:32.77,1:10:36.17,Default,,0000,0000,0000,,of known exploits, which\Nhas been really annoying.
Dialogue: 0,1:10:36.17,1:10:40.48,Default,,0000,0000,0000,,So for our Browser Hacks, well,\Nyellows8’s Browser Hacks,
Dialogue: 0,1:10:40.48,1:10:45.15,Default,,0000,0000,0000,,menu hacks, stuff like that…\NYellows8’s been working pretty hard,
Dialogue: 0,1:10:45.15,1:10:49.20,Default,,0000,0000,0000,,so he actually brought back browser\Nhacks, it should have been released
Dialogue: 0,1:10:49.20,1:11:02.72,Default,,0000,0000,0000,,about 10 minutes ago.\N{\i1}laughter, applause{\i0}
Dialogue: 0,1:11:02.72,1:11:07.85,Default,,0000,0000,0000,,But we also had ironhax for an\NeShop game, a free eShop game,
Dialogue: 0,1:11:07.85,1:11:12.48,Default,,0000,0000,0000,,so you could just download it. That was\Npatched. The thing is, there’s actually
Dialogue: 0,1:11:12.48,1:11:16.65,Default,,0000,0000,0000,,a way to download the old version from\Nthe eShop application with some patches.
Dialogue: 0,1:11:16.65,1:11:20.27,Default,,0000,0000,0000,,So we’re also releasing that right now!\NSo basically if you can get Homebrew
Dialogue: 0,1:11:20.27,1:11:23.89,Default,,0000,0000,0000,,and get on to the eShop\Nwith a modified patch.
Dialogue: 0,1:11:23.89,1:11:27.54,Default,,0000,0000,0000,,That should also be released in about…\Nwell, whenever this is done.
Dialogue: 0,1:11:27.54,1:11:31.24,Default,,0000,0000,0000,,So get it as soon as possible,\Nthis is a free game, it will get you
Dialogue: 0,1:11:31.24,1:11:36.59,Default,,0000,0000,0000,,Homebrew forever. So just do that.\NAnd also, yellows8 just released
Dialogue: 0,1:11:36.59,1:11:39.80,Default,,0000,0000,0000,,a new version of menuhax which\Nworks on latest firmware version.
Dialogue: 0,1:11:39.80,1:11:43.50,Default,,0000,0000,0000,,This was also patched like a couple of\Nweeks or months ago. So, this is all out
Dialogue: 0,1:11:43.50,1:11:48.10,Default,,0000,0000,0000,,right now. If you have a 3DS, get it.\NIf you have friends who have 3DS’s,
Dialogue: 0,1:11:48.10,1:11:53.75,Default,,0000,0000,0000,,well, tell them and tell them to get it.\NBecause it might not last super long.
Dialogue: 0,1:11:53.75,1:11:57.95,Default,,0000,0000,0000,,Yeah, so we would like to thank yellows8\Nwho unfortunately can not be here tonight
Dialogue: 0,1:11:57.95,1:12:01.80,Default,,0000,0000,0000,,but has been super helpful, has been\Ndoing a ton of work on the 3DS.
Dialogue: 0,1:12:01.80,1:12:05.48,Default,,0000,0000,0000,,And honestly, a ton of this could\Nnot have been done without him.
Dialogue: 0,1:12:05.48,1:12:08.64,Default,,0000,0000,0000,,And thanks to everyone on the\N#3DSDEV Homebrew channel,
Dialogue: 0,1:12:08.64,1:12:11.91,Default,,0000,0000,0000,,everyone who is attending tonight.\NThanks for this.
Dialogue: 0,1:12:11.91,1:12:14.100,Default,,0000,0000,0000,,And if you have any questions,\NI don’t think we have a lot of time,
Dialogue: 0,1:12:14.100,1:12:28.43,Default,,0000,0000,0000,,but we’ll accommodate. Thanks!\N{\i1}applause{\i0}
Dialogue: 0,1:12:28.43,1:12:31.74,Default,,0000,0000,0000,,Herald: Thank you for your patience, if\Nyou got questions, please come upfront
Dialogue: 0,1:12:31.74,1:12:36.47,Default,,0000,0000,0000,,to these guys, because we have no more\Ntime for structured Q&A. Thank you!
Dialogue: 0,1:12:36.47,1:12:41.40,Default,,0000,0000,0000,,{\i1}postroll music{\i0}
Dialogue: 0,1:12:41.40,1:12:47.50,Default,,0000,0000,0000,,{\i1}Subtitles created by c3subtitles.de\Nin the year 2016. Join and help us!{\i0}