Monday, June 25, 2018

Chill, shills...

Sigh... I didn't really want to write a whole blog post about this, but since people keep paraphrasing me out of context (or just plain wrongly) I figured it might be beneficial for those few who care.

So, the SX OS brick code... I'm going to try and explain all this again one last time in a good old Q&A style (Qs have been exaggerated for comedic purposes).

Q: lul u bricked! that's what you get for tryin to crack the almighty SX OS!
A: Yes I know this isn't really a question. Apparently people think I'm butthurt about this or that I simply have no clue how this happened.
Sorry to disappoint you, but I wouldn't try to run a closed-source piece of software at a system's highest possible level of execution privilege if I wasn't sure of what could happen. Naturally, I reserved one unit that I didn't care much about for experimenting with this.
Sure, it sucks to go through the process of restoring it, but I was willing to do it and no I'm not sad/mad/annoyed/butthurt/whatever about what happened. I guess people inferred a tone from my original first tweet (was it the emoticons?), but the purpose of the PSA was merely informative.

Q: You SJWs try anything to discredit TX! First it was "itz goin to get cracked day 1" now it's "oh no! brick code! stay away!".
A: Another non-question. For starters, I'm not the author of the first claim; I never underestimated the preventive measures in place for their software.
As for the second claim, I couldn't care less about what you do with your system. I'm not here to tell you to stay away from their product because it has code that can brick your NAND, I was just doing an informative tweet. Something I've done in the past regarding the Switch itself.

Q: TX has a solid 15 year reputation! How can you find yourself superior to them?
A: Even though I never claimed to be above them, I've been around security for almost 18 years now. What exactly does that prove anyway?

Q: Why are you wasting time REing SX OS instead of working for the free open-source alternatives you defend so much?
A: I'm still doing active work on Atmosphère (writing critical parts of fusee from scratch); just because you're not seeing commits doesn't mean work isn't getting done.
As for REing the OS, why not? It's a challenge. I'm not trying to break their product to make them lose money or whatever crappy excuses I've seen people throwing around. If I worked on cracking the Switch itself, why shouldn't I try to do the same with their product? It's out there for anyone to grab and has multiple layers of obfuscation, seems like an interesting puzzle to me.

Q: Yeah right, you ReSwitched folks are all the same!
A: To be accurate, I'm not part of ReSwitched. I work independently while collaborating with multiple parties such as ReSwitched and Switchbrew.
This doesn't mean I don't share their views, because I do agree with several people on multiple things, but I speak for myself whenever I deem fit.

Q: Oh, but you attacked TX in the past!
A: I did yes. I have no problems admitting that in my opinion what they do is despicable, but that's a personal and subjective view. I'm also intelligent enough to not mix this with objective work such as reversing their products.

Q: Pffft. Can you even prove they have brick code?
A: Run this script on the folder where you have the "boot.dat" file: https://gist.github.com/hexkyz/238fe509911f5b3e2aa286295e235e27
It will generate a few files, but we're only interested in the "data_80000000.bin" one. This is a payload that runs in RAM and is composed of various chunks of code that decrypt and re-encrypt themselves to prevent people from live debugging their code.
Afterwards, run this other script in the same folder: https://gist.github.com/hexkyz/d5b3f5b1700b507b41e7fc1dc12e8dfd
You will get a file called "data_80000000_unpacked.bin". This is the payload with its chunks decrypted and placed at the proper memory addresses. Open this in IDA or any other disassembler of your preference (the binary is AArch64, little endian, and the base offset is the one in the file name: 0x80000000) and locate sub_80306200.
What you're seeing there is a performance monitor (using the Cortex-A57 CP15 registers c9, c12 and c13) that watches the overall execution time of this payload. If the timing doesn't match what the payload expects, a different code path is taken (and different chunks of code are decrypted and executed). You'll have to dig a bit, but eventually the MMIO register 0x700B0600 (derived from 0x8000407C after deobfuscation), which is the Tegra's SDMMC4 (eMMC) base address, is accessed to issue the aforementioned MMC_LOCK_UNLOCK command (CMD42).
The password is generated in the same fashion as Gateway's brick code for the 3DS. In my case, since I was messing with the code, it picked up the password seed from random garbage on the stack, so it would've been very difficult (if not impossible) to regenerate it.
In theory, it should be really difficult for this mechanism to trigger at random, but it is possible: the performance monitor features of the CPU are prone to mistakes just like anything else.
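One way an analyst can sanity-check what a recovered CMD42 data block would actually do, as an added example (not the post's scripts and not code from the payload); the field layout is assumed from the JEDEC eMMC spec and the sample block is constructed:

```python
# Added example (not code from the post or the SX OS payload): decode an eMMC
# CMD42 (MMC_LOCK_UNLOCK) data block. Layout assumed from the JEDEC eMMC spec:
# byte 0 = mode bits, byte 1 = PWD_LEN, then password bytes (old + new on replace).
SET_PWD, CLR_PWD, LOCK_UNLOCK, ERASE = 0x01, 0x02, 0x04, 0x08
MAX_PWD_LEN = 16

EFFECTS = {  # mode bits -> (label, what the device does on receipt)
    SET_PWD | LOCK_UNLOCK: ("set_pwd_and_lock", "sets a password and locks the device"),
    SET_PWD: ("set_pwd", "sets or replaces the password"),
    CLR_PWD: ("clr_pwd", "clears the password and unlocks the device"),
    LOCK_UNLOCK: ("lock", "locks the device if the password matches"),
    0: ("unlock", "unlocks the device if the password matches"),
}


def decode_lock_unlock(block: bytes) -> dict:
    """Decode one CMD42 data block; raise ValueError for combinations the spec forbids."""
    if not block:
        raise ValueError("empty CMD42 data block")
    flags = block[0]
    if flags & ERASE:
        # Force erase is a one-byte block: ERASE alone, no password at all.
        if flags != ERASE:
            raise ValueError("ERASE combined with other mode bits")
        return {"mode": "force_erase", "password": b"", "denies_access": True,
                "effect": "erases all user data and removes the password"}
    if flags & ~(SET_PWD | CLR_PWD | LOCK_UNLOCK) or flags not in EFFECTS:
        raise ValueError("reserved or mutually exclusive mode bits set")
    if len(block) < 2:
        raise ValueError("missing PWD_LEN byte")
    pwd_len = block[1]
    if pwd_len > 2 * MAX_PWD_LEN or len(block) < 2 + pwd_len:
        raise ValueError("PWD_LEN exceeds the block or the spec limit")
    mode, effect = EFFECTS[flags]
    return {"mode": mode, "password": bytes(block[2:2 + pwd_len]),
            "effect": effect, "denies_access": bool(flags & LOCK_UNLOCK)}


def is_malformed(block: bytes) -> bool:
    """True if the device would reject the block, for quick triage of dumped data."""
    try:
        decode_lock_unlock(block)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample (placeholder password bytes): set a password and lock at once.
    print(decode_lock_unlock(bytes([SET_PWD | LOCK_UNLOCK, 16]) + bytes(range(16))))
```

The `denies_access` flag is the field to look at first when triaging: it is set only for the lock and force-erase variants, which are the ones that leave the eMMC unusable without the password.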

Q: What's your endgame with this then?
A: Nothing, I just like to crack DRMs.

So, that's it I guess.
I'm a strong advocate of the idea that if a product is good enough (regardless of its origin or purpose) it should be able to stand by itself. Seeing a good amount of people actively defending the SX OS and getting pissed by just about anything is making me believe that TX themselves don't trust this product.
I actually know Team Xecuter's history and I've even had some of their products in my hands a long time ago. What I'm learning by reversing the SX OS doesn't resonate at all with the TX that worked on solutions for the Xbox family. It's not the first time TX has released software to accompany their hacks, but I don't remember them including brick code in their products.

In sum, my stance on piracy is very clear: it's a despicable and toxic practice that goes directly against the morals and values of the homebrew community. It completely discredits our attempts to show companies that we are capable of building positive solutions by modifying their products.
That being said, I don't mix my personal views with my attempts to reverse engineer this product and I certainly wouldn't tweet about it if I wasn't sure of what I found.

Anyway, my guinea Switch is being restored at the moment, and this didn't hinder my progress in cracking the SX OS in the slightest. Ironically, it had the reverse effect, since I was able to observe where and how the next stages are loaded, which in turn allows improving emulation solutions to further crack the code.

32 comments:

  1. I appreciate your blog post :) Thanks for your analysis and all stuff around Switch and SX.

  2. I can assure you that, while this product is different than what they have offered previously, the same "Team Xecuter" members from the 360 days are behind it.

  3. Piracy is actually good. Investing emotional energy to oppose children getting 'free games' is a lot more problematic. As is capitalism in general, to be honest.

    Replies
    1. Oh for fucks sake.

    2. So someone owes them games? Who? How does a software developer get paid? How does the software get *developed* if they're not going to get paid for it? I don't know about you, but I work because it costs money, and working gets me money. Capitalism is fine if people play by the rules - hence its downfall, but I at least try to show some support for the notion by paying my work-reward (money) for someone else's work.

  4. Appreciate the post. Thanks for all the work

  5. You should RE it some more, the bricking code path is not dependent on timing (performance counter / timer). This makes the whole point 'it's possible' moot since it's not.

    Replies
    1. What makes you say it's not timing? Not defending or attacking just curious. Could you show me/us?

  6. An entire, wonderfully written post, ruined because you had to hate on piracy.

  7. Doing god's work.

  8. Why do you even bother on giving explanations to people? You do not work for them, you only work for yourself.

  9. Cool writeup, keep it up!

  10. Appreciate your work and explanations, very insightful, don't let the haters get you down! :)

  11. Thanks, already enough drama for today ...
    It seems a really peculiar DRM...

  12. Pretty cringe. You autistic or something?

  13. Dumb question, but could we set the eMMC password preemptively and thereby block any unauthorized locking or password setting/resetting? It wouldn't block TX from force-erasing the eMMC, though.

    Replies
    1. Wouldn't the password just block the Switch from using the eMMC?

    2. It looked like an eMMC password is needed to lock, unlock, set, or reset the password. So, if the password is set, the eMMC could remain unlocked and not be locked unless the password was provided.

  14. I am very impressed by your wise and mature tone in this FAQ. Crack or no crack... this is a good read.

  15. Thanks for writing this. It's on par with something Scires would write. Also, you should write here more often. It's nice hearing from other developers and hackers.

  16. You state you are anti-piracy; does that mean you won't release the crack? Because that is why everyone is coming here. SciresM also claims the same, but we know this is BS since it always ends up being public with a slight modification. So we count on you to do the same! Thanks!

  17. That obnoxious user from Discord, June 25, 2018 at 2:53 PM

    Okay, I read this entire thing, not 'cos I'm into it, but to increase my lexile.

  18. Loved the read, keep doing what you're doing.

  19. GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG

  20. Considering Atmosphere will probably be the ultimate CFW for the Switch, as opposed to closed-source software, I totally agree with what you're doing here. Interesting read!

  21. "Cool." (J.O. Style)

  22. >It completely discredits our attempts to show companies that we are capable of building positive solutions by modifying their products

    This is an incredibly naive position.

    Why are you trying to bootlick these companies? If their products are incompatible with consumer modification and preservation of games then they need to be taxed into oblivion to compensate for loss of history and culture.

    An EU agency or office in the Library of Congress needs to be given authority over banning and fining companies for use of DRM in all places - including selling software as a service.

    Consumers > Creators - Always.

    Replies
    1. This kind of horseshit always makes me question all kinds of things about the author's status. These are the words of someone who does not create, refuses to understand the meaning of "consume", does not understand market dynamics in the slightest, and spends far too much time contemplating things entirely orthogonal to themselves. To additionally chide for naivete is peak arrogance.

  23. Crack everything!!!!

  24. "goes directly against the morals and values of the homebrew community"

    lol no

  25. Is there a chance of accidental bricks using SX OS?

  26. Haters will always hate lol, keep cracking dude.
