💥
0xfffffff041414141

Simone Ferrini sferrini

@littlelailo
littlelailo / apollo.txt
Created September 27, 2019 12:04
Apple Bootrom Bug
This bug was also called moonshine in the beginning
Basically the following bug is present in all bootroms I have looked at:
1. When usb is started to get an image over dfu, dfu registers an interface to handle all the commands and allocates a buffer for input and output
2. if you send data to dfu the setup packet is handled by the main code which then calls out to the interface code
3. the interface code verifies that wLength is shorter than the input output buffer length and if that's the case it updates a pointer passed as an argument with a pointer to the input output buffer
4. it then returns wLength which is the length it wants to receive into the buffer
5. the usb main code then updates a global var with the length and gets ready to receive the data packages
6. if a data package is received it gets written to the input output buffer via the pointer which was passed as an argument and another global variable is used to keep track of how many bytes were received already
7. if all the data was received th
@ujin5
ujin5 / exploit.html
Created June 24, 2019 00:03
Google CTF Quals 2019 Monochromatic
<html>
<pre id='log'></pre>
<script src="mojo_bindings.js"></script>
<script src="third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script>
<script src="being_creator_interface.mojom.js"></script>
<script src="food_interface.mojom.js"></script>
<script src="dog_interface.mojom.js"></script>
<script src="person_interface.mojom.js"></script>
<script src="cat_interface.mojom.js"></script>
<script>
@bazad
bazad / A12-page-table-walk.c
Created May 17, 2019 05:22
A C implementation of a simple page table walk on A12 devices (iOS 12.1.2).
uint64_t
aarch64_page_table_lookup(uint64_t ttbr, uint64_t vaddr,
uint64_t *l1_tte_, uint64_t *l2_tte_, uint64_t *l3_tte_) {
const uint64_t pg_bits = 14;
const uint64_t l1_size = 3;
const uint64_t l2_size = 11;
const uint64_t l3_size = 11;
const uint64_t tte_physaddr_mask = ((1uLL << 40) - 1) & ~((1 << pg_bits) - 1);
uint64_t l1_index = (vaddr >> (l2_size + l3_size + pg_bits)) & ((1 << l1_size) - 1);
uint64_t l2_index = (vaddr >> (l3_size + pg_bits)) & ((1 << l2_size) - 1);
@bazad
bazad / build-xnu-4903.221.2.sh
Created January 28, 2019 19:18
A script to build XNU version 4903.221.2 (macOS High Sierra 10.14.1) on macOS 10.14.1 with Xcode 9.4.1.
#! /bin/bash
#
# build-xnu-4903.221.2.sh
# Brandon Azad
#
# A script showing how to build XNU version 4903.221.2 (which corresponds to
# macOS 10.14.1) on macOS High Sierra 10.14.1 with Xcode 9.4.1.
#
# Note: This process will OVERWRITE files in Xcode's MacOSX10.13.sdk. Make a
# backup of this directory first!

The following is a write-up of how I initially achieved kernel code execution on the Nintendo Switch, very much inspired by hexkyz's write-ups. The work discussed was completed over the course of a single conversation between hthh and me during the evening of November 21st, 2017. A number of snippets are attached from that conversation as inline links, in the hopes that they'll be interesting to readers.

Background information

I would recommend one read hexkyz's recent write-up on how the Switch was broken into via GPU DMA attacks. It's a great read!

In particular, he describes:

Additionally, the kernel itself would start allocating memory outside of the carveout region
@bazad
bazad / build-xnu-4570.61.1.sh
Created November 13, 2018 21:30
A script to build XNU version 4570.61.1 (macOS High Sierra 10.13.5) on macOS 10.13.5 with Xcode 9.4.
#! /bin/bash
#
# build-xnu-4570.61.1.sh
# Brandon Azad
#
# A script showing how to build XNU version 4570.61.1 (which corresponds to
# macOS 10.13.5) on macOS High Sierra 10.13.5 with Xcode 9.4.
#
# Note: This process will OVERWRITE files in Xcode's MacOSX10.13.sdk. Make a
# backup of this directory first!

iOS-v12.0-16A366-iPhone11,6

Instructions about setting the PAC key

__text:FFFFFFF007A0834C                 LDR             X0, =0xFEEDFACEFEEDFACF ; LDR X0, #348, 0xFFFFFFF007A084A8
__text:FFFFFFF007A08350                 MSR             #0, c2, c1, #2, X0 ; APIBKeyLo_EL1
__text:FFFFFFF007A08354                 MSR             #0, c2, c1, #3, X0 ; APIBKeyHi_EL1
__text:FFFFFFF007A08358                 ADD             X0, X0, #1
__text:FFFFFFF007A0835C                 MSR             #0, c2, c2, #2, X0 ; APDBKeyLo_EL1
__text:FFFFFFF007A08360                 MSR             #0, c2, c2, #3, X0 ; APDBKeyHi_EL1
@fay59
fay59 / Quirks of C.md
Last active May 23, 2025 21:05
Quirks of C

Here's a list of mildly interesting things about the C language that I learned mostly by consuming Clang's ASTs. Although surprises are getting sparser, I might continue to update this document over time.

There are many more mildly interesting features of C++, but the language is literally known for being weird, whereas C is usually considered smaller and simpler, so this is (almost) only about C.

1. Combined type and variable/field declaration, inside a struct scope [https://godbolt.org/g/Rh94Go]

struct foo {
    struct bar {
        int x;
@antoniofrighetto
antoniofrighetto / build-xnu.sh
Last active August 6, 2020 12:59
Script to build any XNU kernel version.
#!/bin/bash
# 2k20 ~antoniofrighetto
# Build any XNU kernel version. Make sure you have the related MacOSX SDK version installed
#
# macOS 10.15.4 kernel compilation successfully tested on macOS 10.15.6 and Xcode 11.6
#
# MACOS_VERSION=10.15.4 BACKUP_SDK=1 OPTIONS=RELEASE,DEVELOPMENT ./build-xnu.sh
# XNU_VERSION=xnu-4570.41.2 ./build-xnu.sh
set_macos_version() {
@shafik
shafik / WhatIsStrictAliasingAndWhyDoWeCare.md
Last active June 3, 2025 01:06
What is Strict Aliasing and Why do we Care?

What is the Strict Aliasing Rule and Why do we care?

(OR Type Punning, Undefined Behavior and Alignment, Oh My!)

What is strict aliasing? First we will describe what is aliasing and then we can learn what being strict about it means.

In C and C++ aliasing has to do with what expression types we are allowed to access stored values through. In both C and C++ the standard specifies which expression types are allowed to alias which types. The compiler and optimizer are allowed to assume we follow the aliasing rules strictly, hence the term strict aliasing rule. If we attempt to access a value using a type not allowed it is classified as undefined behavior (UB). Once we have undefined behavior all bets are off, the results of our program are no longer reliable.

Unfortunately with strict aliasing violations, we will often obtain the results we expect, leaving the possibility that a future version of a compiler with a new optimization will break code we th