fail0verflow / shofel2

Tegra X1 bootrom exploit
BSD 3-Clause "New" or "Revised" License
751 stars 154 forks source link

macOS Support #18

Closed b- closed 6 years ago

b- commented 6 years ago

macOS (and really most things that aren't Linux or Cygwin) do not implement /proc/self/fd (not sure if Plan 9 From Bell Labs does — it's where /proc originates from — but I digress).

I'm not knowledgeable enough with python to implement an equivalent, but I'm sure there's another way to get the file descriptors for a given process that's more portable.

Or perhaps use a different method for exploiting RCM mode. Fusée Gelée's fusee-launcher.py uses a separate backend for launching the exploit on macOS: https://github.com/reswitched/fusee-launcher/blob/c68ae700b558ff320ff8298f7a690b5d9ebcee6e/fusee-launcher.py#L125

Either way, if these both use the same exploit I imagine it wouldn't be too difficult to port ShofEL2 to macOS since Fusée works fine.

b- commented 6 years ago

I took a much closer look at both ShofEL2 and Fusée, as well as https://github.com/rajkosto/TegraRcmSmash. I definitely don't know enough to port this myself, but it doesn't look like it would be TOO much work.

The biggest differences between Shofel2 and fusee are that shofel2 is both written specifically to launch Linux which requires some extra communications code between the host and target (i.e., the computer you're using and the Nintendo Switch) to pass some extra args, etc. but was not at all written with portability in mind, as the methods used pretty much only work on Linux.

TegraRCMSmash on the other hand is also a little hacky, and it uses a lot of low level Windows APIs that would be difficult to translate from, but the fact that it is able to support both ShofEL2 and Fusee payloads is very promising.

Getting this to work on macOS shouldn't be too challenging, as the OS simply lets the malformed USB control commands through as is (see the line of code above) — half of the shofel2.py code is unnecessary on macOS. I unfortunately don't think I'm up to the task — I sat at it for hours, but I couldn't get anything that went anywhere. The fact that the code isn't entirely straight forward, and that so much more is needed to get Linux to send the malformed USB packet is throwing me off. :(

Hopefully someone else can chime in or help?