bootstrap

Mirage Bootstrap

mirage-bootstrap is Mirage's first-stage bootloader that runs under the Boot and Power Management Processor- Lite. It is similar to the design of Package1ldr and is responsible for initializing the hardware and loading the second-stage bootloader, which runs under the CCPLEX (Arm Cortex-A57).

It is laid out to be injected through CVE-2018-6242, which allows for a full takeover of the BPMP, making it possible to run arbitrary code.

It also contains an additional debug interface that can be used to poke the Tegra ReCovery Mode (RCM).

Features

• RCM payload relocation

• Hardware initialization

• Detailed panic handling

• Debugging functionality (USB, UART, display, ...)

• Booting CCPLEX and chainloading other payloads

Compiling

As for all other components, cargo-make is required to build the bootstrap. It takes care of all the build dependencies.

Install it with:

cargo install --force cargo-make

Then you can build the bootstrap:

# Debug build
cargo make bootstrap

# Release build
cargo make bootstrap --profile production

Debug builds are useful if you need additional symbols and buildinfo, for example if you want to load the payload into IDA.

Credits

• roblabla, Thog, and leo60228 for lots of advice, troubleshooting assistance and Rust support

• Thog for the rboot project where the tegra210 module was a great inspirational source to start off with

• SwitchBrew for their extensive research and documentation pertaining to the Nintendo Switch

• CTCaer for the hekate project and the late-night hours of bugfixing and consultance pertaining to the Switch hardware

• rust-embedded and rust-osdev for some great documentation and tools pertaining to Rust on the bare metal

• Nvidia for their TRM, which contains tons of useless stuff, but also some helpful documentation

• Again Nvidia for their SoC design that gave me a headache almost every day