[Translation] Dangerous Reality Inside of VR headset: HTC Vive
Posted: 2018-8-16 16:52


Dangerous Reality Inside of VR headset: HTC Vive


 

https://embedi.com/blog/dangerous-reality-inside-of-vr-headset-htc-vive/

Introduction



The subject of VR has become a modern trend, bringing the neon visions of the masters of cyberpunk stories and novels closer to reality. So it comes as no surprise that very few have missed it. Over the years, VR headsets have grown far more affordable than they were when the first models were released to the market. No doubt, in the future VR devices will be as naturally found in any house and flat as desktop PCs are now. According to IDC, shipments of VR headsets will reach 67 million devices by 2021.

That is why we decided to look inside a VR headset and find out how a cybercriminal can toy with it, and what harm can be done to the device's owner.

We researched the following attack scenarios an adversary may use:
    Infect a headset and change its location coordinates, which may result in injuries to a user.
    Infect a headset and add some spooky visuals, causing psychological traumas and disorders.
    Infect a headset and block its screen with an ad banner.
    Turn a headset into a link in an infection chain that spreads a virus when connected to other devices.

If you find the topic at least half as amusing as we do, welcome to our short review of the HTC Vive security.

Researching HTC Vive


HTC Vive is one of the most widespread VR devices on the market. It is also the one that attracts the most research interest. Let's start by analyzing the components of the VR system and their functionality. HTC Vive consists of 4 major elements.

Headset


 

The main purposes of the headset are positional tracking of a user's head and outputting the image to the headset's displays. It is both the most important and the most curious part of the system. It is equipped with a camera and 32 positional tracking sensors. It is also packed with four connectors:
    2xUSB 3.0;
    power in;
    Jack 3.5;
    HDMI.

Three connectors are occupied right from the start to connect the device to a PC. Only one USB connector is left vacant for peripheral devices.

The headset is the only component that is always connected to a PC while the system is working. By getting into the guts of the headset, we got access to its motherboard and, consequently, to all the elements we were interested in.

There are four main components on Side 1 of the motherboard:
 

    3 ARM processors:
        NXP 11U35F;
        2xNordic nRF24LU1P;
    32 Mb Micron N25Q032A13ESE40E.

There are several important components on Side 2 as well:
    2 ARM processors:
        STM32F072R8;
        AIT8328;
    USB Audio SoC CM108B;
    USB hub SMSC USB5537B;
    FPGA Lattice ICE40HX8K-CB132;
    4 Mb Micron M25P40;
    32 Mb Micron N25Q032A13ESE40E.
 

Base stations


 
The primary purpose of the base stations is to track a user's position. Sixty times per second, they emit a synchronization pulse and then sweep a laser beam across the room, top to bottom and left to right. The data is collected by the sensors and processed by the microcontrollers in the headset and controllers to track the user's position.

The base stations are equipped with a power in and a Jack 3.5 for synchronization. Each station also has a Bluetooth module used to send notifications when the device enters or leaves sleep mode.

Inside the device, there is the NXP 11U37F (ARM Cortex-M0) chip, responsible for the main functionality of the device.
 

The interaction between the base station and a PC is close to zero (it is limited to update procedures). The headset, in turn, communicates with the base stations through the laser beams at the hardware level. If the way the beams work is changed in any way, the system simply becomes inoperable.

Controllers



 
It is quite obvious that a controller is intended for tracking a user's hand movements and ensuring a full VR experience. As for connectors, controllers are equipped only with microUSB for charging and updating. But what is inside? There is the NXP 11U37F processor, based on a Cortex-M0 core, which handles the controller's primary functionality. There is also an FPGA ICE40HX8K-CB132, dealing with the sensors that respond to the laser beams projected by the base stations, and a 4 Mb Micron M25P40 chip. At first glance, it is hard to spot the Bluetooth chip, because it is a wallflower Nordic nRF24LU1P hiding under a metal screen.
 

Link box


 

Link box is a hub between a desktop and the headset. It has four connectors on one of its sides:

    power in;
    USB 3.0 for connecting to a desktop;
    DisplayPort;
    HDMI.

On the other side, there are three headset connectors:
    power out;
    HDMI;
    USB 3.0.

One can easily find its Bluetooth chip, required for swift and convenient updating of some devices.

Watchman update and console


Having browsed through the SteamVR software folder, we found two helpful programs: lighthouse_console.exe and lighthouse_watchman_update.exe. The first is a console for working with HTC Vive devices; the second updates the firmware of the headset devices.

By executing the help command in lighthouse_console, we could see the following commands listed:

lh> help
associatecontroller     Associated the attached controller to the attached puck
axis    Toggle VRC axis data dumping
battery Print battery status
button  Toggle button data dumping
clear   Clear the record buffer and accumulated statistics.
dump    Toggle all dumping to the console. You must also turn on the individual { imu, sync, sample } flags.
errors  Dump the lighthouse error/status structure.
event   Toggle lighthouse aux event dumping
eventmask       Select lighthouse aux events to report
isp     Enable In-System Programming
haptic [us]     Trigger haptic pulse
identifycontroller      Trigger haptic pulses on the active serial number to identify it
imu     Toggle IMU data packet dumping
imustats        Print IMU statistics
period  Print sync statistics
dis [<type=auto>]       Toggle disambiguation. types={ auto, tdm, framer, synconbeam }
syncd   Toggle sw sync detect
pose    Toggle static pose solver. Is 'dis' is not active, it will enable it.
poweroff        Turn off the active controller
record  Toggle event recording. You must also turn on the individual { imu, sync, sample } flags.
serial  Select a device to open by serial number substring
sensorcheck     Print out hits (and widths) per sensor
save [<filename="lighthouse_console_save.txt">] Save recorded events to a file on disk
sync    Toggle sync dumping
sample  Toggle sample dumping
trackpadcalibrate       Trigger trackpad recalibration on the active controller
uploadconfig [<filename>]       Upload the config file to the device
downloadconfig [<filename>]     Download the config file
reformatconfig <inputfilename> <outputfilename> Update the config to the latest json format
version Prints the firmware and hardware version on the Watchman board
userdata        Get a directory listing of the stored userdata
userdatadownload <name> Download the specified named userdata
userdatadownloadraw <addr> <size> [<filename>]  Download and store the user data at specified address
userdatasize    Display the size of the user data space (in bytes)
ispdiv <divisor>        Set the camera ISP sync signal divisor
quit    Quit

However, if the program is opened in IDA Pro, it becomes clear that there are many more of them.
  if ((unsigned __int8)sub_402210(v11, "pair")){
    v173[1] = 0;
    if (*(_DWORD *)(v217 + 16) == 8449)
      sub_42EC30(10000, (char)v173[1]);
    else
      sub_42ED10((char)v173[1]);
    goto LABEL_497;
  }
  if ((unsigned __int8)sub_402210(v11, "pairall")){
    sub_40C4C0(15000, 0);
    goto LABEL_497;
  }
  if ((unsigned __int8)sub_402210(v11, "forcepairall")){
    sub_40C4C0(15000, 1);
    goto LABEL_497;
  }
  if ((unsigned __int8)sub_402210(v11, "unpair")){
    sub_42BA80(v217);
    goto LABEL_497;
  }
  if ((unsigned __int8)sub_402210(v11, "unpairall")){
    sub_40FEF0();
    goto LABEL_497;
  }
  if ((unsigned __int8)sub_402210(v11, "hmdhidtest") )

Here are the commands that are not listed by the help command but are still present in the program:
  • fpgareset
  • fixcalib
  • pair
  • pairall
  • forcepairall
  • unpair
  • unpairall
  • hmdhidtest
  • fpgaread
  • dongleinfo
  • donglereset
  • dongleresetall
  • eventrate
  • wait
  • capsensecalibrate
  • trackpaddebug
  • poweroff

With the help of this list, we could test the device in various ways, for example by checking the button status. It was also possible to download the configuration file, upload it back, and perform other peculiar operations.

Thanks to the lighthouse_watchman_update.exe application, an attacker can easily update the firmware of any of the devices. As you understand, this is the basis of each attack scenario mentioned above. Moreover, the firmware of most microcontrollers is available in the neighboring directory, although it is not entirely clear what each file does.
Usage: lighthouse_watchman_update [OPTIONS] [args...]
Options:
  -h                       Prints this message
  -m<dev>                  Update main firmware (default)
  -f<dev>                  Update FPGA firmware
  -r<dev>                  Update radio firmware
  -j<dev> k1,f1 k2,f2 ...  Update user data {key,filename}. Multiple files supported. Erases prior user data.
  -u <dir>                 Update all devices with firmware in the specified directory
  -U <dir>                 Same as '-u' option but forces update
  -x                       Do not reset device after successful update
  -b<dev>                  Reset device into bootloader mode
  -i<dev>                  Reset bootloader device into ISP mode
  -R<dev>                  Reset into main firmware from the bootloader
  -B <num>                 Set board revision
  -l<dev> <num>            Set date/lot code
  -a<dev>                  Print bootloader attributes
  -c                       Print CRC128
  -d                       Update watchman dongle
  -D                       Update watchman dongles and/or convert Steam Controller dongles to watchman
  -g<dev>                  Update fuel gauge firmware
  -t <path>                Reads timestamp information from a watchman firmware image
  -s <serial num>          Update the device with matching serial number
  --via-dongle             Perform watchman firmware updates via a dongle radio connection
  --via-bootloader         (Watchman v3 devices only) Sends the update via the device's bootloader
  --via-application        (Watchman v3 devices only) Sends the update via the device's application interface
  --force-update           (Watchman v3 devices only) Forces an update onto a device
  --target=<target>        (Watchman v3 devices only) Sets the update target.  Available targets:
                               application, bootloader, ice40, max10, nrf52, bq27520, user, default (set by file)

 <dev> device     'w' for watchman 'w3' for watchman v3 'v' for VRC 'n' for NEO_VRC
                   (default is watchman)
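As an added example (not part of the Embedi post or of Valve's tooling), here is how a defender could turn the usage text above into a detection: it parses lighthouse_watchman_update command lines taken from process-creation events and flags the invocations that write firmware or user data, rating forced or bootloader-level writes highest. The option grammar is read leniently from the usage text; the sample events and host names are constructed.

```python
"""Classify lighthouse_watchman_update command lines from process-creation logs."""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Option letters that write firmware or user data to a device (from the usage text)
WRITE_OPTS = set("mfrjuUdDg")

@dataclass
class UpdateInvocation:
    # Each write: (option letter, attached <dev> suffix such as "w3", following arguments)
    writes: List[Tuple[str, str, List[str]]] = field(default_factory=list)
    forced: bool = False        # -U or --force-update
    via: str = "default"        # --via-dongle / --via-bootloader / --via-application
    target: str = "default"     # --target=<target>

def parse_watchman_cmdline(cmdline: str) -> Optional[UpdateInvocation]:
    """Parse one command line; returns None if it is not lighthouse_watchman_update."""
    toks = shlex.split(cmdline, posix=False)   # posix=False keeps Windows backslashes
    if not toks or "lighthouse_watchman_update" not in toks[0].lower():
        return None
    inv = UpdateInvocation()
    i = 1
    while i < len(toks):
        tok = toks[i]
        i += 1
        if tok.startswith("--"):
            if tok == "--force-update":
                inv.forced = True
            elif tok.startswith("--via-"):
                inv.via = tok[len("--via-"):]
            elif tok.startswith("--target="):
                inv.target = tok[len("--target="):]
            continue
        if not tok.startswith("-") or len(tok) < 2:
            continue                            # stray positional token
        opt, dev = tok[1], tok[2:]
        # Lenient grammar: every token up to the next option belongs to this option
        args: List[str] = []
        while i < len(toks) and not toks[i].startswith("-"):
            args.append(toks[i])
            i += 1
        if opt == "U":
            inv.forced = True
        if opt in WRITE_OPTS:
            inv.writes.append((opt, dev, args))
    return inv

def assess(inv: Optional[UpdateInvocation]) -> Tuple[str, str]:
    """Severity of a parsed invocation: none / medium / high."""
    if inv is None or not inv.writes:
        return ("none", "no firmware or user-data write")
    what = "; ".join(f"-{o}{d} {' '.join(a)}".strip() for o, d, a in inv.writes)
    if inv.forced or inv.via == "bootloader":
        return ("high", "forced or bootloader-level write: " + what)
    return ("medium", "firmware write: " + what)

# Constructed sample events (host, command line); the first command line is the
# tracker MCU update quoted from the HTC developer guidelines.
SAMPLE_EVENTS = [
    ("WS-01", "lighthouse_watchman_update -mnt tracker_mcu_filename.bin"),
    ("WS-02", r"lighthouse_watchman_update -U C:\Temp\fw --force-update --via-bootloader"),
    ("WS-03", "lighthouse_watchman_update -a"),
    ("WS-04", "notepad.exe readme.txt"),
]

def scan_events(events) -> List[Tuple[str, str, str]]:
    """Return (host, severity, reason) for every event that writes to a device."""
    findings = []
    for host, cmdline in events:
        severity, reason = assess(parse_watchman_cmdline(cmdline))
        if severity != "none":
            findings.append((host, severity, reason))
    return findings
```

In practice the events would come from a process-creation source such as Sysmon event ID 1, and a legitimate-parent allow-list (the SteamVR updater) would suppress the expected medium findings.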

Hardware analysis



The headset motherboard is the most interesting part here. A lot of crucial hardware elements are placed right on it, and it also has a lot of debugging connectors. Fortunately, most microcontrollers are not in BGA packages, which is why we managed to find the SWD connectors of some chips. Fig. 10 shows the one for the NXP LPC11U35F.
 
To understand the functions performed by each microcontroller and to reconstruct the connections between the components, we used a soldering iron and a multimeter.

We disassembled the motherboard, traced the tracks with our multimeter, and drew the connection diagram between the components (see Fig. 12).
 
As noted above, the headset has a USB hub, SMSC USB5537B, that connects up to 7 devices through a single USB port. Six of the available ports are occupied by the main components of the headset, while the remaining external one is vacant for connecting additional equipment. The diagram shows that it is impossible to get at the video output processing from the headset side, since it is the PC that is responsible for that. The FPGA monitors the status of the 32 headset sensors, processes all the data they send, and passes it via UART to the NXP LPC11U35F/401 microcontroller.

What conclusions can be drawn here?

The first thing that came to mind here is that the video stream cannot be affected in any way, since it is processed by the PC, which sends the rendered image to the headset. Consequently, Attack Scenarios 2 and 3 are inapplicable.

Second, we found out that the chip NXP LPC11U35F/401 is responsible for tracking the position of the headset and sends the position data via USB to the PC. Therefore, a cybercriminal can modify the firmware that processes position data so that a user's virtual position differs from the real one. This case corresponds to Attack Scenario 1.

Then we had to find out what firmware was stored on the microcontrollers. All the microcontrollers and memory chips had been unsoldered, so we needed to read the data from them. Using our soldering station, we soldered the microcontrollers to a TQFP adapter (see Fig. 13):
 
Unfortunately, we could not find adapters for the SPI memory chips, since they have fewer pins, so we just soldered a pin header to them.
 
ChipProg481 and a bunch of wires came in handy for extracting firmware!
 
For a change, we also extracted data from a controller. All the components there were intact, so we did not have to unsolder them; extracting data from its two microcontrollers was completely seamless thanks to a Black Magic Probe v2 connected to the SWD ports.
 
According to the collected data, we built a table to make clear what firmware was used and what functionality was performed by each microcontroller.

  Dump source                   | SteamVR firmware file                                                                                     | Additional information
  Micron N25Q032A13ESE40E 32Mb  | Micron N25Q032A13ESE40E 32Mb                                                                              | Contents of address range 0xf800-0xf9c1df not found in the SteamVR firmware
  STM32F072                     | DisplayBin tools/lighthouse/firmware/htc/APP-000000000 0200160.bin                                        | Contents of address range 0x0-0x26c8 not found in the SteamVR firmware
  Micron M25P40 4Mb             | DisplayBin tools/lighthouse/firmware/htc/APP-000000000 0200160.bin                                        | -
  nRF24LU1P                     | DisplayBin tools/lighthouse/firmware/vr_controller/archive/htc_vrc_dongle_1461100729_2016_04_19.bin       | -
  NXP 11U35F                    | WatchmanBin tools/lighthouse/firmware/lighthouse_rx_watchman/archive/htc_watchman_1462663157_2016_05_07.bin | Configuration file
  Micron N25Q032A13ESE40E 32Mb  | WatchmanFPGABin tools/lighthouse/firmware/lighthouse_rx_watchman/archive/htc_pre_watchman_262_fpga.bin    | PNG_1 Green_4A7A16BB004239_mura_analyzes.mc, PNG_2 Green_4A8A16B8004487_mura_analyzes.mc

Security aspect



The security problems of HTC Vive came into the spotlight quite early – at the updating stage. According to the microcontroller documentation, all the microcontrollers support updating via USB. Judging by the firmware files, it was clear to us that each firmware is a plain binary file with no checksums. Therefore, adversaries can modify the firmware to their liking and upload it to the headset. Also, each microcontroller has sufficient free space (45 Kb on average) for the modified code. Change, upload, enjoy!
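Since the firmware images carry no checksum of their own, one defensive check is to baseline the SteamVR firmware directory yourself and detect any change before an update is pushed to the devices. This is an added example, not code from Embedi or Valve; the sample tree reuses two firmware paths from the table above with placeholder bytes, built in a temporary directory.

```python
"""Hash-baseline a firmware directory and report added, removed or modified images."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large FPGA images are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files added, removed or modified since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


# Constructed sample tree: two firmware paths quoted in the table above, with
# placeholder bytes standing in for the real images.
WATCHMAN = "tools/lighthouse/firmware/lighthouse_rx_watchman/archive/htc_watchman_1462663157_2016_05_07.bin"
DONGLE = "tools/lighthouse/firmware/vr_controller/archive/htc_vrc_dongle_1461100729_2016_04_19.bin"
EXTRA = "tools/lighthouse/firmware/htc/extra_constructed.bin"   # constructed name
SAMPLE_FILES = {WATCHMAN: b"\x7f" * 128, DONGLE: b"\x42" * 96}


def demo() -> Dict[str, List[str]]:
    """Baseline the sample tree, then simulate a patched image plus a dropped extra file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, data in SAMPLE_FILES.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        baseline = build_manifest(root)
        # Tampering: flip one byte of the watchman image and add an unexpected image.
        patched = bytearray(SAMPLE_FILES[WATCHMAN])
        patched[10] ^= 0xFF
        (root / WATCHMAN).write_bytes(patched)
        (root / EXTRA).parent.mkdir(parents=True, exist_ok=True)
        (root / EXTRA).write_bytes(b"\x00" * 16)
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

The baseline manifest should be stored outside the SteamVR tree (and ideally signed), since malicious code that can rewrite the firmware files can rewrite a manifest kept beside them.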

For example, in the NXP LPC11U35 documentation the following is stated:

-    In-System Programming (ISP) and In-Application Programming (IAP) via on-chip bootloader software.
-    ROM-based USB drivers. Flash updates via USB supported.
-    ROM-based 32-bit integer division routines

and in the STM32F072 documentation:

-    The boot loader is located in System Memory. It is used to reprogram the Flash memory by using USART on pins PA14/PA15, or PA9/PA10 or I2C on pins PB6/PB7 or through the USB DFU interface.

nRF24LU1P says:

The nRF24LU1P bootloader allows you to program the nRF24LU1+ through the USB interface. The bootloader is pre-programmed into the nRF24LU1+ flash memory and automatically starts when power is applied.

As written above, there is a dedicated lighthouse_watchman_update.exe console tool available. Malicious code can simply invoke it to conduct an attack, or reimplement the tool's functionality itself.

As seen from HTC_Vive_Tracker_Developer_Guidelines_v1.3, the commands below are used for updating the device:

- Update MCU’s firmware:
  - lighthouse_watchman_update -mnt tracker_mcu_filename.bin
- Update FPGA’s firmware:
  - lighthouse_watchman_update -fnt tracker_fpga_filename.bin
- Update RF’s firmware:
  - lighthouse_watchman_update -rnt tracker_rf_filename.bin

If it is possible to update the software of HTC Vive, an attacker can add malicious code that can affect the operation of the system and potentially lead to physical injuries of a device owner or cause other inconveniences.

HTC Vive Pro

Not so long ago, a renewed version of the device was released to the market. Unfortunately, we have not had a chance to check the Pro version yet. Nonetheless, the available information on HTC Vive Pro indicates that no fundamental changes were made relative to the basic version. Although some microcontrollers were indeed updated, the overall principles of operation and the interaction between the components remained the same. Only the motherboard layout (there are now two boards) and the placement of the debugging connectors changed slightly.

A really new feature is yet to come: the developers announced they are going to release an accessory that frees the device from wires and passes data over a wireless channel using WiGig technology. Apart from its useful features, however, this novelty brings another attack vector.

Conclusion



All in all, we drew the following conclusions regarding the attack scenarios mentioned above:


Attack Scenario 1: An adversary can change the location and coordinates of the headset. Users may become one with their apartment wall before they can say “Jack Robinson” and before the software warns them about this dangerous proximity.

Attack Scenarios 2 and 3: These scenarios are not possible because the headset does not process the video stream.

Attack Scenario 4: Although the scenario is achievable, it is of little practical concern, since HTC Vive is a stationary device and is rarely connected to any desktop other than its owner's, and the owner's desktop computer would already be infected.

HTC Vive is a high-tech device, but it is still obvious that its security was not a priority for the developer.

An attacker can easily get access to the firmware of each microcontroller used in HTC Vive, modify it, and upload it back to the headset. As a result, not only is the gaming experience spoiled, but the owner may also be injured.

Over the years, VR and AR technologies will grow more advanced and developed, and unfortunately their security problems will progress as well, becoming more severe and dangerous.



Latest replies (2)
Learned something. In any computer-related industry, security comes first.
2018-8-26 23:30