Hacking WIP Switch Exploit Idea - I want the Community to Use it!

[aarock1234]

I made an account just to post this.

Mostly I have been a browser of this forum for a long time and like to look at random posts.

I have been developing an idea with a friend and we decided we wanted to share it with the community and see what they could do withit.

Exploit

Notes:

• Involves JPEG images and buffer overflow.

Usage:

The basic premises state that you would essentially take an image from the switches SD card and edit it in a text editor. You would in theory add many characters to the file so the switch would not know what to do. Basic rules for computers say if a file is too large it would write that overflowing data somewhere else (buffer overflow). That data could be a homebrew launcher, program, game or some other thing that could be written on the switch itself. The reason we use JPEG images is that they are injectable/can be edited. The idea would be to somehow take some code (arm asm) and compile it into a jpeg and use the switch image viewer to access the program.​

 

[Jhynjhiruu]

People have already tried this.

 

[KiiWii]

How have you "developed" this?

 

[smilodon]

JPEG is a VERY well-tested file format. It wont happen.

 

[BlackWizzard17]

How have you been browsing the forums for a long time yet failed to notice that this was already mentioned not only in regards to the switch but to other systems as well such as the Wii u and 3DS.

 

[froggestspirit]

jpeg of all things. Maybe if nintendo had a highschool student code the jpeg parser?

 

[Sonic Angel Knight]

Sounds like psp Chicken hen exploit.... Would that really work a second time, especially on a console 10 years later?
(Not denying the possibility, just was curious what others thinks)

 

[Urbanshadow]

I'd honestly try malforming a .tiff header like was done to the PSP, or malform a .svg to load it from the "browser" but I'm sure it doesn't lead anywhere.

--------------------- MERGED ---------------------------

Sounds like psp Chicken hen exploit.... Would that really work a second time, especially on a console 10 years later?
(Not denying the possibility, just was curious what others thinks)

Oh the ninja. That was a .tiff file preview, back in the day.

 

[Mnecraft368]

http://gbatemp.net/threads/hacking-the-switch-through-the-album.473691/
http://gbatemp.net/threads/is-it-po...nto-the-switchs-gallery-and-view-them.473129/

 

[Sonic Angel Knight]

Oh the ninja. That was a .tiff file preview, back in the day.

I dunno what it was to be exact, I just now every video i watched was someone opening the picture folder filled with images, and scrolling to the bottom one, and enable homebrew. BAM! I'm batman... err Chicken hen!

 

[Urbanshadow]

I dunno what it was to be exact, I just now every video i watched was someone opening the picture folder filled with images, and scrolling to the bottom one, and enable homebrew. BAM! I'm batman... err Chicken hen!

The tiff header is limited in size, the tiff header reader for psp was coded by sony, they didn't check the size. It was really cheap and dirty. The hit and miss part was depending on what was after the tiff header in memory and if it corrupts the xmb menu memory. After that went the hen payload and the rest is history.

 

[8BitWonder]

A for effort, and welcome officially to gbatemp!

People here like to lynch anyone that has an idea about an exploit but no PoC.
Try not to take it to heart.

 

[Hiccup]

you don't edit binary files using text editors.

 

[DarkOrb]

That won't work. This way the file will be corrupt and not readable anymore. You have to edit the file in a special way, so it's still readable AND will cause a buffer overflow, but this would need an exploit in the Switch image viewer app in the first place. You don't have the slightest chance to make that happen if you're not a very talented dev.

 

[Deleted User]

In theory it would work if:

• Somebody could make a tool to re-calculate the hashes for images so that they would be compatible with the Switch (because they are HMAC-SHA256 hash checked)
• We could patch out the size check on screenshots

They size check is pretty much impossible to bypass (that we know of right now) because it is coded into the firmware.

Also, please read the forums like you said you did before posting stuff like this.

 

[The Catboy]

Honestly I think this thread should be locked until the OP has something to show (though extremely doubtful) If they want to take the time and try something, they are clearly not going to get the support of the community until we have something to see.

 

[shinyquagsire23]

Buffer overflows don't work trivially on Switch, the days of easy savegame exploits are over due to ASLR, basically requires scripting of some sort like JavaScript.

 

[linuxares]

And people laught at my "No, no you haven't found an exploit" thread.

 

[Issac]

This has been locked. This has been discussed before, and if you don't have anything new to bring to the table, use any of the old threads.
If you want this one open again, because you actually have something to show: PM me.