Hacking Possible Switch Arbitrary R/W Through Web Browser


zurgeg

Hello!

I recently decided "I wonder what would happen if I ran a PS4 exploit on my Switch?".

Now, you might be thinking "Well, it would either not work or crash". Well, it did crash, but the kind of crash interested me.

I ran the exploit, and saw 2168-0002 and I thought "Oh, probably some 'go away script kiddie ( ͡° ͜ʖ ͡°)' error" but no.

It was a "Data Abort" error. Now, some of the less technical of you won't know what this is, but it's basically the Switch blocking a read (or write, but read in this case) from RAM.

What does this mean for me, or my patched Switch?
Well, nothing really yet. It is still required to
1. Find the address we can write to
2. Find the address that is being executed
3. Manage to obtain root level access and/or more RAM (optional)

tl;dr: This doesn't mean anything yet

EDIT: Turns out, the Nintendo Switch has no kernel bugs according to people much better at this than me. This means that not only does it not mean anything, but it probably never will.
 
From switchbrew:

'2168-0002 - Userland ARM data abort. Also caused by abnormal process termination via svcExitProcess. Note: directly jumping to nnMain()-retaddr from non-main-thread has the same result.'

It's more than likely already been thought about. In addition, PegaSwitch uses a web exploit which was patched in later firmware versions.
 
I definitely think it's been thought about. Although I haven't seen it yet, someone more inclined probably knows how to use something like this.

However I did some more research and there is no set place we can write to. Like I said, someone more inclined can probably use this.
 
Again, PegaSwitch used a web browser exploit, so

*shrug*

only time will tell
 
Hi. First, the Switch community and its Scene would be very happy with your participation. I recommend you update yourself on the theme of the Scene.
https://switchbrew.org/wiki/Main_Page

Good luck!
 
Please check the post; I've edited it to include info on how the Switch's kernel has no bugs, and probably never will. I will be watching the switchbrew flaws page though.
 
I was able to make a connector that allows me to read/write memory from my PC while my Switch Lite is in use.
 
Browser exploits are relatively easy to come by, as the Switch's WebKit version is quite outdated. But that on its own doesn't get you very far. You need several stages of privilege escalation to eventually get kernel access. But a userland exploit is the first step, so you could say it's the most important one.
 
Not even injecting Fake News makes PegaSwitch / PegaScape possible on firmware after 4.x.x. Maybe the one that you find as a downgrade and use without checking fuses and without using Hekate could be used.
 
To bypass the fuse check, you would need a coldboot exploit because a fuse check is one of the first actions the console performs. So you can't really bypass the fuses with a warmboot exploit like Fake News or PegaSwitch.
 
So the verifier is at the hardware level and cannot be rewritten? How about redirecting blown fuses to an external "fuse emulator"? Of course, this would already require cutting some pins and feeding the verifier false information.
 
If the bootrom wasn't read-only, we would have modified it when the Switch was released. As for what you're suggesting, I don't even know if that is practical let alone possible. You potentially would have to reverse engineer the hardware which I don't think has been accomplished with the Switch and that might not be enough. In terms of a hardmod, it would just be easier to replace the motherboard.
 
So there is nothing from JTAG, just RGH, from Xecuter.
 
@zurgeg, since you wrote this in February, there have been a couple of improvements for a new exploit on the PS4 that exploits the FreeBSD kernel/network part. Guess what the Switch uses?
 