Hacking Possible Switch Arbitrary R/W Through Web Browser

zurgeg (OP)
Hello!

I recently decided "I wonder what would happen if I ran a PS4 exploit on my Switch?".

Now, you might be thinking "Well, it would either not work or crash". Well, it did crash, but the kind of crash interested me.

I ran the exploit, and saw 2168-0002 and I thought "Oh, probably some 'go away script kiddie ( ͡° ͜ʖ ͡°)' error" but no.


It was a "Data Abort" error. Now, some of the less technical of you won't know what this is, but it's basically the Switch blocking a read (or write, but read in this case) from RAM.

What does this mean for me, or my patched Switch?
Well, nothing really yet. It is still required to:
1. Find the address at which we can write to
2. Find the address that is being executed
3. Manage to obtain root level access and/or more RAM (optional)


tl;dr: This doesn't mean anything yet

EDIT: Turns out, the Nintendo Switch has no kernel bugs according to people much better at this than me. This means that not only does it not mean anything, but it probably never will.
 
Last edited by zurgeg,
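The "Data Abort" in the post above is the CPU trapping a load (or store) from memory the process has no right to touch; the kernel turns the trap into a fault delivered to the process, and an unhandled fault terminates the process, which is what the 2168-0002 screen reports. The following C program is an added example, not code from this thread or from any Switch project, and it is not Switch-specific at all: it reproduces the same class of fault in an ordinary POSIX process (Linux or macOS assumed), where the fault arrives as SIGSEGV or SIGBUS. It reads one byte from a normal buffer (no fault) and one byte from a page mapped with PROT_NONE (faults), catching the fault with a temporary signal handler and sigsetjmp/siglongjmp so the process survives long enough to report what happened. The function names and the sample buffer contents are constructed for the example.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Added example: show, in a normal POSIX process, the kind of fault the
 * thread calls a "Data Abort". The CPU traps a load from memory the process
 * may not read, the kernel reports it as SIGSEGV (Linux) or SIGBUS (some
 * BSDs/macOS), and an unhandled fault kills the process. */

static sigjmp_buf fault_env;            /* where probe_read resumes after a fault */
static volatile uintptr_t fault_addr;   /* faulting address as reported by the kernel */

static void fault_handler(int sig, siginfo_t *info, void *ctx) {
    (void)sig; (void)ctx;
    fault_addr = (uintptr_t)info->si_addr;
    siglongjmp(fault_env, 1);           /* unwind back into probe_read */
}

/* Try to read one byte at addr. Returns 0 on success (byte stored in *out
 * if out is non-NULL), 1 if the read faulted. The handler is installed only
 * for the duration of the probe; the previous handlers are restored after. */
int probe_read(const volatile unsigned char *addr, unsigned char *out) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = fault_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int faulted;
    /* savemask=1: the signal mask is saved here and restored by siglongjmp,
     * so the fault signal is not left blocked after we unwind. */
    if (sigsetjmp(fault_env, 1) == 0) {
        unsigned char v = *addr;        /* the load under test */
        if (out) *out = v;
        faulted = 0;
    } else {
        faulted = 1;                    /* reached via siglongjmp from the handler */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Address the kernel reported for the most recent fault (0 if none). */
uintptr_t last_fault_addr(void) {
    return fault_addr;
}

/* Reading ordinary mapped memory must not fault. Returns 1 if the read
 * succeeded and produced the expected byte, 0 otherwise. */
int mapped_read_ok(void) {
    unsigned char buf[4] = { 0x41, 0x42, 0x43, 0x44 };  /* constructed sample data */
    unsigned char v = 0;
    if (probe_read(buf, &v) != 0) return 0;
    return v == 0x41;
}

/* Reading a page mapped with no permissions must fault. Returns 1 if the
 * read faulted, 0 if it unexpectedly succeeded, -1 if mmap failed. */
int unmapped_read_faults(void) {
    long page = sysconf(_SC_PAGESIZE);
    unsigned char *guard = mmap(NULL, (size_t)page, PROT_NONE,
                                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (guard == MAP_FAILED) return -1;
    fault_addr = 0;
    int faulted = probe_read(guard + 16, NULL);   /* inside the PROT_NONE page */
    munmap(guard, (size_t)page);
    return faulted;
}

int main(void) {
    printf("mapped read ok: %d\n", mapped_read_ok());
    printf("PROT_NONE read faults: %d (reported address 0x%lx)\n",
           unmapped_read_faults(), (unsigned long)last_fault_addr());
    return 0;
}
```

The point of the PROT_NONE mapping is that the page exists in the process's address space but the page-table permissions forbid the access, which is exactly the situation a data abort describes: the hardware checks the permission on every load and store, and the OS decides what the faulting process gets to do about it. Without the handler, the second read would simply end the program, and on the Switch the equivalent is the error screen rather than a core dump.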

Adran_Marit
from switchbrew

'2168-0002 - Userland ARM data abort. Also caused by abnormal process termination via svcExitProcess. Note: directly jumping to nnMain()-retaddr from non-main-thread has the same result.'

It's more than likely already been thought about, in addition pegaswitch uses a web exploit which was patched in later firmware versions
 

zurgeg (OP)
I definitely think it's been thought about. Although I haven't seen it yet, someone more inclined probably knows how to use something like this.

However I did some more research and there is no set place we can write to. Like I said, someone more inclined can probably use this.
 

Adran_Marit
I definitely think it's been thought about. Although I haven't seen it yet, someone more inclined probably knows how to use something like this.

However I did some more research and there is no set place we can write to. Like I said, someone more inclined can probably use this.

again pegaswitch used a web browser exploit so

*shrug*

only time will tell
 

Imancol
Hi. First, the Switch community and its Scene would be very happy with your participation. I recommend you update yourself on the theme of the Scene.
https://switchbrew.org/wiki/Main_Page

Good luck!
 

zurgeg (OP)
Please check the post; I've edited it to include info on how the Switch's kernel has no bugs, and probably never will. I will be watching the switchbrew flaws page though.
 

Aheago
I was able to make a connector that allows me to read/write memory from my PC while my Switch Lite is in use.
 

The Real Jdbye
Browser exploits are relatively easy to come by, as the Switch's WebKit version is quite outdated. But that on its own doesn't get you very far. You need several stages of privilege escalation to eventually get kernel access. But a userland exploit is the first step, so you could say it's the most important one.
 

Imancol
Not even injecting Fake News gives the possibility of PegaSwitch / PegaScape on firmware after 4.x.x. Maybe the one that you find as a downgrade, used without checking fuses and without using Hekate, could be used.
 

Draxzelex
not even injecting Fake News gives the possibility to Firmware after 4.x.x PegaSwitch / PegaScape. Maybe the one that you find as Downgrade and use it without checking fuses and without using Hekate, it could be used.
To bypass the fuse check, you would need a coldboot exploit because a fuse check is one of the first actions the console performs. So you can't really bypass the fuses with a warmboot exploit like Fake News or PegaSwitch.
 

Imancol
To bypass the fuse check, you would need a coldboot exploit because a fuse check is one of the first actions the console performs. So you can't really bypass the fuses with a warmboot exploit like Fake News or PegaSwitch.
So the verifier is at the hardware level and cannot be rewritten? How about redirecting blown fuses to an external "fuse emulator". Of course this would already require cutting some pins and feeding it to the verifier with false information.
 

Draxzelex
So the verifier is at the hardware level and cannot be rewritten? How about redirecting blown fuses to an external "fuse emulator". Of course this would already require cutting some pins and feeding it to the verifier with false information.
If the bootrom wasn't read-only, we would have modified it when the Switch was released. As for what you're suggesting, I don't even know if that is practical let alone possible. You potentially would have to reverse engineer the hardware which I don't think has been accomplished with the Switch and that might not be enough. In terms of a hardmod, it would just be easier to replace the motherboard.
 

Imancol
If the bootrom wasn't read-only, we would have modified it when the Switch was released. As for what you're suggesting, I don't even know if that is practical let alone possible. You potentially would have to reverse engineer the hardware which I don't think has been accomplished with the Switch and that might not be enough. In terms of a hardmod, it would just be easier to replace the motherboard.
So there is nothing from JTAG, just RGH from Xecuter.
 

hippy dave
So the verifier is at the hardware level and cannot be rewritten? How about redirecting blown fuses to an external "fuse emulator". Of course this would already require cutting some pins and feeding it to the verifier with false information.
The fuses are inside the chip with the CPU.
 

linuxares (Global Moderator)
@zurgeg since you wrote this in February, there have been a couple of improvements for a new exploit on the PS4 that exploits the FreeBSD kernel/network part. Guess what the Switch uses?
 

zurgeg (OP)
Last edited by zurgeg,
