How will we hack the Switch 2

  • Thread starter: Larsenv
  • Views: 26,958
  • Replies: 122
Just as a reminder, we now have
AI PROGRAMS that can calculate and change internal settings in just a few seconds.

You no longer have to be a hero hacker; you just have to write the right ideas into the program in the search bar, then simply press the enter button to see the obstacles.
After a certain time these obstacles are understood.
You don't understand how these things work
 
These statements don't relate to each other. Reimplementing something doesn't mean you find all vulnerabilities in it. Nintendo still made some stupid mistakes on the Switch and it'd be silly to assume they'd all be found by a handful of (very talented) people.
Yes they are in fact related. SciresM and maybe other contributors had to reverse engineer the microkernel and fully reimplement it faithfully. SciresM says there are no vulnerabilities in the Nintendo microkernel. To quote him directly from ReSwitched:
I genuinely believe the microkernel/EL3 secure monitor to have zero security bugs.
When he says there are no vulnerabilities, he means there are none. Zero. To suggest that there "is always something!" is cope.
 
For example, we humans can only count to 3, but an AI can count to 30000 and more in seconds.
Even if it doesn't make much sense for hacking right now, someone who is as fast and good as an AI can only be an asset.
You just have to write the right thing...
 
LLMs are pattern regurgitation machines that aren't capable of creatively combining or even understanding knowledge and they'll usually just parrot someone else's work (or worst case, make up an answer that follows the cadence of a correct answer).

They look impressive because you're only asking things other people have written about with a certain level of specificity. The more novel the knowledge, the worse the answer. Particularly for programming the quality of the answer almost exactly correlates to how popular the language is on the last StackOverflow developer survey.
There always is though. It is a byproduct of complexity. A fundamental assumption in threat modeling for infosec. And we haven't even gotten into how broken all modern microprocessors really are (no surprise a bunch of these flaws, including the most important one, are on NVIDIA).
 
Last edited by Deleted member 731084,
Even if AI doesn't bring a breakthrough, it can save a hell of a lot of time and get you to your destination faster.

-Software hack needs 2-5 years if you are good

-now with AI 1-2 years

You just have to know how to approach unknown things; here the AI can act as a right hand.
 
Do you have evidence that there exists an uncovered vulnerability in the microkernel? Or is this just more vague "I don't know anything but I think there's something in it!"?

Keep in mind the microkernel was deliberately kept small by Nintendo. They went out of their way to reduce complexity in it. SciresM is a highly skilled reverse engineer who has done extensive work on the Switch.
 
Last edited by ihaveahax,
It's already been linked in here that there have been many vulnerabilities on the Switch, but without kernel access they're pointless.
 
Burden of proof is much higher on a negative. Historically, every computing system devised has security vulnerabilities. And I didn't exactly claim the vulnerability had to be in the SM or Kernel.

(Also, I win by default, because the Tegra is a modern microprocessor and thus has speculative execution which is always vulnerable to a Spectre-class attack.)

It's all a matter of how many resources a few dozen (again, very talented) hacker / security researchers have and how easily exploited a vulnerability is for the average user. It doesn't look like the Switch 2 will have the same level of sophistication as the Xbox One SoC in terms of mitigating hardware attacks at least.
 
Sure, the console can be hacked with hardware-based exploits. But in terms of software modding, there is none. And that's where my specific claim was originally when I stated "Keep in mind that the current Switch has no softmod". This statement still stands. While there could be vulnerabilities in other parts of the software, the most important part - the microkernel - has none whatsoever.
 
I hope something similar to how the 3DS was hacked due to the DS-Mode, but instead, the Switch-mode causes the vulnerability to be found.
Nintendo's history to be like:
DS ===> hacked through GBA
DSi ===> hacked through DSi-enhanced DS game
3DS ===> hacked through DS-Mode
Let's hope the Switch 2 gets hacked through the Switch-mode somehow.
 
All these systems had at least two chips in them - a new one and the one from the prior system that could either be used as a co-processor (e.g. the arm7 in DS mode does audio, the arm9 in the 3DS does security) or to run games from the older system (the arm7 in the DS goes into GBA mode, the arm9 goes into DS mode). The vulnerabilities came from not "detaching" the secondary core from accessing the main system properly when transitioning from one purpose to the other. The DSi is obviously a different case, but that's just the security of the DSi being underdeveloped.

The Switch is going to be much more like upgrading the CPU in a normal computer, closer to the upgrade the arm9 got in the DSi. It's the same thing, just faster.
 
I am aware of the flaws and history, I am just hoping Nintendo somehow successfully gets hacked due to backward compatibility again. This isn't because I believe it will happen, but that it would be extremely funny if it does. It would just be so disrespectful for it to happen again.
 
Release an official game on eshop with a yet unknown exploit that could benefit from the similar(?) architecture, so that it can unfold through backwards compatibility.
 
Userspace takeovers aren't too useful, I'd recommend watching this if you want to make more educated guesses. I don't think much is going to change, except that they'll include all the learnings from the Switch 1. But backwards compat will likely be the exact same thing.
 
Isn't the fact that the Switch 1 doesn't have vulnerabilities because of devs collaborating with Nintendo?
Not blaming them or anything. I've just HEARD somewhere that SciresM did tell them about software holes, but because I have no clue if it's true or not I'm asking here.

Does Nintendo have bug bounties like Sony does? I know that Sony's consoles are usually harder to hack because these vulnerabilities can be published after Sony patched them out. I wonder if Nintendo is doing the same thing; can't blame the devs for making the easy choice between getting paid with money or visibility :rofl:

Considering the fact that they quickly released new models that patched RCM, I have no doubt it's going to take a while to find a software entry (if any). Probably going to get a modchip as soon as possible (hopefully it's not going to be too expensive).
 
The Wii hack was also connected to GameCube mode.
 
Yes Nintendo has a bug bounty: https://hackerone.com/nintendo
 
The best thing about these threads is the people that say: If WE find bla bla… If WE find an exploit, If WE hack bla bla.

You ain’t hacking shit, if you would then you wouldn’t speculate in this thread.

Look at the ps4,ps5, switch and Xbox scene.
The hackers who are public is a handful, then there is the ones in the shadows.

None are in a thread about something that is not released yet, 100%.

So skip the WE part, because you will not contribute to anything in the long run. Others maybe.

Yes, you can speculate. Like I did, but we don’t know anything at all.
 
They do have a bug bounty:
https://hackerone.com/nintendo

As you can see, it's very alive and well. Kryp1c does a lot of bug reports.
 