I want to start looking for exploits on patched systems, where do I start? (Btw is this even legal in the US?)

supernov52 (New Member, OP)
I found out my Switch was patched, sadly, which is a bummer, but it encourages me to attempt to find an exploit since I have a patched one. I don't care how hard it will be; I'm ready and am quite tech savvy when it comes to software stuff. Though it should be legal in the US, right?
 

urherenow (Well-Known Member)
You start by reading several dozen books, then you have an idea what you're even asking about. You don't "look for exploits" unless they already exist. In that case, you "start" on Google.

What you "look for", are vulnerabilities. When you find one, you figure out if you can exploit it.

In the case of Nintendo Switch, the entire OS is nearly 100% accurately reverse-engineered (Atmosphere CFW), so it's never going to happen. There are NO software vulnerabilities that can be exploited, and that's not going to change. Buy a modchip and grab a bunch of broken electronics out of the trash to practice microsoldering. Or just buy a pre-modded Switch, because it's still a lot cheaper than buying all of the tools you need, if you don't already have them.
 

RednaxelaNnamtra (Well-Known Member)
> I found out my Switch was patched, sadly, which is a bummer, but it encourages me to attempt to find an exploit since I have a patched one. I don't care how hard it will be; I'm ready and am quite tech savvy when it comes to software stuff. Though it should be legal in the US, right?

It's very unlikely that you find something that others, who reimplemented the relevant parts, didn't find, but you could start by learning assembly and doing CTFs to get a feeling for how exploiting works and how to find vulnerabilities. You can also look at Atmosphere's source code to learn how the different parts of the system communicate with each other, and what their responsibilities are.
But keep in mind, the main part we need to take over for CFW is the TrustZone, or at least the kernel for a fake CFW. Those two parts are pretty small, and it's easy for a small team of devs at Nintendo to have a full overview of these parts, and to also directly test a lot of potential exploit cases via unit testing.
This, in combination with the fact that those parts are fully reverse engineered and checked by multiple skilled people, is the reason why it is so unlikely that people find something new to exploit in there.
 

BeniBel (Well-Known Member)
No offence, but the fact that you ask these questions makes me think you don't have the skills to find exploits.

You have to study the hardware architecture and code, find out where there are vulnerabilities, and in the off chance you find one, write code to make use of it.

So do you have good knowledge about hardware architecture? Can you code? Can you solder, as you may need to read chips out with specific hardware?

And heck, if you can solder, you might just as well put a modchip in your switch.
 

RednaxelaNnamtra (Well-Known Member)
> No vulnerabilities does not mean the system cannot be hacked by software only.

Unless you get your hands on Nintendo's signing key, it means exactly that.
But this key seems to be stored in crypto hardware, so it's not easily extractable and leakable by workers or even a hacker who gets access to a system with the key.
So to hack the system you will need to have vulnerabilities in at least the kernel, but better the TrustZone or bootloader code, and those also need to be exploitable, otherwise no software hack.
And even if you meant no known vulnerability, it's unlikely that someone finds a new one, since the code base for the Switch's kernel and TrustZone, which are the two highest-permission parts, is pretty small compared to something like the Windows or Linux kernel, where a lot of device drivers run in kernel mode.
On the Switch everything only has access to whatever hardware, memory or whatever else it needs, nothing more. So even if you, for example, exploit the Bluetooth chip, you don't get much more than access to the Bluetooth chip and the Bluetooth module, and that has no access to a lot more stuff.
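The point made in this post, that without the vendor's signing key a software-only route has to go through an exploitable bug in the bootloader, TrustZone or kernel, can be shown with a small model. The following is an added example, not code from the thread or from Atmosphere, and it describes no real Switch boot code: a toy bootloader accepts a kernel image only if the SHA-256 digest of the image carries a valid signature under the vendor's public key. The RSA here is textbook (small generated primes, no padding), the image bytes are constructed, and the `verification_enabled` flag stands in for a hypothetical bootloader bug that skips the check; all of that is assumed for illustration.

```python
"""Toy secure-boot chain: why the signing key, or a check-skipping bug, is the gate.

Textbook RSA over SHA-256 with small generated primes and no padding, for
illustration only. A real bootloader uses a proper signature scheme; the
structure of the decision (verify, then run, else halt) is the point here.
"""
import hashlib
import random

random.seed(1)  # deterministic key generation for the demo


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probable-prime test with small-prime trial division first."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def gen_keypair(bits: int = 512):
    """Return (public, private). n has 'bits' bits so a 256-bit digest is always < n."""
    e = 65537  # prime, so gcd(e, phi) == 1 iff e does not divide phi
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)
    return (n, e), (n, e, d)


def _digest_int(image: bytes) -> int:
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def sign_image(image: bytes, priv) -> int:
    """Vendor side: only the holder of d can produce this value."""
    n, _e, d = priv
    return pow(_digest_int(image), d, n)


def verify_image(image: bytes, sig: int, pub) -> bool:
    """Bootloader side: needs only the public key burned into the device."""
    n, e = pub
    return pow(sig, e, n) == _digest_int(image)


def boot(image: bytes, sig: int, pub, verification_enabled: bool = True) -> bool:
    """Return True if the bootloader would run this image, False if it halts.

    verification_enabled=False models a hypothetical bug that skips the check;
    it is an assumption of this example, not a description of any real device.
    """
    if verification_enabled and not verify_image(image, sig, pub):
        return False
    return True


def demo() -> dict:
    """Walk the cases the thread discusses; keys are case names, values are 'image runs?'."""
    pub, priv = gen_keypair()
    kernel = b"constructed vendor kernel image v1"      # constructed sample input
    sig = sign_image(kernel, priv)
    patched = kernel.replace(b"v1", b"cfw")             # attacker-modified image
    return {
        "genuine": boot(kernel, sig, pub),
        "patched_reuse_sig": boot(patched, sig, pub),   # digest changed, sig no longer matches
        "patched_forged_sig": boot(patched, 12345, pub),  # guessing without d fails
        "patched_check_skipped": boot(patched, sig, pub, verification_enabled=False),
        "patched_leaked_key": boot(patched, sign_image(patched, priv), pub),
    }


if __name__ == "__main__":
    for case, ran in demo().items():
        print(f"{case:24s} -> {'runs' if ran else 'halt'}")
```

Only two of the five cases run the modified image: the one where the signing key has leaked, and the one where the verification step itself is skipped. Those correspond to the two routes the post names, a leaked key or an exploitable bug in the code that does the checking; a modified image with a reused or guessed signature halts.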
 

RednaxelaNnamtra (Well-Known Member)
But still, it is an option.
Nintendo has a good employee retention rate; I don't think employees who have access to them, likely only a small group, will try to leak it and risk their jobs for 5 seconds of internet fame. Especially since there is a lot of stuff attached to it in terms of required skill for the hardware exploitation to get the keys.
And you can get around hackers by just not having the systems doing the signing connected to a network.
 

urherenow (Well-Known Member)
> And heck, if you can solder, you might just as well put a modchip in your switch.

Not specific enough. MICRO-solder. To be fair, I could solder. I hard-modded both my O3DS and N3DS, so I was pretty fearless in testing things for people, since I can directly reflash my NAND in case of disaster. I also had to replace the analog stick on my Pro Controller a couple of times before I modded an OLED.

So... I "could solder"... but I completely destroyed my first OLED. My scope, flux, and skills were simply not good enough. Got it done perfectly on my second try though.
 

linuxares (Global Moderator)
I mean, there is always a possibility someone discovers an exploit, but it's not likely to happen for many, many years. If someone manages to find the magical keys, tada: a software hack is possible!
 