1. zurgeg

    OP zurgeg Newbie
    Newcomer

    Joined:
    Sep 2, 2020
    Messages:
    6
    Country:
    United Kingdom
    Hello!

    I recently decided "I wonder what would happen if I ran a PS4 exploit on my Switch?".

    Now, you might be thinking "Well, it would either not work or crash". Well, it did crash, but the kind of crash interested me.

    I ran the exploit, and saw 2168-0002 and I thought "Oh, probably some 'go away script kiddie ( ͡° ͜ʖ ͡°)' error" but no.


    It was a "Data Abort" error. Now, some of the less technical of you won't know what this is, but it's basically the Switch blocking a read (or write, but read in this case) from RAM.

    What does this mean for me, or my patched Switch?
    Well, nothing really yet. It is still required to:
    1. Find the address at which we can write to
    2. Find the address that is being executed
    3. Manage to obtain root level access and/or more RAM (optional)


    tl;dr: This doesn't mean anything yet

    EDIT: Turns out, the Nintendo Switch has no kernel bugs according to people much better at this than me. This means that not only does it not mean anything, but it probably never will.
     
    Last edited by zurgeg, Feb 14, 2021
  2. gbadl

    gbadl GBAtemp Regular
    Member

    Joined:
    Sep 13, 2009
    Messages:
    169
    Country:
    Keep going. You may be on to something.
     
  3. Adran_Marit

    Adran_Marit Walküre's Hacker
    Member

    Joined:
    Oct 3, 2015
    Messages:
    3,054
    Country:
    Australia
    from switchbrew

    '2168-0002 - Userland ARM data abort. Also caused by abnormal process termination via svcExitProcess. Note: directly jumping to nnMain()-retaddr from non-main-thread has the same result.'

    It's more than likely already been thought about. In addition, PegaSwitch uses a web exploit which was patched in later firmware versions.
     
  4. zurgeg

    OP zurgeg Newbie
    Newcomer

    Joined:
    Sep 2, 2020
    Messages:
    6
    Country:
    United Kingdom
    I definitely think it's been thought about. Although I haven't seen it yet, someone more inclined probably knows how to use something like this.

    However I did some more research and there is no set place we can write to. Like I said, someone more inclined can probably use this.
     
  5. Adran_Marit

    Adran_Marit Walküre's Hacker
    Member

    Joined:
    Oct 3, 2015
    Messages:
    3,054
    Country:
    Australia
    again, PegaSwitch used a web browser exploit so

    *shrug*

    only time will tell
     
  6. Ghost92

    Ghost92 GBAtemp Maniac
    Member

    Joined:
    Jun 29, 2017
    Messages:
    1,050
    Country:
    Colombia
    Hi. First, the Switch community and its Scene would be very happy with your participation. I recommend you update yourself on the theme of the Scene.
    https://switchbrew.org/wiki/Main_Page

    Good luck!
     
    zurgeg likes this.
  7. zurgeg

    OP zurgeg Newbie
    Newcomer

    Joined:
    Sep 2, 2020
    Messages:
    6
    Country:
    United Kingdom
    Please check the post, I've edited it to include info on how the Switch's kernel has no bugs, and probably never will. I will be watching the switchbrew flaws page though.
     
  8. Draxzelex

    Draxzelex GBAtemp Legend
    Member

    Joined:
    Aug 6, 2017
    Messages:
    15,008
    Country:
    United States
    Yeah I doubt there are any potential exploits that neither SciresM nor hexkyz are already aware of.
     
  9. Aheago

    Aheago Advanced Member
    Newcomer

    Joined:
    Jan 4, 2021
    Messages:
    69
    Country:
    United States
    I was able to make a connector that allows me to read/write memory from my pc while my switch lite is in use
     
  10. The Real Jdbye

    The Real Jdbye Always Remember 30/07/08
    Member

    Joined:
    Mar 17, 2010
    Messages:
    20,758
    Country:
    Norway
    Browser exploits are relatively easy to come by, as the Switch's webkit version is quite outdated. But that on its own doesn't get you very far. You need several stages of privilege escalation to eventually get kernel access. But a userland exploit is the first step, so you could say it's the most important one.
     
  11. Ghost92

    Ghost92 GBAtemp Maniac
    Member

    Joined:
    Jun 29, 2017
    Messages:
    1,050
    Country:
    Colombia
    not even injecting Fake News gives the possibility to Firmware after 4.x.x PegaSwitch / PegaScape. Maybe the one that you find as Downgrade and use it without checking fuses and without using Hekate, it could be used.
     
  12. Draxzelex

    Draxzelex GBAtemp Legend
    Member

    Joined:
    Aug 6, 2017
    Messages:
    15,008
    Country:
    United States
    To bypass the fuse check, you would need a coldboot exploit because a fuse check is one of the first actions the console performs. So you can't really bypass the fuses with a warmboot exploit like Fake News or PegaSwitch.
     
    Ghost92 likes this.
  13. Ghost92

    Ghost92 GBAtemp Maniac
    Member

    Joined:
    Jun 29, 2017
    Messages:
    1,050
    Country:
    Colombia
    So the verifier is at the hardware level and cannot be rewritten? How about redirecting blown fuses to an external "fuse emulator". Of course this would already require cutting some pins and feeding it to the verifier with false information.
     
  14. Draxzelex

    Draxzelex GBAtemp Legend
    Member

    Joined:
    Aug 6, 2017
    Messages:
    15,008
    Country:
    United States
    If the bootrom wasn't read-only, we would have modified it when the Switch was released. As for what you're suggesting, I don't even know if that is practical let alone possible. You potentially would have to reverse engineer the hardware which I don't think has been accomplished with the Switch and that might not be enough. In terms of a hardmod, it would just be easier to replace the motherboard.
     
  15. Ghost92

    Ghost92 GBAtemp Maniac
    Member

    Joined:
    Jun 29, 2017
    Messages:
    1,050
    Country:
    Colombia
    So there is nothing from JTAG, just RGH, from Xecuter.
     
  16. hippy dave

    hippy dave BBMB
    Member

    Joined:
    Apr 30, 2012
    Messages:
    6,596
    Country:
    United Kingdom
    The fuses are inside the chip with the CPU.
     
  17. linuxares

    linuxares I'm not a generous god!
    Moderator

    Joined:
    Aug 5, 2007
    Messages:
    8,612
    Country:
    Sweden
    @zurgeg since you wrote this in February, there have been a couple of improvements for a new exploit on the PS4, that exploits the FreeBSD kernel/network part. Guess what the Switch uses?
     
  18. Ghost92

    Ghost92 GBAtemp Maniac
    Member

    Joined:
    Jun 29, 2017
    Messages:
    1,050
    Country:
    Colombia
    So there are no external clues, both the bootrom and the fuses are embedded in the CPU.
     
  19. Draxzelex

    Draxzelex GBAtemp Legend
    Member

    Joined:
    Aug 6, 2017
    Messages:
    15,008
    Country:
    United States
    Well I mean I don't know why those teams would need to release anything when they released the SX Core and Lite.
     
  20. zurgeg

    OP zurgeg Newbie
    Newcomer

    Joined:
    Sep 2, 2020
    Messages:
    6
    Country:
    United Kingdom
    I have doubts that'd work, without escalation especially, but I will try on my switch later
    Also you mean this? https://www.exploit-db.com/exploits/48644
     
    Last edited by zurgeg, Apr 30, 2021