Speculations about Switch 2 hacking

Thread starter: KeeperCP1 · Replies: 806 · Views: 305,013
There isn't going to be an exploit so there isn't anything on topic to discuss
Dunno about the last couple of updates, but older ones have userland WebKit exploits. SciresM and Comex were discussing it... not very useful without a kexploit, but getting r/w in the browser is a start...

EDIT: I keep getting thumbs up, so I figure I need to clarify something. This will lead nowhere. The post right below this points it out fairly clearly. I was just splitting hairs about "there isn't going to be an exploit". The correct answer is that there won't be a KERNEL exploit, so there's nothing to see here...
Attachment: discordswitch2.jpg
Last edited by urherenow.
Dunno about the last couple of updates, but older ones have userland WebKit exploits. SciresM and Comex were discussing it... not very useful without a kexploit, but getting r/w in the browser is a start...
Message by SciresM on Reddit:

This kind of post is inane. Are you really posting a...random Japanese commentary on a short discord interaction?

Anyway; this is meaningless for end users, does not represent significant progress anyone here should care about.

I have been helping Hexkyz work on WebKit stuff so he can look at 19.0.0 because he's a friend and it's fun. Affirming that I am not making a cfw for switch 2 even if it gets hacked.

WebKit is known hackable and the existence of bugs in it isn't news. It's just high effort.

It doesn't grant interesting new capabilities over retr0id's rop in any sense that literally anyone here would care about.

This sub is a dumpster, man.

Also chiming in that I and others have audited the kernel and found no bugs. Comex hasn't audited it yet, and I'm always happy for fresh eyes, but it's overwhelmingly likely nothing will be found.
Attachments: Screenshot_20251019_192254_Chrome.png, Screenshot_20250803_183131_Reddit.png
Last edited by FernandoRocker.
Message by SciresM on Reddit:
Most of the above still stands (kernel exploit will likely never be found), and the note from Reddit addresses the one I was talking about... but the first quote you made, has nothing to do with what I was talking about. I either didn't know, or completely forgot about a hax save thing... so being locked into the Switch 1 sandbox doesn't really apply here. I think.

But yea... tiny kernel with no vulnerabilities, and anti-glitching stuff in hardware. Game over, I think.
To me it doesn't sound implausible. It would need custom hardware though, because something like that has already been done in the PC world several years ago: Hackintosh.

You see, when OS X was first ported to Intel, it shared many of the features you mention: a tiny microkernel (based on BSD too, like the HOS kernel), anti-piracy stuff in hardware AND in a kernel extension (Dont Steal Mac OS X.kext, or DSMOS), a custom SMBIOS and a custom EFI bootloader.

What hackers did back then was literally EMULATE all of that (even the bootloader).

  • The bootloader required a special key? They emulated it in software.
  • The kernel wouldn't boot, or would panic, if the anti-tamper chip wasn't found? They created a kernel extension that literally emulated it (VirtualSMC.kext).
  • The kernel required a unique serial number and model to even work? They created an SMBIOS injector at the bootloader level.
So... if the Switch 2 has that many locks (or even more), the most logical way to "hack" it would be to literally solder a new NAND directly to the SoC and start reading the requests with a probe, then start interacting with the SoC to get the right hook for the bootloader to load, and begin from there.

Remember: NOTHING is unhackable.
 
literally solder a new NAND directly to the SoC and start reading the requests with a probe, then start interacting with the SoC to get the right hook for the bootloader to load, and begin from there.
Already done, and it ended in a bricked console displaying a message about not tampering with the hardware.
 
You see, when OS X was first ported to Intel, it shared many of the features you mention: a tiny microkernel (based on BSD too, like the HOS kernel), anti-piracy stuff in hardware AND in a kernel extension (Dont Steal Mac OS X.kext, or DSMOS), a custom SMBIOS and a custom EFI bootloader.
Don't confuse BSD with FreeBSD
 