WIP Switch Exploit Idea - I want the Community to Use it!

Discussion in 'Switch - Hacking & Homebrew' started by aarock1234, Aug 4, 2017.

Thread Status:
Not open for further replies.
  1. aarock1234 (OP)
    I made an account just to post this.

    Mostly I have been a browser of this forum for a long time and like to look at random posts.

    I have been developing an idea with a friend and we decided we wanted to share it with the community and see what they could do with it.

    Exploit

    Notes:
    • Involves JPEG images and buffer overflow.
    Usage:

    The basic premise is that you would essentially take an image from the Switch's SD card and edit it in a text editor. You would in theory add many characters to the file so the Switch would not know what to do. Basic rules for computers say if a file is too large it would write that overflowing data somewhere else (buffer overflow). That data could be a homebrew launcher, program, game or some other thing that could be written on the Switch itself. The reason we use JPEG images is that they are injectable/can be edited. The idea would be to somehow take some code (ARM asm) and compile it into a JPEG and use the Switch image viewer to access the program.
     
  2. Jhynjhiruu

    People have already tried this.
     
  3. KiiWii

    How have you "developed" this?
     
  4. robingilh

    JPEG is a VERY well-tested file format. It won't happen.
     
  6. BlackWizzard17

    How have you been browsing the forums for a long time yet failed to notice that this was already mentioned, not only in regards to the Switch but to other systems as well, such as the Wii U and 3DS?
     
  7. froggestspirit

    JPEG of all things. Maybe if Nintendo had a high-school student code the JPEG parser?
     
  8. Sonic Angel Knight

    Sounds like the PSP ChickHEN exploit... Would that really work a second time, especially on a console 10 years later?
    (Not denying the possibility, just was curious what others think.)
     
  9. Urbanshadow

    I'd honestly try malforming a .tiff header like was done on the PSP, or malforming a .svg to load it from the "browser", but I'm sure it doesn't lead anywhere.

    Oh, the ninja. That was a .tiff file preview, back in the day.
     
  11. Sonic Angel Knight

    I dunno what it was to be exact, I just know every video I watched was someone opening the picture folder filled with images, scrolling to the bottom one, and enabling homebrew. BAM! I'm Batman... err, ChickHEN! :P
     
  12. Urbanshadow

    The TIFF header is limited in size; the TIFF header reader for the PSP was coded by Sony, and they didn't check the size. It was really cheap and dirty. The hit-and-miss part depended on what was after the TIFF header in memory and whether it corrupted the XMB menu memory. After that went the HEN payload, and the rest is history.
     
  13. 8BitWonder

    A for effort, and welcome officially to gbatemp!

    People here like to lynch anyone that has an idea about an exploit but no PoC.
    Try not to take it to heart.
     
  14. Hiccup

    You don't edit binary files using text editors. :P
     
  18. DarkOrb

    That won't work. This way the file will be corrupt and not readable anymore. You have to edit the file in a special way, so it's still readable AND will cause a buffer overflow, but this would need an exploit in the Switch image viewer app in the first place. You don't have the slightest chance to make that happen if you're not a very talented dev.
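    The unchecked-length bug Urbanshadow describes for the PSP TIFF reader (post 12) and DarkOrb's point that the file has to stay parseable while its length field lies (post 18) come down to one missing comparison in the parser. What follows is an added example written for this page, not code from this thread, from Nintendo or from Sony: a small C walker over JPEG marker segments that performs the checks a fixed-buffer image parser needs before copying a segment payload, run against constructed sample files (a well-formed skeleton, a segment whose declared length runs past the end of the file, one whose payload fits the file but not the destination buffer, and one whose length field is smaller than the length field itself). The marker handling, the deliberately small SEG_MAX, and all sample bytes are assumptions chosen for illustration.

```c
/* Added example: a marker-segment walker for a JPEG-style file that validates
 * every declared segment length before copying it into a fixed buffer.
 * Not code from any console firmware; sizes and sample bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Deliberately small fixed destination so the overflow case is easy to build.
 * A real parser would size this to the largest segment it is willing to accept. */
#define SEG_MAX 64

enum seg_status {
    SEG_OK = 0,
    SEG_BAD_MARKER,   /* not a JPEG stream, or a non-marker byte where a marker belongs */
    SEG_TRUNCATED,    /* file ends before the declared segment does */
    SEG_BAD_LENGTH,   /* declared length smaller than the two length bytes themselves */
    SEG_TOO_BIG       /* payload larger than the fixed buffer: the overflow case */
};

struct seg_dst {
    unsigned char buf[SEG_MAX]; /* last payload copied */
    size_t len;
};

static uint16_t be16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Walks SOI, then "FF xx len16 payload" segments until EOI or SOS.
 * Returns SEG_OK and the segment count on success; on any failure it returns
 * the reason and stops before any out-of-bounds read or write. */
enum seg_status jpeg_walk_segments(const unsigned char *data, size_t n,
                                   struct seg_dst *dst, unsigned *segments)
{
    size_t off;
    *segments = 0;
    dst->len = 0;
    if (n < 2 || data[0] != 0xFF || data[1] != 0xD8)
        return SEG_BAD_MARKER;                       /* missing SOI */
    off = 2;
    for (;;) {
        if (off + 2 > n)
            return SEG_TRUNCATED;                    /* no room for a marker */
        if (data[off] != 0xFF)
            return SEG_BAD_MARKER;
        unsigned char m = data[off + 1];
        if (m == 0xFF) { off++; continue; }          /* 0xFF fill byte before a marker */
        if (m == 0xD9 || m == 0xDA)
            return SEG_OK;                           /* EOI, or SOS (scan data follows) */
        if (m == 0x01 || (m >= 0xD0 && m <= 0xD7)) { /* TEM, RSTn: no length field */
            off += 2;
            continue;
        }
        if (off + 4 > n)
            return SEG_TRUNCATED;                    /* no room for the length field */
        uint16_t len = be16(data + off + 2);         /* length counts its own 2 bytes */
        if (len < 2)
            return SEG_BAD_LENGTH;
        size_t payload = (size_t)len - 2;
        /* Check 1: the declared length must not run past the end of the input. */
        if (payload > n - (off + 4))
            return SEG_TRUNCATED;
        /* Check 2: the payload must fit the fixed buffer. Dropping this check and
         * calling memcpy(dst->buf, data + off + 4, payload) unconditionally is the
         * classic unchecked-length overflow of a fixed-size header buffer. */
        if (payload > SEG_MAX)
            return SEG_TOO_BIG;
        memcpy(dst->buf, data + off + 4, payload);
        dst->len = payload;
        (*segments)++;
        off += 4 + payload;
    }
}

/* Constructed sample inputs (not real files). */
static const unsigned char good_jpeg[] = {
    0xFF, 0xD8,                         /* SOI */
    0xFF, 0xE0, 0x00, 0x10,             /* APP0, length 16 = 2 + 14 */
    'J', 'F', 'I', 'F', 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00,
    0xFF, 0xD9                          /* EOI */
};
static const unsigned char lying_length[] = {
    0xFF, 0xD8,
    0xFF, 0xE0, 0xFF, 0xFF,             /* claims 65535 bytes; only 4 follow */
    0x41, 0x41, 0x41, 0x41,
    0xFF, 0xD9
};
static const unsigned char bad_length[] = {
    0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x01  /* length 1: smaller than the length field */
};

/* Builds a file whose APP0 payload (100 bytes) fits the file but not SEG_MAX.
 * Returns the number of bytes written, or 0 if cap is too small. */
size_t build_oversized(unsigned char *out, size_t cap)
{
    const size_t payload = 100;
    size_t total = 2 + 4 + payload + 2;
    if (cap < total)
        return 0;
    out[0] = 0xFF; out[1] = 0xD8;                    /* SOI */
    out[2] = 0xFF; out[3] = 0xE0;                    /* APP0 */
    out[4] = (unsigned char)((payload + 2) >> 8);
    out[5] = (unsigned char)((payload + 2) & 0xFF);
    memset(out + 6, 'A', payload);
    out[6 + payload] = 0xFF; out[7 + payload] = 0xD9; /* EOI */
    return total;
}

int main(void)
{
    struct seg_dst d;
    unsigned c;
    unsigned char big[128];
    size_t big_n = build_oversized(big, sizeof big);
    enum seg_status s;

    s = jpeg_walk_segments(good_jpeg, sizeof good_jpeg, &d, &c);
    printf("well-formed:       status %d, %u segment(s), %zu payload bytes\n", s, c, d.len);
    s = jpeg_walk_segments(lying_length, sizeof lying_length, &d, &c);
    printf("length past EOF:   status %d\n", s);
    s = jpeg_walk_segments(big, big_n, &d, &c);
    printf("payload > buffer:  status %d\n", s);
    s = jpeg_walk_segments(bad_length, sizeof bad_length, &d, &c);
    printf("length < 2:        status %d\n", s);
    return 0;
}
```

    The two comparisons before the memcpy are the whole difference between a parser that rejects a file with a lying length field and one that writes attacker-controlled bytes past the end of a fixed buffer. Note that the oversized sample is still a syntactically valid file up to the point where the copy happens, which is the property DarkOrb describes: the file has to parse far enough for the bad length to be acted on.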
     
  19. blujay

    blujay GBATemp's Official Warthog

    Member
    2,092
    1,862
    Nov 2, 2015
    United States
    Gilbert, Arizona
    In theory it would work if:

    • Somebody could make a tool to re-calculate the hashes for images so that they would be compatible with the Switch (because they are HMAC-SHA256 hash checked)
    • We could patch out the size check on screenshots
    The size check is pretty much impossible to bypass (that we know of right now) because it is coded into the firmware.

    Also, please read the forums like you said you did before posting stuff like this.
     
  22. Lilith Valentine

    Lilith Valentine GBATemp's Wolfdog™ Cuddle lesbian

    Member
    19,800
    20,626
    Sep 13, 2009
    Antarctica
    Between insane and insecure
    Honestly, I think this thread should be locked until the OP has something to show (though extremely doubtful). If they want to take the time and try something, they are clearly not going to get the support of the community until we have something to see.
     
  26. shinyquagsire23

    shinyquagsire23 SALT/Sm4sh Leak Guy

    Member
    1,962
    3,231
    Nov 18, 2012
    United States
    Las Vegas
    Buffer overflows don't work trivially on Switch; the days of easy savegame exploits are over due to ASLR. It basically requires scripting of some sort, like JavaScript.
     
  28. linuxares

    linuxares GBAtemp Psycho!

    Member
    3,099
    1,248
    Aug 5, 2007
    And people laughed at my "No, no you haven't found an exploit" thread.
     
  29. Issac (Global Moderator)
    This has been locked. This has been discussed before, and if you don't have anything new to bring to the table, use any of the old threads.
    If you want this one open again, because you actually have something to show: PM me.
     