Using CVE-2016-4657 to dump Browser Binary

chilliam

Long-time lurker here, ever since I became interested in R4 cards for my old DS, and I feel like I finally have something to contribute (literally created an account today to post this info).

I got a Switch recently and became extremely interested when I heard news that a WebKit exploit still exists in the browser of the console. I watched LiveOverflow's video on this subject like 15 times and studied his code and the code he derived his from (the iOS jailbreak code) and I think I've finally managed to dump some interesting binary data from the browser.

I first tried adapting LiveOverflow's code but after much testing I figured that he cut out a key piece of the exploit. So referencing the original code from qwertyoruiop, I was able to strip out the part that loaded the iOS binary loader, used some of the code from the Phrack article to find memory addresses, and found the exploit can work the exact same way. If we had shellcode to execute to gain root privileges of the Switch, we could do it here and run our arbitrary code in the same way it does for iOS. But, since we don't have shellcode to operate (yet) on the Switch, I just decided to try to dump the browser's executable binary from memory.

I need to take a break from this, but I wanted to post my 16 hours of straight research before I did that, and post what I believe to be the first 2(1024^2) bytes (~9 MB of data) of the browser's binary (searching through it, I can find the source code of my webpage in plaintext; too bad I have no general idea of what WebKit looks like in binary). Since I'm generally naive when it comes to how WebKit stores executable and JIT compiler code in memory, this could be more than the browser's binary (though I highly doubt it) and is really just the first 2(1024^2) bytes in memory after the calculated executable's address.

It's only the first two parts because the Switch crashes before it can finish reading all of the data. Probably needs some more refining on finding the length of the executable.

TL;DR: I have dumped the beginnings of what I believe to be the Switch's browser binary from memory using the WebKit exploit.

The code and binary parts are on my GitHub:
https://github.com/weelcheel/Switch-Exploit

Feel free to discuss and/or tell me I'm wrong about this (seriously, I'm not 100% sure on what the data I found is).

Edit: Math is hard.
I'm confused as to how to make this work. I put all the files I downloaded from the GitHub in C:/inetpub/wwwroot, got my Switch to go to that page, ran the exploit... and then...?
 
thomasnet

Did you start the Node.js server?
You don't need a web server like IIS or Apache httpd.
Just modify switchhax0r.html (search in it for 192.168.1.1 and replace that with your PC's IP), start the server with the command nodejs switchtest.js, make your Switch go to your PC's IP:5001, and done.
Also make sure you have put the .js and the .html in the same directory (it can be anywhere).
Just did - got it installed and stuff.

Still stuck though.