Arbitrary code execution achieved on Switch firmware 4.x [Mod Edit - Read OP]

Justin Iacobellis · Feb 16, 2018

SaberVS7 said:
Hmm, though what about games that refuse to run on anything less than the current firmware and come packed with a forced-update for the firmware when ran?

I know that was a thing with the Xbox 360, and apparently for the PS4 too.

But yeah man, I really don't want the Switch to go the way of the PirateStationPortable. System was basically cut short in the west because the industry collectively decided to stop localizing PSP games because of piracy.

That's true, that is one way to circumvent it.

Maybe I'm just being overly cautious about it, the PSP was an entirely different beast compared to the Switch (or any current handheld for that matter). Sony did a piss poor job of combating piracy on the PSP, where it eventually turned into a game of cat and mouse between them and those of the hacking scene whenever there was a new firmware update. The system launched with very little security on 1.0, and getting unsigned code to run on 1.5 proved to be not that much more difficult. Nintendo has shown a higher level of competency in protecting the 3DS and Wii U from exploits.

Plus, handhelds are way more online-focused than they were in 2005. Not being able to play Splatoon 2 multiplayer might sway a substantial number of owners to keep their systems updated.

Vadara · Feb 16, 2018

Not being able to play games released after the homebrew becomes available (since I bet they'll require the newest contemporary firmware like the Vita) is the only downside I see to this.

Deleted member 10737 · Feb 16, 2018

bad news for software sales

SartrG · Feb 16, 2018

Remember people, Homebrew doesn't mean piracy and most people in the scene are against piracy.

So, I'm in 4.1, I deleted the Wi-Fi Connection to my router and I'm in airplane mode. Will that keep me "safe" from automatic updates?

Atolm · Feb 16, 2018

Bah.

If I want a machine for emulators in my home the Raspberry Pi will always be a far superior experience.

And if I wanted them on the go there's a ton of alternatives like the GPD Win and XD machines.

Online requirements have turned homebrew and console hacking into little more than an anecdote imo. It's not like in the times of DS. I sincerely doubt anyone would skip any important first party release that requires an updated firmware to play Mega Drive ROMs.

TheZynster · Feb 16, 2018

Haven't updated my switch since fire emblem......think I'll just set it aside and pick up a new switch when Pokémon comes out

Pooroomoo · Feb 16, 2018

gaiadyne said:
We're definitely due for an update, although I doubt Nintendo is going to give me a reason to update

Well, let's see - how about : new online features will work only if you update.

DOBERMAN INC · Feb 16, 2018

Awaiting the port of VLC/MPC.

gaiadyne · Feb 16, 2018

Pooroomoo said:
Well, let's see - how about : new online features will work only if you update.

We know their online program isn't starting until the fall. I doubt the next update is going to be anything beyond a "stability" update and I have no online Switch games at the moment. We'll see what they bring over the course of the year, but for the foreseeable future I see no reason to update.

Vena · Feb 16, 2018

Also just as an FYI...

This isn't going to release for a looooong time (all work is focused on 1.x and 3.0.0), this is a PoC on a reality we knew was possible for some time (if you follow the scene) but depends almost entirely on vulnerabilities in the Tegra that will not be made public for a long time due to non-Switch ramifications as well as being unpatched at current.

So if you plan on sitting on a 4.x for homebrew, you may also want to pick up buddhism and find inner peace in the interim.

Yarbskoo · Feb 16, 2018

I wonder if it'd be possible to make an amiibo emulator.

Deleted member 15428 · Feb 16, 2018

Alienhated said:
I'm not insinuating anything, i'm asking because i can't remember. I just recall some user telling everyone that the Switch was not going to be cracked due to some "fuses" system, what about that?

Efuses make it near-impossible to downgrade, if anything

Vena · Feb 16, 2018

eFuses are downgrade protection and a way to brick your console. They have nothing to do with firmwares beyond that.

Djkhaled · Feb 16, 2018

My god the people in this thread not understanding what any of this means. The exploit isn't released and won't be for a very long time. The exploit is also an nvidia issue and not a nintendo issue.

Deleted member 11517 · Feb 16, 2018

El Pescado said:
Is this something Nintendo can't fix with a firmware update? I'd rather not have this happen so early in a system's lifetime.

Yes, of course they can "fix" this.

Though the thing is with CFW it's usually easy to spoof the firmware so they system checks "think" the system is up to date even if it's not.

Hate · Feb 16, 2018

They had no browsers to prevent hacking.

Gets hacked anyway.

Vena · Feb 16, 2018

kageroo said:
Yes, of course they can "fix" this.

Though the thing is with CFW it's usually easy to spoof the firmware so they system checks "think" the system is up to date even if it's not.

System checks have telemetry nowadays. You won't be spoofing anything unless you are meticulous in scrubbing and sorting the telemetry, and just turning it off or blocking it is a good way to get banned outright. What you will do is run emunand, and be on the most recent firmware through that solution and use it accordingly. And then you can boot into a 'custom' firmware of a more modded variety for other uses.

True CFW does not really exist any more.

Giever · Feb 16, 2018

I'm excited for the possibility of homebrew allowing me to stream my PC games to my Switch. I don't even care about it being over the internet, really. I just love not being tied to one spot in my house.

Mr.Gamerson · Feb 16, 2018

I just hope this doesn't screw up online gaming more on the switch than it already is because of all the cheaters that might start to pop up.

Vena · Feb 16, 2018

Mr.Gamerson said:
I just hope this doesn't screw up online gaming more on the switch than it already is because of all the cheaters that might start to pop up.

This won't be released for a long, long time. And by then the system's with access to the servers will have long since moved to >4.x, and probably well into 7 or 8.x. People need to realize a PoC and a release are very different things. PoC for hacking a system are released almost routinely post-updates. Look at the PS4, they release a firmware update and a PoC hack is released within a week because Sony can't fix their firmware holes at all.

But PS4 4.05 kernel was only *just* released for public use.

diablogg · Feb 16, 2018

I just want my NES and GBA games on my Switch ><

Deleted member 11517 · Feb 16, 2018

Vena said:
System checks have telemetry nowadays. You won't be spoofing anything unless you are meticulous in scrubbing and sorting the telemetry, and just turning it off or blocking it is a good way to get banned outright. What you will do is run emunand, and be on the most recent firmware through that solution and use it accordingly. And then you can boot into a 'custom' firmware of a more modded variety for other uses.

True CFW does not really exist any more.

Well, I didn't know that - how does this telemetry work? But I knew it probably won't be as easy for current gen systems hence I said usually. :)

I just know one thing, once a system is cracked people will always find a way.

I've seen people "unban" themselves on PS3 and then people outright tell me that's "not possible" lol.

Btw it's remarkable this gen of consoles the hackers seem to hold back for some reason, isn't the PS4 long cracked, but nothing " official" or usable came out of it yet...?

Reinhard · Feb 16, 2018

Pretty horrible for a system to get fully cracked this early into its life cycle. I didn't know a single person who actually bought Dreamcast titles, it was pirate city galore.... It will especially be dire if people will be able to spoof higher firmwares or have the custom firmware EMUNAND match Nintendo's firmware so firmware version 5+ games can be easily pirated.

Vena · Feb 16, 2018

kageroo said:
Well, I didn't know that - how does this telemetry work? But I knew it probably won't be as easy for current gen systems hence I said usually. :)

I just know one thing, once a system is cracked people will always find a way.

I've seen people "unban" themselves on PS3 and then people outright tell me that's "not possible" lol.

Btw it's remarkable this gen of consoles the hackers seem to hold back for some reason, isn't the PS4 long cracked, but nothing " official" or usable came out of it yet...?

PS3s weren't console unique. Switches have console unique IDs, so if its banned, its banned. No way to change a burned in read-only ID. Those IDs are also known at factory, so you cannot make up a fake ID. Its a set pool of real IDs, and they are buried in the system.

Telemetry, otherwise, is a bunch of data the system stores and then sends to the servers whenever they 'meet up', and this is countless amounts of data that would be near impossible to accurately fool long-term because sooner or later some information reaching the server won't agree with what the server knows you've been doing. An example: telemetry on the Switch says you've been playing nothing, servers says: no you haven't, you've been playing Splatoon 2 constantly (because you do connect their servers routinely). Data analysis would pick this up, and you'd get flagged and possibly banned. All consoles do this nowadays, its why Sony can ban things almost immediately and with fairly sharp precisions, because they are constantly getting data from your system when you are online.

PS4 was cracked in 2013, yes. 4.05 releases a month ago. Why do they keep it quiet? Because the moment 4.05 released, the entire scene turned to piracy, openly and loudly. There are already solutions to dumping and running new software on 4.05 on the PS4.

Deleted member 11517 · Feb 16, 2018

Vena said:
PS3s weren't console unique. Switches have console unique IDs, so if its banned, its banned. No way to change a burned in read-only ID. Those IDs are also known at factory, so you cannot make up a fake ID. Its a set pool of real IDs, and they are buried in the system.

Well, I see. If the "unique id" (I suppose that's not a mac address?) is somehow burned into the hardware without any physical write option then I can definitely see this being difficult to circumvent.

Funny enough what they did on PS3, if the console was banned, was to buy or otherwise obtain a new, not faked mac adress from broken PS3's or something similar. That's what my hacker "friends" told me at least and I read similar stuff on respective internet message boards later on. Usually went for 20 bucks, nothing for someone who wanted to keep using their hacked console (mostly to cheat online and play pirated games of course).

Deleted member 4037 · Feb 16, 2018

El Pescado said:
Is this something Nintendo can't fix with a firmware update? I'd rather not have this happen so early in a system's lifetime.

No, they can patch it easily once the actual exploit is out, right now they cant do much. And by that time a lot of people will be doing it anyways, especially when the firmware of the consoles sold in stores will be below too. This isnt going to sink the switch though, 3ds and wii did just fine, nintendo just always has bad security

EightBitNate · Feb 16, 2018

chronic_archaic said:
It's already happening officially.

Xbox One can emulate 360 but I doubt anyone besides MS could get the Jaguar to boot Xenia games.

Point is, hardware makers have a leg up on modders when it comes to emulation.

Serene · Feb 16, 2018

kageroo said:
Yes, of course they can "fix" this.

Though the thing is with CFW it's usually easy to spoof the firmware so they system checks "think" the system is up to date even if it's not.

FWIW, the current 3DS hacks can survive firmware updates pretty much every time.

After you are hacked, you can update freely and you won't lose the CFW.

Vena · Feb 16, 2018

Aigis said:
No, they can patch it easily once the actual exploit is out, right now they cant do much. And by that time a lot of people will be doing it anyways, especially when the firmware of the consoles sold in stores will be below too. This isnt going to sink the switch though, 3ds and wii did just fine, nintendo just always has bad security

Nintendo knows about at least *some* of the major exploits right now, word on the wind would indicate such as bugs are still frequently reported to Nintendo.

There's a reason updating past 4.x, when even this will require a lot of patience to manifest as usable, is a bad idea. Whatever Nintendo has been cooking for the last few months, it will be big in terms of internal security changes and we don't know what to expect but we can expect some major holes getting patched out as has been the case with every update.

Also, these are no Nintendo security flaws. These are Tegra flaws. There have, so far, been no exploits found in Nintendo's software.

Deleted member 31092 · Feb 16, 2018

I see NintenDOOMED is back.

Vena · Feb 16, 2018

Joseki said:
I see NintenDOOMED is back.

Most people would just brick their Switches with any of this. :P

If people are so worried about Switch homebrew and hacking, they should be on red-alarm-fire for PS4. But no one makes threads about that here. /shrug

Gnorman · Feb 16, 2018

If this eventually happens it would make me buy a Switch.

Decarbia · Feb 16, 2018

Vena said:
Most people would just brick their Switches with any of this. :P

If people are so worried about Switch homebrew and hacking, they should be on red-alarm-fire for PS4. But no one makes threads about that here. /shrug

I know. You can literally already run pirated software on PS4 and now you can circumvent fw checks too.

test_account · Feb 16, 2018

Vena said:
Entirely nVidia, has little to do with Nintendo.

How so? You mean that that the use a bug from Nvidia as an entry point?

Vena said:
PS3s weren't console unique. Switches have console unique IDs, so if its banned, its banned. No way to change a burned in read-only ID. Those IDs are also known at factory, so you cannot make up a fake ID. Its a set pool of real IDs, and they are buried in the system.

Telemetry, otherwise, is a bunch of data the system stores and then sends to the servers whenever they 'meet up', and this is countless amounts of data that would be near impossible to accurately fool long-term because sooner or later some information reaching the server won't agree with what the server knows you've been doing. An example: telemetry on the Switch says you've been playing nothing, servers says: no you haven't, you've been playing Splatoon 2 constantly (because you do connect their servers routinely). Data analysis would pick this up, and you'd get flagged and possibly banned. All consoles do this nowadays, its why Sony can ban things almost immediately and with fairly sharp precisions, because they are constantly getting data from your system when you are online.

PS4 was cracked in 2013, yes. 4.05 releases a month ago. Why do they keep it quiet? Because the moment 4.05 released, the entire scene turned to piracy, openly and loudly. There are already solutions to dumping and running new software on 4.05 on the PS4.

PS3 has unique console ID (PSID and IDPS). You need a valid one to connect to PSN, and that is unique to every PS3 console. Its possible to spoof this, but then you need a valid/authentic PSID and IDPS from another PS3 console, it cant just be something random generated. I cant see it be anything different on any other system, but it depends on how much access and information that its available. The checks are done by software, and you need to know what exactly the server checks are looking for on the hardware. Otherwise, you're right that there could be many flags to check for that will get you banned regadless. I dont think its easy to get every piece of infomation on what exactly the servers are checking for.

Vena · Feb 16, 2018

test_account said:
How so? You mean that that the use a bug from Nvidia as an entry point?

Yes, its bugs in nVidia's drivers and architecture.

test_account said:
PS3 has unique console ID (PSID and IDPS). You need a valid one to connect to PSN, and that is unique to every PS3 console. Its possible to spoof this, but then you need a valid/authentic PSID and IDPS from another PS3 console, it cant just be something random generated. I cant see it be anything different on any other system, but it depends on how much access and information that its available. The checks are done by software, and you need to know what exactly the server checks are looking for on the hardware. Otherwise, you're right that there could be many flags to check for that will get you banned regadless. I dont think its easy to get every piece of infomation on what exactly the servers are checking for.

Oh my mistake then! I was for some reason under the impression that the PS3 was completely borked on its identity, like with their RNG generator and the number 4.

test_account · Feb 16, 2018

EDIT: Double post.

Manwell · Feb 16, 2018

mazi said:
bad news for software sales

3DS has been destroyed for years and i have not seen anything about a meaningful drop in software sales.

test_account · Feb 16, 2018

Vena said:
Most people would just brick their Switches with any of this. :P

If people are so worried about Switch homebrew and hacking, they should be on red-alarm-fire for PS4. But no one makes threads about that here. /shrug

Holly said:
I know. You can literally already run pirated software on PS4 and now you can circumvent fw checks too.

People make threads about that too :)

https://www.resetera.com/threads/ps...leased-full-jailbreak-round-the-corner.12829/
https://www.resetera.com/threads/ps...ked-complete-with-ps2-emulation-unlock.18093/

Vena said:
Yes, its bugs in nVidia's drivers and architecture.

I understand, but isnt that basically like using it as an entry point a lá Webkit for example (thats used on PS4)?

Vena said:
Oh my mistake then! I was for some reason under the impression that the PS3 was completely borked on its identity, like with their RNG generator and the number 4.

Yeah, the PS3 is pretty much hacked all the way through. They can get any decryption keys and all that, but PSN still checks for valid console ID, so that must be present. I wouldnt be surprised if its possible to generate some random number that is accepted as a console ID and the system will work fine, but that ID needs to be present at the PSN servers too for online play, thats why valid/authentic keys are needed.

By the way, the picture showing RNG with the number 4 was just as joke :) As far as i know at least. I think was a comic strip/picture taken from somewhere else. It wasnt just a number set to 4, but Sony didnt implement the checks correctly to have a random number being generated each time, and that in itself was a fail. This resulted in that it was possible to calculate the signing keys, so you could make CFW, sign it with the keys, and the PS3 would read it as an official firmware. This was fixed in firmware 3.56, so it wasnt possible to calculate the new signing keys, thats why it wasnt possible to use CFW above firmware 3.55. I know that its possible with firmware 4.82 as well with more recent developement, but that rely on a Webkit exploit. I have no idea how it works beyond that though.

Braaier · Feb 16, 2018

This is awesome. I likely won't partake but I'm excited to see what they come up with.

Too bad no one seems to want to Crack the PS4 or Xbox one. I love all this homebrew stuff

Vena · Feb 16, 2018

test_account said:
People make threads about that too :)

https://www.resetera.com/threads/ps...leased-full-jailbreak-round-the-corner.12829/
https://www.resetera.com/threads/ps...ked-complete-with-ps2-emulation-unlock.18093/

I know they exist, hah. I even partake in some of them. :P I meant that a lot here don't seem aware of the status of the scene because updates are sparse and generally not thorough (also its been a while since those were made, and there's been a lot of progress in pkg decryption and loaders).

As I said, PS4 scene really devolved fast into straight up warez (same thing happened with the 1.76 release, of course, but now we have tools being made to crack/run new software too). Its a full blitz right now, even faster than Switch progress as the Switch has been largely in PoC stages and implementation of a lot of the other bugs >3.x is a lot more in-depth and out of the hands of the general user. (Which largely comes down to Nintendo's own software being considerably more secure, so its a lot of hoops and instabilities to jump through to gain escalated privileges by reading the RAM in real time to find the right points to press.)

I guess it comes with the territory but 4.05 release was like blood in shark infested waters.

test_account said:
I understand, but isnt that basically like using it as an entry point a lá Webkit for example (thats used on PS4)?

Similar, yes. Basically right now Nintendo 'patching' things isn't them patching their own kernel, its them patching the bugs in nVidia's software. :P

test_account said:
Yeah, the PS3 is pretty much hacked all the way through. They can get any decryption keys and all that, but PSN still checks for valid console ID, so that must be present. I wouldnt be surprised if its possible to generate some random number that is accepted as a console ID and the system will work fine, but that ID needs to be present at the PSN servers too for online play, thats why valid/authentic keys are needed.

By the way, the picture showing RNG with the number 4 was just as joke :) As far as i know at least. I think was a comic strip/picture taken from somewhere else. It wasnt just a number set to 4, but Sony didnt implement the checks correctly to have a random number being generated each time, and that in itself was a fail. This resulted in that it was possible to calculate the signing keys, so you could make CFW, sign it with the keys, and the PS3 would read it as an official firmware. This was fixed in firmware 3.56, so it wasnt possible to calculate the new signing keys, thats why it wasnt possible to use CFW above firmware 3.55. I know that its possible with firmware 4.82 as well with more recent developement, but that rely on a Webkit exploit. I have no idea how it works beyond that though.

Was of the impress that the 4 was more indicative of the fact that the PS3 random number generator was accidentally biased and therefore not random (and would bias 4 output, not that it only output 4), that's where the "4" came from, originally at least. Though this stuff is so old, some of it has turned into folklore. :P

Braaier said:
This is awesome. I likely won't partake but I'm excited to see what they come up with.

Too bad no one seems to want to Crack the PS4 or Xbox one. I love all this homebrew stuff

PS4 is completely blown open. Its private post-4.05 but its all pwned.

SeacatsAndCicadas · Feb 16, 2018

Would the switch be powerful enough to emulate ps2?

hibikase · Feb 16, 2018

What annoys me about those hacks is that even if it doesn't enable piracy, it may still discourage people from buying games because they don't want to update their firmware. It's already happened on the Vita, I've heard many times on GAF and here stupid shit along the line of "oh I have henkaku so I can't go to PSN and buy this game". So it does hurt software sales, regardless of piracy or not.

nate · Feb 16, 2018

A year or two before public release?

Maximo · Feb 16, 2018

Manwell said:
3DS has been destroyed for years and i have not seen anything about a meaningful drop in software sales.

Yeah 3DS had its best year for sales last year.

tomofthepops · Feb 16, 2018

How does this keep happening to Nintendo ? After the 100th time your console gets hacked you think they would take the time and make sure the os is secure.

Vena · Feb 16, 2018

tomofthepops said:
How does this keep happening to Nintendo ? After the 100th time your console gets hacked you think they would take the time and make sure the os is secure.

Same way it keeps happening to Sony.

Brhoom · Feb 16, 2018

If hackers can't get games to run with lower FW then I'm not worried.

shuno · Feb 16, 2018

Great, esp so early. Hope we can see more of it in the future.

TripaSeca · Feb 16, 2018

The most hacked systems sell great and SW sales are marginally impacted, if anything. ImI glad Switch is getting open and really hope the scene moves forward with as little drama as possible and we can mod our systems to have it do great things.

FantaSoda · Feb 16, 2018

Yarbskoo said:
I wonder if it'd be possible to make an amiibo emulator.

If you have an Android phone you can spoof amiibo with NTAG 215 stickers (which cost less than a dollar per sticker) and an app. I used it to spoof some of the Zelda: BOTW amiibo, because the actual amiibo were sold out and going for outrageous prices online.

Arbitrary code execution achieved on Switch firmware 4.x [Mod Edit - Read OP]

User requested account closure

Attempted to circumvent ban with alt account

Community Resettler

Community Resettler

User requested account closure

Community Resettler

Community Resettler

User requested account closure

Community Resettler

User requested account closure

User requested account closure

Community Resettler

Community Resettler

User requested account closure

Community Resettler

Community Resettler

Community Resettler

User requested ban

Community Resettler