Hackers make progress on Nintendo Switch hack
Since the webkit vulnerability and Pegaswitch were released on the Nintendo Switch a few day after the console’s launch, several hackers have been digging into the internals of the console to learn about its system.
Hacker Plutoo of 3DS/Wii U Fame confirmed yesterday that he has been able to grab what appears to be data/API call names from one of the modules on the Nintendo Switch. The module in question, according to the hacker, is NS, which might be the equivalent of the module of the same name on the 3DS. Plutoo has however stated that given the differences in API names, it appears that this is not based on 3DS firmware code.
The webkit exploit lets hackers look at some parts of the RAM (and of the filesystem) of the Nintendo Switch, the same RAM that was accessible to the webkit process. In that RAM, some modules of the system have been loaded for webkit to interact with the system, and that’s what hackers can poke within the Webkit exploit.
I like to picture this exercise as trying to draw a map of an entire house. The webkit exploit puts you inside one of the rooms, and it’s dark. You have to feel the objects around you to start drawing the map. And you’re going to need to find a way out of that room to be able to inspect the entire house. (and duh, the doors are locked).
Hackers are interested in knowing what’s in RAM, not only to “draw the map” but because one of the modules accessible to Webkit can potentially be leveraged to break out of the webkit process. Typically with a privilege escalation vulnerability. So the idea here is to reverse engineer the modules loaded in ram, understand what they do, and find a bug in one of them.
There’s nothing of use for the typical end user yet. But if you’re interested in how systems get hacked from scratch, you’re at the right point in time to watch this evolve for the Nintendo Switch.
As a reminder, the webkit exploit was patched in Nintendo Switch Firmware update 2.1.