Progress on Switch hacks, and how Nintendo attempts to slow it down
Hackers Derrek, Yellows8, Plutoo, as well as SciresM have been sharing lots of progress on the hacking side of the Nintendo Switch.
A couple of days ago, Derrek tweeted “we got the kernel”, a statement that yellows8 later confirmed means the kernel has been dumped rather than exploited. Dumping a decrypted version of the kernel is of course a massive step, as it is pretty much a requirement for starting to reverse engineer the Switch firmware in search of exploits.
we got the kernel. @qlutoo @ylws8 #NintendoSwitch #Haxx
— derrek (@derrekr6) July 9, 2017
Plutoo mentioned the Switch does not have KASLR (kernel address space layout randomization), meaning kernel-mode exploits will be easier to write once a vulnerability is found.
no kaslr
— plutoo (@qlutoo) July 9, 2017
Nintendo is prepared to some extent against hacking. In particular, SciresM gave details on the crash reports being logged back to Nintendo. These logs contain a lot of detail, and will help the company patch potential exploits before they’re even distributed if hackers are not careful enough and let the console communicate with Nintendo’s servers. We had already suspected similar activity from Sony early in the PS Vita days.
A list of the data being sent to Nintendo in crash reports, courtesy of SciresM:
AbortFlag
AbortType
AccessPointSSID
AccessPointSecurityType
AlternateDNSIPAddress
ApplicationID
ApplicationStorageLocation
ApplicationTitle
ApplicationVersion
BatteryAge
BatteryChargePercent
BatteryChargeVoltage
BatteryTemperature
BoostModeCurrentLimit
ChargeConfiguration
ChargeEnabled
ChargeVoltageLimit
ConnectAutomaticallyFlag
ConnectionStatus
ConsoleModeTimeToScreenSleep
ControllerPowerSupplyAcquired
ControllerVibrationVolume
CreateProcessFailureFlag
CurrentFanDuty
CurrentIPAddress
CurrentLanguage
CurrentSystemPowerState
DNSType
DestinationSystemPowerState
EdidBlock
EdidExtensionBlock
EnableBluetoothFlag
EnableNFCFlag
EnableWifiFlag
EncryptedExceptionInfo
EncryptionKey
ErrorCode
FastBatteryChargingEnabled
FastChargeCurrentLimit
FatalFlag
FocusedAppletHistory
FsRemountForDataCorruptCount
FsRemountForDataCorruptRetryOutCount
GameCardAsicCrcErrorCount
GameCardCID
GameCardCrcErrorCount
GameCardReadRetryCount
GameCardRefreshCount
GameCardTimeoutRetryErrorCount
GatewayIPAddress
GeneralRegisterAarch64
HandheldModeTimeToScreenSleep
HdmiAudioOutputMode
HizMode
IPAddressAcquisitionMethod
InputCurrentLimit
InternalBatteryLotNumber
LastDvfsThresholdTripped
LimitHighCapacityFlag
LockScreenFlag
MTU
MicroSDCID
MicroSDSpeedMode
MuteOnHeadsetUnpluggedFlag
NANDCID
NANDDeviceLifeTimeEstTypA
NANDDeviceLifeTimeEstTypB
NANDFreeSpace
NANDNumActivationErrorCorrections
NANDNumActivationFailures
NANDNumReadWriteErrorCorrections
NANDNumReadWriteFailures
NANDPatrolCount
NANDPreEolInfo
NANDSpeedMode
NXMacAddress
NintendoZoneConnectedFlag
NintendoZoneSSIDListVersion
NotificationSoundFlag
NotifyInGameDownloadCompletionFlag
OccurrenceTimestamp
OccurrenceTimestampNet
OsVersion
OtgRequested
PerformanceConfiguration
PerformanceMode
PowerRole
PowerSupplyCurrent
PowerSupplyPath
PowerSupplyType
PowerSupplyVoltage
PreviousSystemPowerState
PriorityDNSIPAddress
PrivateOsVersion
ProductModel
ProgramId
ProgramMappedAddr64
RGBRangeSetting
RadioStrength
ReduceScreenBurnFlag
RegionSetting
RegisterSetFlag64
ReportIdentifier
ReportVisibilityFlag
RunningAppletList
RunningApplicationId
RunningApplicationStorageLocation
RunningApplicationTitle
RunningApplicationVersion
SDCardFreeSpace
ScreenBrightnessAutoAdjustFlag
ScreenBrightnessLevel
SdCardNumActivationErrorCorrections
SdCardNumActivationFailures
SdCardNumReadWriteErrorCorrections
SdCardNumReadWriteFailures
SdCardProtectedAreaSize
SdCardUserAreaSize
SerialNumber
SpeakerAudioOutputMode
StackBacktrace64
StopAutoSleepDuringContentPlayFlag
StorageAutoOrganizeFlag
SubnetMask
TVAllowsCecFlag
TVResolutionSetting
TemperaturePcb
TemperatureSoc
Throttled
ThrottlingDuration
ThrottlingTimestamp
TimeZone
USB3AvailableFlag
UseNetworkTimeProtocolFlag
UseProxyFlag
UseStealthNetworkFlag
VideoOutputSetting
WirelessAPMacAddress
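To make the point about crash telemetry concrete, here is an added example (not code from the article, from SciresM, or from Nintendo) showing how a vendor can cluster fatal crash reports of the kind listed above into one reproducible bug. It assumes a simple Key=Value dump format and uses a constructed sample with a few of the listed field names; the report IDs, program IDs and backtrace addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample: three crash reports in an assumed Key=Value dump format,
# using a handful of the field names from the list above. All values are made up.
SAMPLE_REPORTS = """\
ReportIdentifier=r001
OsVersion=2.3.0
AbortType=DataAbort
ProgramId=APP_A
FatalFlag=1
StackBacktrace64=0x1000,0x2000,0x3000

ReportIdentifier=r002
OsVersion=2.3.0
AbortType=DataAbort
ProgramId=APP_A
FatalFlag=1
StackBacktrace64=0x1000,0x2000,0x4000

ReportIdentifier=r003
OsVersion=2.2.0
AbortType=Undefined
ProgramId=APP_B
FatalFlag=0
StackBacktrace64=0x0010
"""

def parse_reports(text):
    """Split a blank-line-separated Key=Value dump into a list of dicts."""
    reports = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, _, value = line.partition("=")
            rec[key.strip()] = value.strip()
        reports.append(rec)
    return reports

def crash_signature(rec, depth=2):
    """Bucket key: which program crashed, how, and the top frames of the backtrace."""
    frames = [f for f in rec.get("StackBacktrace64", "").split(",") if f]
    return (rec.get("ProgramId"), rec.get("AbortType"), tuple(frames[:depth]))

def cluster_fatal_crashes(reports, min_count=2):
    """Group fatal reports by signature; keep only signatures seen repeatedly,
    i.e. the ones that look like a reproducible (and possibly exploitable) bug."""
    groups = defaultdict(list)
    for rec in reports:
        if rec.get("FatalFlag") == "1":
            groups[crash_signature(rec)].append(rec["ReportIdentifier"])
    return {sig: ids for sig, ids in groups.items() if len(ids) >= min_count}
```

Only the top two frames go into the signature, so two crashes that diverge deeper in the stack still land in the same bucket; r003 is non-fatal and is ignored.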
Nintendo didn’t stop there, of course: they’ve recently added the Switch to their bug bounty program, to give security researchers an incentive to report bugs and vulnerabilities rather than use them to exploit the console.
Since the launch of the console, Switch hackers seem to have made steady progress on breaking it open, which suggests Nintendo is still not at Sony’s or Microsoft’s level when it comes to securing their console. It’s an exciting time to be on the scene.
First!
Last!
Second last!
This is good news: the more code they add to their checks, the easier it is to add those reporting functions to unsigned code. Every module they utilise gives devs a running start to homebrew rather than coding them and adding them from scratch on an undocumented architecture.
Not that freebsd is but you get the point.
For the record admin team, the amount of posts I have deleted in the approval process is getting to a point where I have almost gone hermit. The political correctness or whatever you label it here is becoming quite silly. You don’t know me or my contributions and I have never walked over any line other than indirectly pointing people at their self offense. I never call you a fool, I show you your own fool and let you take from the mirror what you like.
This made me laugh so hard! Thank you sir.
Nintendo still behind the curve XD
Can’t wait for my Switch to be hacked!
Can’t they just disable wifi, so the Switch does not send log files?
Depends on how it’s set up; it’s possible that the console stores the logs, then sends them when it gets a connection.
If that’s the case we need to block the console from sending logs, then figure out how to clear out any stored logs before we can bring the console online again, or find a more permanent way of blocking crash report sending.
Pretty easy to just use a custom DNS server which blocks all communications to Nintendo domains. I’m sure that all of these so-called hackers have this already set up.
Pretty sure that would mean they couldn’t receive updates either though.
Pretty sure updates are to be avoided at all costs when hacking anyway.
The older the firmware, the better… 99.99% of the time anyway.
I think you misunderstand – the crash logs referred to are coming from normal users, not from the hackers. Basically, if you (a normal user) manage to crash your Switch, then there is possibly a bug in the Switch’s code. The crash report from your Switch then allows Nintendo to fix the bug. If the bug is left unfixed, then a hacker could potentially use it to bypass the Switch’s security measures.
The log report can easily be bypassed with a simple iptables setting.
And this is why I have not bought a Switch yet; if it got hacked now then it would be a paperweight, since there are very few games out atm.
I know it’s a race as to who gets to be the first. But all I see is a dying newborn, honestly. It’s really sad.
Yes, cause the almost unhackable Vita has sooooo many games to choose from. Unlike the PSP, which was hacked almost immediately and barely has any games. Hacking has almost 0 to do with how a console progresses. But don’t take my word for it. Do some research.
The pic looks like a list of functions.