smhax, the huge Nintendo Switch vulnerability that’s both good and bad news
Good news: smhax is probably one of the biggest vulnerabilities discovered so far on the Nintendo Switch, and will probably pave the way for homebrew on the device in the months to come. Bad news: Nintendo fixed it last month with the latest firmware update, Switch 3.0.1.
What’s Nintendo Switch smhax?
smhax is the informal name of a vulnerability discovered by multiple hackers on the Nintendo Switch. The bug, when fully exploited, appears to be a privilege escalation which allows the attacker to register and run arbitrary services on the console. Specifically, according to the switchbrew wiki:
Prior to 3.0.1, the service manager (sm) built-in system module treats a user as though it has full permissions if the user creates a new “sm:” port session but bypasses initialization. This is due to the other sm commands skipping the service ACL check for Pids <= 7 (i.e. all kernel bundled modules) and that skipping the initialization command leaves the Pid field uninitialized. Successful exploitation results in acquisition, registering, and unregistering of arbitrary services.
In other words, coupled with a userland entry point (typically a webkit vulnerability), this could probably be used to gain full access to the console.
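To make the bug class concrete, here is a small constructed model of the check the wiki describes: an access decision that short-circuits on a "trusted pid" range, paired with a session whose pid field is only written by the initialization command. The code below is an added illustration, not sm's code or anything from switchbrew; the struct layout, the `initialized` flag, the ACL rule and the service name "example:srv" are all assumptions, and `calloc` simply stands in for whatever stale value the skipped-initialization field happened to hold (here, 0). The hardened variant shows the defender's fix: refuse every privileged decision until the session has been explicitly initialized, instead of trusting a field that may never have been set.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a service-manager session. Field names are assumptions. */
typedef struct {
    uint64_t pid;         /* caller's process id; meant to be set by Initialize */
    bool     initialized; /* hardened version only: has Initialize actually run? */
} sm_session_t;

/* The page states that pids <= 7 are the kernel-bundled modules. */
#define KERNEL_MODULE_PID_MAX 7

/* Constructed ACL: one ordinary process (pid 42) may use one service. */
static bool acl_allows(uint64_t pid, const char *service) {
    return pid == 42 && strcmp(service, "example:srv") == 0;
}

/* Pre-fix style check: trusts whatever the pid field contains. If the session
 * skipped Initialize, the field is stale, and a stale value in the kernel
 * range bypasses the ACL entirely. */
bool sm_check_vulnerable(const sm_session_t *s, const char *service) {
    if (s->pid <= KERNEL_MODULE_PID_MAX)
        return true;                      /* kernel modules skip the ACL */
    return acl_allows(s->pid, service);
}

/* Hardened check: no decision is made on an uninitialized session. The
 * privileged short-circuit only runs once the pid is known to be valid. */
bool sm_check_hardened(const sm_session_t *s, const char *service) {
    if (!s->initialized)
        return false;                     /* fail closed until Initialize runs */
    if (s->pid <= KERNEL_MODULE_PID_MAX)
        return true;
    return acl_allows(s->pid, service);
}

/* Open a port session without running Initialize. calloc models the stale
 * field reading 0, a constructed simplification of "uninitialized". */
sm_session_t *sm_open_session_skipping_init(void) {
    return calloc(1, sizeof(sm_session_t));
}

/* Open a session the intended way: Initialize records the caller's pid. */
sm_session_t *sm_open_session_with_init(uint64_t pid) {
    sm_session_t *s = calloc(1, sizeof(sm_session_t));
    if (s) {
        s->pid = pid;
        s->initialized = true;
    }
    return s;
}

int main(void) {
    sm_session_t *stale = sm_open_session_skipping_init();
    printf("uninitialized session, vulnerable check: %s\n",
           sm_check_vulnerable(stale, "example:srv") ? "ALLOWED" : "denied");
    printf("uninitialized session, hardened check:   %s\n",
           sm_check_hardened(stale, "example:srv") ? "ALLOWED" : "denied");
    free(stale);

    sm_session_t *user = sm_open_session_with_init(42);
    printf("pid 42 on example:srv, hardened check:   %s\n",
           sm_check_hardened(user, "example:srv") ? "ALLOWED" : "denied");
    printf("pid 42 on other:srv, hardened check:     %s\n",
           sm_check_hardened(user, "other:srv") ? "ALLOWED" : "denied");
    free(user);
    return 0;
}
```

The general lesson is independent of the Switch: any authorization path that treats a field as trusted based on its value must also know that the field was actually populated by the authentication step, otherwise skipping that step inherits whatever the default or stale value grants.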
What does smhax mean to the end user for Nintendo Switch hacks?
Hacker SciresM has confirmed on GBATemp that all firmwares up to and including 3.0.0 could leverage this exploit once the necessary tools are made available. Technically, if you know your basics in hacking, the information on the switchbrew wiki should almost be enough to get looking into this specific vulnerability.
However, the Switch homebrew scene is still an embryo at this point, and many people are mentioning that the latest 3.0.1 firmware is required to play AAA titles such as Splatoon 2. It’s unlikely that many of us will stay on a low firmware at the moment, even if it’s important to emphasize how big of a bug this was, and how unlikely the scene is to have such a lucky break any time soon.
3DS hacker Smealum also mentioned that a similar vulnerability existed for a long time on the 3DS, and had been leveraged by the infamous Gateway 3DS.
Nintendo have been ramping up their game against hacking in the past few years, mostly with tight monitoring of what’s happening on the console (for those who are tinkering but are not very careful about it, their hacks might be patched before they even realize they have a hack), but also with a bounty program that incentivizes hackers to report vulnerabilities to Nintendo directly.
For now, this information about smhax is mostly interesting for those of you who are interested in hacking the device yourselves and were looking for pointers. However, now that it’s out in the open, there’s a possibility this will lead to more releases for the scene.