Hacker News

Several of the developers of PegaSwitch are watching this thread. If you have any questions, shoot!



That was amazingly quick. The Switch hasn't been out that long. Kudos!

I understand that console hackers are notoriously secretive, but what are your plan(s) in the short and long term? Fostering the eventual homebrew community? Improving upon the OS? etc.


It's insane how much progress we made in a short time. I got the core of the exploit working within 36 hours of release, and then everyone's been working super hard to make it useful and awesome. I couldn't be more proud of this team!

In terms of our plans, it's pretty simple: learn more about the system, escalate privileges where we can, and eventually be able to run our own code.

Personally, I really want Linux running. With the things we know now, we'll almost certainly have Linux as soon as the kernel is under our control.


It would be an amazing hardware platform to get some classic PC games running on (with aid of DOSBox, etc). Commander Keen and the original Doom both come to mind.


I totally agree! The hardware is so close to Tegra dev boards that if/when we break the Switch kernel, we'll likely have full-blown Linux (or Android) in no time at all. I can't wait to be able to play SNES, PC, and more on this.


While a custom OS and home-brew will be great and increase overall hardware sales, I really hope the Switch doesn't develop a reputation for vulnerability to piracy and turn away third-party game developers so soon.


I agree, very much. What I'm hoping for (and currently have no reason to think otherwise) is that they're using TrustZone to handle all the DRM, which will make piracy a huge, huge amount of work. It may also prevent us from totally owning the console, but we'll see.


We generally felt like opening this to the public because we felt enough people had "outed" the WebKit bug used specifically. So it's already going to be fixed, might as well let people play while they can.


> That was amazingly quick. The Switch hasn't been out that long. Kudos!

"We'd like to thank the amazing rockstars at Google and Apple for making WebKit what it is today and following through on their mission to provide millions of people access to otherwise restricting environments. Without your lack of hard work and due diligence, WebKit would be a tied down, secure enclave that would not allow for consumers to exercise their constitutional rights."


Obviously improving the OS is at least one of the advantages of being able to access everything. Can't see why an NTR-styled system couldn't be done for the Switch as well.

It would most likely be much easier to accomplish once we have full access to the system, and hopefully could be branched out much more than what the 3DS does.


Hi devs, nice work. That was quick.

First and foremost: Of the devs that are following along this thread, who has spent the most time playing BOTW? Real question.

Another one: Why do you think Nintendo failed to learn their lesson the first and second times?


I don't know that any of us have really spent too much time with it. I played for about 5 minutes and got frustrated, haha.

In terms of failing to learn their lesson, I think that it actually remains to be seen, to an extent. They failed by including an old WebKit bug, but the bigger failure was outsourcing their browser code in whole; that makes patching things so, so much harder. We'll see how bad the other layers are, but we've barely scratched the surface there.


They didn't exactly fail to learn lessons. They definitely did. But it's a learn-by-experience thing. You can't learn from a mistake you don't know you made. And hackers aren't going to break through the window when the door's unlocked. So until they patch the easy stuff, the hard stuff will never be exploited. Live and learn, I guess.


I don't believe Nintendo "failed to learn their lesson" the first time (I'd assume Wii) or second time (3DS?). I believe they were just dismissive of a lot of the things, because they were inexperienced. I still believe they are pretty inexperienced as it stands with a few of the things that they have done recently.


Awesome work. Have you guys looked into potential differences between the captive browser applet and the share applet, which opens when you try to share an image from your album to Facebook? The share applet is locked down to what seems to be a whitelist of URLs it can access.

I noticed on the share applet, there is a JavaScript object, window.nx, that exposes some internal functions. However, I have had no luck actually calling those functions. If you want to know more about this, I can show you how I execute JavaScript on it and give you a list of window.nx functions.
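The comment above mentions that the share applet is restricted to a whitelist of URLs. As an added example (not code from PegaSwitch, Nintendo, or this commenter), here is how such an allowlist is done robustly versus how it is often done wrongly: comparing the parsed origin (scheme, host, port) against a fixed set, rather than substring-matching the raw string. The allowed origins below are a hypothetical list constructed for the example, not the applet's real one.

```javascript
// Added example: origin-based URL allowlist, the kind of check a locked-down
// web applet might apply before allowing navigation.
// ALLOWED_ORIGINS is a constructed, hypothetical list for this example.
const ALLOWED_ORIGINS = new Set([
  "https://www.facebook.com",
  "https://m.facebook.com",
]);

// Strict check: parse the URL with the WHATWG URL parser (global in browsers
// and Node), require https, and compare the exact origin. Origin comparison
// defeats the usual substring tricks:
//   "https://www.facebook.com.evil.example/"      (host suffix)
//   "https://evil.example/https://www.facebook.com" (allowed string in path)
//   "https://www.facebook.com@evil.example/"       (allowed string as userinfo)
function isAllowedUrl(rawUrl) {
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch (e) {
    return false; // unparsable input is rejected, never allowed by default
  }
  if (parsed.protocol !== "https:") return false;
  // Userinfo in a URL is a red flag for spoofing; reject it outright even
  // though the origin check alone would already catch it.
  if (parsed.username !== "" || parsed.password !== "") return false;
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// Weak check for contrast: a substring match looks like an allowlist but
// accepts any string that merely contains the allowed prefix somewhere.
function isAllowedUrlWeak(rawUrl) {
  return rawUrl.includes("https://www.facebook.com");
}

// Constructed sample inputs showing where the two checks diverge.
const SAMPLE_URLS = [
  "https://www.facebook.com/sharer/sharer.php?u=x",
  "https://www.facebook.com.evil.example/",
  "https://evil.example/?next=https://www.facebook.com",
  "http://www.facebook.com/",
  "not a url",
];

function compareChecks(urls) {
  return urls.map((u) => ({ url: u, strict: isAllowedUrl(u), weak: isAllowedUrlWeak(u) }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareChecks(SAMPLE_URLS));
}
```

Run with `node` to see the table; the strict check accepts only the first sample, while the weak check also accepts the two spoofed hosts. The design point is that an allowlist has to operate on the parsed origin, not the raw string, and has to fail closed on anything it cannot parse.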


Yeah, so they're shared codebases (obviously), but they have some different stuff enabled. There's actually more in window.nx than is exposed even with the share applet, but no one has really dug too deep into it yet. I'm fairly certain there's a function to call to enable everything, but given our full access to the process, there's not much incentive there.

That said, I know there are a couple JS projects aiming to build a kind of 'debugger' into the web applets; might help them to know what you know!


How could I take something like PegaSwitch and use it to attack my "smart" TV? (It's running an old webkit, too)


You'd have to customize the exploit to the point where you basically need to start from scratch. All of the interesting stuff we have (from getting the stack pointer, to our insane JOP/ROP chain for native function calls) is specific to the Switch, and specific to the exact binary we're running in the context of. That said, the core of the exploit (sploitcore.setup/allocBuffers) probably wouldn't be too hard to port.



