Difference between revisions of "List of Switch exploits"
(→List of Switch's Exploits: changed exploit order based on console firmware) |
(→List of Switch's Exploits: updated compatible versions) |
||
(9 intermediate revisions by the same user not shown) | |||
Line 10: | Line 10: | ||
! style="width:8%" | Link | ! style="width:8%" | Link | ||
! style="width:8%" | Status | ! style="width:8%" | Status | ||
+ | |- | ||
+ | | Jamais vu | ||
+ | | 1.0.0 | ||
+ | | ReSwitched Team (SciresM, and Motezazer) | ||
+ | | [https://gbatemp.net/threads/494712/ Thread], [https://www.reddit.com/r/SwitchHacks/comments/7rq0cu/jamais_vu_a_100_trustzone_code_execution_exploit/ reddit] | ||
+ | | Fixed | ||
|- | |- | ||
| PegaSwitch | | PegaSwitch | ||
Line 17: | Line 23: | ||
| Fixed | | Fixed | ||
|- | |- | ||
− | | | + | | Nereba |
− | | 1.0.0 - 4.1.0 | + | | 1.0.0 - 3.0.0 |
+ | | ReSwitched Team (Stuckpixel) | ||
+ | | [https://gbatemp.net/threads/536409/ Unofficial Thread], [https://github.com/pixel-stuck/nereba/ Sources] | ||
+ | | Fixed | ||
+ | |- | ||
+ | | Déjà Vu / Caffeine | ||
+ | | 1.0.0 - 4.1.0, partially up to 7.0.1 | ||
| SciresM | | SciresM | ||
− | | | + | | [https://gbatemp.net/threads/496799/ Unofficial Thread], [https://gbatemp.net/threads/537361/ Unofficial Thread], [https://github.com/liuervehc/caffeine github for 3.0.0], [https://gbatemp.net/threads/541826/ unofficial thread caffeine for 4.1.0 released] |
− | | | + | | Fixed |
|- | |- | ||
| Fusée Gelée | | Fusée Gelée | ||
− | | | + | | All (non iPatched consoles only) |
| Independently discovered by ReSwitched Team (Kate Temkin), fail0verflow (shuffle2). | | Independently discovered by ReSwitched Team (Kate Temkin), fail0verflow (shuffle2). | ||
− | | | + | | [https://gbatemp.net/threads/496838/ Unofficial Thread] |
| Fixed, june2018 | | Fixed, june2018 | ||
|} | |} | ||
+ | |||
+ | ==Jamais vu== | ||
+ | Jamais vu exploit a warmboot vulnerability in the TrustZone to allow code execution. | ||
==PegaSwitch== | ==PegaSwitch== | ||
Line 35: | Line 50: | ||
PegaSwitch is triggered by using a computer's program serving as DNS server. | PegaSwitch is triggered by using a computer's program serving as DNS server. | ||
+ | ==Nereba== | ||
+ | released in April 2019, this exploit is compatible with old firmwares 1.0.0 to 3.0.0 only. | ||
+ | |||
+ | It's exploiting a warm boot RAM access vulnerability which allows the console to reboot from OFW to any Fusée Gelée payloads using the web applet. | ||
+ | |||
+ | |||
+ | ==Déjà vu== | ||
+ | |||
+ | Déjà vu was an old known but unreleased exploit. It has finally been released in April 2019. | ||
+ | |||
+ | Compatible firmwares from 1.0.0 up to 4.1.0. The vulnerability was only partially fixed in 6.0.0. The vulnerability was kept secret as long as it wasn't fully fixed in eventuality that it could be useful later to exploit units with patched known exploits. | ||
+ | |||
+ | Nintendo definitely [https://twitter.com/SciresM/status/1117955638863130624 fixed that vulnerability] in 2019 with firmware 8.x | ||
Line 43: | Line 71: | ||
Fusée gélée exploit a vulnerability in the Recovery mode of the Nintendo Switch, allowing early code execution on the console. The Recovery mode is launched before Horizon OS, the switch's operating system (the user interface). | Fusée gélée exploit a vulnerability in the Recovery mode of the Nintendo Switch, allowing early code execution on the console. The Recovery mode is launched before Horizon OS, the switch's operating system (the user interface). | ||
− | + | A ''simplified'' graphical representation of the launch sequence: | |
Cold boot > Recovery mode > Boot loader > Horizon OS | Cold boot > Recovery mode > Boot loader > Horizon OS | ||
This might not be the exact launch sequence, but it's good enough to get a quick understanding of what happens before the main console's interface is displayed. | This might not be the exact launch sequence, but it's good enough to get a quick understanding of what happens before the main console's interface is displayed. | ||
Line 57: | Line 85: | ||
'''Q.''' Why use Fusée gelée to boot an official firmware? | '''Q.''' Why use Fusée gelée to boot an official firmware? | ||
− | '''A.''' The official Nintendo's bootloader is responsible for checking and burning eFuse. eFuses are burned when upgrading the firmware to prevent you to downgrade your console. | + | '''A.''' The official Nintendo's bootloader is responsible for checking and burning [https://switchbrew.org/wiki/Fuses#Anti-downgrade eFuse]. eFuses are burned when upgrading the firmware to prevent you to downgrade your console. |
Horizon checks how many eFuses has been burned, if it doesn't match the expected eFuse number the OS will refuse to launch. | Horizon checks how many eFuses has been burned, if it doesn't match the expected eFuse number the OS will refuse to launch. | ||
Bypassing the official bootloader prevents eFuse burning when booting a higher (official or patched) firmware version, allowing the user to return to the lowest installed fused firmware (eMMC restoration or firmware downgrade). | Bypassing the official bootloader prevents eFuse burning when booting a higher (official or patched) firmware version, allowing the user to return to the lowest installed fused firmware (eMMC restoration or firmware downgrade). | ||
Line 101: | Line 129: | ||
When the console is in RCM, waiting for USB data reception, you can use a payload launcher to send a non signed payload binaries (program) to the Switch. | When the console is in RCM, waiting for USB data reception, you can use a payload launcher to send a non signed payload binaries (program) to the Switch. | ||
− | There are different payload launchers program (on computers, | + | There are different payload launchers program (on computers, Phones or standalone dongles), and different payload binaries which can be sent to the console. |
Line 109: | Line 137: | ||
* Run the payload Launcher and select the payload to send to the console, or let the dongle do it automatically. | * Run the payload Launcher and select the payload to send to the console, or let the dongle do it automatically. | ||
− | + | A list of Fusée Gelée Code launchers, dongles and payloads are available [[List of Switch payloads|here]] | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + |
Latest revision as of 10:36, 7 August 2019
Switch Homebrew | |
---|---|
Introduction • Homebrew Development • Homebrew Bounty • Glossary | |
Release Lists | All Homebrew • Applications • Games • Emulators • Demos • Exploits • Payloads • CFWs • Development libraries & tools • PC Utilities |
Information | • Homebrew TitleID • Game patches and mods • Savegames • Websites |
*Draft page* please help improving and fixing missing information.
List of Switch's Exploits
Name | Compatible firmware versions | Author(s) | Link | Status |
---|---|---|---|---|
Jamais vu | 1.0.0 | ReSwitched Team (SciresM, and Motezazer) | Thread, reddit | Fixed |
PegaSwitch | 1.0.0 - 3.0.0 | ReSwitched Team (SciresM, and more) | website, Sources | Fixed |
Nereba | 1.0.0 - 3.0.0 | ReSwitched Team (Stuckpixel) | Unofficial Thread, Sources | Fixed |
Déjà Vu / Caffeine | 1.0.0 - 4.1.0, partially up to 7.0.1 | SciresM | Unofficial Thread, Unofficial Thread, github for 3.0.0, unofficial thread caffeine for 4.1.0 released | Fixed |
Fusée Gelée | All (non iPatched consoles only) | Independently discovered by ReSwitched Team (Kate Temkin), fail0verflow (shuffle2). | Unofficial Thread | Fixed, june2018 |
Jamais vu
Jamais vu exploit a warmboot vulnerability in the TrustZone to allow code execution.
PegaSwitch
PegaSwitch exploit a vulnerability in the Internet navigator WebKit module. PegaSwitch does not allow homebrew launching.
PegaSwitch is triggered by using a computer's program serving as DNS server.
Nereba
released in April 2019, this exploit is compatible with old firmwares 1.0.0 to 3.0.0 only.
It's exploiting a warm boot RAM access vulnerability which allows the console to reboot from OFW to any Fusée Gelée payloads using the web applet.
Déjà vu
Déjà vu was an old known but unreleased exploit. It has finally been released in April 2019.
Compatible firmwares from 1.0.0 up to 4.1.0. The vulnerability was only partially fixed in 6.0.0. The vulnerability was kept secret as long as it wasn't fully fixed in eventuality that it could be useful later to exploit units with patched known exploits.
Nintendo definitely fixed that vulnerability in 2019 with firmware 8.x
Fusée gelée
(en: Frozen Space Rocket)
Fusée gélée exploit a vulnerability in the Recovery mode of the Nintendo Switch, allowing early code execution on the console. The Recovery mode is launched before Horizon OS, the switch's operating system (the user interface).
A simplified graphical representation of the launch sequence:
Cold boot > Recovery mode > Boot loader > Horizon OS
This might not be the exact launch sequence, but it's good enough to get a quick understanding of what happens before the main console's interface is displayed.
Fusée Gelée runs in the Recovery mode step and allows code execution before the Boot loader.
It can be used to either:
- Run standalone applications (key dumpers, display console information, etc.),
- Replace the bootloader and allows launching of custom OS running on native tegra chipset (Linux, Lakka, etc.)
- Act as a bootloader and launches Horizon OS, stock (OFW) or with temporary memory patches (CFW),
Q. Why use Fusée gelée to boot an official firmware?
A. The official Nintendo's bootloader is responsible for checking and burning eFuse. eFuses are burned when upgrading the firmware to prevent you to downgrade your console. Horizon checks how many eFuses has been burned, if it doesn't match the expected eFuse number the OS will refuse to launch. Bypassing the official bootloader prevents eFuse burning when booting a higher (official or patched) firmware version, allowing the user to return to the lowest installed fused firmware (eMMC restoration or firmware downgrade).
Boot modes
There are different Boot Modes the console can access: Normal launch, Recovery mode, Maintenance mode, Safe mode. Fusée gelée uses the Recovery Mode, commonly called "RCM".
Recovery mode
The console enters this Recovery mode for three different reasons:
- The internal memory is corrupted or the entire eMMC board is missing ;
- The bootloader program is corrupted ;
- A specific key combination is pressed on cold boot : with the console fully shutdown, keep pressed both Vol+ while bridging right joycon's pin 10 with Ground (with pin1, 7 or 9) and switch on the console.
Entering this recovery mode (RCM) puts the console on a black screen, where the console waits for USB sent signed commands for secure communication. Fusée gelée uses a vulnerability in the command verification process to send non signed data and execute unsigned code.
This vulnerability has been fixed on consoles sold after june 2018.
Maintenance mode
There is another menu called Recovery Mode, also known as Maintenance Mode. The maintenance mode is part of the Horizon OS, and can be launched after RCM, for example, after choosing which firmware to launch from Hekate in RCM.
It has an onscreen menu to update the console, format and delete user preferences, or just exit and launch Horizon OS. Additionally, entering this menu automatically clears temporarily downloaded files, such as a complete or partial system update.
A different pressed buttons combination is used to boot into this menu.
Console power OFF : keep pressed Vol+ and Vol-, press and release Power button or Just after selecting Launch Firmware from RCM's custom bootloader : keep pressed Vol+ and Vol-
Accessing this Maintenance mode screen has the effect of deleting temporary downloaded update files and stop displaying the update nag on Horizon OS.
Safe mode
Safe mode is used to boot Horizon OS using a slightly different firmware. You can see this mode like booting into Windows' safe mode on your computer to disable drivers and network configuration to resolve conflicts.
There is no reason to use this mode for homebrew or Fusée Gelée. For more information, read switchbrew's boot modes page.
Usage
When the console is in RCM, waiting for USB data reception, you can use a payload launcher to send a non signed payload binaries (program) to the Switch.
There are different payload launchers program (on computers, Phones or standalone dongles), and different payload binaries which can be sent to the console.
- Fully shutdown the console (not in sleep mode)
- Launch RCM (shortcut joycon pin10 with any GND pin, press Vol+ and power button)
- Plug your Nintendo Switch through USB OTG compatible device (computer, phone or dongle)
- Run the payload Launcher and select the payload to send to the console, or let the dongle do it automatically.
A list of Fusée Gelée Code launchers, dongles and payloads are available here