Line 1: |
Line 1: |
− | Exploits are used to execute unofficial code (homebrew) on the Nintendo Switch. This page is a list of publicly known Switch system flaws.
| + | This page is a list of publicly known Switch flaws. |
| | | |
| = Hardware = | | = Hardware = |
Line 464: |
Line 464: |
| |} | | |} |
| | | |
− | == FIRM-package System Modules == | + | == BootImagePackage System Modules == |
| Flaws in this category pertain to any of the [[Package2#Section_1|built-in system modules]]. | | Flaws in this category pertain to any of the [[Package2#Section_1|built-in system modules]]. |
| | | |
Line 994: |
Line 994: |
| | January 13, 2023 | | | January 13, 2023 |
| | October 20, 2023 | | | October 20, 2023 |
| + | | [[User:Yellows8|yellows8]] |
| + | |- |
| + | | [[NV_services|nv]] NVGPU_GPU_IOCTL_GET_CHARACTERISTICS Ioctl3 infoleak |
| + | | The handler code for NVGPU_GPU_IOCTL_GET_CHARACTERISTICS for Ioctl/Ioctl3 are essentially the same, except for the value used for the max-size clamp: Ioctl uses constant 0xA0, while Ioctl3 uses the outbuf1_size. So if one uses this with Ioctl3 and a large outbuf1, this will memcpy data OOB from the source buffer, hence infoleak. |
| + | With [17.0.0+] the second block of csel code which previouly essentially used the clamped size from above, was replaced with code which properly clamps to the max-size constant. |
| + | | nvservices-sysmodule infoleak, which allows defeating ASLR. |
| + | | [[17.0.0]] |
| + | | [[17.0.0]] |
| + | | February 25, 2022 |
| + | | October 24, 2023 |
| + | | [[User:Yellows8|yellows8]] |
| + | |- |
| + | | [[Audio_services|audctl]] GetTargetDeviceInfo infoleak |
| + | | audctl GetTargetDeviceInfo calls an impl func with a ptr to a stackbuf, then if successful memcpys the 0x100-bytes from that buffer to output. This stackbuf is not memset. This func (after doing various state checks) copies a string to output, other than always writing a NUL-terminator there's no clearing of the buffer. |
| + | |
| + | This will leak audio-sysmodule stack into the output buffer as long as the state/input checks pass (for the remainder of the buffer following the string NUL-terminator). |
| + | |
| + | With [18.0.0+] data is written directly to the outbuf instead of the stack tmpbuf. |
| + | | audio-sysmodule infoleak, which allows defeating ASLR. |
| + | | [[18.0.0]] |
| + | | [[18.0.0]] |
| + | | December 24, 2022 |
| + | | March 26, 2024 |
| + | | [[User:Yellows8|yellows8]] |
| + | |- |
| + | | [[Audio_services|audctl]] GetSystemInformationForDebug infoleak / buffer overflow |
| + | | audctl GetSystemInformationForDebug calls a func with a 0x1000-byte stack tmpbuf, then afterwards that buffer is memcpy'd into the cmd outbuf. This called func doesn't clear the buffer. This func eventually uses [[BTM_services|btm]] cmd75 with outarray={global ptr} and count=10. Then if the outcount is s32 >=1, it loops through the output using the outcount, without validating it besides the <1 check. Data from that outarray is copied into the array in the func output buffer (tmpbuf above). |
| + | |
| + | With btm comprimised, one could return a large output count and trigger a stack buffer overflow with data following that global array, however exploiting this would be difficult since that data would be uncontrolled (can't directly control it from this cmd at least). |
| + | |
| + | A stack infoleak can be obtained with this as well (assuming the above output array isn't full). |
| + | |
| + | Even though the name has "ForDebug", there's no checks which would trigger an error / return early (this also always returns 0). |
| + | |
| + | [18.0.0+] now clears the output buffer, and also now prints strings into the buffer instead of writing binary data (overflow no longer possible). |
| + | | audio-sysmodule infoleak, which allows defeating ASLR. Also audio-sysmodule memory corruption, likely not useful unless there's a way to control the data. |
| + | | [[18.0.0]] |
| + | | [[18.0.0]] |
| + | | December 7, 2022 |
| + | | March 27, 2024 |
| | [[User:Yellows8|yellows8]] | | | [[User:Yellows8|yellows8]] |
| |} | | |} |