2,787
edits
Changes
Jump to navigation
Jump to search
Line 1:
Line 1: + − System Flaws are used to execute unofficial code (homebrew) on the Nintendo Switch. This page is a list of known and public Switch System Flaws.+ − + + + + + − == Hardware == Line 13:
Line 17: + + + + + + + + Line 19:
Line 31: − + Line 31:
Line 43: − + Line 46:
Line 58: − + Line 52:
Line 64: − + − + + − === Stage 1 Bootloader === Line 97:
Line 109: + + Line 146:
Line 160: + + Line 217:
Line 233: + + Line 259:
Line 277: − |- Line 279:
Line 296: + + Line 307:
Line 326: − +
Shameless boasting
Exploits are used to execute unofficial code (homebrew) on the Nintendo Switch. This page is a list of publicly known Switch system flaws.
For userland applications/applets flaws see [[Switch_Userland_Flaws|here]].
=List of Switch System Flaws=
= System flaws =
== Hardware ==
Flaws in this category pertain to the underlying hardware that powers the Switch.
This includes components shared across Tegra based devices such as the [[TSEC]], the [[Security_Engine|Security Engine]], the [[GPU]] and so on.
{| class="wikitable" border="1"
{| class="wikitable" border="1"
! Summary
! Summary
! Public disclosure timeframe
! Public disclosure timeframe
! Discovered by
! Discovered by
|-
| CVE-2018-6242 (leveraged by the ShofEL2 and Fusée Gelée exploits)
| The USB software stack provided inside the boot instruction rom (IROM/bootROM) contains a copy operation whose length can be controlled by an attacker. By carefully constructing a USB control request, an attacker can leverage this vulnerability to copy the contents of an attacker-controlled buffer over the active execution stack, gaining control of the Boot and Power Management processor (BPMP) before any lock-outs or privilege reductions occur. This execution can then be used to exfiltrate secrets and to load arbitrary code onto the main CPU Complex (CCPLEX) "application processors" at the highest possible level of privilege (typically as the TrustZone Secure Monitor at PL3/EL3).
| Unknown (Tegra186 and Tegra214)
| HAC-001 (Tegra210)
| January 2018
| April 23, 2018
| [[User:Shuffle2|shuffle2]] and fail0verflow (originally),<br> [[User:Ktemkin|ktemkin]] and ReSwitched Team (independently),<br> [[User:Naehrwert|naehrwert]] (independently),<br> [[User:Hexkyz|hexkyz]] (independently),<br> st4rk with [[User:Shinyquagsire23|Shiny Quagsire]] and Dazzozo (independently),<br> and many others (independently).
|-
|-
| GMMU DMA attack
| GMMU DMA attack
[5.0.0+] Works around this hardware flaw by using memory pool partitioning. You can no longer escalate into sysmodules with GPU DMA because all their memory is allocated using heap that's carved out.
[5.0.0+] Works around this hardware flaw by using memory pool partitioning. You can no longer escalate into sysmodules with GPU DMA because all their memory is allocated using heap that's carved out.
| None
| None
| HAC-001
| HAC-001 (Tegra210)
| Summer 2017
| Summer 2017
| December 28, 2017
| December 28, 2017
This also bypasses the SBK protection of the bootROM: indeed, at warmboot, bootROM will always clear keyslot 0xE to prevent malicious code from saving the SBK. Moving the SBK to another keyslot in the saved context renders this protection moot.
This also bypasses the SBK protection of the bootROM: indeed, at warmboot, bootROM will always clear keyslot 0xE to prevent malicious code from saving the SBK. Moving the SBK to another keyslot in the saved context renders this protection moot.
| None
| None
| HAC-001
| HAC-001 (Tegra210)
| December 2017
| December 2017
| January 20, 2018
| January 20, 2018
However, the Security Engine flushes writes to the internal key tables immediately when AES_KEYTABLE_DATA is written -- this allows one to overwrite a single dword of a key at a time, and thus brute force the contents of keyslots in time (2^32 * 8) = 2^35 instead of 2^256.
However, the Security Engine flushes writes to the internal key tables immediately when AES_KEYTABLE_DATA is written -- this allows one to overwrite a single dword of a key at a time, and thus brute force the contents of keyslots in time (2^32 * 8) = 2^35 instead of 2^256.
| None
| None
| HAC-001
| HAC-001 (Tegra210)
| Theorized Summer 2017 due to suggestive syntax, confirmed April 9, 2018
| Theorized Summer 2017 due to suggestive syntax, confirmed April 9, 2018
| April 9, 2018
| April 9, 2018
|}
|}
== System software ==
== Software ==
=== Bootloader ===
Flaws in this category pertain to any bootloader component such as the [[Package1#Package1ldr|package1ldr]], the [[Package1#Section_1|NX bootloader]] or the [[Package1#Section_0|warmboot binary]].
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
=== TrustZone ===
=== TrustZone ===
Flaws in this category pertain exclusively to the [[Package1#Section_2|Secure Monitor]].
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
=== Kernel ===
=== Kernel ===
Flaws in this category pertain exclusively to the [[Package2#Section_0|HorizonOS Kernel]].
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
=== FIRM-package System Modules ===
=== FIRM-package System Modules ===
Flaws in this category pertain to any of the [[Package2#Section_1|built-in system modules]].
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
| December 30, 2017
| December 30, 2017
| Everyone
| Everyone
|-
|-
| nspwn
| nspwn
=== System Modules ===
=== System Modules ===
Flaws in this category pertain to any non-built-in system module.
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
| April 2017
| April 2017
| On exploit's fix in [[3.0.0]]
| On exploit's fix in [[3.0.0]]
| [[User:qlutoo|qlutoo]], Reswitched team (independently)
| [[User:qlutoo|qlutoo]], ReSwitched Team (independently)
|-
|-
| Unchecked domain ID in common IPC code
| Unchecked domain ID in common IPC code