
PegaSwitch: Exploit Toolkit for Nintendo Switch - daeken
https://pegaswitch.com/
======
LiveOverflow
I'm really interested in some technical tidbits :)

Quickly looking over the code I think you use a slightly different way to
achieve the r/w than qwerty - you don't misalign a pointer, correct? Can you
give a short description how you do it?

I wondered how to not crash the Switch when done, and you seem to simply set
everything to 0 (`this.bufs[i] = 0;`) and that solves that issue. Could you say
a few words on why that is the case?

Any information yet you want to share about the execution environment? Is
there some kind of sandbox? Anything interesting you can already access, or
surprisingly not access?

Edit: One more question. Did you guys get to play any BotW yet? :D

I really love the overengineering of this toolkit <3

~~~
Operyl
There are around 30 or so people contributing ideas and what have you to the
project, or wherever we can. Those listed on the actual site are just people
who committed code to the repo. A lot of us play BotW though :p.

~~~
Retr0spectrum
Slightly random question, how did the group form? Have you been working
together on previous consoles?

~~~
daeken
Actually, this one grew totally organically. I used to do console hacking many
years ago, and decided I wanted to get back into it with the Switch. People
just started joining up, and bringing in trusted folks with them. A comment I
made on HN a month ago or so really accelerated this.

~~~
joshschreuder
Are you guys related to /r/switchhacks on Reddit? I see it's private but I
still check every day or two hoping there'll be a big announcement :)

~~~
daeken
IIRC, there are several folks from /r/switchhacks around our server. I imagine
the subreddit will get big once someone drops an end-user exploit.

------
daeken
Several of the developers of PegaSwitch are watching this thread. If you have
any questions, shoot!

~~~
grawlinson
That was amazingly quick. The Switch hasn't been out that long. Kudos!

I understand that console hackers are notoriously secretive, but what are your
plan(s) in the short and long term? Fostering the eventual homebrew community?
Improving upon the OS? etc.

~~~
daeken
It's insane how much progress we made in a short time. I got the core of the
exploit working within 36 hours of release, and then everyone's been working
super hard to make it useful and awesome. I couldn't be more proud of this
team!

In terms of our plans, it's pretty simple: learn more about the system,
escalate privileges where we can, and eventually be able to run our own code.

Personally, I really want Linux running. With the things we know now, we'll
almost certainly have Linux as soon as the kernel is under our control.

~~~
crooked-v
It would be an amazing hardware platform to get some classic PC games running
on (with aid of DOSBox, etc). Commander Keen and the original Doom both come
to mind.

~~~
daeken
I totally agree! The hardware is so close to Tegra dev boards that if/when we
break the Switch kernel, we'll likely have full-blown Linux (or Android) in no
time at all. I can't wait to be able to play SNES, PC, and more on this.

~~~
Razengan
While a custom OS and homebrew will be great and increase overall hardware
sales, I really hope the Switch doesn't develop a reputation for vulnerability
to piracy and turn away third-party game developers so soon.

~~~
daeken
I agree, very much. What I'm hoping for (and currently have no reason to think
otherwise) is that they're using TrustZone to handle all the DRM, which will
make piracy a huge, huge amount of work. It may also prevent us from totally
owning the console, but we'll see.

------
perardi
I've seen "it's the 3DS OS, but maybe rewritten" several times now.

I'm interested to learn more about this. Not for any practical use (well,
maybe hacked Pokémon), but just to understand the choice. I naively figured
this would be locked-down Android, but it's neat to see that it's FreeBSD +
something.

~~~
SciresM
Let me assure you, hacked Pokémon is an extremely practical use.

~~~
cookiecaper
This may be a joke, but it actually can be very useful. Save backups, sharing
cartridges/games among family members, etc.

My 6-year-old son accidentally threw away his event Munchlax in Pokemon Sun,
which led me down the path of installing a full custom firmware on my 3DS and
using PokeHex to restore the event card and get Munchlax back. He went from
depressed to ecstatic. Now we can both have saves on our Pokemon games and he
loves to show me how to get past gyms and other stuff. Great bonding
experience.

A little bit further down this path, it's been amazing to be able to play
classics like Super Mario Sunshine with real GameCube controllers and updated
4K textures via Dolphin. It looks like a brand new game, and again, my son
loves hearing about how I played through it 15 years ago on the original
GameCube. We just went on a short trip and we were able to play Super Smash
Brothers Brawl on my laptop during the flight.

These experiences really underscore the power and importance of hacking
communities. I'd love to see modifications to the legal structures to keep
emulation, hacking, and modding communities out of the legal grey area and
allow them to more fully flesh out their products. Their work is a _vastly_
understated boon to our cultural heritage, and it allows it to be enjoyed and
improved for generations. These people are heroes. The way we treat them is a
shame.

~~~
voltagex_
The emulation and homebrew scene is at a crossroads now. cemu [1] is on track
to earn 250k through Patreon (h/t byuu), which is a good way to get stomped on
by Nintendo legal.

Open source is critical for the success of projects like Dolphin, but what do
you think the emulator developers of the future are going to do when they see
the cash they can earn by being secretive?

[1]: cemu.info

~~~
cookiecaper
I just started playing with CEMU, very exciting piece of software.

I'm looking forward to a world where systems have workable emulators within
several months of release, not several years. That will only bring the legal
issues into more stark relief. So few of us realize that our intellectual
property regime is holding back a lot of major accessibility and practicality
improvements.

We need to fix it. Amazing projects like CEMU should not have to live in fear
that someone is going to squash them and cause a lot of real harm just to
protect someone else's bottom line.

~~~
Retr0spectrum
I think emulators are great, but I'm certainly not excited by for-profit(?)
proprietary emulators like CEMU.

------
synicalx
Really? Already? Is this for the purposes of alerting Nintendo to
vulnerabilities or is it just part of a quest to run "homebrew and definitely
not pirated ohh no not at all" games on the Switch?

~~~
daeken
The vulnerability used is a very well-known one in WebKit from last year.
Additionally, news articles about this vulnerability being present were
already out there, so we saw no harm in releasing this.

I can't speak for others, but I have no intention of enabling piracy in any
way; I just want Linux on it. Others will most likely abuse this for piracy at
some point, which I personally find sad, but I don't control others.

~~~
developer2
The mildly unfortunate part is that you disclose the details of the exploit
which only serves to allow Nintendo to patch it faster, without them having to
invest the time to reverse engineer it themselves. Odds are this method of
rooting won't survive the Switch's first patch release, and someone else will
have to find a new loophole. If you had kept the exploit private, we may have
gotten away with 2-3 patches' worth of time.

Whether the details are published by the developers of the exploit themselves
or by a 3rd party, it's frustrating to see the hubris of proving one's ability
to explain the exploit winning out over actually helping the users hold onto
the ability to root for as long as possible.

~~~
daeken
I think you may be misunderstanding this -- greatly. The details of the
exploit (that is, the part that Nintendo cares about -- the vulnerability)
have been public since May of last year. The fact that the Switch is
vulnerable to it (and it's being actively exploited by people) has been known
by the public for at least two days. We decided to release this once the
vulnerability was already going to be dead, not to accelerate its demise.

Additionally, this isn't a root, nor is it even close. This is the first
stepping stone to be used by researchers to get deeper into the Switch and
find new bugs. In no way will this impede the homebrew community; it will only
serve to empower it.