Browserhax exploit for ipatched Switch hardware will be out later this week


While prospects for homebrew on newer Nintendo Switch hardware, the "ipatched" units, have been fairly bleak, it appears that a new exploit will be here soon. Mike Heskin (hexkyz) has confirmed that a method for users on current Switch hardware is set to be released later this week. Browserhax + nvhax will allow ipatched systems on firmware below 6.2.0 to access userland and run homebrew. This is far more limited than what can be done on unpatched units, but it marks the first breakthrough for the newer hardware. Projects that run from userland can be found in GBAtemp's emulation, homebrew, and software projects section, and this also means you'll be able to use homebrew made for the bounty.


 
Needs to be clear that this is only a USERLAND exploit. As in, you can only play around with the permissions userland apps (normal apps) get. This is not CFW.

So yes, you can play around with emulators and most stuff found on the homebrew appstore, but this does not allow mods, piracy, themes and other more advanced homebrew / patches to HOS.
Wasn't there a SXOS ROMENU .nro version? If yes, is it useful?

--------------------- MERGED ---------------------------

How can you use the browser on the Switch?
In very limited ways.
1) through a game (very unlikely);
2) through a custom DNS which connects to a server hosting the payload & exploit.

Edit: if you want, you can join my server, where I'm making a guide for exploiting in different ways.
 
Last edited by Dontwait00,
Just to provide a bit more context and hopefully clear some doubts:
- The déjà-vu exploit chain goes browserhax > nvhax > gmmuhax > nspwn > [undisclosed] > warmboothax;
- What is going to be released is a browser exploit for firmware versions 4.0.0 to 6.0.1 and the "nvhax" exploit which allows you to take over the nvservices' process and access the GPU MMU (which we used for gmmuhax).

I know it's not much yet, but this will grant those with ipatched units the ability to explore the system further and look for even more vulnerabilities on a higher privilege level.
For general users (with ipatched units), the benefits will depend on the firmware version you are on:
- 4.1.0: vulnerable to the entire déjà-vu chain so it can go up to nspwn right away (full userland takeover and therefore, homebrew);
- 5.0.0 to 5.1.0: nspwn was patched in this version, but workarounds are possible by abusing gmmuhax;
- 6.0.0 to 6.0.1: many changes made exploitation really hard to achieve, but there are still workarounds.

6.1.0 patched the browser exploit that will be released (others are already being worked on) and 6.2.0 patched "nvhax" (closing down the current exploit chain).
 
Will it require some sort of accessory, or nothing but the Switch and the software that will be released soon?

--------------------- MERGED ---------------------------

If I'm already at 6.2, I can't do this exploit?
 
It will require nothing, and correct, you can't do it on 6.2 (hence <6.2 instead of <=6.2).
 
Browsers are very complex pieces of software with the ability to run arbitrary scripts. The Vita and PS4 had(/have?) browser-based hacks too. Barring the RCM thing, which is more of an overlooked feature on Nvidia's side than an actual bug, the Switch is a lot more secure than past Nintendo consoles, so yes, they do learn.
Erm, RCM itself is an intended feature. It's definitely a bug's fault that we can run arbitrary code with it.
 
I think that's what they were referring to. Not the ability to enter RCM, but the fact that we can run code through it.
 
So could this be used with "lockpick" to dump keys? Probably not, but if we manage to get kernel access through browserhax it could be possible (maybe). What might also be possible: for anybody willing to do a hardmod NAND backup with an ipatched Switch and decrypt it using these keys, I think it might be possible to inject NSPs into the NAND backup, or something like an NSP forwarder to the hbmenu. This is just a guess, I don't know if this would actually be true or not.
 
