Hacking: plutoo got a talk at 34c3's console hacking/security section!

V-Temp

Well-Known Member
Member
Joined
Jul 20, 2017
Messages
1,227
Trophies
0
Age
34
XP
1,342
Country
United States
I think that there is no reason in buying Japanese Puyo Puyo, right? It was only an example...

PPT (JPN) is only an example, used because, as it happens, it is how you also got access to the 1.0.0 browser, which was otherwise not 'active'. On higher firmwares it is unnecessary; we all have easy access to the browser.

--------------------- MERGED ---------------------------

"I don't believe in fate, but [...]" - Plutoo as he found an out-of-bounds read in the pl microservice.

The entire hack (as I see it) is currently based on the sm service to escalate to kernel... In case they don't find a practical way to escalate from a universal usermode applet (preferably WebKit), we are stuck at 3.0.0.

This was likely what was reported in the 3.0.0 HackerOne submission that brought on the complete key revoke in 3.0.1, since the issues go well beyond ROhan's weird access conditional with the Miis, but all of it ties into a strange escalation of permissions to gain control of sm and then the kernel.
 
D

Deleted User

Guest
Plutoo also said that it's not important which game launches the applet; more important is knowing that they can inject code inside the warm boot and bypass ASLR.
 

ken28

Well-Known Member
Member
Joined
Oct 21, 2010
Messages
1,181
Trophies
1
XP
1,693
Country
Germany
"I don't believe in fate, but [...]" - Plutoo as he found an out-of-bounds read in the pl microservice.

The entire hack (as I see it) is currently based on the sm service to escalate to kernel... In case they don't find a practical way to escalate from a universal usermode applet (preferably WebKit), we are stuck at 3.0.0.
As of now yes, but it seems like they have at least one other broken service.
It went like this:
Guest asks what changed in 3.0.1.
Plutoo talks about the pid = 0 thing being fixed and tries to think about something. Another hacker starts to mention something, at which point Plutoo interrupts and says that they can't say anything more than that at the moment.
 

Tempest228

Well-Known Member
Member
Joined
Jul 13, 2015
Messages
226
Trophies
0
XP
263
Country
United States
This was likely what was reported in the 3.0.0 HackerOne submission that brought on the complete key revoke in 3.0.1, since the issues go well beyond ROhan's weird access conditional with the Miis, but all of it ties into a strange escalation of permissions to gain control of sm and then the kernel.

Interesting. Would Plutoo just be doing a diff in order to see things such as VC code or the removal of flog in 4.0.0? Would the access in 3.0.0 be enough to cement them inside, past updates, to see code changes like that?
 

V-Temp

Well-Known Member
Member
Joined
Jul 20, 2017
Messages
1,227
Trophies
0
Age
34
XP
1,342
Country
United States
Interesting. Would Plutoo just be doing a diff in order to see things such as VC code or the removal of flog in 4.0.0? Would the access in 3.0.0 be enough to cement them inside, past updates, to see code changes like that?

He likely has a private exploit, or a way to dump and parse the update to monitor changes. Without being him, it'd be hard to answer, hah.

As of now yes, but it seems like they have at least one other broken service.
It went like this:
Guest asks what changed in 3.0.1.
Plutoo talks about the pid = 0 thing being fixed and tries to think about something. Another hacker starts to mention something, at which point Plutoo interrupts and says that they can't say anything more than that at the moment.

I think there is some issue with the general audio from questions and what they heard/understood. Poor speakers or something.
 

Resaec

Well-Known Member
Member
Joined
Dec 19, 2017
Messages
409
Trophies
0
XP
885
Country
Germany
He likely has a private exploit, or a way to dump and parse the update to monitor changes. Without being him, it'd be hard to answer, hah.
I hope he does not go online, or at least prevents dump/log upload, as this probably is a thing... Nintendo would be stupid not to implement this.
If I am not mistaken, they were saying there is no GPU acceleration yet?
No accel right now, right.
 
D

Deleted User

Guest
I hope he does not go online, or at least prevents dump/log upload, as this probably is a thing... Nintendo would be stupid not to implement this.

No accel right now, right.


Strange that they released an SNES and RetroArch emulator (maybe it's software based). Also, he was speaking about the Homebrew Channel?
 

SoslanVanWieren

Banned!
Banned
Joined
Feb 6, 2017
Messages
1,809
Trophies
0
XP
857
Country
Australia
Yes - everyone below 3.0.0 can use the web signing from the browser.
Everyone on 3.0.0 needs to use Puyo Puyo Tetris to start the applet, which is running in user-service mode and can elevate everything.
Dunno if you can use any version, but if every version uses the same way of opening the applet browser - gg.
Switches in stores now are over 3.0.0; they are going to have to move on at some point because 3.0.0 Switches are going to end up going for a lot of money.
 

Resaec

Well-Known Member
Member
Joined
Dec 19, 2017
Messages
409
Trophies
0
XP
885
Country
Germany
Switches in stores now are over 3.0.0; they are going to have to move on at some point because 3.0.0 Switches are going to end up going for a lot of money.
Sure, they will move on if there is an exploit that's usable. But my main fear is that there will be piracy way too quickly. This always discourages HB hackers from advancing (publicly).
 

SoslanVanWieren

Banned!
Banned
Joined
Feb 6, 2017
Messages
1,809
Trophies
0
XP
857
Country
Australia
Well, fuck those on 3.0.1 and above >:(
They will have to move on for 3.0.0; those systems are going to be expensive as hell once the exploit comes out and if you ge
If you wanted homebrew, why would you leave 3.0.0, where ROhan already enabled homebrew?
My Switch came with a newer firmware, and there's a no-return policy after opening the box; plus I wanted to play newer games anyway.
 

ken28

Well-Known Member
Member
Joined
Oct 21, 2010
Messages
1,181
Trophies
1
XP
1,693
Country
Germany
He likely has a private exploit, or a way to dump and parse the update to monitor changes. Without being him, it'd be hard to answer, hah.

I think there is some issue with the general audio from questions and what they heard/understood. Poor speakers or something.
Not in that instance. He repeated the question himself just fine.
 
