SwitchBrew: Nintendo Switch (almost) cracked

I was watching Chaos Communication Congress (34C3) this night and I saw that the team called ‘SwitchBrew’ bypassed the security mechanism on Nintendo’s latest console – aka Switch. Switch + Homebrew = SwitchBrew.

Official CCC 34C3 Logo

Attacks on the save games or bypassing the console physically isn’t possible, so what the team did here is do gain more trust with each new security zone. Nintendo’s ‘Trust Zone’ includes the save keys and usually prevent every possible attack since it isolates every user level. So what the SwitchBrew team basically did was that they abused some space in the kernel-address field which allowed to execute some code in Nvidia’s System Memory Management Unit (SMMU).

It was possible to manipulate the kernel via power glitching to allow several external keys. The last step was a timing attack which allowed to get a binary key from the eMMC. The entire work wasn’t easy and took months to complete, the team in the meantime released their code on GitHub.

Same like on the Playstation 4 it could give other people and groups now the chance to work based on these leaks a new jailbreak out to – but I wouldn’t expect this very soon. Modern games like Mario Odyssey were unable to start because the current firmware already blocked several attacks.

However it’s a promising start and I think we will see something next year and the interesting in cracking the Playstation 4 and the Nintendo Switch is huge.