Nintendo Switch nvservices Info Leak
In this post I’m going to discuss a Nintendo Switch bug I submitted to the Nintendo bug bounty program a few months ago, which they fixed recently (in 6.0, I believe, though I haven’t tested this myself).
The Switch runs a custom OS called Horizon. It is a sleek, minimal microkernel, and because of that, most of the functionality a monolithic kernel would provide lives in userland services. Communication between services, or from an app/game to a service, goes over IPC: get a handle to a service (looked up by a name of at most 8 characters, e.g. ‘ssl’), then send it messages. Each message consists of some amount of data and some number of objects, which are typically kernel objects: transfer memory, shared memory, event handles, and so on. The details here aren’t important, with one exception: transfer memory.
Transfer memory is a...