| Nereba | |
|---|---|
| General | |
| Author | pixel-stuck |
| Type | Exploits |
| Version | 0.1 |
| License | GPL-2.0 |
| Last Updated | 2019/04/19 |
| Links | |
| Download | |
| Website | |
| Source | |
Nereba is a warmboot bootrom exploit for the Nintendo Switch.
- The exploit is not a Horizon OS vulnerability but a vulnerability in the bootrom of the Tegra X1, the Switch's SoC. It therefore cannot be patched in a system update.
- The name "nereba" is a conditional form of the Japanese verb neru, "to sleep", meaning roughly "if I sleep, then…".
- The exploit targets the bootrom's handling of the Switch's sleep mode. On a coldboot (power-on reset) the bootrom verifies certain RAM parameters before using them; on warmboot (resuming from sleep) it assumes those parameters are still the ones it verified and uses them again without checking, even though they can have been modified in the meantime.
- The unverified parameters give an arbitrary write primitive, which can be used to take control of the bootrom through its built-in ipatch (bootrom patching) system.
- Exploitation on firmware 1.0.0 is simple because the region where the RAM parameters are stored is easily reachable with the nspwn exploit.
- On firmware versions higher than 1.0.0, reaching that region requires more complex exploits.
- The initial release of this exploit therefore only works on Switch firmware version 1.0.0.
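The bug class described above, a resume path that reuses state the cold path validated without re-checking it, is easy to reproduce in miniature. The C model below is an added illustration, not code from Nereba, the Tegra X1 bootrom, or the page's author; the memory layout, the parameter format, the allowed register window and the simulated ipatch table are all assumptions chosen to make the pattern visible.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model only: nothing here matches real Tegra X1 layout or code. */

#define IRAM_WORDS   64                 /* simulated bootrom-owned SRAM, in 32-bit words */
#define IPATCH_SLOTS 8                  /* simulated ipatch table placed right after it */
#define IPATCH_BASE  IRAM_WORDS         /* word offset of the first patch slot */
#define MEM_WORDS    (IRAM_WORDS + IPATCH_SLOTS)

#define RAM_CFG_SIZE 16                 /* RAM bring-up may only touch words [0, RAM_CFG_SIZE) */
#define MAX_WRITES   4

/* RAM bring-up parameters: a list of (word offset, value) register writes. */
typedef struct { uint32_t offset; uint32_t value; } reg_write_t;
typedef struct { size_t count; reg_write_t writes[MAX_WRITES]; } ram_params_t;

typedef struct { uint32_t mem[MEM_WORDS]; } soc_state_t;  /* iram, then ipatch */

/* The check the cold path performs before trusting the parameters. */
static bool params_valid(const ram_params_t *p)
{
    if (p->count > MAX_WRITES)
        return false;
    for (size_t i = 0; i < p->count; i++)
        if (p->writes[i].offset >= RAM_CFG_SIZE)
            return false;
    return true;
}

/* Applies the writes. The only guard is the simulation's hard memory bound,
 * so any word of IRAM or of the patch table is reachable from here. */
static void apply_params(soc_state_t *s, const ram_params_t *p)
{
    for (size_t i = 0; i < p->count; i++)
        if (p->writes[i].offset < MEM_WORDS)
            s->mem[p->writes[i].offset] = p->writes[i].value;
}

/* Coldboot: parameters come from a verified image and are validated first. */
int coldboot(soc_state_t *s, const ram_params_t *p)
{
    if (!params_valid(p))
        return -1;
    apply_params(s, p);
    return 0;
}

/* Vulnerable warmboot: parameters now come from scratch storage the OS can
 * write, but are reused unchecked on the assumption that they are the ones
 * validated at coldboot. */
int warmboot_vulnerable(soc_state_t *s, const ram_params_t *scratch)
{
    apply_params(s, scratch);
    return 0;
}

/* Fixed warmboot: re-run the same validation the cold path uses. */
int warmboot_fixed(soc_state_t *s, const ram_params_t *scratch)
{
    if (!params_valid(scratch))
        return -1;
    apply_params(s, scratch);
    return 0;
}

typedef int (*boot_path_t)(soc_state_t *, const ram_params_t *);
typedef struct { int rc; bool ipatch_tampered; } boot_result_t;

/* Runs one boot path on a fresh SoC model with a single constructed parameter
 * write and reports whether any patch-table word changed. */
boot_result_t boot_with_write(boot_path_t path, uint32_t offset, uint32_t value)
{
    soc_state_t s;
    ram_params_t p;
    boot_result_t r;

    memset(&s, 0, sizeof s);
    memset(&p, 0, sizeof p);
    p.count = 1;
    p.writes[0].offset = offset;
    p.writes[0].value = value;

    r.rc = path(&s, &p);
    r.ipatch_tampered = false;
    for (size_t i = 0; i < IPATCH_SLOTS; i++)
        if (s.mem[IPATCH_BASE + i] != 0)
            r.ipatch_tampered = true;
    return r;
}

int main(void)
{
    /* A legitimate RAM config write, and a constructed write aimed at ipatch slot 2. */
    boot_result_t ok  = boot_with_write(coldboot, 3, 0x11);
    boot_result_t bad = boot_with_write(warmboot_vulnerable, IPATCH_BASE + 2, 0xdeadbeefu);
    boot_result_t fix = boot_with_write(warmboot_fixed, IPATCH_BASE + 2, 0xdeadbeefu);
    return (ok.rc == 0 && bad.ipatch_tampered && fix.rc == -1 && !fix.ipatch_tampered) ? 0 : 1;
}
```

The point of the model is that `params_valid` is correct and `apply_params` is unchanged between the two warmboot variants; the only difference is whether the resume path re-applies the check the cold path already passed. Any state that survives sleep in storage the OS can reach must be re-verified on resume, not trusted because it was verified once.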
How To Run
To use this release:
- Extract the zip onto the SD card.
- Put a payload of your choice in the nereba folder and name it "nereba.bin".
- Connect the console to pegaswitch and run `nspwn @Sdcard:/nereba.nsp`.
- Press the Home button and launch the album applet.
Changelog
v0.1
- This release works only on Switch firmware version 1.0.0. Support for versions 2.0.0 through 3.0.0 is planned.