Throughout 2017 hackers had been reporting partial vulnerabilities in the firmware but had no joy at completely knocking it over.
Now, according to Ars Technica, hackers have discovered a WebKit flaw that allows basic "user level" access to some portions of the underlying system, and a service-level initialisation flaw that gives them slightly more control over the Switch OS. Last month at the 34th Chaos Communication Congress (34C3) in Leipzig, Germany, hackers Plutoo, Derrek, and Naehrwert outlined an intricate method for gaining kernel-level access and nearly full control of the Switch hardware.
They used the basic exploits discussed above as a wedge to dig into how the Switch works at the most basic level. They also managed to sniff data coming through the Switch's memory bus to figure out the timing of an important security check. Finally, they soldered an FPGA onto the Switch's ARM chip and bit-banged their way to decoding the secret key that unlocks all of the Switch's encrypted system binaries.
Oddly, though, the hackers' efforts received an unexpected hand from chipmaker Nvidia. The "custom chip" inside the Switch is apparently so similar to an off-the-shelf Nvidia Tegra X1 that a $700 Jetson TX1 development kit gave the hackers significant insight into the Switch's innards.
More than that, amid the thousands of pages of Nvidia's public documentation for the X1 is a section on how to "bypass the SMMU" (the System Memory Management Unit), which gave the hackers a viable method to copy and write a modified kernel to the Switch's system RAM. As Plutoo put it in the talk, "Nvidia backdoored themselves".