Pegaswitch Setup
PegaSwitch
PegaSwitch is a developer-focused exploitation toolkit for the Switch developed by ReSwitched. It is compatible with firmware versions 1.0.0 - 3.0.0.
The toolkit uses a combination of vulnerabilities to take over the WebKit-based browser, giving the user a shell which can be used to read / write memory, call native functions, and otherwise explore the functionality of the Switch.
Note that the current homebrew exploit has the side-effect of corrupting your device’s Mii Database. While this effect is harmless, it will result in the loss of any user-created Miis.
What You Need
- A supported operating system
  - MacOS and most Linux distributions are supported
  - Windows is best supported using a Windows Subsystem for Linux distribution
- The git version control system
- The Node.JS JavaScript runtime (current release)
You will also need to install the base development tools package for your OS, as they are necessary to build some of the PegaSwitch dependencies:
- For ArchLinux:
sudo pacman -Syu base-devel
- For Ubuntu/Debian:
sudo apt-get install build-essential
Instructions
Section I - Network Configuration
PegaSwitch works by hosting a captive portal using DNS redirection.
For this to work, your device must be able to connect to your PC over the network.
- Ensure no other applications are bound to UDP port 53 or TCP ports 80 and 8100
  - WSL: look at the “Listening Ports” section of the “Network” tab in resmon.exe
  - Linux / MacOS: view the output of sudo netstat -tulpn
- Ensure your firewall does not block incoming connections to any of these ports
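The port check above can be scripted. The following is an added example, not part of PegaSwitch: it filters `netstat -tulpn` output for listeners on UDP 53, TCP 80 and TCP 8100. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of PegaSwitch): flag listeners that occupy the
# ports PegaSwitch needs (UDP 53, TCP 80, TCP 8100).
# Live use: sudo netstat -tulpn | pegaswitch_port_conflicts

pegaswitch_port_conflicts() {
    # stdin: `netstat -tulpn` output; stdout: "proto port pid/program"
    awk '
        $1 ~ /^(tcp|udp)/ {
            proto = substr($1, 1, 3)      # fold tcp6/udp6 into tcp/udp
            n = split($4, part, ":")      # Local Address, IPv4 or IPv6
            port = part[n] ""             # force string comparison
            if (proto == "tcp") {
                if ($6 != "LISTEN") next  # TCP rows have a State column
                owner = $7
            } else {
                owner = $6                # UDP rows have no State value
            }
            if ((proto == "udp" && port == "53") ||
                (proto == "tcp" && (port == "80" || port == "8100")))
                print proto, port, owner
        }'
}

# Constructed sample output, for illustration only.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 127.0.0.53:53    0.0.0.0:*        LISTEN  612/systemd-resolve
tcp        0      0 0.0.0.0:80       0.0.0.0:*        LISTEN  1034/apache2
tcp6       0      0 :::8100          :::*             LISTEN  2210/node
tcp6       0      0 :::22            :::*             LISTEN  800/sshd
udp        0      0 127.0.0.53:53    0.0.0.0:*                612/systemd-resolve
udp        0      0 0.0.0.0:68       0.0.0.0:*                701/dhclient
EOF
}

sample_netstat | pegaswitch_port_conflicts
```

Any line printed names a process that must be stopped or moved before running `sudo node start.js`; the TCP listener on port 53 in the sample is ignored because only UDP 53 is required.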
Section II - Running PegaSwitch
# clone the repository
git clone https://github.com/reswitched/pegaswitch
# install dependencies
cd pegaswitch
npm install
# start PegaSwitch
# Windows users: omit the 'sudo'
sudo node start.js
Section III - DNS Configuration
Note that these DNS servers will need to be set on each network you connect your device to for it to be able to trigger the exploit.
- Launch System Settings on your device
- Navigate to Internet -> Internet Settings
- Select your current network
- This is signified by a green check mark next to the network
- Select “Change Settings”
- Set “DNS Settings” to “Manual”
- Set “Primary DNS” and “Secondary DNS” to your PC’s IP address
- This will be displayed in PegaSwitch
- Save the network settings
- Return to Internet Settings
Section IV - Initial Connection
- Navigate to Internet -> Internet Settings
- Select your current network
- Select “Connect to this Network”
- If the DNS connection was successful, you will see the message “Registration is required to use this network.”
- Select “Next”
- The PegaSwitch webpage will load
- If the exploit was successful, you will now have a PegaSwitch shell connected to your console
Section V - Alternative Browser Applets (Optional)
There are actually multiple internet browsers on the Switch, and any of them can be used to trigger the browser exploit.
While we used the connection test browser applet to initially trigger the exploit, it may be more convenient in the future to use another browser applet.
Triggering the browser exploit using either of these methods will have the same effect as triggering the exploit through the Connection Test method we used before.
eShop Sign In Prompt
To use this method, create a second account on your device. Do not connect it to a Nintendo Account.
- Launch Nintendo eShop
- Select the second account
- Select “Sign In and link”
- The browser applet will launch
Game Update Prompt
To use this method, you must have at least one game on your home screen.
Note that, if you were not connected to the correct DNS servers, this method would update your device. It is dangerous!
- Press (+) with any game highlighted
- In the “Software Update” tab, select “Via the Internet”
- The browser applet will launch
git clone https://github.com/reswitched/pegaswitch
cd pegaswitch
# Install the pegaswitch dependencies
npm i
# Start pegaswitch
sudo node start.js
This will create a DNS and HTTP server on your computer that your Switch needs to connect to.
Troubleshooting:
- PegaSwitch requires use of UDP port 53 and TCP ports 80 and 8100 in order to run. If another application is using any of those ports, or they are blocked by your firewall, PegaSwitch will not work.
- My Switch forces me to update before starting the browser!
  To fix this, you need to restart your Switch in Recovery Mode/Maintenance Mode. Doing so will make your Switch forget there is an existing update. To reboot in this mode, power off your Switch completely (hold power for several seconds, then select “Power options” -> “Power off”). Then, hold the Volume Down/Volume Up buttons, and press power while keeping those buttons held. Once in Recovery Mode, just press power to restart your Switch, and try connecting to PegaSwitch again.
Things to expect:
- Once you exit PegaSwitch on your console, the console will probably crash. This is normal.
- You will also see an error when you reboot about your Mii database being corrupted. This is also normal. Yes, all of your Miis have been deleted too.
Enable Extra Error Info
This script will enable the displaying of extra error info when a fatal error is encountered. It may be useful for debugging purposes.
- Copy extraerrorinfo.js to the /usefulscripts/ folder in PegaSwitch
- Connect to your device using PegaSwitch
- Run evalfile usefulscripts/extraerrorinfo.js
Ace Loader
Ace Loader is the first “Homebrew” that you should launch on your Switch. It has three jobs:
- Clean up the browser and everything else so your Homebrew gets a clean environment to run in
- Set up stdio redirections to a TCP server, so you can get some debug output.
- Create a server on which you can push NROs to load, or run some simple commands.
To get Ace Loader, go to the libtransistor releases and download wk_ace.nro. Put it in the pegaswitch directory. In PegaSwitch, run runnro wk_ace.nro.
If you want to get stdout from a homebrew application, you should run the command nc -v -l -p 2991 in another terminal BEFORE loading ace.nro. When ace.nro first starts, it will attempt to connect to the PC running PegaSwitch on port 2991 in order to send all output via the network. Once ace.nro has finished loading, you will see your Switch’s IP address in the log.
To run other NROs afterward, you’ll need to connect to your Switch’s IP on port 2991. You can use the following command to run the helloworld example:
ncat --send-only switchip 2991 < build/tests/test_helloworld.nro
Troubleshooting:
- Command ncat / nc not found?
  Try installing nmap: sudo apt-get install nmap on Ubuntu/Debian, or sudo pacman -Syu nmap on ArchLinux.
- I’m not getting any output from the Switch when I run nc -v -l -p 2991?
  Make sure TCP port 2991 isn’t blocked on any firewalls. Stdout in this way is only supported if you load nro files through ace_loader.