Pegaswitch is a tool for working in the domain of native code on the Nintendo Switch. It takes advantage of an exploit that utilizes WebKit's CVE-2016-4657 vulnerability.

This tool, and its exploit code, lives at https://github.com/reswitched/Pegaswitch.

We use an Array object as the stale one (garbage collected) and then write a large number of Uint32Array views (of a single ArrayBuffer object) to memory to try to get an overlap. From there, we can both traverse object values, read/write from pointers, and more.

• Node 7
• UDP 53 and TCP 80/81 open on your machine's firewall
• A Nintendo Switch running on system firmware 2.0.0 (the Day One update)

• Node: $ npm install

1. Use $ git clone [email protected]:reswitched/Pegaswitch.git to clone the repo
2. $ npm install to install dependencies
3. $ npm start to start the server
4. Set your current Switch connection's primary and secondary DNS servers to your computer's local IP
5. Use one of the following methods to trigger the captive portal browser:
   • Hover over a game, press + to open the game menu, then update “Via the Internet”
   • Go to the settings, internet settings, your connection, then “Connect to this Network”
   • Attempt to access the eShop, then select “Sign In and Link” or “Create Account”
     • Note that this will only work for Local Users who have not already linked to a Nintendo Account
     • Note that the eShop applet is slightly different to the Captive Portal applet (see browser)
6. The node shell should give you a command prompt
7. Type help in the shell to see available commands