The following is a write-up of how I initially achieved kernel code execution on the Nintendo Switch, very much inspired by hexkyz's write-ups. The work discussed was completed over the course of a single conversation between hthh and me during the evening of November 21st, 2017. A number of snippets from that conversation are attached as inline links, in the hope that they'll be interesting to readers.
I would recommend that one read hexkyz's recent write-up on how the Switch was broken into via GPU DMA attacks. It's a great read!
In particular, he describes:
Additionally, the kernel itself would start allocating memory outside of the carveout region