34C3: Hacking the Nintendo Switch

There’s a natural order to the world of game console hacking: every time a manufacturer releases a new game console they work in security measures that prevent the end user from running anything but commercially released games, and in turn every hacker worth his or her salt tries to break through. The end goal, despite what the manufacturers may have you believe, is not to run “bootleg” games, but rather to enable what is colloquially referred to as “homebrew”. That is to say, enabling the novel concept of actually running software of your choice on the hardware you paid for.

At 34C3, noted console hackers [Plutoo], [Derrek], and [Naehrwert] demonstrated unsigned code running on Nintendo’s latest and greatest, and while they are keeping the actual exploit to themselves for now, they’ve promised that a platform for launching homebrew is coming shortly for those who are on firmware version 3.0.0. From the sound of it, after 9 months on the market, Switch owners will finally have complete access to the hardware they purchased.

The key to running the team’s own code was through a WebKit exploit that was already months old by the time the Switch was released. Loading up an arbitrary webpage was the tricky part, as the Switch generally uses its web browser for accessing official sources (like the online game store). But hidden away in the help menus of Tetris, the developers helpfully put a link to their website which the Switch will dutifully open if you select it. From there it’s just a matter of network redirection to get the Switch loading a webpage from your computer rather than the Internet.

It’s easier to ask for forgiveness than permission.

But as the more security-minded of our readers may have guessed already, that just gets you into the browser’s sandbox. The team now had to figure out a way to break out and get full control of the hardware. Through a series of clever hacks the team was able to learn more about the Switch’s internal layout and operating system, slowly working their way up the ladder.

A particularly interesting hack was used to get around a part of the Switch’s OS that is designed to check which services a piece of code is allowed to access. It turns out that if code doesn’t provide this function with its own process ID (PID), the check falls back to PID 0 because the variable is never initialized, and PID 0 is treated as fully privileged. In other words, if you don’t ask the operating system which functions you have access to, you get access to them all: the check fails open instead of closed. This is a classic programming mistake, and a developer at Nintendo HQ is likely getting a very stern talking to right about now.
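To make the failure mode above concrete, here is an added illustration in C of the same class of bug and its fail-closed fix. It is a constructed toy model, not code from the Switch or from the presenters: the `PID_SYSTEM` constant, the ACL table and the service names (`input`, `storage-user`, `storage-admin`) are assumptions chosen only so that an omitted PID reads as the privileged process, exactly as the article describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of a service-access check. Nothing here is the
 * Switch's real code: PID_SYSTEM, the ACL table and the service names are
 * placeholders picked to reproduce the failure mode described in the text. */

#define PID_SYSTEM 0u   /* the privileged process in this model */

typedef struct {
    uint64_t pid;      /* caller's process ID, if one was sent */
    bool     has_pid;  /* set only when the caller actually supplied a PID */
} access_request_t;

typedef struct {
    uint64_t    pid;
    const char *service;   /* "*" means every service */
} acl_entry_t;

static const acl_entry_t ACL[] = {
    { PID_SYSTEM, "*"            },   /* system process may reach everything */
    { 42,         "input"        },   /* a sandboxed application */
    { 42,         "storage-user" },
};

static bool acl_allows(uint64_t pid, const char *service)
{
    for (size_t i = 0; i < sizeof ACL / sizeof ACL[0]; i++) {
        if (ACL[i].pid != pid)
            continue;
        if (strcmp(ACL[i].service, "*") == 0 || strcmp(ACL[i].service, service) == 0)
            return true;
    }
    return false;
}

/* Receiver side: the request buffer starts out zeroed and the PID field is
 * written only if the caller sent one. This stands in for the uninitialised
 * variable in the text: an absent PID silently reads as PID 0. */
static access_request_t receive_request(bool caller_sent_pid, uint64_t pid)
{
    access_request_t req;
    memset(&req, 0, sizeof req);
    if (caller_sent_pid) {
        req.pid = pid;
        req.has_pid = true;
    }
    return req;
}

/* Vulnerable check: trusts whatever happens to be in the PID field. */
bool allowed_vulnerable(bool caller_sent_pid, uint64_t pid, const char *service)
{
    access_request_t req = receive_request(caller_sent_pid, pid);
    return acl_allows(req.pid, service);
}

/* Hardened check: fails closed when no PID was supplied, so a zeroed field
 * can never select the privileged ACL entry. */
bool allowed_hardened(bool caller_sent_pid, uint64_t pid, const char *service)
{
    access_request_t req = receive_request(caller_sent_pid, pid);
    if (!req.has_pid)
        return false;
    return acl_allows(req.pid, service);
}

int main(void)
{
    const char *svc = "storage-admin";   /* a service PID 42 is not granted */
    printf("omitted PID, vulnerable:  %s\n", allowed_vulnerable(false, 0, svc) ? "ALLOWED" : "denied");
    printf("omitted PID, hardened:    %s\n", allowed_hardened(false, 0, svc) ? "ALLOWED" : "denied");
    printf("PID 42 -> input, hardened: %s\n", allowed_hardened(true, 42, "input") ? "allowed" : "DENIED");
    return 0;
}
```

The hardened variant closes the hole by refusing any request that did not carry a PID. A second, independent line of defence is to never let an all-zero value be the privileged identity at all, so that a zeroed or uninitialised buffer cannot decode to it; the toy model keeps PID 0 as privileged only to mirror the bug as the article describes it.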

But not everything was so easy. When trying to get access to the boot loader, the team sniffed the eMMC bus and timed the commands to determine when it was checking the encryption keys. They were then able to assemble a “glitcher” which fiddled with the CPU’s power using FPGA-controlled MOSFETs during this critical window in an attempt to confuse the system.

The rabbit hole is pretty deep on this one, so we’d recommend you set aside an hour to watch the entire presentation to see the long road it took to go from a browser bug to running their first complete demo. It’s as much a testament to the skill of [Plutoo], [Derrek], and [Naehrwert] as it is to the lengths to which Nintendo went to keep people out.

We’ve seen other attempts at reverse engineering Nintendo’s hardware, but by the looks of it, the Switch has put up a much harder fight than previous console generations. Makes you wonder what tricks Nintendo will have up their sleeves for the next generation.

37 thoughts on “34C3: Hacking the Nintendo Switch”

      1. Thanks for totally missing the point. The people who find ways to bypass console security tend to be techies, doing it for the challenge, kudos and being able to add it to their resume/CV.

        The main use of hacked consoles is for piracy, not to run homebrew.

        1. I wouldn’t say it is missing the point. There is a huge difference between directly performing an act of piracy, and performing an act that indirectly enables piracy.

          While there is no doubt there are people out there just as smart as these guys who do specifically break a console’s security for the purpose of performing piracy, these guys (and historically most often the first people on the scene to do this) are doing it specifically to use homebrew. This distinction is important.

          The fact that other people may re-purpose ideas, knowledge, tools, and even software created by homebrew enthusiasts for other purposes such as piracy doesn’t make them responsible for said piracy.
          These guys are no more responsible for piracy than Nintendo is responsible for piracy by selling the console in the first place, which is only one additional step removed, but without such an act being performed by Nintendo then piracy would also not be possible.

          The responsibility for piracy falls squarely on the shoulders of those who pirate and no one else.

          1. I’m a bit confused, I worked as a freelance optimizer for independent developers on Nintendo platforms for a while. The problem was never the licensing, it was the devkit. However, the kits were priced pretty reasonably and were available on payment plans.

            Even if an independent developer couldn’t afford a devkit, typically someone who did have one was willing to test code for them. All in all, the WiiU and 3DS cycle weren’t too cost prohibitive. Granted, I don’t know what the Switch environment is like since I haven’t been doing that work for the last year or so. Have things changed?

          2. As you can’t just throw a binary file up on your website or hand it to your mates on a USB stick (perhaps belonging to the mate in question) … publishing a game in a form that is immediately playable is always going to be non-zero. Likely significantly so.

            This is reflected in the costs involved in buying one of these dev kits.

    1. If you seriously think these obviously very skilled engineers spent hundreds (thousands?) of their valuable man-hours just to find a way to save $60 bucks on a copy of Zelda, I don’t know what to tell you.

      Maybe instead of claiming others are naive about the goals of the homebrew scene, you should consider if you’re not laboring under a guilty conscience about this kind of thing.

    2. You are 100% correct. I’ve worked in the games industry for over 25 years; software piracy is killing the smaller developers.

      Although the people doing the hacking are probably doing it for their own fun, the end result is a tool to allow games to be pirated and uploaded to a never-ending list of websites. It’s why the mobile market moved to advertising and in-application purchases. What effect it has on sales I don’t know; I guess that most who steal games would not be buying them anyway.

      1. Piracy’s been killing the games industry since the early 1980s, the beginning of the games industry. The way it’s going, Sony will be down to their last hundred billion in a year or two.

    3. I can assure you that the last thing they want to do is enable piracy. First off, they tell you at the end of the presentation to update to 3.0.0 in spite of all the good stuff, i.e. the kernel and TrustZone exploits, being 1.0.0 only. Plus the fact they have no plans to release it.

  1. I’m excited. Hacks like this are essential for the long-term usability of the console. I like owning physical games, but digital download is more convenient than carrying cartridges for mobile consoles. Best of both worlds now. The emulators available now might even convince one of my friends to buy a Switch.

    On top of that, the Nintendo homebrew scene is phenomenal. I’m hoping somebody will make a chat app that runs side-by-side with games and combines the audio. I’m looking at YOU, Splatoon 2

  2. This may well help them get a job, if they don’t have one already. The devotion, creativity, and understanding required to pull something like this off is impressive. All this hack does is allow for arbitrary code execution, freeing up the device for other unconventional uses that expand the capability of the device. A side intent of such a project is to also prevent Nintendo from carrying out such Orwellian actions as remotely bricking the devices of dissidents.

    But then again, I’m just feeding trolls.

    1. Mother Of Fail Safe Eradication Technologies?
      You know the massively awesome technologies that eradicate fail safe mechanisms…
      LOLOLOLOL,

      It is good that the console scene doesn’t get much of a mention on HackAday. I’ve seen the sites and people are split three ways*.
      You’ve got those who want to steal everything… like they’ve got a theft fetish of some kind,
      then those who moan about how doomed to piracy all the economies are gonna be, and then
      there are those who want their stuff to just be theirs: both physically and mentally (mentally as in both software and grey matter).

      It is like these idiots are just saying:
      “Someone has just enabled piracy on some android phone because they’ve rooted it… THEY’VE ROOTED IT!!!! NOOOOOO!!!!”

      The thing is, the choice is given to the rest of the world:
      play the legitimate games with a wide community, or be a pathetic loner stuck on pirated multi-player games no one is playing anymore (hence why you can only do the 5-minute story-lines).
      A thief will be a thief, an SJW will be an SJW, and then those who have their fun learning and trying will be those who will truly know.

      * OK, I admit, there is a 4th kind of person… that completely out-of-place person who writes comments like I’ve just done.

    1. Traditionally it’s been to try and slow down the manufacturer from fixing the issue and pushing out a firmware update before the community gets a chance to actually use it.

      That said, seems like at least the PID issue has already been fixed in firmware past 3.0.0, so some of this Nintendo was already aware of.

  3. It’s being done because it can be done. Whether it’s for piracy or homebrew is irrelevant. Complaining or worrying about it does nothing but take seconds off of your lifespan. You all preach like someone’s watching or out to get you. Years later, when the Switch fades into console history, you’ll be glad there’s an easy and convenient way to preserve video game history and that you have the freedom to do other things with the hardware not originally intended, or modify the games to your liking and extend its playability.

    1. Anyone care to guess what happens after the DVDs are worn or destroyed by UV and there is no distribution for the title?

      That’s right.. you either crack AAA game DRM or console firmware or your investment vanishes like dust in the wind..
