34C3: Hacking The Nintendo Switch

There’s a natural order to the world of game console hacking: every time a manufacturer releases a new game console they work in security measures that prevent the end user from running anything but commercially released games, and in turn every hacker worth his or her salt tries to break through. The end goal, despite what the manufacturers may have you believe, is not to run “bootleg” games, but rather to enable what is colloquially referred to as “homebrew”. That is to say, enabling the novel concept of actually running software of your choice on the hardware you paid for.

At 34C3, noted console hackers [Plutoo], [Derrek], and [Naehrwert] have demonstrated unsigned code running on Nintendo’s latest and greatest, and while they are keeping the actual exploit to themselves for now, they’ve promised that a platform for launching homebrew is coming shortly for those who are on firmware version 3.0.0. From the sound of it, after 9 months on the market, Switch owners will finally have complete access to the hardware they purchased.

The key to running the team’s own code was through a WebKit exploit that was already months old by the time the Switch was released. Loading up an arbitrary webpage was the tricky part, as the Switch generally uses its web browser for accessing official sources (like the online game store). But hidden away in the help menus of Tetris, the developers helpfully put a link to their website which the Switch will dutifully open if you select it. From there it’s just a matter of network redirection to get the Switch loading a webpage from your computer rather than the Internet.

It’s easier to ask for forgiveness than permission.

But as the more security-minded of our readers may have guessed already, that just gets you into the browser’s sandbox. The team now had to figure out a way to break out and get full control of the hardware. Through a series of clever hacks the team was able to learn more about the Switch’s internal layout and operating system, slowly working their way up the ladder.

A particularly interesting hack was used to get around a part of the Switch’s OS that is designed to check which services code is allowed to access. It turns out that if code doesn’t provide this function with its own process ID (PID), the system defaults to PID 0 because the variable is not initialized. In other words, if you don’t ask the operating system which functions you have access to, you will get access to them all. This is a classic programming mistake, and a developer at Nintendo HQ is likely getting a very stern talking to right about now.
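To make the uninitialized-PID mistake concrete, here is an added C model of such a service-access check. It is a constructed example, not the Switch’s or the team’s code; the PIDs, service names and Request layout are assumptions. A zero-filled request makes a missing PID look like the privileged PID 0, while the hardened check denies a missing identity and verifies the claimed PID against the one the kernel attached to the message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a service-manager access check. Not Nintendo's code;
 * it only illustrates the "missing PID silently becomes PID 0" bug class. */
typedef struct {
    uint64_t pid;                 /* process the rule applies to */
    const char *const *services;  /* NULL-terminated; "*" means everything */
} AccessRule;

static const char *const SYSTEM_SERVICES[] = { "*", NULL };
static const char *const APPLET_SERVICES[] = { "time:u", "fs:app", NULL };

/* Constructed allow-list: PID 0 is the all-powerful system entry, PID 42 a
 * sandboxed applet (think of the browser) with a short service list. */
static const AccessRule RULES[] = { { 0, SYSTEM_SERVICES }, { 42, APPLET_SERVICES } };
#define RULE_COUNT (sizeof RULES / sizeof RULES[0])

static bool lookup_allows(uint64_t pid, const char *service) {
    for (size_t i = 0; i < RULE_COUNT; i++) {
        if (RULES[i].pid != pid) continue;
        for (const char *const *s = RULES[i].services; *s; s++)
            if (strcmp(*s, "*") == 0 || strcmp(*s, service) == 0) return true;
        return false;
    }
    return false;                 /* no rule for this PID: no access */
}

/* IPC request as the caller builds it. The message buffer is zero-filled, so a
 * caller that never writes the pid field leaves it reading as 0. */
typedef struct { bool pid_present; uint64_t pid; } Request;

/* Vulnerable: uses the caller-supplied pid without checking that it was ever
 * supplied, so "no PID" is indistinguishable from "system PID 0". */
bool check_access_vulnerable(const Request *req, const char *service) {
    return lookup_allows(req->pid, service);
}

/* Hardened: a missing identity is denied, and the claimed PID must match the
 * sender PID the kernel attached to the message (the caller cannot choose it). */
bool check_access_hardened(const Request *req, uint64_t kernel_pid,
                           const char *service) {
    if (!req->pid_present) return false;       /* deny by default */
    if (req->pid != kernel_pid) return false;  /* impersonation attempt */
    return lookup_allows(kernel_pid, service);
}
```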

But not everything was so easy. When trying to get access to the boot loader, the team sniffed the eMMC bus and timed the commands to determine when it was checking the encryption keys. They were then able to assemble a “glitcher” which fiddled with the CPU’s power using FPGA-controlled MOSFETs during this critical window in an attempt to confuse the system.

The rabbit hole is pretty deep on this one, so we’d recommend you set aside an hour to watch the entire presentation to see the long road it took to go from a browser bug to running their first complete demo. It’s as much a testament to the skill of [Plutoo], [Derrek], and [Naehrwert] as it is to the lengths to which Nintendo went to keep people out.

We’ve seen other attempts at reverse engineering Nintendo’s hardware, but by the looks of it, the Switch has put up a much harder fight than previous console generations. Makes you wonder what tricks Nintendo will have up their sleeves for the next generation.


Reverse Engineering The Nintendo Switch Joy-Cons

The Switch is Nintendo’s latest effort in the console world. One of its unique features is the Joy-Cons, a pair of controllers that can either attach directly to the console’s screen or be removed and used individually. But how do they work? [dekuNukem] decided to find out.

The reverse engineering efforts begin with disassembly. Surprisingly, there is no silkscreen present on the board to highlight test points or part numbers. This is likely intended to stymie community efforts to work with the hardware, as different teams may create their own designations for components. Conversely, the chips inside still have their identifying markings present, which does ease identification somewhat.

There are some interesting choices made – the majority of the buttons are scanned in a matrix configuration by the on-board microcontroller, making it harder to spoof button presses. The controllers communicate over Bluetooth, switching to a physical serial connection when attached directly to the screen. This runs at a blistering 3,125,000 BPS after the initial handshake is completed.

Overall it’s a fairly comprehensive reverse engineering effort, and [dekuNukem] has provided excellent detail in the writeup for anyone else looking to get involved. There’s still some work left to do, like investigating the rumble messages, but it’s an excellent start and very comprehensive.

Perhaps you’re more interested in older Nintendo hardware? Check out this comprehensive effort to figure out NES console-to-cartridge security methods.

Teensy Script Plays Nintendo Switch, Strikes Out

The most recent of the Zelda franchise, Breath of the Wild, is known for its many, many puzzles. One of the more frustrating ones involved bowling with a giant snowball at the top of a hillside. [Bertrand] did not like this, so he hacked the Nintendo Switch so that he “genuinely earned” a strike every time he played. He achieved this by writing a script for a Teensy module that got him those sweet rupees.

The Teensy houses an Atmel 90USB1286 microcontroller. When paired with LUFA software, it can emulate numerous controllers including keyboards, joysticks, etc. It also handily has a Mini-B USB connector located on its rear, allowing it to communicate with the Switch with ease. After confirming the hardware was compatible, [Bertrand] looked towards the software side, noticing the similarity between what already existed and what he was attempting to accomplish. He happened upon this in a Splatoon 2 fork that allows players to draw posts.

In essence, it takes image files as input and emulates the controls and buttons to draw a 1-bit version of the image automatically. This takes care of syncing the hardware as well as how to simulate the button presses. But instead of reading an image file, it needed to take a custom script as the input. This required starting from scratch. The first logical step — of course — was to create a language similar to Logo, a name that surely brings back memories of the time of big hair and shoulder pads. He only needed a handful of simple commands to control Link:

typedef enum {
	UP,
	DOWN,
	LEFT,
	RIGHT,
	X,
	Y,
	A,
	B,
	L,
	R,
	THROW,
	NOTHING,
	TRIGGERS
} Buttons_t;


A Switched Game Boy Advance SP

After Nintendo’s wild success with the Wii U, Nintendo released its Nintendo Switch. The Switch functions primarily as a home console, sitting permanently connected to a display. However, Nintendo switched things up a bit: the Switch can be removed from its dock for standalone tablet-like use. But there’s a slight problem: when the Switch is in portable mode, it leaves behind a bleak and black box. What’s one to do? Worry not: [Alexander Blake] is here to save the day with a Game Boy Advance SP and an X-Acto knife.

After casually noting that the main control board of the Switch was roughly Game Boy Advance SP sized, [Alexander Blake], aka [cptnalex], knew it was meant to be. After retrieving his broken Game Boy Advance SP from his closet, [cptnalex] set to work turning his Game Boy into a Nintendo Switch dock. When he was done, the results were stunning, especially considering the fact that this is his first console mod. Moreover, the very fact that he did it all with an X-Acto knife rather than a Dremel is astounding.

With the screen providing support to the Switch, [cptnalex’s] design leaves some to be desired for long term use. But we know for sure that [cptnalex’s] design does, in fact, work. In response to the naysayers of the internet™, [cptnalex] filmed a video of his dock in use (embedded after the break). But what the design lacks in structural stability, it more than makes up for in aesthetics. On the device itself, [cptnalex’s] history with controller painting shines through.

If you want to see more of [cptnalex’s] work, you can follow him on Instagram. For more console mods that will take your breath away, look no farther than [Bungle’s] vacuum formed portable N64.
