For a few days now, the Nintendo Switch underground scene has been boiling. More precisely, since the 21st of last April. On that day, an anonymous group posted online a file named Tegra X1 Boot ROM on the text-sharing platform Pastebin. This event turned out to be the origin of an avalanche of releases and information from the three largest groups of hackers working on Nintendo's new console.
If you have not been able to follow what happened, or if you just want a summary of everything that has come out over almost two weeks, you are on the right page. This dossier will first go back to what triggered the whole affair, then go point by point through the many publications that followed, and finally review what is currently possible, the future of the Nintendo Switch hack and the way in which Nintendo could respond.
Happy reading! 🙂
If you notice an error, an omission or an inaccuracy, please do not hesitate to tell me in a comment!
October 2017: a piece of news that went almost unnoticed
On October 15, 2017, the hacker SciresM announced on Twitter that he had managed to make a dump (a "copy of the data") of the Tegra 210 Boot ROM with the help of Team ReSwitched.
Behind this somewhat barbaric name, Tegra X1 Boot ROM (or Tegra 210 Boot ROM), hides in fact the boot code of an all-in-one processor (also called a "system on a chip" or "SoC"), produced by NVIDIA and used in all current models of the Nintendo Switch.
The announcement did not make much noise, although it marked a new step in the Switch hack: with this data, hackers could do "reverse engineering" in order to find a vulnerability in the console's boot process. As a general rule, when such a vulnerability is discovered, it translates into the possibility of taking full control of the console, and therefore everything that follows from it: installing a Custom Firmware, launching homebrew (unsigned programs), etc.
But all this remained relatively in the shadows of the news, because a few days later the same Team ReSwitched announced the release of version 3.0.0 of its PegaSwitch toolbox for the console...
January to April 2018: promises galore
The day after New Year's Day and a few days after the Chaos Communication Congress (held at the end of 2017), on 2 January 2018, Team Xecuter revealed on its website that it held "the solution" for the Nintendo Switch and that it would share it soon, during spring 2018.
This famous "solution", whose exact form nobody knows, seems all the more attractive since it is claimed to be compatible with all versions of the console. In addition, despite the openly commercial nature of Team Xecuter, the group is already well established in the console hacking field and is therefore, a priori, above any suspicion of a fake. In short, all the elements were there to believe in a real upcoming revolution in the Nintendo Switch hack.
After this bombastic announcement, everyone thought it only remained to wait quietly for Team Xecuter's upcoming releases; on 15 January the team also announced on its forums that the solution would be available in two versions: one requiring soldering and one without. But that was without counting on the third famous team of hackers, Fail0verflow...
Indeed, on January 7, 2018, less than a week after the commotion created by the members of the Xecuter group, Team Fail0verflow put online on its Twitter account a short video proving that it held a coldboot exploit, christened ShofEL2, thanks to the NVIDIA Tegra. The very processor we had quietly discussed in October 2017...
Questions abounded: did Team Fail0verflow, known for sharing almost none of its discoveries, intend to do a release? Was the exploit compatible with all versions of the Switch? What were its limits? Few of these questions got an answer, but one thing was almost certain: given that the exploit used a flaw in the CPU (processor), it was most certainly compatible with all firmware versions...
While Team Xecuter and Team Fail0verflow occupied the whole front of the underground scene, Team ReSwitched decided to come out of the shadows too, on February 17, 2018, announcing on Kate Temkin's Twitter account that it was also in possession of an exploit of the same kind, nicknamed Fusée Gelée. The announcement was accompanied by a video posted on YouTube, as well as a text file revealing, among other things, that unsigned images could be executed and that the exploit took advantage of the Tegra processor. Well, fancy meeting you again...
The "general public" began to understand that a growing number of hackers had managed to get their hands on the data of this famous Tegra processor, and that flaws had been found in it. Perhaps it was one and the same flaw? One thing seemed certain: at least three large groups of hackers had secretly engaged in a kind of "race" to be the first to publish something solid and functional:
- Team Xecuter, which promises an upcoming but certainly paid release;
- Team Fail0verflow, which remains, as usual, very discreet about any possibility of a release;
- Team ReSwitched, which has given no details about a possible release.
The weeks that followed the great events of early 2018 were relatively calm, without being totally devoid of news. Thus, on 6 February 2018 Team Fail0verflow demonstrated that it was able to run Linux thanks to its exploit; ktemkin and Team ReSwitched promised, in an F.A.Q. published on April 4, 2018, a summer release of a chain of exploits and a Custom Firmware called Atmosphere; while on February 15, 2018 Team Xecuter pushed back the release initially scheduled for spring, saying that it wanted to "finalize" its product (or secure it as much as possible to prevent any reverse engineering).
In short, everything seemed more or less peaceful, until the day when...
April 21, 2018: the day of the leak
The future seemed bright for the Switch underground scene: the general public knew it could count on the for-profit Xecuter group for the upcoming commercialization of their "solution", as well as on the ReSwitched–ktemkin alliance for an Open-Source alternative by summer 2018. On the Fail0verflow side, on the other hand, there was still little hope of seeing any release.
Then the leak happened... One fine day, without warning... On April 21, "day of the oak" in the French republican calendar. A day that has seen many unexpected and/or landmark events, such as women being granted the right to vote by Charles de Gaulle in 1944, the generals' putsch in Algiers in 1961, but also the first issue of the Journal de Spirou in 1938, the release of the Game Boy in 1989 and, more recently, the death of the singer Prince in 2016.
A group of hackers, already known for having put online the keys for dumping Switch games, in fact leaked the Tegra X1 Boot ROM on April 21, 2018: the famous file used by the three teams of hackers to find vulnerabilities in the console's start-up. Although it was not a leak of an exploit or of a Custom Firmware, the leak of this file nonetheless made available to all developers what a large number of hackers had secretly worked hard on.
In no time, lots of programmers started taking an interest in all this, and a large number of releases from different sources quickly followed, such as scripts to analyze the bootrom with popular reverse-engineering tools. Then, just two days after the leak, on 23 April 2018, another anonymous source shared, this time, the Tegra X1 bug used by the teams of hackers, in a deliberately provocative tone.
Because piracy is easy, here is the Tegra X1 bug.
The Tegra X1 RCM forgets to bounds-check the wLength field of the 8-byte-long Setup Packet in some USB control transfers. The standard GET_STATUS (0x00) endpoint request can be used to perform an arbitrary memcpy (memory copy) from a malicious RCM command and overwrite the Boot ROM's stack before the signature checks, and after the Boot ROM sends the UID. It takes a USB connection and a way to get into RCM (the "Power", "Home" and "volume +" keys must be pressed simultaneously).
- Team Xecuter
- Team SALT
Reminder: real hackers hack in silence. You are all zeros.
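To make the class of bug described in the note above concrete from a defender's point of view, here is an added C example. It is not code from the page, from the leaked note or from any of the teams named, and the structure and function names are assumptions for illustration. It parses an 8-byte USB Setup Packet, shows a copy length taken unchecked straight from the host-supplied wLength field, and beside it a GET_STATUS handler that derives the copy length from the device's own reply size, so that wLength can only shorten the transfer, never lengthen it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USB_REQ_GET_STATUS 0x00
#define STATUS_REPLY_LEN   2   /* GET_STATUS always answers with exactly 2 bytes */

/* Layout of the 8-byte USB Setup Packet (little-endian on the wire). */
struct usb_setup_packet {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;   /* number of bytes the host asks for in the data stage */
};

/* Decode the raw 8 bytes; anything but exactly 8 bytes is rejected. */
bool parse_setup_packet(const uint8_t *raw, size_t raw_len, struct usb_setup_packet *out)
{
    if (raw == NULL || out == NULL || raw_len != 8)
        return false;
    out->bmRequestType = raw[0];
    out->bRequest      = raw[1];
    out->wValue        = (uint16_t)(raw[2] | (raw[3] << 8));
    out->wIndex        = (uint16_t)(raw[4] | (raw[5] << 8));
    out->wLength       = (uint16_t)(raw[6] | (raw[7] << 8));
    return true;
}

/* The defect in its pure form: the copy length comes straight from the
 * host-controlled wLength. Returned as a number (no copy is performed) so a
 * caller can see it exceed any fixed-size reply buffer. */
size_t unchecked_copy_length(const struct usb_setup_packet *pkt)
{
    return pkt->wLength;
}

/* Bounded handler (the mitigation): the data stage is never longer than the
 * device's own reply; wLength may only shorten it. Returns the number of
 * bytes written to 'out', or -1 when the request is refused (stall). */
int handle_get_status(const struct usb_setup_packet *pkt, uint16_t status,
                      uint8_t *out, size_t out_cap)
{
    if (pkt == NULL || out == NULL || pkt->bRequest != USB_REQ_GET_STATUS)
        return -1;
    size_t n = pkt->wLength < STATUS_REPLY_LEN ? pkt->wLength : STATUS_REPLY_LEN;
    if (n > out_cap)
        return -1;   /* would not fit the caller's buffer: refuse instead of copying */
    uint8_t reply[STATUS_REPLY_LEN] = { (uint8_t)(status & 0xff), (uint8_t)(status >> 8) };
    memcpy(out, reply, n);
    return (int)n;
}

int main(void)
{
    /* Constructed packet: device-to-host GET_STATUS asking for 0xFFFF bytes. */
    const uint8_t raw[8] = { 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF };
    struct usb_setup_packet pkt;
    uint8_t buf[STATUS_REPLY_LEN];

    if (!parse_setup_packet(raw, sizeof raw, &pkt))
        return 1;
    printf("unchecked copy length: %zu bytes\n", unchecked_copy_length(&pkt));
    printf("bounded reply length:  %d bytes\n",
           handle_get_status(&pkt, 0x0001, buf, sizeof buf));
    return 0;
}
```

The difference between the two functions is the whole point: with the unchecked variant a 2-byte status reply turns into a 65535-byte copy on the host's say-so, whereas the bounded handler clamps to the reply size and refuses anything that would not fit its buffer.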
23 & 24 April: the avalanche of releases
On learning this news, Team ReSwitched and ktemkin decided to open the GitHub repository of their Fusée Launcher project earlier than the initially planned date of June 15, 2018. This loader, which takes advantage of the Fusée Gelée exploit (CVE-2018-6242), allows small pieces of code (called payloads) to be loaded via USB onto devices with a Tegra X1 processor.
They were quickly followed, to general surprise, by Team Fail0verflow, whose initial objective had been to publish nothing before April 25, only 2 days after the hack was revealed. At first, somewhat odd announcements about a so-called "revolutionary" technology called SwitchX for modding the Nintendo Switch, whose illustrations suggested a huge joke, were posted from the group's Twitter account.
A few moments later, no fewer than four GitHub repositories related to the hack of the Tegra X1 processor found in the Switch were opened to the general public by Team Fail0verflow: switch-linux, switch-u-boot, switch-coreboot and switch-arm-trusted-firmware. These proved especially useful for booting Linux on the Nintendo Switch through the recently discovered hack.
The same day, the famous developer Plutoo (also known under the pseudonym qlutoo) came out of his den to deliver his final release, the source code of his exploit discovered on firmware 3.0.0. Final, because it was followed by a tweet from the author announcing his withdrawal from the Switch scene.
It was also the day Team Fail0verflow finally decided to share its ShofEL2 exploit, as well as a long post on its blog detailing all the steps for installation and use.
… and I’m out! no more switch for me. was damn fun though
— plutoo (@qlutoo) April 23, 2018
The announcement and near-simultaneous release of the Fusée Gelée and ShofEL2 exploits were an important event for users. Not only did we get confirmation that both teams used the same vulnerability, but we also learned how easy it was to activate RCM (Recovery Mode) and use it to run unsigned code. On top of that, we had something tangible, testable and usable! What more could one ask?
Don't worry, I'm preparing a tutorial on how to activate RCM on your Nintendo Switch! 😉
23 & 24 April: the avalanche of information
While the multiple releases were pouring in and developers were busy, the general public, who didn't really know what to make of all this, was treated to various pieces of information about the Nintendo Switch hack.
It is the Atmosphere project that attracted attention. If you don't know what it is, this sweet name was chosen as the code name of Team ReSwitched's first Custom Firmware (and therefore very probably the first for the Nintendo Switch as well), which was scheduled to be put online on June 15, at the same time as Fusée Gelée. While recent events precipitated the release of the exploit, the same did not happen for Atmosphere: developing a Custom Firmware is complex and requires a lot of beta testing, to ensure that the chances of a brick (breaking your console) are minimal.
On the other hand, as pointed out by the developer SciresM, who is working hard on it, the GitHub repository has been opened to the public and the project is now Open-Source, which means anyone can contribute to the design of this Custom Firmware! SciresM also advised interested people to perform a dump of the console's NAND as soon as the tools become available, in order to have a chance to restore the console in case of a technical problem.
Information was also revealed about the power of the Tegra X1. Team Fail0verflow carried out some nice tests from a Linux running on their Switch. Among other things, it was confirmed that the famous GameCube/Wii emulator Dolphin could be launched, and that the game The Legend of Zelda: The Wind Waker ran at 20-25 frames per second. The team also had a great time launching the Switch emulator Yuzu from their Switch, emulating a Nintendo Switch from a Linux running on a Nintendo Switch!
All these stories were in any case very well received, since they confirmed the potential and robustness of Nintendo's latest console and brought hope of one day being able to enjoy emulators for the Wii and GameCube, but also for other old consoles.
From 25 April to now
Since the two main teams of hackers published all the code and instructions needed to launch payloads and exploit the Tegra X1 flaw, many developers have followed and started a large number of projects, which are listed in the "releases" below.
If you want to skip directly to the overall assessment of the whole affair, you can click here.
Fusée Gelée and Fusée Launcher, by Team ReSwitched & ktemkin
The first release comes from the collaboration between Team ReSwitched and ktemkin: the Fusée Gelée exploit and the Fusée Launcher payload-loading program. The latter is so far only compatible with Linux and Mac, which must have Python 3 and a few other packages installed (tutorial coming very soon).
ShofEL2, by Team Fail0verflow
The ShofEL2 exploit uses the same flaw as Fusée Gelée, but is the work of Team Fail0verflow, which is not known for sharing its work. The installation and usage instructions are quite technical and require some knowledge. They are available on the GitHub repository, which can be visited by clicking the button below.
nx-hbl, by Plutoo
Seeing this new era in the Nintendo Switch hack, the famous developer Plutoo decided to leave the scene and publish the source code of his latest work, a homebrew exploit compatible with Nintendo Switch firmware versions 3.0.0 and lower. Unfortunately, no documentation was provided, not even comments in the code... Whatever the case, we can only wish Plutoo good luck!
IDC files, by SciresM
The developer SciresM, a member of Team ReSwitched, put online a copy of his tz_5x.idc file to let developers focus on the Secure Monitor (TrustZone) of firmware 5.0.0. On his Twitter, he also advised people who are curious about how the SecMon works but do not want to do RE (reverse engineering) themselves to take a look at Exosphere.
That's not all: the same hacker then shared his IDC files for the Nintendo Switch "Loader" system module, on firmware 1.0.0, 3.0.0 and 5.0.0. As with the previous one, he advises the curious to go have a look at Stratosphere. Oh, and a small note: these files are more than 30,000 lines long, so don't be surprised if your tab takes a little time to load!
Web Fusée Launcher, by ksamj202
The developer atlas44 had fun making a small web version of Team ReSwitched's Fusée Launcher. Soberly christened Web Fusée Launcher, this small tool lets you launch payloads from an internet browser rather than going through a terminal.
Fusée Gelée with a Raspberry Pi 3, by DarkMelman
DarkMelman, a member of the GBAtemp forums, announced the successful launch of payloads from his Raspberry Pi 3 and shared his script on GitHub.
NXLoader, by DavidBuchanan314
This time, it is DavidBuchanan314's turn to deliver a tool that lets you launch payloads from an Android device! The author states that it is his first Android application and that, because of this, it is still "alpha", meaning it is not a final version.
Moonflower, by moriczgergo
Here is the first really "useful" payload for the Nintendo Switch. Developed by moriczgergo, moonflower lets you dump (make a copy of the data of) the fuses and the GPIO. The developer says he built his payload using the "poc_nvidia" branch of the Atmosphere repository.
Rocket to the Raspberry, by moriczgergo
The same programmer, moriczgergo, shared shortly afterwards his other project, Rocket to the Raspberry, which is simply a Raspbian image that loops Fusée Gelée endlessly, so that a payload can be launched on the Switch by simply connecting the console to the nano-computer. The script is supposed to work on all Raspberry models, but the author states that it is better to have a Raspberry Pi Zero.
hekate, by naehrwert
On April 30, the developer naehrwert posted the first quality payload: hekate_ipl. Behind this name hides a small Swiss army knife that can, among other things, replace the bootloader/package1 in order to load a Custom Firmware (this only works on firmware 2.0.0 and lower, however), and display the console's fuse information and keys.
hekate also allows backing up the eMMC module to the microSD card inserted in the console (formatted in FAT32), but it only takes the main system partitions found in the NAND (32 GB) and skips the "user/game" section (26 GB). This can always be useful if you later need to generate emuNAND configurations, explore your eMMC or make changes. However, any manipulation of the eMMC is at your own risk!
Two forks of hekate were made by the programmers rajkosto and sweetlilmre, in order to allow dumping all possible partitions to a microSD card formatted in FAT32 or exFAT. Note that older versions of the Nintendo Switch firmware do not support microSD cards that are too large and/or formatted in exFAT.
Finally, the most comprehensive fork to date was made by CTCaer, and combines optimizations and bug fixes.
TegraRcmSmash, by rajkosto
When Fusée Launcher was shared and the community realized that Windows was not supported, even though it is the most used operating system on the planet, it didn't take long for developers to get to work. The developer rajkosto was the fastest with his TegraRcmSmash, a re-implementation of Fusée Launcher coded in C++.
biskeydump, by rajkosto
Decidedly, rajkosto is in good form! He put online a small payload, biskeydump, which, as its name indicates, dumps the BIS keys of the Switch it is loaded on. These keys can later be used to decrypt the eMMC contents on a desktop or laptop computer.
rocontrol, by moriczgergo
This new project by moriczgergo, rocontrol, lets any user allergic to terminals enjoy a simple and effective graphical interface for launching payloads on their Nintendo Switch.
SwitchImageViewer, by LetsPlentendo
Here is a payload that is not very useful, but which at least has the merit of existing and may help new programmers interested in designing payloads! SwitchImageViewer is developed by LetsPlentendo and, once loaded on the Nintendo Switch, displays an image. Yes, that's all. You do, however, have the option of choosing the image to display, by following the instructions in the project's GitHub repository.
Painless Linux, by natinusala
Following Team Fail0verflow's instructions is difficult for a novice... Fortunately, there are developers like natinusala! His Painless Linux payload makes it fairly easy to run Linux on your Nintendo Switch, provided you have a microSD card flashed with a Linux distribution image and inserted in the Nintendo Switch when the payload is loaded.
What can we currently do?
The question everyone asks after such releases, of course, is: "concretely, what can I do with it today?".
Well, for the moment, not much other than wait, unless you're a developer... It must be remembered that the leak of the Tegra X1 Boot ROM file precipitated things, and that the hacker groups Fail0verflow and ReSwitched had planned to make their releases at a later date. For example, the Atmosphere Custom Firmware was supposed to come out on June 15 together with Fusée Launcher; its GitHub repository has now been opened publicly, but there are still tweaks to be made before a possible release.
We cannot say that nothing at all can be done: all the payloads listed above are loadable and it is also possible to boot Linux on your Switch. But at the present time, that is about it.
What future for the Nintendo Switch hack?
The future of the Switch underground scene looks fairly good: while the Atmosphere Custom Firmware should make its appearance in the coming weeks, Team ReSwitched is also working on porting its Homebrew Launcher (code name: nx-hbl) to 5.0.x. A video by SciresM has been shared on their YouTube channel to prove the real progress of the work.
It now remains to hope that the moments of euphoria experienced by the scene are not ephemeral, and that developers, just like hackers, will continue to work on and exploit all the new possibilities offered by the NVIDIA Tegra X1 vulnerability.
How can Nintendo retaliate?
Many major newspapers, always looking for the sensational, have headlined that this exploit would be "unpatchable" by Nintendo. I am not an expert on the matter, but I'm almost sure that, for once, it is true. At least for consoles produced and purchased before April 23, 2018. I indeed find it hard to see how Nintendo could fix a flaw that sits at the very start of the boot process, at the processor level of its console.
In other words, the exploits Fusée Gelée, ShofEL2 and others will theoretically be usable on your console, regardless of the firmware version!
On the other hand, it is certain that all the information I have outlined here has reached the Japanese company, and that future Switch models are likely to have a patched Tegra. If you still haven't bought Big N's new little one and you are interested in hacking it, I believe it's now or never...
Hey, can you write the tutorials for me? I don't understand anything!
But of course, I'm working on it! ;D The first one, which should be released Friday or Saturday, will teach you how to activate RCM on your Switch, and will be followed by another tutorial, probably released this weekend, on running Linux from your console. So I advise you to follow one of our accounts on your favorite social network (Twitter, Facebook, Google+ or even Flickr) or our RSS feed! 😀
Thus ends (finally?) this dossier summarizing the latest events of the Switch underground scene. To err is human, so please do not hesitate to correct me in the comments if you spot a mistake or anything else! And do not hesitate to ask your questions, we'll try to answer as far as possible! 🙂
Finally, to finish off in due form, we wish you, as always, happy hacking!