Difference between revisions of "Nintendo Switch (Homebrew)"
Revision as of 01:59, 15 March 2022
Custom firmwares
Atmosphère
Atmosphère is the main custom firmware for the Nintendo Switch, developed primarily by SciresM of the ReSwitched team. The name is an allusion: Atmosphère runs on top of Horizon, just as the atmosphere rests on top of the horizon.
ReiNX
A deprecated fork of Atmosphère, ReiNX generally does not offer exclusive features over Atmosphère itself, and has not been updated since May 2020.
SXOS
A commercial fork of Atmosphère, SXOS is primarily developed for game piracy groups on the Nintendo Switch.
SX OS software and its modchips (which are bundled with SX OS) are illegal to manufacture, purchase, or own in the US due to multiple violations of copyright law: specifically, hardcoding Nintendo's firmware decryption keys in the software (in an attempt to avoid showing Atmosphère branding during sept), and failing to release source code, in violation of Atmosphère's GPLv2 license, which requires derivative works to disclose their full source code to the public.
Like ReiNX, SX OS has not been updated in years, following a successful litigation attempt by Nintendo and the FBI in which the team was labelled as a piracy group.
Exploits
Several writeups and conference presentations have been produced regarding the reverse-engineering of the Switch console.
Hardware
Hardware exploits arise either from physical flaws in the console's components or from bugs in software burned into read-only/write-once portions of the console, e.g. the bootROM. Such exploits can never be patched out without physical access to the console, i.e. without replacing the affected hardware.
Fusee Gelee
Fusee gelee translates to "frozen rocket" from French, referencing the coldboot nature of the exploit.
This is an unpatchable, tethered bootROM exploit which takes advantage of the Switch console's boot and power management chip (BPMP). It is leveraged by copying a payload into an executable portion of memory (jokingly referred to as a "memecpy" by members involved in its development).
Approximately thirty to forty million consoles are vulnerable to this. These consoles will become rarer as time passes.
This exploit requires physical access to the console's USB-C port, injecting a custom payload after entering a compromised recovery mode (RCM). RCM is a factory mode intended for maintenance and repair of damaged consoles, or for initial factory setup of devices. Fusee gelee effectively bypasses verification of signed payloads and allows an attacker to bypass every technological protection measure present on the console at boot time with minimal external hardware.
Technical writeup presented to Nvidia (PDF)
Nintendo Homebrew's custom firmware guide for Atmosphère
Fusee gelee can be leveraged into an untethered coldboot exploit by wiring a Trinket M0-based board running specialised software onto the USB lanes of the Switch mainboard. The Trinket is then able to automatically inject a self-contained payload as soon as an APX device is detected.
Jamais Vu
Jamais Vu translates to "never seen". This is a purely software-based warmboot TrustZone exploit for a prerelease version of Horizon, namely version 1.0, which became outdated on the day the Nintendo Switch launched. More information can be found in SciresM's announcement post.
Software
General
The console's current operating system version does not appear to contain noteworthy bugs that can lead to homebrew or custom firmware. Previous versions of Horizon were vulnerable to a limited number of flaws, none of which enabled TrustZone access purely through security issues of Nintendo's own making. Every known entrypoint that grants full system access is the result of a flaw originating with Nvidia.
My contributions
Intending to settle down after participating in the Nintendo 3DS homebrew community, I have still ended up developing a small number of mods for the Nintendo Switch.
The largest one is the restoration of the Aeon Genesis translation of Cave Story to the official port of Cave Story+ on the Switch. As Cave Story was originally a Japanese exclusive game, a number of community translations of the game appeared before it was officially published by Nicalis in 2010. The Aeon Genesis translation is one of them. This was done to combine the improved visuals and extra modes of Cave Story+ with a different interpretation of the story and its characters. It was [https://www.reddit.com/r/SwitchHacks/comments/jejbgs/aeon_genesis_cave_story_port_nintendo_switch/ published] on 10/20/2020 as a customary habit of having releases and actions historically linked to rare days on the Gregorian calendar. For example, 10/20/2020 was the last day in the current millennium to repeat the number 20 at least three times.
After developing this patch and witnessing how flexible Cave Story's scripting engine is, I plan to eventually create a simple game using it.
The Aeon Genesis translation patch for Cave Story+ is [https://unnamedmods.com/nx/AGCS1.0.7z available to download].
I have also created a small number of mods for Super Smash Bros. Ultimate, a game with a heavy and well-known modding community. This Super Smash Bros. Melee-inspired victory screen was created out of a desire to rid the game of the personally distracting flash that occurs on freeze-frames of a victor's celebration animation. I eventually intend to research privately what is needed to manipulate other UI assets in the game.
These themes were published, despite my intending for them to be private.
I also help with maintaining this Nintendo Switch custom firmware setup guide.
Trivia
- The Nintendo Switch's BPMP is the ARM7TDMI, also known as the processor that powered the Game Boy Advance and the hardware mapper of the Nintendo DS family.
- Nintendo was aware of the ramifications and the existence of an RCM-based exploit well before the console released in 2017; however, it is unclear which RCM-based exploit they were referring to.
- The Nintendo Switch OS is a major rewrite of the Nintendo 3DS operating system of the same name.
Troubleshooting
Software
- Nintendo Switch does not boot past the Nintendo Switch logo! One of these is likely damaged: PRODINFO, your USER partition, your SYSTEM partition, or your partition table. If you run Atmosphère, a rogue sysmodule or a corrupt microSD card may also be to blame.
- Nintendo Switch does not boot past Nintendo logo! You may have corrupted one of the boot stage slots. Restore a BCPKG2 backup.
- After injecting a payload and booting, an error about an unknown package1 version appears! Your homebrew software does not support the Horizon firmware you are trying to run. Update your homebrew, or wait for a new release.
- My homebrew software has a NOFAT error message! Your microSD is corrupt. Reformat it, or obtain a new card.
Hardware
- Nintendo Switch does not boot past the Nintendo Switch logo, does not display on the dock, or does not charge! It is highly likely that the M92T36 chip has been blown out by overvoltage or a physical short. Common causes are using an uncertified USB-A to USB-C cable to charge the unit, or using a third-party dock. Third-party AC adapters that do not use USB can also cause this. Your Switch will likely need to have the M92T36 replaced.
- Screen shows ink-like blotches that obstruct gameplay! Replace the screen. Duh.
- Nintendo Switch emits a grinding or sawing noise when pressed together! This is the fan scraping against the console's metal backplate. Please do not press the console together.
- Nintendo Switch turns off abruptly, even with remaining battery! The battery may be decalibrated. This can happen to any device with a battery, and occurs when the reported battery percentage is not synchronised with the physical amount of remaining charge. It can be solved by charging the device for double the amount of time it normally takes to reach 100%, then draining it down to zero before fully charging it again. The battery is then calibrated.
- Nintendo Switch does not turn on! Is the unit in RCM? Is the unit fully charged? Have you a modchip installed? If so, check the FAQ of the RCMX86 install guide.
- Nintendo Switch does not enter RCM! All consoles can enter RCM, regardless of whether or not you're able to exploit RCM itself. If the console cannot enter RCM, it is never the fault of software. Instead, a dirty or defective bridging device ("jig"), a dirty or defective console-side slot, or torn ribbon cables will always be the culprit, if the user is following the correct steps to enter RCM (VOL+, Power, Home).