Nintendo Switch (Homebrew)
The Nintendo Switch is home to a vast community dedicated to repurposing its hardware for home-made applications and operating systems. This is collectively referred to as homebrew, and Horizon OS patches/custom OSes are both referred to as custom firmwares (CFWs).
There is no record to date of Atmosphere, specifically, causing a single Nintendo network ban. This is corroborated by this spreadsheet, developer testing, and feedback from banned users invariably pinpointing a catalyst stemming from user error and not the use of CFW itself.
Using custom firmware on the Nintendo Switch is considered safe, as long as certain actions are avoided. Contrary to popular rhetoric, Nintendo has shown a distinct tolerance to homebrew users and seems to actively allow their presence, as they are able to detect any console running a custom firmware. Nintendo chooses to ban specific bad actors such as pirates and online cheaters, and this remains true to this day.
These actions are, for the most part, disruptive to Nintendo's online infrastructure or sales strategy, and generally fall outside the scope of legitimate custom firmware usage. They also include setting a custom avatar, which has been the subject of controversy due to adult content being uploaded by CFW users in the past, and eShop financial fraud, which results in a ban of the Nintendo Account entirely, forfeiting any digital collections held by the account. However, Nintendo Account integrity is not a concern for console bans stemming solely from CFW.
Shown to the right is a general community guideline post, further defining what is or isn't safe with the functionalities granted by custom firmware.
Contrary to popular rhetoric, Nintendo has not and cannot knowingly brick a console of any type due to the presence of unauthorised software. This has never happened in the past, despite any ignorant press and website reporting. However, they are fully within their rights to restrict the console from online functionality, and this is clearly defined in any end-user license agreement. In addition, Nintendo is not responsible for incompatibilities caused by a system update, such as Atmosphere and Hekate failing to boot after a package1loader update. This is due to the nature of homebrew and not indicative of ill action from Nintendo.
For example, I have primarily used custom firmware while online on every Switch unit I've had since 2019, without any issues following these guidelines. None of my consoles have been banned.
My setup
Sysmodules
These are sysmodules that I consider essential to the usage of my console.
sys-ftpd-light - FTP server running at all times, allowing remote access to the microSD's files. Can be toggled on or off via controller inputs and starts alongside the console. Access to the FTP server can be restricted via user-defined credentials set in a configuration file on the microSD card.
Tesla-Menu - Overlay menu allowing the use of cheats and advanced sysmodules in real-time, alongside currently running software. Overlays are distributed via .ovl files and installable in /switch.
sys-screenuploader - System module which uploads all screenshots taken by the Switch to a remote server in real time. This can be configured to send them to a local folder on your PC, to a Discord channel, or to a self-hosted server with these software examples.
Mission Control - Allows most common third-party controllers, like the DualSense, to function natively within the Switch's OS via Bluetooth connection. The wired counterpart to this software is sys-con.
ReverseNX-RT - Allows the Nintendo Switch to run software in handheld or docked mode on-demand, regardless of the physical location of the console. This is useful to achieve higher graphical fidelity in handheld mode alongside sys-clk. This is best done using Mariko hardware, which is more power efficient.
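Since sys-ftpd-light exposes the whole microSD over the network whenever it is running, the credentials in its configuration file are the only access control. The following is an added example, not part of sys-ftpd-light or the original page, that audits such a file for weak settings; the `[Section]` / `key:=value` layout and the key names are assumptions to check against the installed version, and the sample config is constructed.

```python
# Added example. Assumed config layout: "[Section]" headers with "key:=value" lines.
SAMPLE_CONFIG = """\
[User]
user:=ftpd
[Password]
password:=
[Port]
port:=5000
[Anonymous]
anonymous:=1
"""  # constructed sample, not taken from a real console


def parse_config(text):
    """Return {section: {key: value}} for '[Section]' + 'key:=value' lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # skip blanks and comment lines
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif ":=" in line and current is not None:
            key, value = line.split(":=", 1)
            current[key.strip().lower()] = value.strip()
    return sections


def audit(text, min_password_len=12):
    """Return a list of findings; an empty list means no weak setting was seen."""
    cfg = parse_config(text)
    user = cfg.get("user", {}).get("user", "")
    password = cfg.get("password", {}).get("password", "")
    anonymous = cfg.get("anonymous", {}).get("anonymous", "0")
    findings = []
    if anonymous != "0":
        findings.append("anonymous login enabled: credentials are not enforced")
    if not user:
        findings.append("no user name set")
    if not password:
        findings.append("no password set")
    elif len(password) < min_password_len:
        findings.append(f"password shorter than {min_password_len} characters")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "no weak settings found")
```

FTP carries the user name and password unencrypted, so a clean audit result still leaves them readable to anyone on the same network; toggling the server off when it is not in use limits that exposure.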
Homebrew Software
I use Homebrew Details 0.95[1] as my primary homebrew browser. I plan to patch it to allow touchscreen input, as this layout and design is unmatchable for me and has, unfortunately, drastically changed ever since the 1.0 release. The title I use to serve as the homebrew browser via title takeover is Rogue Bit - this way, I can simply launch Rogue Bit straight from the HOME Menu to get into a fully escalated homebrew menu.
Custom firmwares
Atmosphère
Atmosphère is the main custom firmware for Nintendo Switch, developed primarily by SciresM of the ReSwitched team. The name is an allusion; Atmosphère runs on top of Horizon, referencing how the atmosphere rests on top of the horizon.
ReiNX
A deprecated fork of Atmosphère, ReiNX generally does not offer exclusive features over Atmosphère itself, and has not been updated since May of 2020.
SXOS
A commercial fork of Atmosphère, SXOS is primarily developed for game piracy groups on the Nintendo Switch.
SX OS software and its modchips (which are bundled with SX OS) are illegal to manufacture, purchase, or own in the US due to multiple violations of copyright law: specifically, hardcoding Nintendo's firmware decryption keys in their software (in an attempt to avoid showing Atmosphère branding during sept), and failing to release source code, in violation of Atmosphère's GPLv2 license, which requires derivative works to disclose their full source code to the public.
Like ReiNX, SX OS has not been updated in years after a successful litigation attempt by Nintendo and the FBI, where the team was labelled as a piracy group due to directly supplementing piracy repositories within its custom firmware.
Exploits
Several writeups and conference presentations cover the Switch console's reverse-engineering efforts.
Hardware
Hardware exploits stem either from physical weaknesses in the console's components, or from software burned into read-only/write-once portions of the console, e.g., the bootROM. Hardware exploits can never be patched out without physical access to the console (and by replacing said console's hardware).
There is external hardware that can be used alongside fusee, including dongles such as the DragonInjector.
DragonInjector
DragonInjector, or DI for short, was a small dongle for the Nintendo Switch designed to fit inside the card slot. On July 13, 2020, it was pursued by Nintendo, primarily over Canadian copyright infringement[2].
Fusee Gelee
Fusee gelee translates to "frozen rocket" from French, referencing the coldboot nature of the exploit.
This is an unpatchable, tethered bootROM exploit, which takes advantage of the Switch console's boot and power management chip (BPMP), and is leveraged by copying a payload into an executable portion of memory (jokingly referred to as a memecpy by members involved in its development).
Approximately thirty to forty million consoles are vulnerable to this. These consoles will become a rarity as time passes.
This exploit requires physical access to the console's USB-C port, injecting a custom payload after entering a compromised recovery mode (RCM). RCM is a factory mode intended for maintenance and repair of damaged consoles, or initial factory setup of devices. Fusee gelee effectively bypasses verification for signed payloads and allows an attacker to bypass every single technological protection measure present on the console at boot time with minimal external hardware.
Technical writeup presented to Nvidia (PDF)
Nintendo Homebrew's custom firmware guide for Atmosphère
Fusee-gelee can be leveraged into an untethered coldboot exploit by wiring a Trinket M0-based board with specialised software onto the USB lanes on the Switch mainboard. The Trinket will then be able to automatically inject a self-contained payload as soon as an APX device is detected.
Jamais Vu
Jamais Vu translates to "never seen". This is a purely software-based warmboot TrustZone exploit for a prerelease version of Horizon, namely version 1.0, which became outdated on the day the Nintendo Switch launched. More information can be found on SciresM's announcement post.
Software
General
The current version of the console's operating system does not seem to contain noteworthy bugs that can lead to homebrew or custom firmware. Previous versions of Horizon were vulnerable to a limited number of flaws, none of which enabled TrustZone access purely through security issues that were Nintendo's fault. Every known entrypoint (which grants full system access) is the result of a flaw originating with Nvidia.
My contributions
Intending to settle down after participating in the Nintendo 3DS homebrew community, I still have ended up developing a small number of mods for the Nintendo Switch.
The largest one is the restoration of the Aeon Genesis translation of Cave Story to the official port of Cave Story+ on the Switch. As Cave Story was originally a Japanese exclusive game, a number of community translations of the game have appeared, before it was officially published by Nicalis in 2010. The Aeon Genesis translation is one of them. This was done to combine the improved visuals and extra modes of Cave Story+ with a different interpretation of the story and its characters. It was published on 10/20/2020 as a customary habit to have releases and actions historically linked to rare days on the Gregorian calendar. For example, 10/20/2020 was the last day in the current millennium to repeat the number 20 at least three times.
After developing this patch and witnessing how flexible Cave Story's scripting engine is, I plan to eventually create a simple game using it.
The Aeon Genesis translation patch for Cave Story+ is available to download.
I also have created a small number of mods for Super Smash Bros. Ultimate, a game with a heavy and well-known modding community. This Super Smash Bros. Melee-inspired Victory screen was created as a desire to rid the game of the personally distracting flash that occurs on freeze-frames of a victor's celebration animation. I eventually intend to privately research what is needed to manipulate other UI assets in the game.
These themes were published, despite intending for them to be private.
I also help with maintaining this Nintendo Switch custom firmware setup guide.
Trivia
- Nintendo Switch's BPMP is the ARM7TDMI, also known as the processor that powered the Game Boy Advance and the hardware mapper of the Nintendo DS family.
- Nintendo was aware of the ramifications and the existence of an RCM-based exploit well before the console released in 2017; however, it's unclear which RCM-based exploit they are referencing.
- The Nintendo Switch OS is a major rewrite of the Nintendo 3DS operating system of the same name.
Troubleshooting
Software
- Nintendo Switch does not boot past Nintendo Switch logo! One of these things is likely busted: PRODINFO, your USER partition, your SYSTEM partition, or your partition table. If you run Atmosphere, a rogue sysmodule or corrupt microSD may also be to blame.
- Nintendo Switch does not boot past Nintendo logo! You may have corrupted one of the boot stage slots. Restore a BCPKG2 backup.
- After injecting a payload and booting, an error about an unknown package1 version appears! Your homebrew software does not support the Horizon firmware you are trying to run. Update your homebrew, or wait for a new release.
- My homebrew software has a NOFAT error message! Your microSD is corrupt. Reformat it, or obtain a new card.
Hardware
- Nintendo Switch does not boot past Nintendo Switch logo, does not display on the dock, or does not charge! It is highly likely that the M92T36 chip has been blown out by overvoltage, or a physical short. Common causes are using an uncertified USB-A to USB-C cable to charge the unit, or using a third party dock. Third party AC adapters which don't utilise USB also can cause this. Your Switch will likely need to have the M92T36 replaced.
- Screen shows ink-like blotches that obstruct gameplay! Replace the screen. Duh.
- Nintendo Switch emits a grinding or sawing noise when pressed together! This is the fan scraping against the console's metal backplate. Please do not press the console together.
- Nintendo Switch turns off abruptly, even with remaining battery! The battery may be decalibrated. This can happen to any device with a battery. This occurs when the battery percentage is not synchronised with the physical amount of remaining power. This can be solved by charging the device for double the amount of time it normally takes to reach 100%, and draining it down to zero before fully charging it again. The battery is now calibrated.
- Nintendo Switch does not turn on! Is the unit in RCM? Is the unit fully charged? Have you a modchip installed? If so, check the FAQ of the RCMX86 install guide.
- Nintendo Switch does not enter RCM! All consoles can enter RCM, regardless of whether or not you're able to exploit RCM itself. If the console cannot enter RCM, it is never the fault of software. Instead, a dirty or defective bridging device ("jig"), a dirty or defective console-side slot, or torn ribbon cables will always be the culprit, if the user is following the correct steps to enter RCM (VOL+, Power, Home).