Hackers seem close to publicly unlocking the Nintendo Switch

At the 34C3 conference, hacker Derrek shows the soldered FPGA setup that helped him find the decryption key necessary to unlock the system’s binaries.

When it comes to video game consoles, it’s only a matter of time before even the most locked-down system gets unlocked by hackers for homebrew coding (and, potentially, piracy). The goal for most console makers is to hold off that day for as long as possible, to maintain their total control over the console’s software ecosystem as long as they can.

For Nintendo and the nearly year-old Switch, that control seems in imminent danger of slipping away.

Hackers have been finding partial vulnerabilities in early versions of the Switch firmware throughout 2017. Their discoveries include a WebKit flaw that allowed for basic “user level” access to some portions of the underlying system and a service-level initialization flaw that gave hackers slightly more control over the Switch OS. But the potential for running arbitrary homebrew code on the Switch really started looking promising late last month, with a talk at the 34th Chaos Communication Congress (34C3) in Leipzig, Germany. In that talk, hackers Plutoo, Derrek, and Naehrwert outlined an intricate method for gaining kernel-level access and nearly full control of the Switch hardware.

This 34C3 talk on hacking the Nintendo Switch gives an in-depth look at how Nintendo’s various security methods have been circumvented.

The full 45-minute talk is worth a watch for the technically inclined. It describes using the basic exploits discussed above as a wedge to dig deep into how the Switch works at the most basic level. At one point, the hackers sniff data coming through the Switch’s memory bus to figure out the timing for an important security check. At another, they solder an FPGA onto the Switch’s ARM chip and bit-bang their way to decoding the secret key that unlocks all of the Switch’s encrypted system binaries.

The team of Switch hackers even got an unexpected assist in its hacking efforts from chipmaker Nvidia. The “custom chip” inside the Switch is apparently so similar to an off-the-shelf Nvidia Tegra X1 that a $700 Jetson TX1 development kit let the hackers get significant insight into the Switch’s innards. More than that, amid the thousands of pages of Nvidia’s public documentation for the X1 is a section on how to “bypass the SMMU” (the System Memory Management Unit), which gave the hackers a viable method to copy and write a modified kernel to the Switch’s system RAM. As Plutoo put it in the talk, “Nvidia backdoored themselves.”

The floodgates are open

While the 34C3 hackers didn’t release a version of their exploit to the public at the conference, they promised they were working in conjunction with documentation group ReSwitched to release a public homebrew method soon (a cryptic tweet from Plutoo shows a rudimentary homebrew launcher on a Switch with the date “Feb 1st”). Other groups have not been content to wait, though, and seem to be jumping off of the 34C3 talk to develop and tease their own upcoming Switch hacks.

Hacking collective Fail0verflow jumped on the bandwagon earlier this month by posting video evidence on January 7 of a “coldboot exploit” that let the group scroll a message across the Switch’s screen. In a follow-up tweet, Fail0verflow clarified that its hack does not require a modchip and purportedly works on the Switch bootrom in a way that “can’t be patched (in currently released Switches).”

That’s a significant statement, since exploits like those discussed at 34C3 don’t work on Switch firmware past version 3.0.0, which was patched last July (other hackers claim to have privately held methods to run homebrew code on more recent firmware). Fail0verflow’s statement suggests its exploit could work on all Switches currently available in the wild and could be counteracted only if Nintendo made changes at the factory production level.

The hacks discussed above can be used to run homebrew code on the Switch, which you can start writing right now using the open source library libnx (which is currently missing important functions like GPU acceleration and audio playback). Thus far, the hacks don’t seem to be useful for pirating legitimate Switch games, which are protected by an extra layer of security.

But hacking collective Team-Xecuter has publicly hinted at its own “solution” for Switch hacking. The group posted a short video showing the Xecuter logo appearing before the Switch’s usual bootup sequence (and a purported bootloader decryption key to prove its veracity). Team-Xecuter is known for hardware modchips that allow pirated games to run on other consoles, suggesting that it could be releasing a similar modchip for the Switch as soon as spring.

While we’re not quite to the point where any Switch owner can easily install a Wii-like Homebrew Channel on their Switch, that point seems to be fast approaching based on announcements from the hacking community. With the Switch selling at a record-setting clip for Nintendo, such public hacks could have a big impact on the way millions of players use their hardware.

https://arstechnica.com/?p=1245151