Hacking Switch Recognised Through USB

[NekoMichi]

Preface: This is not a hack or anything, just something I observed. Might be useful for homebrew, might be useless.

When plugged into a PC via a USB cable, the Switch console isn't just drawing power to charge, but actually seems to communicate with Windows. When connected via a USB 3 port, under the Devices and Printers section of the Control Panel it is recognised as a Nintendo Switch whereas when I plug it into a USB 2 port it only shows up as an "Unknown Device".

​

The console is recognised as an input device and information such hardware ID is obtainable under the properties menu.

What's interesting about the Switch is that it's the first Nintendo console to use standard connectors instead of proprietary ports and that it allows direct wired communication with a PC.

Again, I'd like to reiterate that this isn't going to let you run unsigned code (i.e. Homebrew) on the Switch. The USB connection does not allow access to the on-board storage or sending commands to the system, but it might be useful for diagnostics. In the past we didn't have direct access to the system so homebrew had to be achieved through indirect vectors such as extdata on an SD card. In the case of the Switch, a direct USB connection may be a potential entrypoint that we didn't have access to in previous generation consoles.

 

[Gnarmagon]

It's usefully when you later want to transfer things to the internal storage :3

 

[TiMeBoMb4u2]

It would sure be nice to have access to the microSD in this manner.

 

[Toad King]

// USB Descriptor

0x12,        // bLength
0x01,        // bDescriptorType (Device)
0x00, 0x02,  // bcdUSB 2.00
0x00,        // bDeviceClass (Use class information in the Interface Descriptors)
0x00,        // bDeviceSubClass
0x00,        // bDeviceProtocol
0x40,        // bMaxPacketSize0 64
0x7E, 0x05,  // idVendor 0x057E
0x00, 0x20,  // idProduct 0x2000
0x00, 0x01,  // bcdDevice 2.00
0x01,        // iManufacturer (String Index)
0x02,        // iProduct (String Index)
0x03,        // iSerialNumber (String Index)
0x01,        // bNumConfigurations 1

// Manufacturer String: Nintendo
// Product String: Nintendo Switch
// SerialNumber String: SerialNumber

// Config 1 Descriptor

0x09,        // bLength
0x02,        // bDescriptorType (Configuration)
0x22, 0x00,  // wTotalLength 34
0x01,        // bNumInterfaces 1
0x01,        // bConfigurationValue
0x00,        // iConfiguration (String Index)
0xC0,        // bmAttributes Self Powered
0xFA,        // bMaxPower 500mA

0x09,        // bLength
0x04,        // bDescriptorType (Interface)
0x00,        // bInterfaceNumber 0
0x00,        // bAlternateSetting
0x01,        // bNumEndpoints 1
0x03,        // bInterfaceClass
0x00,        // bInterfaceSubClass
0x00,        // bInterfaceProtocol
0x00,        // iInterface (String Index)

0x09,        // bLength
0x21,        // bDescriptorType (HID)
0x00, 0x02,  // bcdHID 2.00
0x00,        // bCountryCode
0x01,        // bNumDescriptors
0x22,        // bDescriptorType[0] (HID)
0x1A, 0x00,  // wDescriptorLength[0] 26

0x07,        // bLength
0x05,        // bDescriptorType (Endpoint)
0x81,        // bEndpointAddress (IN/D2H)
0x03,        // bmAttributes (Interrupt)
0x01, 0x00,  // wMaxPacketSize 1
0x10,        // bInterval 16 (unit depends on device speed)

// HID 1 Descriptor

0x05, 0x06,        // Usage Page (Generic Dev Ctrls)
0x09, 0x20,        // Usage (Battery Strength)
0xA1, 0x01,        // Collection (Application)
0x09, 0x20,        //   Usage (Battery Strength)
0xA1, 0x00,        //   Collection (Physical)
0x05, 0x06,        //     Usage Page (Generic Dev Ctrls)
0x09, 0x20,        //     Usage (Battery Strength)
0x15, 0x81,        //     Logical Minimum (-127)
0x25, 0x7F,        //     Logical Maximum (127)
0x75, 0x08,        //     Report Size (8)
0x95, 0x01,        //     Report Count (1)
0x81, 0x06,        //     Input (Data,Var,Rel,No Wrap,Linear,Preferred State,No Null Position)
0xC0,              //   End Collection
0xC0,              // End Collection

So it's just a USB device with one IN endpoint that only sends a single byte, so no controlling the Switch from this. Doesn't look like any developer debug stuff either. There is always the possibility that there's a debug specific USB device mode with completely different capabilities though.

The HID descriptor makes it sound like it's battery status but I'm not familiar with that particular usage stuff in USB so I'm not sure. On my fully-charged Switch I only ever got one packet of 0x00.

 

[linuxares]

Tried putting it in recovery mode and plugged it in?

 

[Toad King]

Tried putting it in recovery mode and plugged it in?

Nothing in the USB descriptors change.

 

[linuxares]

Nothing in the USB descriptors change.

dang it

 

[Pippin666]

Again, I'd like to reiterate that this isn't going to let you run unsigned code (i.e. Homebrew) on the Switch.

Huh yea, we figured that much pretty early in the text lol. No need to say

Pip'

 

[NekoMichi]

Huh yea, we figured that much pretty early in the text lol. No need to say

Pip'

It's just to safeguard against someone skimming through the text and then running off and claiming "Switch jailbrek through USB!!!" and misleading others.

 

[megahog2012]

I have a question, were you able to use any pc apps with the switch or no

 

[ARVI80]

Has anyone tried vcp drivers to access the usb as a standard com port to see what happens.

See if you can interface and putty the bitch....

 

[TheCyberQuake]

did you try going to a proper usb 3.1 type c connection on a computer to see if anything changes? I would test myself but I'm away from home for a week with no access to my desktop (the only device I have with a USB 3.1 C connection.