Maybe we can add a FAQ to the main post? This must be a pretty high Google result based on the number of repeated questions
> Is it possible with this dump to run unsigned certificates like homebrew?

Just imagine people running nsp on it, but hard to tell since the main goal behind the Mig is to work like a real Nintendo xci game, hard to tell anything, who knows

> Just imagine people running nsp on it, but hard to tell since the main goal behind the Mig is to work like a real Nintendo xci game, hard to tell anything, who knows

Seriously, read at least the OPs. Nobody has been able to crack LOTUS, so you cannot run unsigned software via the cartridge. And even if you manage to do it, the LOTUS has a backup on firmware which leads you to a ban.

> Seriously, read at least the OPs. Nobody has been able to crack LOTUS, so you cannot run unsigned software via the cartridge. And even if you manage to do it, the LOTUS has a backup on firmware which leads you to a ban.

Understandable, I said it because some people don't care about the ban at all. It's always interesting to see everything the community is capable of doing.

> Seriously, read at least the OPs. Nobody has been able to crack LOTUS, so you cannot run unsigned software via the cartridge. And even if you manage to do it, the LOTUS has a backup on firmware which leads you to a ban.

There is a point I would like to make.

> There is a point I would like to make.
> Running nsp on mig switch on an already banned switch. That would be a game changer for certain situations.

From what I've gathered, gamecard is kinda sandboxed from the rest of the system. Even if you somehow crack it, it'll still be isolated from the rest of the system. Definitely would be a game changer but, apparently, that's not how it works. Maybe someone will come up with something else entirely, remains to be seen in the future.
because MIG contains leaked N secrets like Lotus 3 key, etc

> If this is something you care about, you may want to be aware that the firmware.bin you put on GitHub contains previously un-leaked N hardware secrets that can otherwise only be obtained via lotus3/gamecard decap (there is no DFA/DPA attack in literature for the specific hardware secret present in that firmware binary).

Now this looks like a job for me to download it locally. Interesting stuff.

> Without a vulnerability in the Lotus chip firmware, a MIG Flash or other Flash cart will never be able to run unsigned code.
> If your Switch is already banned that means it probably ran a CFW at some point and ran an illegitimate NSP like an XCI converted to NSP or an NSP homebrew. If that is the case, then just install the NSP to the system or internal microSD card and run it in CFW mode.

I'm pretty sure that a vulnerability in Lotus3 will not grant you unsigned code execution.

> I'm pretty sure that a vulnerability in Lotus3 will not grant you unsigned code execution.
> You would need a chain of exploits for the entire software stack that comes after the cart reader.
> If you accomplish this, you wouldn't need a MIG Switch at all.

I'm well aware of that. I'm just trying to be as simple as I can be for those who aren't technical enough.

> Without a vulnerability in the Lotus chip firmware, a MIG Flash or other Flash cart will never be able to run unsigned code.
> If your Switch is already banned that means it probably ran a CFW at some point and ran an illegitimate NSP like an XCI converted to NSP or an NSP homebrew. If that is the case, then just install the NSP to the system or internal microSD card and run it in CFW mode.

Indeed, it needs to be noted that this is only an entry point into the MiG, so it's kinda like the PS4 LUA sandbox used to be, except they also did the E3 Flasher firmware too.

Are you willing to share the current files you have with the community?

Hello everyone,
I've been spending some time recently doing a deep dive into the M1gSwitch hardware, and I took a few hours to measure and completely redraw the PCB. After I finished, I discovered that another member of the community had already done the same work, haha.
But since the project is complete, I wanted to share my version and my thoughts on what could be done next.
1. My Replicated PCB Design
My goal was to create a low-cost version, so the design is based on JLC's free prototyping service, using 0402 components to match the original's form factor.
- I've created two versions of the board: one minimalist version without a physical button, and a second version that includes one for switching games.
- I also designed a 3D-printable shell to house the board and protect it.
2. Theory on the FPGA Firmware
I haven't been able to find any public firmware dumps for the FPGA. However, after analyzing the connections between the ESP32 and the FPGA, I saw that the layout perfectly matches the standard for an FPGA's slave configuration mode.
Combined with the fact that the MigSwitch team has released firmware updates, this leads me to a theory: The FPGA chip likely arrives blank from the factory. On each power-up, the ESP32 is responsible for loading the firmware directly onto the FPGA.
To test this theory, I've ordered new, blank FPGA chips of the same model. There's a slight shipping delay, but I will post an update here as soon as they arrive and I've had a chance to test them.
3. Offering Help to the Community
I'm based near Shenzhen, which allows me to source a wide variety of electronic components and get PCBs manufactured quickly and at a very low cost.
If anyone in the community has a new concept or needs assistance with hardware validation, I'm happy to help.
4. Next Steps: Side-Channel Analysis
Beyond just verifying the FPGA theory, I have some further plans.
As a side note, the total hardware cost for this replication project is under 40 RMB (about $5-6 USD), making it very accessible.
- Development Board: I have already created a custom Switch cartridge-style dev board that breaks out all the key interfaces (Power, JTAG, USB, GPIOs) to make debugging and analysis easier.
- Tools: I'm planning to acquire a good oscilloscope and a ChipWhisperer-Husky for this purpose.
- Goal: My objective is to use this setup to perform side-channel analysis and attempt to extract the firmware via non-invasive methods.
- Promise: If I successfully extract a usable firmware, I will release it publicly for the community.
5. A Long-Term "Moonshot" Idea
Finally, there's a more ambitious, long-term idea. A friend of mine who works in the semiconductor industry suggested that we could potentially use their lab's FIB (Focused Ion Beam) and electron microscope to directly read the eFuse data from the chip's die. This is a highly advanced physical attack. Their equipment is in constant use, so this is more of a future possibility than a concrete plan, but it remains an interesting option.
> The FPGA chip likely arrives blank from the factory. On each power-up, the ESP32 is responsible for loading the firmware directly onto the FPGA.

The bootloader has an option to load FPGA firmware, probably for initial debug during development. But the firmware I dumped does not contain FPGA firmware, so the interface is used for communication only.

> Tools: I'm planning to acquire a good oscilloscope and a ChipWhisperer-Husky for this purpose

I used the courk.cc side channel hardware to dump the ESP32.
> I was really looking forward to your OFFZONE talk

Afaik, the video and slides will be published on the talk page within a week or two

I’m curious to see how you designed the shell to actually attach together and still be easily printable

Of course!
Good timing, actually. The first batch of PCBs just arrived today. My plan is to assemble one and test it thoroughly over the next few days to make sure there are no issues with the design.
Once I can confirm that everything is working as expected, I'll upload all the files (Gerbers, PCB project files, 3D shell model, etc.) for everyone. If I run into any problems during testing, I'll make the necessary revisions before releasing them.
On a side note, the turnaround time for the PCBs was impressive. I finished the design on the evening of the 2nd, and they were delivered by noon today (the 4th). It was incredibly fast, and best of all, the boards and the shipping were completely free.