Hacking Discussion Will we ever see an untethered Switch hack?

[subcon959]

But can you update the payload on a modchip after it's installed?

It's been a few years so I can't remember what I did, but I know my trinket m0 simply looks for payload.bin on the sd card. So updating is as easy as renaming the latest fuse-primary.bin to payload.bin and copying it to the card.

There is only one downside and it's the same for autorcm in general.. if for some reason the Switch didn't shutdown properly then the battery will drain faster than normal.

 

[Gep_Etto]

I see. Thanks.

 

[Gvaz]

Considering how easy and powerful the exploit is, the incentive to discover an untethered coldboot is low to zero. Hackers and developers couldn't care less as long as they get full access to the console. There is more to be gained by discovering an exploit that works on units with Fusee Gelee patched. SciresM himself posted a bounty for a potential untethered coldboot exploit 3 years ago which nobody has followed up on. None of us can say whether we will or will not get an untethered coldboot hack but chances aren't looking good to say the least.

This kind of mentality never makes sense to me.

You wouldn't want a way to do what you want to do easier and with less steps? WTF

 

[Draxzelex]

This kind of mentality never makes sense to me.

You wouldn't want a way to do what you want to do easier and with less steps? WTF

• The dilemma is not as simple as "less steps". You act like people aren't finding another exploit out of laziness when in reality, its not worth the effort to find another exploit because it requires too much time to find one for little payoff
• Its not even that many steps. With AutoRCM and a dongle, you can access CFW in the blink of an eye

 

[Gvaz]

I guess I wouldn't be a good engineer because that wouldn't satisfy me. I'd want to be able to press a button and get what I want without other devices or effort.

 

[M7L7NK7]

I used to be a massive advocate for untethered coldboot, but now I've realised I don't even turn my switch off lol

 

[fst312]

I used to be a massive advocate for untethered coldboot, but now I've realised I don't even turn my switch off lol

My switch is open most of the time too, can’t remember when I last turned it off. I can’t remember but I think turning off the switch and reopening it hurts the battery more somehow or is keeping open the thing that really does that. Whatever the case is my switch is mostly open.

 

[JackTheFroster]

Just wondering, what is with the coldboot exploit from fail0verflow "shofEL2"? in the video it seemed like they booted up the switch without any payload injection...

edit: yeah... it seems like it is the same rcm exploit. still wondering if the video shows a way of consistent boot or if its "fake" (payload injected before).

 

[M7L7NK7]

They strategically placed the switch so you can't see the usb cord, it's tethered

 

[JackTheFroster]

They strategically placed the switch so you can't see the usb cord, it's tethered

aah ok. thought of that too, but thanks for confirming

 

[VeniaSilente]

I guess I wouldn't be a good engineer because that wouldn't satisfy me. I'd want to be able to press a button and get what I want without other devices or effort.

You wouldn't be a good engineer but not because of that tho; a good engineer does get to look at both / all sides of the equation and consider the total cost involved in the system. Sure, you'd get to save yourself a grand total of one (1) and about 5 minutes of tinkering per power-up (which for eg.: non-Caffeine units means exactly the same as zero marginal time, at current time the only absolute benefit would be for Caffeine units), but that's largely offset by the 10~15 years time of R&D required to find an exploit and make it happen, and the risks in doing so (bricking machines? bad soldering? buying blueprints from totally reputable russian FTP sites? Nintendo ninjas?) and that is assuming there's even actually an exploit to take advantage from.

As a 86% engineer myself (covid has made last years of classes weird), my take is if (big if) there is currently a known exploit left, it's still bound enough to software (browser? gallery?) that the smartest thing to do for the devs is to observe Nintendo's behaviour for a couple more years and see if it's more feasible to release such method into the open once the Switch is EOL'd.

 

[xdMatthewbx]

You wouldn't be a good engineer but not because of that tho; a good engineer does get to look at both / all sides of the equation and consider the total cost involved in the system. Sure, you'd get to save yourself a grand total of one (1) and about 5 minutes of tinkering per power-up (which for eg.: non-Caffeine units means exactly the same as zero marginal time, at current time the only absolute benefit would be for Caffeine units), but that's largely offset by the 10~15 years time of R&D required to find an exploit and make it happen, and the risks in doing so (bricking machines? bad soldering? buying blueprints from totally reputable russian FTP sites? Nintendo ninjas?) and that is assuming there's even actually an exploit to take advantage from.

As a 86% engineer myself (covid has made last years of classes weird), my take is if (big if) there is currently a known exploit left, it's still bound enough to software (browser? gallery?) that the smartest thing to do for the devs is to observe Nintendo's behaviour for a couple more years and see if it's more feasible to release such method into the open once the Switch is EOL'd.

The last point specifically is my thought as well. Someone who has the knowledge to find a vulnerability that isn't another hardware exploit like fusee-gelee (the unpatched Switch exploit) likely has the foresight to hold on to it until EOL now. Release it now and Nintendo will patch it almost immediately, and it's effectively wasted. Wait until EOL and there's a decent chance that like with the Wii U and 3DS (referring to SeedMiner, NTRBoot is just as unpatchable as RCM) Nintendo won't bother to fix it since it's not their flagship console anymore, and then the Switch is easily hackable without a hardware mod forever. Much better in my opinion.

In the mean time, modchips (while overpriced right now) are easy to use once installed and basically exactly what you're looking for. The price of modchips is likely to go down as competitors enter the market and I'm hopeful an open-source (ie orderable off of PCBWay or any other PCB printing service) with a full list of components to use which will lead to these chips being sold eventually almost at cost, which shouldn't be more than 30$ (the cost of making them, that is. I expect the price to be at least 20$ more than that for pre-assembled ones, which is fair). There are plenty of people offering installation (including myself, and ModzvilleUSA, who takes send-ins) for these chips. Additionally, unpatched units are easy enough to obtain, and can also be almost as good as one of the glitch modchips using a Trinket (a hardware limitation of a Trinket is that it can't inject the payload while anything is plugged in, which means if the console is plugged in powered off it will boot RCM and then just sit there, but not a huge deal if you're aware of it), which costs no more than 15$ if you have soldering experience, similarly booting directly to a payload on your SD card (which Homlet's AIO Switch Updater automatically replaces when it installs updates). I recommend looking in to a modchip if you aren't on an unpatched, or a Trinket if you are on an unpatched, as I still think it makes life much easier even considering the above mentioned hardware limitation.

TL;DR wait for EOL or get a modchip, otherwise no

 

[JackTheFroster]

The last point specifically is my thought as well. Someone who has the knowledge to find a vulnerability that isn't another hardware exploit like fusee-gelee (the unpatched Switch exploit) likely has the foresight to hold on to it until EOL now. Release it now and Nintendo will patch it almost immediately, and it's effectively wasted. Wait until EOL and there's a decent chance that like with the Wii U and 3DS (referring to SeedMiner, NTRBoot is just as unpatchable as RCM) Nintendo won't bother to fix it since it's not their flagship console anymore, and then the Switch is easily hackable without a hardware mod forever. Much better in my opinion.

In the mean time, modchips (while overpriced right now) are easy to use once installed and basically exactly what you're looking for. The price of modchips is likely to go down as competitors enter the market and I'm hopeful an open-source (ie orderable off of PCBWay or any other PCB printing service) with a full list of components to use which will lead to these chips being sold eventually almost at cost, which shouldn't be more than 30$ (the cost of making them, that is. I expect the price to be at least 20$ more than that for pre-assembled ones, which is fair). There are plenty of people offering installation (including myself, and ModzvilleUSA, who takes send-ins) for these chips. Additionally, unpatched units are easy enough to obtain, and can also be almost as good as one of the glitch modchips using a Trinket (a hardware limitation of a Trinket is that it can't inject the payload while anything is plugged in, which means if the console is plugged in powered off it will boot RCM and then just sit there, but not a huge deal if you're aware of it), which costs no more than 15$ if you have soldering experience, similarly booting directly to a payload on your SD card (which Homlet's AIO Switch Updater automatically replaces when it installs updates). I recommend looking in to a modchip if you aren't on an unpatched, or a Trinket if you are on an unpatched, as I still think it makes life much easier even considering the above mentioned hardware limitation.

TL;DR wait for EOL or get a modchip, otherwise no

Also, when you have an unpatched one, using an android payload sender like NXLoader is fairly easier than always using a pc. Using an usb c to usb c cable is fairly cheaper than using a dongle.

Still, when it comes to exploits like the Tegra one, fail0verflow stated that they "release" exploits not that often since piracy can mostly profit from that. And while in that time TeamXecuter was announcing a paid method and others finding that same exploit pretty fast, they ended up releasing it too so others wont make money out of it or at least reducing the "damage". So if an exploit is fairly "easy" to find, hackers will probably find it and it depends on which person it is, they could release it or not. Having such talanted hackers which are also not releasing anything that fast earn much respect.