Let me save you the suspense; the Switch 2 won't get hacked

  • Thread starter Thread starter FernandoRocker
  • Start date Start date
  • Views Views 55,582
  • Replies Replies 305
  • Likes Likes 24

FernandoRocker

Well-Known Member
Member
Joined
Apr 11, 2025
Messages
124
Reaction score
309
Trophies
1
Age
42
XP
777
Country
Mexico
First off: outside of very early firmwares, the original Switch doesn’t have any exploitable kernel bugs. There are entry points, but nothing that hands you a full custom firmware. So why does hacking still happen? Because Nvidia screwed up.

Early Switch units became infamous because a simple hardware trick could get you into the device. That “paper-clip” entry point wasn’t some accidental miracle: the Tegra X1 has a recovery mode Nintendo and Nvidia actually use for servicing and flashing. Hackers found two big problems there: recovery mode didn’t check how big a payload was (so it could overflow), and memory wasn’t cleared. Those flaws let attackers run code at the very earliest stage, before Nintendo’s software even starts, and it was devastating. Nintendo fixed it in later chips and changed the USB stack, so that particular exploit (RCM) is a non-starter on newer hardware and won’t be coming back on Switch 2.

The other big class of attacks is voltage glitching. The idea is simple: briefly disturb the CPU’s power so it skips an instruction, and if you hit the right instruction, you can skip crucial checks like signature verification. That’s why early modchips could halt the CPU, inject their own boot code, and then glitch the power at just the right moment to bypass signed checks, essentially re-creating the powerful chain that RCM enabled. With the T239 platform, though, Nvidia and Nintendo put a lot of engineering into stopping both RCM-style problems and glitching.

Software exploits look unlikely, NS2 uses the same kernel and firmware lineage as NS1, and RCM-style bugs aren’t present on T239. Voltage glitching faces two major, practical hurdles. The first is dual-core lockstep: two cores run the same instructions and a comparator checks they match. If one core is fudged, the chip notices and locks down. To beat that you’d need to glitch both cores simultaneously with extreme precision, not easy and not reliable. The second is that the boot/power-management processor is now explicitly untrusted on NS2: anything you could do on that processor won’t let you initialize the rest of the system. You might be able to dump something interesting, but it won’t get you to a usable custom firmware.

That basically leaves two other, much harder targets: NVRISCV (Nvidia’s mostly undocumented security processor) and CCPLEX, the cluster of CPU cores themselves. NVRISCV was designed to resist glitching and to be a sealed black box; attacking it would be like finding a needle in a haystack. CCPLEX attacks would be thwarted in theory by firmware updates and other protections. In short, there’s no obvious silver bullet for NS2, whatever breaks it is likely to be far more sophisticated than what we saw with the 360 hypervisor.

Here is a video from NVIDAI where they talk about this:

 
First off: outside of very early firmwares, the original Switch doesn’t have any exploitable kernel bugs. There are entry points, but nothing that hands you a full custom firmware. So why does hacking still happen? Because Nvidia screwed up.

Early Switch units became infamous because a simple hardware trick could get you into the device. That “paper-clip” entry point wasn’t some accidental miracle: the Tegra X1 has a recovery mode Nintendo and Nvidia actually use for servicing and flashing. Hackers found two big problems there: recovery mode didn’t check how big a payload was (so it could overflow), and memory wasn’t cleared. Those flaws let attackers run code at the very earliest stage, before Nintendo’s software even starts, and it was devastating. Nintendo fixed it in later chips and changed the USB stack, so that particular exploit (RCM) is a non-starter on newer hardware and won’t be coming back on Switch 2.

The other big class of attacks is voltage glitching. The idea is simple: briefly disturb the CPU’s power so it skips an instruction, and if you hit the right instruction, you can skip crucial checks like signature verification. That’s why early modchips could halt the CPU, inject their own boot code, and then glitch the power at just the right moment to bypass signed checks, essentially re-creating the powerful chain that RCM enabled. With the T239 platform, though, Nvidia and Nintendo put a lot of engineering into stopping both RCM-style problems and glitching.


Software exploits look unlikely, NS2 uses the same kernel and firmware lineage as NS1, and RCM-style bugs aren’t present on T239. Voltage glitching faces two major, practical hurdles. The first is dual-core lockstep: two cores run the same instructions and a comparator checks they match. If one core is fudged, the chip notices and locks down. To beat that you’d need to glitch both cores simultaneously with extreme precision, not easy and not reliable. The second is that the boot/power-management processor is now explicitly untrusted on NS2: anything you could do on that processor won’t let you initialize the rest of the system. You might be able to dump something interesting, but it won’t get you to a usable custom firmware.


That basically leaves two other, much harder targets: NVRISCV (Nvidia’s mostly undocumented security processor) and CCPLEX, the cluster of CPU cores themselves. NVRISCV was designed to resist glitching and to be a sealed black box; attacking it would be like finding a needle in a haystack. CCPLEX attacks would be thwarted in theory by firmware updates and other protections. In short, there’s no obvious silver bullet for NS2, whatever breaks it is likely to be far more sophisticated than what we saw with the 360 hypervisor.

Here is a video from NVIDAI where they talk about this:

youtube.com/watch?si=-l565IVgDihCNvh0&v=7Lx3692cbAg&feature=youtu.be
May I remind you of the Xbox 360? People said it would never get a softmod, and the creator himself said that BadUpdate's reliability/speed could not be improved. And both were proven wrong, the latter in a very short time.

Everything gets hacked eventually. From everything we know about past history, it is simply not possible to design a 100% secure software. It just takes the right person with the right idea looking in the right place. And while the software architecture of the Switch (2) does make it challenging, it is just that - a challenge.
 
May I remind you of the Xbox 360? People said it would never get a softmod, and the creator himself said that BadUpdate's reliability/speed could not be improved. And both were proven wrong.

Everything gets hacked eventually. From everything we know about past history, it is simply not possible to design a 100% secure software. It just takes the right person with the right idea looking in the right place. And while the software architecture of the Switch (2) does make it challenging, it is just that - a challenge.
Well, set up a reminder, come back here in a few years, and see it yourself.
 
May I remind you of the Xbox 360? People said it would never get a softmod, and the creator himself said that BadUpdate's reliability/speed could not be improved. And both were proven wrong, the latter in a very short time.

Everything gets hacked eventually. From everything we know about past history, it is simply not possible to design a 100% secure software. It just takes the right person with the right idea looking in the right place. And while the software architecture of the Switch (2) does make it challenging, it is just that - a challenge.
I think using bad update from the 360 is not a good comparison here.

To even reverse engineer the 360 to begin with it took years of prior hacks existing that allowed for that. Also to even start that chain it relies on the unique quirk of the 360 allowing to install free demos and save files from any usb device. We don't even have that for the switch consoles.

And lets be honest if the 360 was still priority for MS the exploit would have been quietly fixed in a dashboard update before any of us even knew about it.
 
I think using bad update from the 360 is not a good comparison here.

To even reverse engineer the 360 to begin with it took years of prior hacks existing that allowed for that. Also to even start that chain it relies on the unique quirk of the 360 allowing to install free demos and save files from any usb device. We don't even have that for the switch consoles.

And lets be honest if the 360 was still priority for MS the exploit would have been quietly fixed in a dashboard update before any of us even knew about it.
We havd already had years of prior hacks existing. Switch 2 runs largely the same HOS as the OG Switch as far as we know. And HOS is quite well understood. Most of the research that has been done on OG Switch applies to Switch 2 as well. And the Switch receives the same updates as the Switch 2.

The Switch 2 still has the captive browser. It's been used as an entry point before, and it could potentially be used again. Finding an entrypoint isn't the problem.
We also have the ability to transfer saves between Switch and Switch 2, including modified save data. So that's something we do have that we can potentially take advantage of. But again, the entrypoint is the easy part.

Don't get me wrong, I'm not saying a softmod will happen any time soon. It could be 1 year, or 10, but probably somewhere in the middle. It almost certainly won't be hacked anywhere near as quickly as the OG Switch.

What will probably be the first thing to happen is a hardmod, and that will blow the door open for softmod research and reverse engineering efforts that couldn't easily be done without already having code execution capabilities.
 
Last edited by The Real Jdbye,
Doesn't matter if it's unexploitable or unglitchable. There will be a leak because Nintendo is Nintendo.
Having a leak won't help. Even if you know the source code of something, breaking into it is a different matter. We know the source of pretty much any open encryption standard, but that doesn't make them easily breakable.

Think of it like a bank that has had multiple break-ins. Each break-in forces the bank to up its security. It won't make sense for the bank to keep being hacked or robbed from, even after so many security updates, especially when every possible entry point has multiple layers of locks. The entry points are also few. Even if you have the security plan of the whole bank, finding a way inside would just be as difficult as when you didn't know the plan. That's because they also have security auditors analyzing their own plans each day.

To my knowledge, and correct me if I'm wrong, there has not been any exploit discovered because of a data leak, of any kind, ever since the internet became wide spread.
 
  • Love
Reactions: ChibiMofo
Having a leak won't help. Even if you know the source code of something, breaking into it is a different matter. We know the source of pretty much any open encryption standard, but that doesn't make them easily breakable.

Think of it like a bank that has had multiple break-ins. Each break-in forces the bank to up its security. It won't make sense for the bank to keep being hacked or robbed from, even after so many security updates, especially when every possible entry point has multiple layers of locks. The entry points are also few. Even if you have the security plan of the whole bank, finding a way inside would just be as difficult as when you didn't know the plan. That's because they also have security auditors analyzing their own plans each day.

To my knowledge, and correct me if I'm wrong, there has not been any exploit discovered because of a data leak, of any kind, ever since the internet became wide spread.
Most developers and exploit researchers won't touch leaks because it's bad mojo and anything made using illegal leaks is also illegal. So there could never be a version of Atmosphere made using leaks because it would get taken down and the creators would be sued, fined and/or jailed. Reverse engineering on the other hand is still legal in many parts of the world.
Flashcart and modchip manufacturers are not subject to the same though because most of them are based in China and are anonymous. So they can bribe employees to get the information they need and they're never in much real risk. Whether such a thing happens behind closed doors we'll never know of course, but it's not out of the realm of possibility. You can bet that information is worth a lot to those companies, and one does wonder how especially flashcarts like the Sky3DS and MIG Switch were possible, which fully emulate a real cartridge, with encryption and all.
 
Last edited by The Real Jdbye,
Most developers and exploit researchers won't touch leaks because it's bad mojo and anything made using illegal leaks is also illegal. So there could never be a version of Atmosphere made using leaks because it would get taken down and the creators would be sued, fined and/or jailed. Reverse engineering on the other hand is still legal in many parts of the world.
Flashcart and modchip manufacturers are not subject to the same though because most of them are based in China and are anonymous. So they can bribe employees to get the information they need and they're never in much real risk. Whether such a thing happens behind closed doors we'll never know of course, but it's not out of the realm of possibility. You can bet that information is worth a lot to those companies, and one does wonder how especially flashcarts like the Sky3DS and MIG Switch were possible, which fully emulate a real cartridge, with encryption and all.
Sky3DS and MIG flashcards were created "after" the system was hacked, not before.

MIG for example: Can't decrypt the games without the encryption keys. And a hack needed to happen first to get the keys.
Post automatically merged:

nope, the real hackers say that in their discord.
We all follow the same Discords.
 
Sky3DS and MIG flashcards were created "after" the system was hacked, not before.

MIG for example: Can't decrypt the games without the encryption keys. And a hack needed to happen first to get the keys.
Post automatically merged:


We all follow the same Discords.
Are the keys for the cartridge side of the encryption even in the OS? You'd think they would use different keys so that even if you have the console keys, you can't "hack" the cartridge side to run ROMs without disabling said encryption (which would only ever work on a modded system). Which was probably why the Gateway 3DS worked the way it did, emulating a cartridge minus the encryption and requiring CFW to actually work.

It's not a much talked about topic because exploit researchers and developers aren't interested in something that is only useful for enabling piracy, so I don't actually know the fine details of how the cartridge communication works on either the 3DS or Switch. But it was mentioned by someone that did look into how the Gateway 3DS worked that it was essentially emulating a cartridge minus the encryption.
 
Last edited by The Real Jdbye,
Are the keys for the cartridge side of the encryption even in the OS? You'd think they would use different keys so that even if you have the console keys, you can't "hack" the cartridge side to run ROMs without disabling said encryption (which would only ever work on a modded system). Which was probably why the Gateway 3DS worked the way it did, emulating a cartridge minus the encryption and requiring CFW to actually work.

It's not a much talked about topic because exploit researchers and developers aren't interested in something that is only useful for enabling piracy, so I don't actually know the fine details of how the cartridge communication works on either the 3DS or Switch. But it was mentioned by someone that did look into how the Gateway 3DS worked that it was essentially emulating a cartridge minus the encryption.
The Switch 2 now has unique keys for each system, I believe.
 
Are the keys for the cartridge side of the encryption even in the OS? You'd think they would use different keys so that even if you have the console keys, you can't "hack" the cartridge side to run ROMs without disabling said encryption (which would only ever work on a modded system). Which was probably why the Gateway 3DS worked the way it did, emulating a cartridge minus the encryption and requiring CFW to actually work.

It's not a much talked about topic because exploit researchers and developers aren't interested in something that is only useful for enabling piracy, so I don't actually know the fine details of how the cartridge communication works on either the 3DS or Switch. But it was mentioned by someone that did look into how the Gateway 3DS worked that it was essentially emulating a cartridge minus the encryption.
all the things related to how carts work is done via the lotus3 chip on the switch 1 board, including verifying the legitimacy of game carts as well as decrypting the contents of them.

It is unknown how MiG actually reverse engineered it, There is 2 theories
1. They successfully decapped the chip and studied it and reverse engineered how it works.
2. Used information straight up stolen from Nintendo.
 
  • Like
  • Haha
Reactions: ChibiMofo and Exnor

Site & Scene News

Popular threads in this forum