A Year In Nintendo Switch Hacks

T-hug

It's been a whole year since the worldwide launch of the Nintendo Switch, and in record time the fastest-selling console in history has already been cracked wide open, allowing it to run unsigned code, usually referred to as 'homebrew'.


There was a lot of chatter, pre-launch, surrounding Nintendo's latest hardware and how easy it would be to hack, so let's take a look back over the Switch's first year out in the wild:

2017

On March 14th 2017, less than two weeks after the Nintendo Switch hit store shelves, a WebKit exploit named PegaSwitch was released by a team of coders calling themselves ReSwitched. PegaSwitch did not itself allow the loading of homebrew; in the team's words, "By taking over WebKit, we are able to read/write memory, call native functions, and otherwise explore the functionality of the Switch from the domain of the WebKit process." In other words, it was a starting point: code execution confined to the browser process, with only that process's privileges, which anyone could build on to reach the same end goal of running homebrew on the Switch.

:arrow: PegaSwitch - A webkit exploit with support for JOP and function calling


When a new video game platform reaches the hacking community, the first thing to usually happen is that the system's games are ripped from whatever media they ship on, whether that is a DVD, a Blu-ray disc or, as is the case with most of Nintendo's hardware, proprietary cartridges. Being able to look at how the data is structured on a game card gives hackers great insight into how the system works.
Around four months after the launch of the Switch, on July 19th, the piracy scene group known as 'BigBlueBox' (BBB) started uploading data archives created from retail Nintendo Switch cartridges to the internet.
Currently, BigBlueBox is the only group to have released any Switch game cartridge 'dumps' onto the web.

:arrow: First Nintendo Switch Cartridge Dumps Released


In late December, at the 34th Chaos Communication Congress (34C3) in Leipzig, renowned hackers Derrek and plutoo demonstrated unsigned code running on a Nintendo Switch.

:arrow: 34c3 hacker conference starts 27th of December, Switch talk slated


2018

Moving into 2018, on Jan 2nd, a well-renowned scene hacking group known as Team Xecuter announce they will be releasing a Nintendo Switch modchip that will be "completely future proof" - a bold claim, but one that is cemented by the team's previous work and reputation in the Xbox hacking and modchip scene. No estimated date of release for the Switch modchip is given.

:arrow: Team-Xecuter announces future-proof Switch exploit


Less than a week after TX's modchip announcement, on Jan 7th, another scene group, fail0verflow, released a video on Twitter showing off their coldboot exploit proof of concept. Despite the name, this is not the 'cold boot attack' of recovering encryption keys from DRAM after a power cycle; in console hacking, a coldboot exploit is one that takes effect from the moment the system is powered on, before any of its own firmware has loaded. That is what makes it so valuable: it does not depend on which firmware version is installed, and it cannot simply be patched away with a system update.

:arrow: fail0verflow releases coldboot exploit proof of concept


With Nintendo Switch cartridge data now available on the internet via BigBlueBox, the next logical step is, of course, an emulator for PC. On January 14th 2018, the Yuzu emulator for PC was revealed to the public, actively being developed by coders who worked on the popular Citra 3DS emulator. Yuzu is currently unable to run any of the BBB Switch cartridge dumps.

:arrow: Yuzu Switch Emulator Released


The very next day after the Yuzu reveal, on January 15th, Team Xecuter reveal some hot info about their upcoming modchip exclusively to GBAtemp: "there is a solder and solderless version." The news is interesting, catering to both the tech-savvy and those who just want to play 30-year-old games on their 2017 hardware.

:arrow: Team Xecuter reveal info on upcoming Switch modchip


Less than a week later, on January 20th, a TrustZone exploit for firmware 1.0.0 known as jamais vu (French for 'never seen') was released. TrustZone is the processor's isolated 'secure world', which runs at a higher privilege level than the kernel and handles the system's most sensitive operations, such as its cryptographic keys. In layman's terms, having complete control over TrustZone lets the user tell the Switch that something is legitimate even when it isn't, and reach key material that the rest of the system is never allowed to see. Coupled with full kernel access, this was the beginning of the end of the Switch's security on lower firmware versions.

:arrow: jamais vu - a 1.0.0 TrustZone Code Execution Exploit for Nintendo Switch


February 2nd saw yet another important milestone for early Switch hacking, when scene release group BBB included a 'master key' in one of their Switch game cartridge dump archives. The key, a 128-bit AES key written out as 32 hexadecimal characters, is useless to the general public on its own, but by releasing it BBB enabled other hackers to decrypt Switch firmware and game cartridge files, up to firmware version 2.3.0.

:arrow: Pirate group release Switch Master Key


fail0verflow return on February 6th with another tweet, this time posting a single image, which appears to show Linux running on a Switch. It's significant because it means they now have substantial control over the Switch hardware.

:arrow: fail0verflow tease Linux on Switch


Whether the fast progress in software hacking was the reason or not, Team Xecuter announce they are delaying their Nintendo Switch modchip on Feb 15th, stating "we have experienced a few issues with the reliability of our entry point". The team go on to reiterate that the Switch modchip will still be released in the future, but no expected release window is given.

:arrow: Team Xecuter Delay Switch Modchip


The Switch scene is now really heating up: just two days later, on Feb 17th, it is announced that TrustZone exploits have also been achieved on firmware versions 4.x.

:arrow: Switch TrustZoneHax on 4.x


Also on the 17th, another coldboot exploit, fusée gelée (French for 'frozen rocket'), was revealed, this time by GBAtemp member @ktemkin. As the title of the announcement notes, it targets the Tegra X1, the system-on-chip at the heart of the Switch, rather than any particular firmware version.

:arrow: fusée gelée -- coldboot proof-of-concept for the Tegra X1


Following on from their original tease 11 days earlier, on February 17th fail0verflow now officially show Linux running on Switch with a video released on twitter.

:arrow: Fail0verflow shows off Linux running on the Nintendo Switch


February was a big month in the Switch hacking scene, 11 months after the Switch released to the public. On the 18th, the goal of running homebrew on retail Switch units became a reality with the release of an exploit package known as 'HBL 3.0.0'.
Potentially, any Switch owner can now download the exploit and run unsigned code on their system, such as emulators and FTP clients. But there is one huge caveat: as the name suggests, Switch owners must not have updated their unit's firmware any higher than version 3.0.0.
Usually homebrew is released as open source, so others can see how it works and help improve the code if they wish, but HBL was released with its installer code encrypted, to try to thwart other hackers from using the same exploit to enable piracy on the system.

:arrow: Switch Homebrew Launcher 3.0.0 Released


2019?

For now, that is where the Switch hacking scene is up to, at least in the public eye. Behind closed doors, however, there are still lots of teams working on hacking the Switch. Hacking a new system this early on is like an elaborate puzzle, where different groups of individuals discover and release snippets of technical information about the Switch's security online. Eventually, someone fits all the pieces together and we start to see more exploits appear, at first paving the way for homebrew applications and custom firmware, but ultimately leading to backup loaders and piracy. It can be fascinating to watch from the sidelines, as a real show of technical skill, to see who can do it and who is first, but it is also a blatant disregard for the platform holder's security measures and original intentions for the system.

With so much already achieved in just 12 months in the world of Switch hacks, it will be interesting to see what is next for Nintendo's youngest platform, and what state it is in another year from now.


:arrow: GBAtemp Nintendo Switch Hacking & Homebrew Forum
 

Tom Bombadildo
To be honest, probably no one is even bothering with Xboner because there's no demand for it, to say the least.
It's more because the Xbox One's dev mode already allows for homebrew apps for mass users without requiring any kind of hack whatsoever. The only thing you can't do is pirate games which (for the most part, anyways) most devs aren't much interested in releasing exploits for. That's pretty much the only reason none of the private exploits have been released.

As to the article, that's what you get when you use a bog standard off the shelf SoC with documentation readily available for free. Which is nice, I suppose.
 
