An Interview with a Switch Hacker

Discussion in 'Switch - Exploits, Custom Firmwares & Soft Mods' started by T-hug, Apr 10, 2018.


    There have been a lot of developments in the Switch homebrew scene in the last 12 months, and we wanted to talk to someone who is at the forefront of it all, someone who is actively hacking the Nintendo Switch platform.

    What follows is an unedited interview from March 2018 with 'Michael' - otherwise known as SciresM.

    INTERVIEW START


    [GBAtemp] Hi SciresM, thanks for agreeing to talk to us. How long have you been a hacker, and how did you start?

    Since early 2014, when Datel added support for Pokemon X/Y to their Powersaves device.
    I joined ProjectPokemon's IRC, and eventually found a flaw in their product that allowed for resigning arbitrary 3DS savedata (this was before the 3DS had been blown open). I then started doing game reverse engineering to aid development of PKHeX, and eventually transitioned to doing actual exploit dev work near the end of the 3DS's lifecycle.



    [GBAtemp] Were you involved in the 3DS hacking scene, and to what capacity?

    Yes -- as above, I joined the 3DS scene in 2014, and made a number of savegame editors in 2014/2015, and datamined all Pokemon titles/demos as they released until they stopped being made for the platform. I also implemented the first "OTPless" arm9loaderhax solution in winter of 2016, and released boot9strap in May of 2017.



    [GBAtemp] Why do you hack the Nintendo Switch?

    There are three main reasons:
    -I love Nintendo's hardware and custom software, and I want to understand how all of it works.
    -I want to have arbitrary code execution on the hardware that I own.
    -There are Pokemon games releasing for the Nintendo Switch.



    [GBAtemp] Are you a solo hacker or part of a larger group?

    I'm a member of ReSwitched, a team with the aim of enabling public homebrew solutions for the Switch. I don't think being a solo hacker is really feasible -- getting a group of talented people together to share thoughts and work together is how you get good outcomes, and I love the team/community we've created.

    I should note that pretty much all the active groups share information and work together, to some extent, though -- we work pretty closely with other people like qlutoo, yellows8, and hexkyz.



    [GBAtemp] How long did it take from the March 2017 retail release of the Switch for you to gain access to the firmware?

    It depends on what you mean by "firmware". We first managed to break into the web browser's sandbox when Schala implemented the "Pegasus" vulnerability the day after the console released, but we didn't manage to break into the code for the OS's system modules until Misson20000 and Schala found the winning pair of vulnerabilities in June, 2017. It's also possible by "firmware" you mean "kernel" or "TrustZone" code, in which case the answer would be that Motezazer and I got code execution at those levels (and thus dumped their code for the first time) in November and December 2017, respectively.



    [GBAtemp] Can you tell me about the nature of any current exploits? (not asking for exact specific detail, just layman's terms of what is allowing you to compromise the Switch's security).

    Our TrustZone exploits all fundamentally rely on a Tegra design flaw: the system's go-to-sleep-and-wake-up process is dangerous. You can read more about one way of exploiting that in our Jamais Vu writeup from earlier this year: https://www.reddit.com/r/SwitchHack...is_vu_a_100_trustzone_code_execution_exploit/



    [GBAtemp] What do you think of Nintendo's efforts to secure the Switch?

    I think that software-wise, Nintendo has done a really great job. Their operating system, Horizon, is a new, updated version of the OS on the 3DS -- with all of the hardening that has come from the 3DS's years of security issues. There have been a few unfortunate mistakes on their part, but by and large HOS is extremely secure. We've still not seen even one traditional exploitable vulnerability in the HOS kernel, which I think speaks well of the investment Nintendo has been making into securing their platform. I think that the Switch's biggest weakness, security-wise, is that it's running on (and has to be designed around) the Tegra X1 hardware.



    [GBAtemp] At what level do you have control over the Switch, is it completely compromised?

    The Switch has been completely compromised.



    [GBAtemp] Did the recently discovered flaw in Intel chips have anything to do with the current Switch exploits?

    To my knowledge, nobody has used the Spectre or Meltdown vulnerabilities to do anything interesting on the Switch. I think it's theoretically vulnerable to a Spectre variant, though.



    [GBAtemp] Can Nintendo counter your findings?

    All current hardware can be compromised. They can mitigate vulnerabilities in newer units, though, either via a hardware revision or updating the bootrom patches written at the factory.



    [GBAtemp] Can you see Nintendo releasing Switch hardware revisions in the future to try and fix this?

    Yes, they're currently in the process of doing so with a new SoC called "Mariko". I expect this will be a "silent revision", where newer units will start being sold using the newer hardware without any special marketing.



    [GBAtemp] What is your end goal with Switch hacking?

    We want to create an engaged homebrew scene and do our best to foster a good, healthy community around it.

    My personal goal is to continue hacking Pokemon games on the Switch (adding support for save editing via PKHeX, enable custom ROM hack content, etc).



    [GBAtemp] What do you think about Team Xecuter's announcement of a solder and solderless Switch modchip?

    I think it's irresponsible of them to try to profit off of a bootrom 0-day vulnerability that affects more products than just the Switch, and I don't think they provide anything of value to the community.



    INTERVIEW END


    So there we have it, a bit of insight into how someone can end up hacking a video game system. It's kind of ironic, how the love of a game, in this case Pokemon, can inadvertently lead to Nintendo's latest gaming platform becoming completely compromised.

    Thanks to SciresM, for talking to us for the purpose of this article.

    We wanted different perspectives from different groups for this piece, so we also contacted Team Xecuter, who declined to comment and answer the same set of questions for this article.

    We also contacted fail0verflow, who also declined to comment on a set of questions for this article.


    Discussion (100 replies)
  4. Chary

    That looks like a fun interview! Neat to see his perspective on all the Switch stuff going on lately. Seems like he really knows what he's doing in terms of understanding what makes the system tick, too, which is impressive stuff.
     
  5. pandavova

    if you want, am i right?

    I guess this is slightly off-topic, but I would never have played so many 3DS games if I hadn't visited this site.

    But I'm more "scared" of Switch piracy than I was on the 3DS. Mostly I'm scared of bans. You don't really care today if you get an eShop ban on the 3DS (which is 3DS only), but you would care if you just bought something for ~300€ and its lifetime is just beginning.

    I'm really struggling with whether I should buy a Switch or not; I don't have 300€+ lying around. I guess I need to buy it (if I do) this summer; hopefully there won't be new Switches that fast.
  7. BlueFox gui

    Well, I have reasons to pirate; if I could buy games I would, but meh. Also, just like on the 3DS, I guess there are ways to not get banned on the Switch, I don't know.
  8. pandavova

    For now it's just a big mystery; we can only hope that they won't be shooting out bans.

    But I hope that the homebrew game community will make some nice games/ports for the Switch too.
    Example: Super Mario War on the Switch. One Joy-Con = one player.
    I would love it.
  9. BlueFox gui

    Maybe. I don't have a Switch, so I just want things for the 3DS, lol.
  10. DinohScene

    Hm, interesting that TX has no comment on it and neither does f0f.
    Can kinda understand their motives.
  11. guily6669

    Same here... I almost had no money for the console itself... I bought it in a promotion for 80€ less, 250€ instead of 330€.

    And anyway, most Nintendo games don't please me much either; I'm more interested in the multiplatform games. I wonder why I would pay 50€ for a Bomberman that is not even as good as Neo Bomberman, I love that game...

    Even the same game that could be 2€ on Steam would already be 20€ on the Switch, too expensive...

    I usually buy like one game each year for my PS4, but for around 20€ I can buy almost any triple-A game for the console a few months to around a year after the game releases in promotions, and I prefer simulation games on the PC.
    TX actually already said in their latest posts about Kate Temkin (Fusée Gelée) that she has no clue at all how their product works and that a lot of her FAQ is kinda wrong...

    We can only wait to see what TX will really do. It might also be glitching the CPU to crash it, but if the chip already has flaws I bet they are actually doing something similar to Kate, but just in an all-in-one chip; however, it may bring a NAND chip or other special features. Can't wait to see what they will come out with.

    PS: I have nothing to say about any hack/hacking group other than I like them all :D...
  12. VinsCool

    That's really kind of them to get interviewed :)
     
  13. Don Jon

    It's the butterfly effect.
  14. Subtle Demise

    Oh, like the media center on Tesla cars, the Nvidia Shield and a small number of Android phones? This is getting blown out of proportion.
  15. normal19

    Nice.
  16. Giga_Gaia

    It doesn't matter to me, since I won't get banned because I won't go online on my Switch anymore. Why would you anyway? You'd still need to pay $20 a year for it, and if you just want to buy stuff from the eShop, just do like everyone else and pirate it.

    I don't think you will need to pay the $20 yearly subscription to their online service to trade Pokémon when the games release, but I don't care if I miss out on that; PKHeX or something similar makes it unnecessary to even go online and do any trading.

    I really don't feel any remorse about pirating anything from Nintendo here. They're unbelievably greedy. Their games are never on sale, and when they are, the sales are garbage. Their games take forever to drop in price. Their accessories are far too expensive. The Pro Controller is more expensive than a PS4 or Xbox One controller and it really doesn't offer more. You also need to fork out $29.99 for another Switch charger if you want one, and they're basically robbing you because the thing probably costs close to nothing to produce.

    You could tell someone to use third-party docks, chargers and controllers, but someone would have to be insane to do so because third-party accessories are always very poorly made and the quality is terrible.
  17. Darkyose

    Nice information. Hope they can do CFW soon.
  18. zoogie

    It's a nice surprise to see community-focused content like this, @T-hug.
    It would be really cool if you could get more hacker interviews, with long-time GBAtemper @smealum, for instance.

    Very nice job.
  19. cots

    I don't agree with the Team Xecuter response. If TX is providing an alternative way to run homebrew on all released Switch consoles, then that's a good thing. I would rather have spent $60 on a modchip for the 3DS than spend 8 hours installing a9lh. Something stable that won't get fixed on the current hardware is more important to me than some finicky software method that will probably require you to buy stuff anyway to get it working.
  20. guily6669

    I vote for squeezing the TX team :) please get them on the phone.
    No one can be 100% sure about TX until after release... But I agree with them on the part that there's no need to attack, as they have also released nice things before... The rest, again, I have no idea; they might also be attacking Kate in response...

    Anyway, you will have the choice, so only buy if you want to... Even if they offer something beyond amazing, I will first try CFW and keep waiting for people's reports on the TX device; if the community's consoles don't die after 1 or 2 months, then I might buy a TX chip, if it really offers anything more, like a NAND chip or some other crap...
  21. zoogie

    That would be entertaining from a shitshow perspective. :P
     
  22. Rune

    That's the best news so far.
  23. untok

    Silent revision to switch to the new Mariko unit. Interesting to know that he is part of that OTP-less 3DS hacking too. Remember that OTP downgrade time, that was scary on the New 3DS and 2DS. :ohnoes: