An Interview with a Switch Hacker

There have been a lot of developments in the Switch homebrew scene in the last 12 months, and we wanted to talk to someone who is at the forefront of it all, someone who is actively hacking the Nintendo Switch platform.
​

​

What follows is an unedited interview from March 2018 with 'Michael' - otherwise known as SciresM.

INTERVIEW START

[GBAtemp] Hi SciresM, thanks for agreeing to talk to us. How long have you been a hacker, and how did you start?

Since early 2014, when datel added support for Pokemon X/Y to their Powersaves device.
I joined ProjectPokemon's IRC, and eventually found a flaw in their product that allowed for resigning arbitrary 3DS savedata (this was before the 3DS had been blown open). I then started doing game reverse engineering to aid development of PKHeX, and eventually transitioned to doing actual exploit dev work near the end of the 3DS's lifecycle.

[GBAtemp] Were you involved in the 3DS hacking scene, and to what capacity?

Yes -- as above, I joined the 3DS scene in 2014, and made a number of savegame editors in 2014/2015, and datamined all Pokemon titles/demos as they released until they stopped being made for the platform. I also implemented the first "OTPless" arm9loaderhax solution in winter of 2016, and released boot9strap in May of 2017.

[GBAtemp] Why do you hack the Nintendo Switch?

There are three main reasons:
-I love Nintendo's hardware and custom software, and I want to understand how all of it works.
-I want to have arbitrary code execution on the hardware that I own.
-There are Pokemon games releasing for the Nintendo Switch.

[GBAtemp] Are you a solo hacker or part of a larger group?

I'm a member of ReSwitched, a team with the aim of enabling public homebrew solutions for the Switch. I don't think being a solo hacker is really feasible -- getting a group of talented people together to share thoughts and work together is how you get good outcomes, and I love the team/community we've created.

I should note that pretty much all the active groups share information and work together, to some extent, though -- we work
pretty closely with other people like qlutoo, yellows8, and hexkyz.

[GBAtemp] How long did it take from the March 2017 retail release of the Switch for you to gain access to the firmware?

It depends on what you mean by "firmware". We first managed to break into the web browser's sandbox when Schala implemented the "Pegasus" vulnerability the day after the console released, but we didn't manage to break into the code for the OS's system modules until Misson20000 and Schala found the winning pair of vulnerabilities in June, 2017. It's also possible by "firmware" you mean "kernel" or "TrustZone" code, in which case the answer would be that Motezazer and I got code execution at those levels (and thus dumped their code for the first time) in November and December 2017, respectively.

[GBAtemp] Can you tell me about the nature of any current exploits? (not asking for exact specific detail, just layman's
terms of what is allowing you to compromise the Switch's security).

Our TrustZone exploits all fundamentally rely on a Tegra design flaw: the system's go-to-sleep-and-wake-up process is dangerous. You can read more about one way of exploiting that in our Jamais Vu writeup from earlier this year: https://www.reddit.com/r/SwitchHack...is_vu_a_100_trustzone_code_execution_exploit/

[GBAtemp] What do you think of Nintendo's efforts to secure the Switch?

I think that software-wise, Nintendo has done a really great job. Their operating system, Horizon, is a new, updated version of the OS on the 3DS -- with all of the hardening that has come from the 3DS's years of security issues. There have been a few unfortunate mistakes on their part, but by and large HOS is extremely secure. We've still not seen even one traditional exploitable vulnerability in the HOS kernel, which I think speaks well of the investment Nintendo has been making into securing their platform. I think that the Switch's biggest weakness, security-wise, is that it's running on (and has to be designed around) the Tegra X1 hardware.

[GBAtemp] At what level do you have control over the Switch, is it completely compromised?

The switch has been completely compromised.

[GBAtemp] Did the recently discovered flaw in Intel chips have anything to do with the current Switch exploits?

To my knowledge, nobody has used the Spectre or Meltdown vulnerabilities to do anything interesting on the Switch. I think it's theoretically vulnerable to a Spectre variant, though.

[GBAtemp] Can Nintendo counter your findings?

All current hardware can be compromised. They can mitigate vulnerabilities in newer units, though, either via a hardware revision or updating the bootrom patches written at the factory.

[GBAtemp] Can you see Nintendo releasing Switch hardware revisions in the future to try and fix this?

Yes, they're currently in the process of doing so with a new SoC called "Mariko". I expect this will be a "silent revision", where newer units will start being sold using
the newer hardware without any special marketing.

[GBAtemp] What is your end goal with Switch hacking?

We want to create an engaged homebrew scene and do our best to foster a good, healthy community around it.

My personal goal is to continue hacking Pokemon games on the Switch (adding support for save editing via PKHeX, enable custom ROM hack content, etc).

[GBAtemp] What do you think about Team Xecuter's announcement of a solder and solderless Switch modchip?

I think it's irresponsible of them to try to profit off of a bootrom 0-day vulnerability that affects more products than just the Switch, and I don't think they provide anything of value to the community.

INTERVIEW END

So there we have it, a bit of insight into how someone can end up hacking a video game system. It's kind of ironic, how the love of a game, in this case Pokemon, can inadvertently lead to Nintendo's latest gaming platform becoming completely compromised.

Thanks to SciresM, for talking to us for the purpose of this article.

We wanted different perspectives from different groups for this piece, so we also contacted Team Xecuter, who declined to comment and answer the same set of questions for this article.

We also contacted fail0verflow, who also declined to comment on a set of questions for this article.


Contact GBAtemp