MaxConsole Posts photos of the new TX Switch modchip

Someone spilled the beans earlier today, and took photos of their Switch console with the new TX Switch Modchip installed!

Pictures, they say, are worth more than 1000 words, and in this case earlier today MaxConsole posted 3 of them, showcasing what appears to be the new TX Switch ModChip installed on a console. :)
From what he agreed to tell us, they are still improving the product on both Mariko and patched Switch, so the first shipment will only be after Chinese New Year. Unfortunately, that is a good month away (or more). For information, he added that the product also works on unpatched consoles, so basically all classic models function with this product. Still, the product is coming, getting closer, and a separate product for Switch Lite is also underway. I guess we will have to be a bit more patient for more info.

The pictures only show part of the installation because he was concerned about being identified by board numbers or such. But he promised he will send us more info in the weeks to come. So probably the next 4 weeks until CNY is over, and then we can hopefully also receive our own final review samples!


Source: MaxConsole
 

smf

RCM is activated (by intercepting eMMC) - Pull your emmc, that activates RCM...

Then, it looks like they are allowing boot0/1/PRODINFO/TSEC/FALCON to do its stuff, as a stock console would, and patching stuff on the fly.

I do wonder whether it is exploiting RCM or standard boot. Probably something dumb like returning the original data when it's being checked and then serving up a buffer overflow exploit.

> Why reverse engineer when you can boot other payloads from the SX OS menu?

To pirate the piracy device. Thing is, by the time someone has done it then Nintendo will have released patched hardware again and TX will have sold modchips to everyone who wants to buy one. So, not sure it's worth it.

> You tell us, who else has a working exploit for the new systems?

Nobody knows for sure. However, this exploit is likely the one they had working before fusee gelee came out; it would have been really stupid of them to burn another exploit at the time, so they put it on hold & released a new dongle.

gamesquest1

> it doesn't seem easy for someone without solder skills
looks like it's a solderless mod chip all done through the NAND interface, will have to wait to find out, but IIRC they did say it was going to be solderless a while back

if so it will just be a matter of unclipping your NAND, clipping it into the mod chip, then clipping the mod chip in its place... ain't no business for tiny soldering guy here

mattytrog

> I do wonder whether it is exploiting RCM or standard boot. Probably something dumb like returning the original data when it's being checked and then serving up a buffer overflow exploit.
>
> To pirate the piracy device.
>
> Nobody knows for sure.
I think RCM is being used. At least to "partially" corrupt the stack, to allow something to be pushed (this would explain the further problems and delays that are occurring on Mariko). Then the SX firmware needs to hijack what it needs, i.e. BIS keys etc., before the TSEC payload is destroyed.

I'm far from an expert on higher level stuff, but I said previously that it could be relying on glitching. However, rather than glitching GPIO (as we know it) it is glitching the eMMC bus. Something is making the stack at least partially collapse (pre-Falcon)...

All will be revealed I guess.

I think they are so so close with Mariko, but results are inconsistent. Two different approaches for the different SoC.

Fair play to them for investing the dollars needed to prototype such hacks.

A lot of us probably have a decent knowledge, but lack the means to buy stuff for testing. Especially if it's going to be FOSS.
 

leerpsp

My plan was to buy a switch with a bigger battery and swap the battery with my hacked one, but I think it would be a better idea to sell the one I have now and get the one with the bigger battery, although I am thinking I should hold off till the switch pro (if real) comes out in hopes this will work with it.
 

smf

> I think RCM is being used. At least to "partially" corrupt the stack, to allow something to be pushed (this would explain the further problems and delays that are occurring on Mariko). Then the SX firmware needs to hijack what it needs, i.e. BIS keys etc., before the TSEC payload is destroyed.

My understanding is that RCM is triggered before any of Nintendo's code is loaded, so there is nothing to be destroyed.

If you can send a command to load code from MMC then there might be a bug in it that allows you to bypass signing, if RCM is doing something stupid. Which would explain their "more than one RCM bug" claim.
 

Spider_Man

> I do wonder whether it is exploiting RCM or standard boot. Probably something dumb like returning the original data when it's being checked and then serving up a buffer overflow exploit.
>
> To pirate the piracy device. Thing is, by the time someone has done it then Nintendo will have released patched hardware again and TX will have sold modchips to everyone who wants to buy one. So, not sure it's worth it.
>
> Nobody knows for sure. However, this exploit is likely the one they had working before fusee gelee came out; it would have been really stupid of them to burn another exploit at the time, so they put it on hold & released a new dongle.
But even if someone else reverse engineers it, it's still going to be another hardware mod.

So doing so is pointless as it won't be free.

So you might as well not bother, and the haters stop being cheap, buy the product, support the scene that's made this possible rather than buy a cheap clone.

SommaCruz

As told before in this post, the previous video shows that CFWs can be loaded. It makes no sense that the mod only loads SX OS. There are other CFWs and lots of people prefer them instead of SX OS.
 

mattytrog

> My understanding is that RCM is triggered before any of Nintendo's code is loaded, so there is nothing to be destroyed.
>
> If you can send a command to load code from MMC then there might be a bug in it that allows you to bypass signing, if RCM is doing something stupid. Which would explain their "more than one RCM bug" claim.


I should have been clearer sorry!

I meant they are just using RCM to get something to the tegra in the first place.

Anything that comes after (i.e. Falcon stuff) isn't anything to do with RCM, and as you say, there is nowt to destroy.

Some kind of emmc emulation/hijack is possible too.

Guess we will find out in due course :)

matias3ds

> looks like it's a solderless mod chip all done through the NAND interface, will have to wait to find out, but IIRC they did say it was going to be solderless a while back
>
> if so it will just be a matter of unclipping your NAND, clipping it into the mod chip, then clipping the mod chip in its place... ain't no business for tiny soldering guy here
Let's hope so, it will be much easier.
 

weatMod

maybe this is the solderless version and there is another version that lets you use the type C port on the console to flash the mod chip instead of this micro USB

could be 2 versions:
1) snap-in chip, no soldering, but requires you to open your console if you need to flash the mod chip with a new firmware, or modify your case and make a hole to access the micro USB

2) solder-in version, does not require you to open your console or mod the case if you need to re-flash the mod chip, no micro USB, uses the console's type C port instead of the micro USB
but requires you to solder 2 or 4 extra wires to get access to the switch's type C port

in other words 2 versions of the same device, both have the clip-on connectors for the NAND passthrough
but the soldered version has 2 or 4 extra wires that let you access the switch's type C port for flashing the mod chip
while the solderless version requires you to open your console and use the micro USB port or drill a hole in your housing

or maybe it is just one version and they give you the micro USB attachment and it just snaps on to the chip
but you have the option to not use it and use solder pads to get access to the type C port instead

1 chip, 2 ways to install it

Trice

> My plan was to buy a switch with a bigger battery and swap the battery with my hacked one, but I think it would be a better idea to sell the one I have now and get the one with the bigger battery, although I am thinking I should hold off till the switch pro (if real) comes out in hopes this will work with it.
There is no Switch with a bigger battery. The new model just has a more efficient processor, the battery is the same as in the old model.
 

RandomUser

> maybe this is the solderless version and there is another version that lets you use the type C port on the console to flash the mod chip instead of this micro USB
>
> could be 2 versions:
> 1) snap-in chip, no soldering, but requires you to open your console if you need to flash the mod chip with a new firmware, or modify your case and make a hole to access the micro USB
>
> 2) solder-in version, does not require you to open your console or mod the case if you need to re-flash the mod chip, no micro USB, uses the console's type C port instead of the micro USB
> but requires you to solder 2 or 4 extra wires to get access to the switch's type C port
>
> in other words 2 versions of the same device, both have the clip-on connectors for the NAND passthrough
> but the soldered version has 2 or 4 extra wires that let you access the switch's type C port for flashing the mod chip
> while the solderless version requires you to open your console and use the micro USB port or drill a hole in your housing
>
> or maybe it is just one version and they give you the micro USB attachment and it just snaps on to the chip
> but you have the option to not use it and use solder pads to get access to the type C port instead
>
> 1 chip, 2 ways to install it
So, how are you going to get it inside your switch? Regardless which option you choose, they both will require you to open your switch to install it :wink:.
 

gamesquest1

> So, how are you going to get it inside your switch? Regardless which option you choose, they both will require you to open your switch to install it :wink:.
> or mod the case if you need to re-flash the mod chip

to install it, yeah you would open it, but to update payloads or whatever

that's just speculation anyway as to the use of the USB port. Might be that they only have 1 install method, as the payloads or whatever they are using can be updated via the console. The USB port does seem to be on a flex cable, so he may be right as to them offering a soldered solution to hijack the switch USB port and an option to update via flex cable for those who can't/don't want to solder. The inclusion of the USB port does raise a few questions though, as I would assume they would ship it flashed and make it updatable via the eMMC interface to make it more user friendly and reduce costs, unless the payload they are using is FW/console specific and running an update before flashing updates might leave your console bricked without some way of updating via USB.
