Speculations about Switch 2 hacking

Thread starter: KeeperCP1
No
Games are sandboxed from the actual Switch OS.
We're gonna have to break out of the sandbox one way or another unless we find another boot exploit. The sandbox is a much bigger attack surface than the bootloader, but that doesn't make it easy, as there are multiple layers to it. Still, either could happen.

KASLR is the real problem with game based exploits. Makes it hard to get ROP and you need ROP before you can do anything else.
 
Maybe we don't need to break out of the sandbox. Maybe we just need to exploit an app to run homebrew within the app's sandbox.
 
Won't security measures from today be outdated in 2035?
I am being realistic! The security on consoles, for example the Xbox 360 or the Wii or PlayStation 2 back in the early 2000s, wasn't very good because of the technology, so modchips could easily be developed to hack these systems, but we are now at a point where new consoles or handhelds have security measures that are really complicated and high tech, so that era of hacking consoles and handhelds has now seen its day. It was fun while it lasted. The Fusée Gelée hack on the Switch 1 that was found quickly was because it was reverse engineered and this glitch could be found, and this is usually the case with new consoles: when they are first released a team will have it reverse engineered, and this is extremely expensive, so to have something like that done on the Switch 2 would outweigh the cost and the results would be obvious, so no one is going to go to that expense when they already know the Switch revision 2 cannot be hacked without a modchip install, like I say, which now cannot be done. You have to be realistic in life; "hope" can be a dangerous thing, and keeping a brand new expensive 2025 handheld/console in a box hoping for that eventuality one day is ridiculous.
 
This isn't very useful because the sandbox restricts what games have access to. Most, if not all, games cannot directly access the SD card because of it. To break out of this sandbox, you'd have to exploit the kernel, and this is already known to be extremely unlikely.
 
You're right. Say, for example, we did have the full KFC kernel access; for most people who want the Switch 2 for piracy reasons, who's saying we can even bypass the security checks on booting up a backup on the Switch 2? That's probably not even possible anymore. If I remember rightly we saw Switch 1 backups in the wild almost straight away; there hasn't been one released yet, which sort of tells a story on how good the security measures are with the Switch 2 games.
 
Based on my experiences with the people in the Switch modding scene, I would be extremely unsurprised if there is an exploit for the original Switch that has been discovered for a good amount of time, but they're not releasing it until the console is EOL.
The people involved have long-term intentions.
 
It's a matter of when, not if. Given enough time and motivation, any security system can and will fall, especially if the user has physical access to the device. The best they can do is make breaking the security as annoying as possible to delay the inevitable. Their ideal scenario is it gets broken by the time they've already dropped support for it entirely in favour of new hardware.
 
What experiences make you believe that?
 
Hi everyone,

I'm pretty new to the scene, so sorry if I'm saying something dumb or off-topic here! I'm curious about what's going on with Nintendo Switch 2 homebrew or jailbreaking efforts. Are there any active groups or communities working on exploits, custom firmware, or modchips for the Switch 2? I know of some teams from the original Switch days, like ReSwitched (homebrew, bootROM exploits, jailbreak), SciresM (Fusée Gelée, Atmosphère CFW), Team Xecuter (modchips, SX Core), FailOverflow (kernel/bootROM exploits), Atmosphère Team (custom firmware), Ninji/ReSwitched members (exploits and patches), and even older 3DS/Wii U teams like Team Xecuter and SciresM + Marex. Are any of these groups still active or tackling Switch 2 projects, or are there new names in the scene? Any info or updates would be really appreciated, and sorry again if I got anything wrong!
 
There isn't going to be an exploit
 
Well, I'm certain there will always be people poking at the Switch 2.
As for notable people working on it, AFAIK SciresM has no interest in working on the Switch 2 unless something comes up.
Team Xecuter often just copies work discovered by other people and rebrands it; don't expect any remaining members to hack the console on their own.
Failoverflow will always be around to poke around with anything, as they are security researchers; it's kinda what they do.

As of now we have nothing to go off of hacking-wise. It might be another Xbox One situation where it's so complicated to even approach that the only way it gets hacked is if Nintendo themselves ship an exploitable firmware, or we fast forward 10-20 years and use some undiscovered hacking methods.

Let's start from the software side of things.
Switch 1 has no known kernel exploit and potential entry points are very limited. Multiple people have reverse engineered the OS and came to the same conclusion, and this has been the case for years. Switch 2 looks to have a similar OS, but who knows what it's actually like under the hood. It will likely also never have a viable kernel exploit unless Nintendo themselves ship a bad update.

While yes, it's possible to get a hacked save file from a modded Switch 1 to a Switch 2 via cloud saves and system transfers, AFAIK nobody has discovered a method to use an exploitable game to start an exploit chain all the way to the kernel. And Nintendo could easily kill this by disabling save transfers or adding the game to the Switch 2's BC blacklist, effectively killing this if something is discovered.

Hardware side of things:
Don't expect another easy bootrom exploit; Nintendo and Nvidia learned their lesson.
Like the Xbox One and Series line and modern Apple devices, the Switch 2 features its own custom security processor. These things are the bane of any hardware hacking and, if done properly, are kinda undefeatable for your average person.

Modchips are likely also a thing of the past, as the new processor has various anti-glitching measures.
 
Thanks for the detailed response! :yay: :yay: :yay: I really appreciate you taking the time to break down the current state of Switch 2 hacking and the challenges involved. It’s super helpful to get a clearer picture of what’s going on (or not going on) in the scene. I’ll keep an eye out for any updates, and thanks again for sharing your knowledge!

I'm still getting to know the notable figures in this scene, so I'm not quite familiar with their main communication channels yet. That makes it a bit hard to keep up with what they're working on or thinking about. Any tips on where to follow updates or discussions from these groups or individuals would be awesome!
 
If it was that easy, we would have a homebrew loader on day one.

However, Horizon, just like other locked-down platforms like iOS has heavy restrictions on writable code regions, and the only official ways to dynamically load code are:
- an NRO file (Horizon equivalent of a .dll file) signed by Nintendo for a specific game - not possible unless you find a way to bypass the verification (signature check implementation bug, somehow finding a way to disable signing)
- exploiting a game that has access to JIT (hint: there's not many, only first-party titles) and making its JIT plugin (because trusting a game with writing to code memory is dangerous, so there's an extra layer of indirection) write arbitrary code to the process memory (most realistic, but also easy to patch by Nintendo, and if done will just strengthen their fear of JIT)
- having access to required SVCs and being able to write into code memory from your target process (how HBL currently works on the Switch) - if we'd ever get to do that, we'd have much more powerful exploits, right?
 
I saw an episode of MacGyver once, so I'm obviously an expert... why can't we just upside down a can of air to freeze the security chip to slow it down before it blows up? Wouldn't the sandbox be easier to smash with a sledge if frozen? No response needed, I completely just rocked the hacking scene... YOU ARE WELCOME!
 
Bubblegum should do the trick.
 