How the Nintendo Switch Security was defeated | MVG 

MISTAKES WERE MADE.

Modding systems is more important than ever before. Especially now... As backwards compatibility is being thrown to the wayside and digital storefronts (3DS, Wii, and Wii U) go permanently offline.

Security is one of those amazing things. You can spend millions securing a system and forget the most simple of access points. Like adding bars to windows but having the gap large enough to get through.

You forgot a really important aspect of the story. Docs contained in the gigaleak reviled that Nintendo knew about the exploit before the switch was released to the market and was working on a patch with Nvidia.

Nintendo's security model for the Wii and Switch are actually extremely advanced. The Wii had the Starlet, a dedicated security ARM coprocessor that would moderate all Wii hardware accesses in 2006. For comparison, Intel ME released in 2008, AMD PSP released in 2013, and the Apple T1 chip released in 2016. Unfortunately, their implementation of RSA had a critical bug that completely nullified the security aspects of the Starlet for all intents and purposes. Even when the Trucha Bug was patched, AHBPROT was discovered which made it possible to restore the bug and it was ultimately futile. As for the Nintendo Switch, well, current versions of Horizon OS (that is the internal name of the Nintendo Switch firmware) are the first of Nintendo's to have 100% flawless security on the software side. Unlike other console firmwares which are usually based off of FreeBSD, Nintendo's Horizon OS was fully developed in-house with a microkernel design. Even the hardware drivers run sandboxed as regular userspace programs, massively reducing the attack surface and making it possible to write a kernel that can perfectly maintain core OS security under every scenario, since the range of possibilities have been kept small enough at the core to make testing every single possible input to the security engine in depth (including testing all possible invalid inputs) a reasonable endeavor. This microkernel has been completely reverse-engineered, every single function and instruction has been combed through and deeply analyzed by the community, and there are zero vulnerabilities on it. This isn't zero known vulnerabilities, there are no software vulnerabilities, period. The sandbox simply cannot be broken once established using current available software and hardware methods and technologies. So finding bugs in games and even hardware drivers is useless, because there's no privilege escalation without a bug in privileged code, and no privilege escalation, no full system takeover. Unfortunately (or rather fortunately for us), NVIDIA made three oopsies while designing the Tegra X1 that would go on the Switch and the NVIDIA bootROM Nintendo had to rely on. The first is fusée-gelée. The second is exposing the button pin that gets the bootROM in RCM state on the right Joycon rail so people wouldn't have to open up the console and do microsoldering to enter RCM mode. And the third oopsie and final nail in the coffin for Nintendo's security model is the CPU itself being vulnerable to voltage glitching, a physical manipulation of the Switch's power circuit where a very controlled electrical spike can make the CPU skip lines of code much like how an old car CD player would skip when you hit a bump in the road. These were all abused by hackers to skip right past the initial bootloader signature check and load a custom boot manager, breaking the security model extremely early in the Switch's startup sequence, long before any Horizon OS firmware code is ready to execute, and even longer before it could set up its perfect, impenetrable barriers. But the story doesn't end here. And I hate that this next part doesn't get told more often. As it turns out, Horizon OS 5.0.0 would include a hardware exploit from Nintendo themselves, a curveball designed to counter fusée-gelée and prevent its use for piracy. They changed their key derivation processes, and then significantly modified the TSEC firmware code to halt the CPU if a modified version of Horizon OS was detected. It is impossible to run modern versions of Horizon OS without the TSEC or on the old TSEC firmware, because it needs the derived hardware keys the new TSEC firmware provides to decrypt all sorts of data. And hackers wouldn't be able to write a custom TSEC program, since the signature check for its firmware was actually never broken. This wouldn't stop modders from running other operating systems on the Switch with a fully disabled TSEC, but it was an effective patch against the unpatchable that would've stopped people from booting stock firmware > 5.0.0 under fusée completely... If the private Nintendo signature required to sign a Switch TSEC firmware with hadn't leaked to SciresM through an unknown channel. Truly a 'my uncle works at Nintendo' moment. If not for that, the Switch security model would still be fairly rigid on all fronts, and Horizon OS homebrew (not to mention piracy) on the system would still be extremely limited and practically nonexistent. As part of the microkernel research efforts, SciresM has written a reimplementation of the whole thing. This is a testament to both the Nintendo hacker community's stubbornness, and the microkernel itself being small enough for a single person to be able to wrap their head around it in its entirety. This custom kernel, now named mesosphére, is the default kernel used by the Atmosphére custom firmware. Atmosphére by itself doesn't provide any means to override the DRM enforced when running official Switch software. That job is left to the aptly named sigpatches, a set of separate, additional binary patches that the user has to install and which Atmosphére has no involvement with. Modern Nintendo security is less about their own technical failures, and more about the extremely determined nature of their attackers, the obsessive, unstoppable fanbase they have.

Previously: Nintendo vs Tweezers Now: Nintendo vs Paperclips

The total cost for adding a modchip has dramatically dropped recently (at least in China) thanks to the recent discovery that PIO on RP2040 (a general purpose chip that's extremely cheap) can reliably glitch the CPU, and open-source firmware has been released.

With Nintendo being backwards with preservation this was a good thing

If I got a nickel every time a Nintendo console was cracked using a paperclip I would have 2 nickels. Which isn't a lot, but it's funny that it happened twice

3DS has a VERY interesting hacking history. I hope I see it one day in this channel!

Pitty they have not been so quick to resolve the pro controller and joy con drift

"All the way back in April 2016"... Still feels like yesterday tho. 7 years and counting😮

The first 5 seconds of an MVG video hit so nostalgic. Like an oldschool keygen song that's blasting max volume out of your speakers

Absolutely love these kinds of videos from you. Love seeing how companies locked down their systems and how the fanbase blew the doors wide open again.

It’s funny how absolutely brutal Nintendo are on the homebrew and preservation community, in frankly unwarranted way, how easy they make exploiting each of their systems.

I love how the Wii was compromised with a pair of tweezers and the Switch with a paperclip.

A small inaccuracy - Mariko/Red Box Switches were not the first time the RCM exploit was patched. It was patched soon after release by including an updated bootrom from the factory that simply disabled USB access in RCM. (so called iPatched switches) But it was Mariko that fixed it properly, by fixing the vulnerability that allowed unsigned code to be ran in the first place. Still, both variants of patched units have yet to have their RCM mode exploited so it seems both are equally secure.

Finally a new security video. Please make more of these and piracy videos too. They are the best!

the best series returned!! i simply love these security/mistakes were made series!! keep it up mate!

I dont tend to mod my systems until they've reached the end of their life cycle. Generally too much hassle for not enough pay off, at least for me. The mini consoles were a nice change of pace because there were no system updates and they provided a nice hardware organization for my backup ROMs. 😊

The Nintendo Switch security measures are fascinating. I wish you had spoken more about the anti-hombrew measures within the OS and online. My first hacked Switch got banned from accessing any Nintendo servers online, and therefore I was banned from making purchases on the eShop. Seems counterintuitive to me, but clearly effective as a deterrent.

Security and piracy: definitely my favourite MVG subjects!

I'll be interested to see how the hacking scene develops for the later hardware revisions. It's unfortunate that there seems to be little effort going towards hacking those simply because the launch model exists.

Interesting fact: Most people exploit with jigs and paperclips, but apparently it's doable with tinfoil (aluminium foil) which ironically is the name of a piece of homebrew software which allows for the installation of NSP and XCI files.

The nVidia Tegra family bootroms were part of the chip designs. Each would read some on chip fuse bits (PROM) to decide if and what digital signature to require on the first off-chip code loaded into on chip boot RAM . The details were never properly documented, thus making it difficult to do recovery repairs on Tegra based phones and tablets from LG, Acer etc. I remember struggling for days to work around damaged flash sectors in a friends Acer tablet (even though the formula for converting its hardware serial number into the secret boot key had been published years earlier).

I do secretly still hope that one day there will be a software based exploit for the Switch Lite even though that seems like a far away dream. That device just begs to be an amazing retro emulator.

Then the Atmosphere became clear

The original unpatched Switches will forever hold a special place in homebrewing history.

Any chance you could do a mini-update to this video and talk about Nintendos “software fix” to their hardware issue with their use of e-fuses? I initially thought this is what you were going to chat about. These exploits are always a game of cat and mouse. Don’t want you to risk your channel as I know how Nintendo can be. Would just love your impression on their attempt to software patch the hardware issue. Lots of groups gave Nintendo massive props for even being able to do it! 😊

I'll deal with the Switch the same way I did for Wii U- and it will depend on whether Nintendo provides forward compatibility support for their next Switch console. I have like a mini Steam collection of paid for games on Switch- if they jerk us around like they did for Wii U (expecting us to rebuy launch games again during the transition period at full price instead of offering an actual discount), I'll go ahead and defeat the security during my next winter break and download everything else I haven't purchased yet.

as someone who isn’t tech savy at all & doesn’t understand a lot of terms in each video it fascinates me how smart people are with devices & able to work around any parameters in their way. I just know if I was educated more in it I would appreciate that much more

Im always more interested not only HOW the exploit works but WHY & how did they FIND the exploit? If possible could you try including the path taken to finding various console exploits? Im just curious of the mentality of the hackers who search for these treasures.

Such a great security video as always! Makes me feel like lucky one having unpatches switch.

Nintendo attempts to silence this video in 3... 2... 1...

Even though I've heard this of course before along with every other mod that has happened throughout the years hearing you tell it, especially when you do a video on it, I always learn something new you have the best console mod RU-vid channel out there man. Im always thoroughly entertained by your descriptions! 🎉

the background music fits really well in all of these types of videos. great video overall well done MVG!

To protect your privacy, you should willingly route all of your internet traffic through a random company's proxy servers. That way, you can have peace of mind that your ISP isnt spying on you, instead, we are.

I happened to get one of those RCM vulnerable units, and it’s served me very well with all the homebrew ports and emulation I could ever want in a tablet. Of course, I do have switch games on cartridges because I had this unit before the exploit was disclosed, but thanks to a decently sized MicroSD card I have gone more digital thanks to the eShop and retro community

The process for jailbreaking Nintendo consoles reminds me of the Lockpicking Lawyer breaking into his hotel room using nothing but a "Do Not Disturb" card.

It's always interesting to watch security related videos. Thanks for this one! 👌

crazy you can emulate switch this early getting 1400p over 60 on pc

I hope he covers the Modchip glitch hack for the switch in detail in the future, I know you mentioned it in passing but it might be interesting to showcase how it works in detail like how you did with describing the original Bootrom exploit.

Users should never need to hack their own hardware. What you own shouldn't be locked nor controlled by the manufacturer

It’s so crazy to me that something as simple and small as a paper clip got past the switch security

Great Video MVG! Video game preservation is becoming so important as physical copies of games are going by the wayside. Digital backup is an absolute must.

the paperclip exploit was such a lucky mistake hackers exploited

Been waiting for this one for a while, great vid!

Great video man. I saw that stick of Palo Santo wood resting on your desk.

What I learned from doing some software security testing previously is that your security is only as strong as your weakest link.

Finally!! I really love all your videos on security. The old school strange anti piracy all the way up to the most "secure" heavy handed DRM methods. Thanks for finally covering the switch. Now let's pray Nintendo doesn't try to crap on it.

Always enjoy your videos about console security

Still waiting for a Switch OLED Jailbreak. Would be awesome to run Homebrew apps on it, as the screen is just gorgeous.

Should've called it Operation Paperclip.

Yo, the rare MVG Video that isn't at that magical monetization 10-minute mark, and the highlight only goes to the five minute marker? We take those, I miss when MVG put out content in a vein like this. Good video too after watching, was worth the watch.

I love this series. I hope we continue to get videos like these.

It may only be a small part of the sold systems, but the fact that 15 million consoles are exploitable and with hackers being able to understand the hardware, lead to some brilliant emulators such as Yuzu or Ryujinx which makes hacking the real Nintendo Switch hardware more or less obsolete, with devices around such as the Steam Deck. I still own a Switch OLED, but the fact it propably never gets software exploited doesn't matter that much to me as long as I can use said devices to upscale and get more out of my games library... anyway, great video!

Joined this cannel because of the history of videogames security have been breaken, and here we are again. Without doubt this is the best content of the channel.

Would have been nice if you went more into detail on how the modchips work as that is kind of newer less known information. But cool that you mention it.

A return to form with this mate. nice one!

I still highly believe we are going to find a software exploit again in the future. We just haven’t found it yet.

The only reason I haven't traded in my near-first-release Nintendo Switch is for this very reason, even though it's starting to show its age by having the right joycon fail to dock sometimes. If I ever get one of those OLED Switches, the old reliable is getting the modded treatment through and through.

Brilliant presentation on this. Thank you again for dropping the knowledge! ❤

I recently got a Switch OLED and put my launch model switch into retirement. I'm thinking about using it to experiment with homebrew stuff and will be revisiting some of your older videos, MVG.

I held a presentation of this topic in my it class and got an A+ for it

If I knew without a shadow of a doubt I wouldn't get banned I'd do this to my switch in a heartbeat. Certain things like backing up Pokemon Scarlet/Violet save data in the event of a corrupted save are huge benefits.

i can remember buying a first gen switch about a year ago. i asked the poor guy in the shop to bring out all the switch they had in stock and i was stood there, checking all the serial numbers of each switch till a found one that was unpatched, and to this day i still have that switch and wont be selling it any time soon. its my portable retro gaming console, runs retroarch and thats about it

Very informative. Thank you! I learned a lot

Nintendo hates piracy but does nothing to better their consoles to fight against it.

Still rocking my launch switch! Don't plan on breaking it until the next Console is on the way.

Kinda funny to think about how the amount of stock Nintendo Switch units and Wii U units that are softmod-ready are roughly the same (~15 million Switches vs. all 13.56 million Wii Us)

I love this channel so much, I do not know why I wasnt already subbed even though I follow you on twitter and have watched most of these style videos from you

It's insane the amount of effort Nintendo put into the security of the Switch. If only I could say the same about Joycon drifting...

The real scare came from hoping you did not ruin your joycon rail with the tinfoil

This is one of my favorite channels. It makes me so happy to hear you talk about hacking these consoles. I grew up buying Gamesharks and Action Replays for my Gameboys, N64, and Gamecube (all of which I still have because Game Stop wouldnt buy them from me, thank god). I think the original Xbox was my first console hack, doing the Mech Assault Soft Mod so that I could mod Halo 2. I was addicted. Since then I've added PSPs, PSVita, X360, PS3, (never modded my XB1 though), GameCube, DS, 3DS, all of my phones, and finally my Switch. Watching these gives me the weirdest nostalgia.

The paperclip in the tumbnail is pretty hilarious :)

While a lot of people are happy keeping their launch Switch consoles and working homebrew on them, I feel like in the future people are going to find a soft mod method for all Switch revisions. Don't know how or if it's even actually going to happen (I'm not knowledgeable enough to say "yes" for certain), but people are stubborn enough to find a backdoor.

Can't wait to play new Zelda at 4k 120 fps , on emulator day one.

MVG you have no idea how excited I am to hear about "How the Nintendo *Switch 2* Security was defeated"

This was a fantastic video. Extremely interesting and informative. Have a thumbs up 👍

Can you make a video about hacked mariko switches ? it has more room to overclocking compared to launch switches

funny how almost every major security issue on the switch is the fault of nvidia

If memory serves me right, fusee gelee still isn't considered cold boot, since it needs the maintenance mode of the switch. Cold boot would be something that is more persistent. 3.0.0 should have the option, but it has not been explored in years iirc.

Excited for the Datel video in the future too

Okay, if nintendo name is in a video talking about security and home brew, This means I will download this video before it gets deleted. 😂😂

if i had a nickel for every time a nintendo consoles security was bypassed by a small piece of metal , i would have two nickels, which isnt alot but its weird its happened twice

Been waiting for this video for too long

Thanks for the information. I have a modded one myself I overclock to get better performance. Thanks for the video MVG

The Switch OLED would be an emulation dream whenever they find an easier way to hack it

How I've missed Mistakes Were Made!

Looking forward to this one!

When you hear that music in the intro .. you know the video is gonna be legendary.

Nintendo doesn’t focus on game preservation is why there’s lots of motivation for hackers to mod their consoles since Nintendo is limiting their ability to play old games legally! My friend was to mod the Switch lite because he wants to add more games like from the GameCube that never got rereleased!

Make a video on how the Steam Deck security was defeated. - "there's none" *rolls credits*

Great info! Thank you for the insights!

Always love learning about this stuff. I have an OG switch maybe whenever the next generation comes I’ll do it

I think the game card slot is the angle of attack honestly. I keep seeing game cards that have exposed tracers and wonder what it would take to rig something like a game genie then card that pretends to be legit then whatever card is plugged into that . I'm sure youd need some sig key or some shit.

I love this series, it's my favourite video series on the channel, keep up the great work MVG :)

I love those documental-like videos. Good video MVG!

This is the best series in your channel

Be hackable is a feature, not a total disaster