How the security of the Nintendo Switch was broken with the aid of a paperclip
Important takeaways:
- A critical, unpatchable bug circumvents the console's security
- The Nintendo Switch security flaw led to piracy
- The Switch 2 is expected to have stronger security
For several reasons, the Nintendo Switch launch was a significant occasion. Not only was it a tale of redemption for Nintendo after the dismal Wii U sales, but it also served as a guarantee to developers that piracy on Nintendo systems would never again be an issue. Piracy plagued every product in the company's lineup, including the Nintendo DS, Wii, Wii U, and Nintendo 3DS. But it soon turned into an issue for the Switch as well—and this time, Nintendo was not actually to blame.
To put things in perspective, the Nintendo Switch debuted with the Nvidia Tegra X1 chip, an Arm-based SoC with potent Maxwell graphics and, all things considered, a very significant leap over Nintendo's previous portable hardware ventures. Since the Switch was also a dockable system, that extra power was its greatest asset and the reason it was needed. However, an unpatchable hardware vulnerability meant that Nintendo had another console piracy problem on its hands.
Nintendo's demise was caused by Fusée Gelée, an unpatched hardware flaw that Nvidia
A cold-boot vulnerability was discovered and reported to Nintendo and Nvidia in 2018 by hardware hacker Katherine Temkin and the ReSwitched team, a hacking group dedicated to the Nintendo Switch. The flaw lies in the boot ROM, a small read-only memory that stores the very first code run when the device is powered on, which makes it especially significant: it allows unsigned code to run at boot time. Because read-only memory cannot be modified or replaced, the bug cannot be patched and remains open on every vulnerable console.
The mechanism is simple. When the Switch is booted into the Tegra X1's recovery mode (RCM), it accepts commands over USB. The specific bug is in the rcm_read_command_and_payload function: it reads incoming data into a global buffer and copies it into a memory region before verifying the length of the data it was given.
The USB Direct Memory Access (DMA) buffers live at memory address 0x40010000, close to the boot ROM's stack. Because that memory is not protected, an attacker can set an oversized USB control request length and overflow the stack.
An attacker who can overflow the stack can overwrite the function's return address so that execution jumps to their payload. That gives them total control of the device before any of its security features have activated, and lets them boot anything they want.
Although it is a serious security flaw, console hackers use it to boot custom firmware in a way that Nintendo cannot block with a software update. Because the vulnerability takes over the Switch's entire boot process, users have also used it to boot Linux and Android on the Switch.
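As an added illustration (not code from the page, from Nvidia, or from ReSwitched), the following C model shows the bug class just described, a copy driven by an attacker-controlled request length that is only validated afterwards, next to the hardened ordering that checks the length first; all offsets, sizes, struct and function names are constructed for the example.

```c
/* Model of the "copy before length check" bug class.  This is NOT the Tegra X1
 * boot ROM code: the memory layout, sizes and names are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MEM_SIZE      0x2000                        /* constructed: simulated memory */
#define DMA_BUF_OFF   0x0000                        /* constructed: DMA buffer start */
#define DMA_BUF_SIZE  0x1000                        /* constructed: DMA buffer size */
#define RET_SLOT_OFF  (DMA_BUF_OFF + DMA_BUF_SIZE + 0x40) /* constructed: saved return address above the buffer */
#define ORIGINAL_RET  0xCAFE0000u                   /* constructed sentinel value */

static uint8_t mem[MEM_SIZE];

/* Minimal stand-in for a USB control request: a length field plus the data. */
typedef struct { uint32_t length; const uint8_t *data; } ctrl_req_t;

static void reset_memory(void) {
    uint32_t ret = ORIGINAL_RET;
    memset(mem, 0, sizeof mem);
    memcpy(&mem[RET_SLOT_OFF], &ret, sizeof ret);   /* plant the "return address" */
}

static uint32_t saved_return(void) {
    uint32_t ret;
    memcpy(&ret, &mem[RET_SLOT_OFF], sizeof ret);
    return ret;
}

/* Vulnerable ordering: copy first, check afterwards.  The copy is clamped to the
 * end of simulated memory only so that the model itself stays memory-safe. */
static bool handle_request_vulnerable(const ctrl_req_t *req) {
    uint32_t n = req->length;
    if (n > MEM_SIZE - DMA_BUF_OFF) n = MEM_SIZE - DMA_BUF_OFF;
    memcpy(&mem[DMA_BUF_OFF], req->data, n);        /* may run past the DMA buffer */
    return req->length <= DMA_BUF_SIZE;             /* the check arrives too late */
}

/* Hardened ordering: validate the attacker-controlled length before any copy. */
static bool handle_request_hardened(const ctrl_req_t *req) {
    if (req->length > DMA_BUF_SIZE) return false;   /* reject oversized request */
    memcpy(&mem[DMA_BUF_OFF], req->data, req->length);
    return true;
}

/* True if a request of `length` bytes, processed by `handler`, changed the
 * saved return address slot.  The request body is constructed filler. */
static bool return_slot_clobbered(bool (*handler)(const ctrl_req_t *), uint32_t length) {
    static uint8_t payload[MEM_SIZE];
    memset(payload, 0x41, sizeof payload);
    ctrl_req_t req = { length, payload };
    reset_memory();
    (void)handler(&req);
    return saved_return() != ORIGINAL_RET;
}
```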
How a paperclip was able to circumvent the Switch's security
It all comes down to entering RCM mode.
With its Tegra X1 SoC, the Nintendo Switch is also susceptible to this attack; however, there is a catch.
There are just three ways to enter RCM mode on a Tegra X1-powered device:
- the CPU cannot find a valid Boot Control Table (BCT) and bootloader on its boot media;
- the processor's straps are pulled to a specific value, for example by holding a set of buttons;
- a specific value is written to the scratch register of a power management controller and the processor is then rebooted.
On the Switch, pressing the Home, Volume Up, and Power buttons simultaneously brings up RCM. However, you cannot press the Home button early enough in the boot process, because the Switch does not connect to the Joy-Cons until later in the boot-up sequence.
That is where the paperclip comes in. The Home button could be emulated by shorting pin 10 on the right Joy-Con rail. If you connected pin 10 to pin 1 while holding down Volume Up and Power as the Switch booted, it would boot into RCM.
People therefore started bending paperclips to join pins 10 and 1, but caution was still required, because shorting the wrong pins could damage the Joy-Con rail and render it unusable. Hence the "RCM jig": a paperclip enclosed in a plastic nub that shorts exactly the two pins needed to put the Switch into RCM.
Once the Switch was in RCM and you had a payload to send over USB, you could bypass the Switch's security entirely and boot whatever software you wanted. Nor is any of this sophisticated: booting modified software on an unpatched Nintendo Switch is remarkably simple.
Most of the original Switch's security remains intact
Strangely enough, had the hardware attack on the first Switch not existed, the Switch might have gone through most of its life without any significant security problems.
This technique cannot be used to hack "v2" Switches because the security hole has been fixed.
Still, modchips are available, and flashcarts are starting to resurface as well.
Because of the extraordinary level of access obtained so early in the Switch's life, every component of the system has been documented, which has made the Switch easier to attack.
But let me be clear: saying that Nintendo will put a great deal of effort into protecting the Nintendo Switch 2 is ironic, because the same sentiment has been expressed about every product the company has released since the Nintendo DS. Nintendo did put a lot of work into the Switch, so it is perhaps truer than ever; unfortunately, the problems with Nvidia's chip put a stop to those aspirations for a secure device.
Nevertheless, interest in hacking the original Switch has also declined.
The RCM vulnerability was identified early, while modders were still trying to gain access, so there was little motivation to look for software exploits at that point.
By the time Nintendo eventually launched patched Switch consoles (as well as the Switch OLED), enthusiast interest had substantially decreased. Is it really worth spending time on an already compromised console? There was no great rush to get back into the Switch, because anyone who wanted to mod even the newer Switches could get a modchip.
As someone who enjoys reading about technology and security, I am curious to see what the Nintendo Switch 2 modding community will create. I am looking forward to the Nintendo Switch 2. When it launches, I will most likely buy one, but I will wait patiently to see whether there is a way to run custom software on it after that.