Nintendo Switch: SciresM hints at a hack for the current hardware model “Mariko”
A few hours ago, Switch hacker SciresM, known among other things for the Atmosphere Custom Firmware, posted details on the boot encryption keys of the “Mariko” Nintendo Switch motherboards.
“Mariko” is the second (and current) retail version of the Nintendo Switch, which patches the hardware security vulnerability used for Nintendo Switch hacks. Long story short, if you own a “Mariko” version of the Nintendo Switch (and, if you bought it semi-recently, it’s practically guaranteed that you do), your device cannot be hacked today with the same tools that owners of a first-generation Switch can enjoy.
This could change soon, as it seems hackers have been able to access early stages of the console’s boot process, and might be able to port the existing selection of hacking tools to the console.
SHA256(Mariko Boot Encryption Key) = 491A836813E0733A0697B2FA27D0922D3D6325CE3C6BBEA982CF4691FAF6451A
SHA256(Mariko Key Encryption Key) = ACEA0798A729E8E0B3EF6D83CF7F345537E41ACCCCCAD8686D35E3F5454D5132 pic.twitter.com/lx1whXMcS3
— Michael (@SciresM) May 31, 2020
The hacker added details on how the Mariko boot process tries to prevent code injection, such as memory being initialized with bits that would be interpreted as an infinite loop if jumped into by an attack attempt.
Unironically loving this Mariko bootrom strat: all of IRAM is initialized to 0xEAFFFFFE (arm infinite loop instruction).
I think the idea is that if some arbitrary bit of iram is jumped to it infloops instead of NOP sliding to attacker code.
Super good *** imo
— Michael (@SciresM) May 31, 2020
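As an added illustration of the bootrom trick described above (example code written for this post, not Nintendo’s or SciresM’s): it decodes the ARM word 0xEAFFFFFE to confirm it is a branch to its own address, then steps a toy fetch loop over a region filled with that word versus one filled with a classic ARM NOP (0xE1A00000). The END_MARKER word and the 8-word region are constructed stand-ins for “whatever lies past the filler”.

```c
#include <stdint.h>
#include <stdio.h>
#define FILL_SELF_BRANCH 0xEAFFFFFEu  /* B . : unconditional branch to itself */
#define FILL_NOP         0xE1A00000u  /* MOV r0, r0: the classic ARM NOP */
#define END_MARKER       0xFFFFFFFFu  /* constructed: the word after the filler */

/* ARM B/BL encoding: cond[31:28], 101[27:25], L[24], imm24[23:0]; target is
 * PC + 8 + (sign_extend(imm24) << 2), PC being the instruction's own address.
 * Returns 1 and stores the byte delta to the target when insn is a B/BL. */
int decode_branch(uint32_t insn, int32_t *delta)
{
    if (((insn >> 25) & 0x7u) != 0x5u) return 0;      /* bits 27..25 must be 101 */
    int32_t imm24 = (int32_t)(insn & 0x00FFFFFFu);
    if (imm24 & 0x00800000) imm24 -= 0x01000000;      /* sign-extend 24-bit field */
    *delta = imm24 * 4 + 8;
    return 1;
}
/* 1 if the word is a branch that targets its own address (0xEAFFFFFE does). */
int is_self_branch(uint32_t insn)
{
    int32_t delta;
    return decode_branch(insn, &delta) && delta == 0;
}
/* Fill `words` words with `pattern`, put END_MARKER after them and step a
 * minimal fetch loop from word 0 for at most max_steps. Returns the final
 * word index: reaching END_MARKER means control slid off the filler. */
size_t run_fill(uint32_t pattern, size_t words, int max_steps)
{
    uint32_t mem[32];
    size_t pc = 0;
    if (words >= 32) words = 31;                      /* keep the marker in bounds */
    for (size_t i = 0; i < words; i++) mem[i] = pattern;
    mem[words] = END_MARKER;
    for (int step = 0; step < max_steps && pc <= words && mem[pc] != END_MARKER; step++) {
        int32_t delta;
        if (decode_branch(mem[pc], &delta))
            pc = (size_t)(((int32_t)pc * 4 + delta) / 4);  /* branch taken */
        else
            pc += 1;                                       /* fall through */
    }
    return pc;
}

int main(void)
{
    printf("0xEAFFFFFE self-branch: %d\n", is_self_branch(FILL_SELF_BRANCH));
    printf("NOP fill stops at word %zu, self-branch fill at word %zu\n",
           run_fill(FILL_NOP, 8, 100), run_fill(FILL_SELF_BRANCH, 8, 100));
    return 0;
}
```

The NOP-filled region lets the fetch loop walk straight through to the marker, while the self-branch fill never leaves word 0, which is the property the tweet credits the bootrom with.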
It is not known for certain at the moment how SciresM has accessed the boot process of the Mariko units, whether through a hardware or a software vulnerability*. In any case, the race might be on between the open source community and for-profit Team-Xecuter, who already started taking preorders for a dongle that allegedly hacks the latest Mariko units and Switch Lite consoles.
Stay tuned.
Source: SciresM on Twitter
* update: some of his previous tweets imply that he might have leveraged Team-Xecuter’s upcoming dongle to look into the console’s firmware.
First
Die
Tres?
When you say leveraged, do you mean got the TX core which was supposed to be for testers only and used it to get access? Yeah, I think that’s what you mean.
Copying, I guess, goes both ways... I’m sure Team-X is using some of SciresM’s work. Just glad to hear there will possibly be a free alternative to run homebrew on the Switch Lite!
Would be hilarious if the scene devs were just waiting on xecuter to try and make money to drop a softmod.
lol I bet this is exactly what will happen
always does
Neat. So SX used atmosphere code in SX OS, now SciresM is using TX code.
It’s said that the guy reverse engineered the SX Core sample products. Not confirmed though.
This article is totally wrong. Both hexkyz and SciresM have stated publicly that there is not likely to be a softmod for the newer units. Also, Team Xecuter’s product is not a “dongle,” it is a soldered modchip. Solderless clip-on versions are expected to be on the horizon soon. All of the information hexkyz and SciresM have been posting was obtained by decrypting SXOS. Funny how no one is accusing them of stealing code though.
I don’t see how this translates into a softmod. Maybe clones of the chip will get on the market faster, but softmod?
Have to wait and see I guess.
Next TX is gonna sue him for misuse of intellectual property *manages to facepalm and roll eyes up at the same time*
What the heck is going on with Wololo’s font on blog post pages? They’re looking super jagged on my 4K display, antialiasing is clearly not working for them.
They work just fine on the replies text box (like this one) and the main page though; the issue is exclusively with blog post body.
Probably because your computer is a P.O.S
Funny how when tx steals from mike it’s a big no no and they get hated for it. But when he does it to them, people act like he’s a god.