How Nintendo stopped Switch hacking in its tracks
In 2018, the Fusée Gelée hack for Nintendo Switch, released by hacker Kate Temkin, blew open the doors to Switch hacks for all users. Based on a hardware vulnerability of the Nvidia Tegra GPU on the console, the exploit was virtually unpatchable for Nintendo. The simplicity of the hack (from end users’ perspective), as well as the huge tinkerer community, have made the Nintendo Switch homebrew scene the most lively of this generation. All Switch consoles were exploitable at the time of the release, and will remain so forever.
That is, all consoles that were manufactured before Nintendo came up with a hardware revision, of course.
Newly produced Nintendo Switch consoles, under the codename Mariko, as well as the Nintendo Switch Lite, do not have the same hardware vulnerability. Referred to as “patched consoles”, recently purchased Nintendo Switch consoles cannot be hacked through the dead simple “clip” trick that everybody else enjoys. There is no software means to hack the console either, on any reasonably recent firmware.
Piracy group Team Xecuter (a.k.a. Gateway), infamously known for their piracy modchips on numerous consoles, came up with a hardware solution for the new Switch hardware. Initially touted around the end of 2019, the modchips nicknamed SX Core (for classic size) and SX Lite (for Switch Lite) started reaching end users around mid 2020.
A lot of people on the scene were reluctant to get the modchips from Team Xecuter, for various reasons. The piracy group was known for shipping malware in their products (designed to target clones and competitors, but that has on more than one occasion backfired on their actual customers) and being generally more expensive than the competition (to their credit, in many cases they have been the pioneers; competitors were often clones of their product). But it’s likely a lot of people were waiting for either cheaper clones of the SX modchip to surface, or for an open source / community driven / free solution.
But something big happened: in October, Nintendo got 3 of the main Team Xecuter folks arrested, some of whom had been involved with console piracy in a commercial way for at least 20 years.
The Team Xecuter website got shut down, and it appears production of the SX Core and SX Lite stopped as well.
In November 2020, it was still possible, but quite hard, to find resellers for the modchips. By January 2021, SX Core and SX Lite were virtually impossible to find: asking around, it seems a few resellers have remaining stock, and some obscure shops will even sell the chip plus do the soldering as a paid service, but the Team Xecuter chips have become so rare they are sold at prohibitive prices, if you’re lucky enough to find them. Even places that historically were lenient regarding piracy devices seem to have shut down resellers of SX modchips: when such a reseller is spotted on AliExpress, for example, they either run out of stock or get shut down before most people notice.
The clones, or the “free solution” lots of people were hoping for, never came (update: we were given a bit more details on an open source, reverse engineered version of the SX firmware, see below). Back in October, Hexkyz confirmed he and other hackers had managed to dump the SX Core firmware, through a vulnerability in the generic chip used on the Team Xecuter device.
After stumbling upon this tweet, we were able to use this bug to dump the Gateway/TX modchip’s firmware. It’s important to remember that this is the exact same issue that led to fusee-gelee/shofel2, but on a different USB stack, meaning this might be even more widespread. https://t.co/OLYfB6zn4F
— Mike Heskin (@hexkyz) October 8, 2020
Since then, however, hackers involved in the Nintendo Switch have been radio silent on the status of this effort. Possibly due to legal and/or ethical concerns, but that’s just a wild guess (we’ll update if we hear anything). Update: after we published this article, hacker balika011 reached out to mention that the SX Firmware has not only been reverse engineered, but that the result of this work, known as Spacecraft-NX, has been published as an open source alternative to the SX Firmware, capable of booting Hekate and Atmosphere. In other words, it’s a replacement firmware for people who already have a modchip. It doesn’t take additional people any closer to getting their consoles hacked, however, as the SX Core/SX Lite modchips are still a prerequisite today. Nonetheless, this is great progress.
Clones of the SX chips are nowhere to be found, however, which tells us that either clone manufacturers are concerned about Nintendo’s legal arm, or simply haven’t been able to reverse engineer the SX Core modchips and/or firmware. Update: this is what balika011 had to say on this topic:
The clones are very hard to make because of the missing bitstream (aka firmware of the fpga). This is a replacement firmware that lets you run other payloads like atmo on your switch. Has no drm at all, so it doesn’t work with sx os.
— Triszka Balázs (@balika011) February 21, 2021
The result, in 2021, is that it is practically impossible to hack a (patched) Nintendo Switch. It is also getting harder and harder to buy unpatched Switch models, given that those have been out of production since 2018. It is still possible to find modded consoles, or first gen (unpatched) consoles, at inflated prices on eBay and other marketplaces. Some might still consider this a good deal, depending on how hard they’ve been looking for ways to hack their Switch.
There are still a lot of people with hacked Nintendo Switch consoles out there, meaning the homebrew scene remains extremely lively. But more and more people trying to join the fun are now realizing the doors are closed to them, until a hacking solution is made widely available.
there’s a talk at gb@temp regarding sam21 and rcmx86 same way these sxc0res are doing… u guys better check it out since might become an alternative to sxc0re/lite but am not so sure… it was like a diy modchip… i am just waiting as i believe that it is inevitable for a new exploit or clones coming out…
Samd21 and rcmx86 are just payload injectors for unpatched consoles. They physically lack the hardware required to be able to voltage glitch the cpu.
Got my old Switch hacked years ago and hacked my Lite the moment I heard about the TE arrests. It cost me some extra cash back in late 2020 but seeing what is now it was a great investment.
Just like the 3ds and the Wii u, we already have an entry point to the system so till we have a software exploit is only a matter of time.
So far people have only been able to modify Team Xecuter’s work and not produce *** themselves. Funny how Atmosphere fuckboys were relentlessly shitting on the SX modchip and Team Xecuter, and now the Switch scene has slowed down to a crawl without them…
Thank you for the wholesome update on that matter, @wololo 🙂
I’m thinking of jumping ship on SX OS. I think Xecuter are finished in ways of keeping this thing alive, as the remaining members are probably weary of the FBI monitoring releases. Meanwhile Atmos is working on the newest firmware revision and seems to be better supported. Still, it was nice while it lasted.
Wow, I haven’t visited in a while and the quality in these blog posts has truly evolved over the years, thanks for keeping us informed with quality and concise posts! I’ve been a huge fan since I got into the PSP scene as a kid and I’m so glad to see this site flourishing, keep up the great work!
To think I used to believe getting a 2nd OG Switch was a mistake when the newer models came out for longer battery life.
So glad I have 2 OG Switch, 1 for sxos, the 2nd for Atmosphere/Online Play. The sxos may be dead, but I’m still in a good position b/c I have options.
Unfortunately only new games can be played on Atmo, but honestly I only care for jrpg’s which majority of them can be played on PC anyway.