How Nintendo stopped Switch hacking in its tracks
In 2018, the Fusée Gelée hack for Nintendo Switch, released by hacker Kate Temkin, blew open the doors to Switch hacks for all users. Based on a hardware vulnerability of the NVidia Tegra GPU on the console, the exploit was virtually unpatchable for Nintendo. The simplicity of the hack (from end users’ perspective), as well as the huge tinkerer community, have made the Nintendo Switch homebrew scene the most lively of this generation. All Switch consoles were exploitable at the time of the release, and will remain so forever.
That is, all consoles that were manufactured before Nintendo came up with a hardware revision, of course.
Newly produced Nintendo Switch consoles, under the codename Mariko, as well as the Nintendo Switch Lite, do not have the same hardware vulnerability. Referred to as “patched consoles”, recently purchased Nintendo Switch consoles cannot be hacked through the dead-simple “clip” trick that everybody else enjoys. There is no software means to hack the console either, on any reasonably recent firmware.
Piracy group Team Xecuter (a.k.a. Gateway), infamously known for their piracy modchips on numerous consoles, came up with a hardware solution for the new Switch hardware. Initially touted around the end of 2019, the modchips nicknamed SX Core (for classic size) and SX Lite (for Switch Lite) started reaching end users around mid 2020.
A lot of people on the scene were reluctant to get the modchips from Team Xecuter, for various reasons. The piracy group was known for shipping malware in their products (designed to target clones and competitors, but which has on more than one occasion backfired on their actual customers) and for being generally more expensive than the competition (to their credit, in many cases they have been the pioneers, and competitors were often clones of their product). But it’s likely a lot of people were waiting for either cheaper clones of the SX modchip to surface, or for an open source / community driven / free solution.
But something big happened: in October, Nintendo got 3 of the main Team Xecuter folks arrested, some of whom had been involved with console piracy in a commercial way for at least 20 years.
The Team Xecuter website was shut down, and it appears production of the SX Core and SX Lite stopped as well.
In November 2020, it was still possible, but quite hard, to find resellers for the modchips. By January 2021, SX Core and SX Lite were virtually impossible to find: asking around, it seems a few resellers have remaining stock, and some obscure shops will even sell the chip plus do the soldering as a paid service, but the Team Xecuter chips have become so rare they are sold at prohibitive prices, if you’re lucky enough to find them. Even places that historically were lenient regarding piracy devices seem to have shut down resellers of SX modchips: when such a reseller is spotted on AliExpress, for example, they either run out of stock or get shut down before most people notice.
The clones, or the “free solution” lots of people were hoping for, never came (update: we were given a bit more details on an open source, reverse engineered version of the SX firmware, see below). Back in October, Hexkyz confirmed he and other hackers had managed to dump the SX Core firmware, through a vulnerability in the generic chip used on the Team Xecuter device.
After stumbling upon this tweet, we were able to use this bug to dump the Gateway/TX modchip’s firmware. It’s important to remember that this is the exact same issue that led to fusee-gelee/shofel2, but on a different USB stack, meaning this might be even more widespread. https://t.co/OLYfB6zn4F
— Mike Heskin (@hexkyz) October 8, 2020
Since then, however, hackers involved in the Nintendo Switch scene have been radio silent on the status of this effort. Possibly due to legal and/or ethical concerns, but that’s just a wild guess (we’ll update if we hear anything). Update: after we published this article, hacker balika011 reached out to mention that the SX Firmware has not only been reverse engineered, but that the result of this work, known as Spacecraft-NX, has been published as an open source alternative to the SX Firmware, capable of booting Hekate and Atmosphere. In other words, it’s a replacement firmware for people who already have a modchip. It doesn’t take additional people any closer to getting their consoles hacked, however, as the SX Core/SX Lite modchips are still a prerequisite today. Nonetheless, this is great progress.
Clones of the SX chips are nowhere to be found, however, which tells us that either clone manufacturers are concerned about Nintendo’s legal arm, or simply haven’t been able to reverse engineer the SX Core modchips and/or firmware. Update: this is what balika011 had to say on this topic:
The clones are very hard to make because of the missing bitstream (aka firmware of the fpga). This is a replacement firmware that lets you run other payloads like atmo on your switch. Has no drm at all, so it doesn’t work with sx os.
— Triszka Balázs (@balika011) February 21, 2021
The result, in 2021, is that it is practically impossible to hack a (patched) Nintendo Switch. It is also getting harder and harder to buy unpatched Switch models, given that those have been out of production since 2018. It is still possible to find modded consoles, or first gen (unpatched) consoles, at inflated prices on eBay and other marketplaces. Some might still consider this a good deal, depending on how hard they’ve been looking for ways to hack their Switch.
There are still a lot of people with hacked Nintendo Switch consoles out there, meaning the homebrew scene remains extremely lively. But more and more people trying to join the fun are now realizing the doors are closed to them, until a hacking solution is made widely available.