Crazy Hacks #3: How 3 of Nintendo’s consoles got defeated by everyday-life household items
Each one of these hacks deserves its own article, and many things have been said about them already, but the unreal aspect of being able to defeat software security with very simple objects means we had to bundle these three together: This is the story of how Nintendo’s Wii, 3DS, and Switch each got hacked with a pair of tweezers, a magnet, and a paperclip, respectively.
Crazy Hacks – What’s this all about?
In this series of articles, we’ll be discussing imaginative hacks for various consoles and devices. Some became instantly popular at the time of their release, others were a bit obscure or got forgotten with time, but all of them were really crazy in this writer’s humble opinion. From “It’s so dumb it can’t possibly work” to “wait, how did they even think of that?” and everything in between, we hope you’ll enjoy this series.
Wii: Pwned by a pair of tweezers
It’s 2008. The Wii has only been out for a bit more than a year, but Team Twiizers demonstrates at hacker conference 24c3 that they’ve already managed to acquire its encryption keys. The tool they used for that: a pair of tweezers.
The Wii was fully backward-compatible with the Gamecube, and the early days of Wii Homebrew were 100% based on existing Gamecube hacks. It was “easy” to run Gamecube homebrew on the Wii, but the “Gamecube mode” of the Wii was limited, and (of course) did not allow running Wii binaries or benefiting from the extra power of the Wii mode. To put it simply, Gamecube mode was sandboxed…
…except it wasn’t totally sandboxed. What hackers Bushing, Marcan, Segher and tmbinc found was that the Wii wasn’t properly cleaning up all of its RAM before entering Gamecube mode: Gamecube mode was constrained to the first 16MB of the console’s 64MB of RAM, but the Wii OS didn’t bother to clear the remaining 48MB before launching it. By using a pair of tweezers to physically bridge parts of the memory, the hackers were able to change addresses and trick the system into reading Wii-reserved parts of the RAM from within Gamecube mode, one 16MB chunk at a time.
Being able to read those portions of RAM wouldn’t have been a problem if they had been cleaned up by the Wii before booting Gamecube mode, but as we saw above, the Wii OS didn’t bother to do that. And it turns out that memory held a lot of information: the full OS, some encryption keys, and more, which opened the gates to Wii homebrew!
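To make the root cause concrete, here is a small model of that mode switch, with and without the missing cleanup. It is an added illustration, not code from this article or from Team Twiizers: the sizes are scaled down (1 KiB stands in for 1MB), and the function names, the sample key bytes and the way the bridged address lines are modelled are all assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Scaled-down model (assumption): 1 KiB here stands in for 1MB on the console. */
#define RAM_SIZE    (64u * 1024u)  /* all of RAM, "64MB" */
#define LEGACY_SIZE (16u * 1024u)  /* window the legacy mode may use, "16MB" */
static uint8_t ram[RAM_SIZE];

/* Legacy-mode read: software can only name offsets inside the first window.
 * forced_bank models address lines held at a fixed level from outside the
 * chip, so the same offset lands in another 16-unit bank of physical RAM. */
static uint8_t legacy_read(uint32_t offset, unsigned forced_bank)
{
    uint32_t phys = (offset % LEGACY_SIZE) + (forced_bank % 4u) * LEGACY_SIZE;
    return ram[phys];
}

/* Mitigation: wipe everything outside the legacy window before the switch.
 * The volatile pointer keeps the compiler from optimising the wipe away. */
static void scrub_before_legacy_mode(void)
{
    volatile uint8_t *p = ram + LEGACY_SIZE;
    for (size_t i = 0; i < RAM_SIZE - LEGACY_SIZE; i++)
        p[i] = 0;
}

/* Simulates one mode switch; returns how many secret bytes are still readable. */
static size_t run_mode_switch(int scrub)
{
    static const uint8_t key[8] = {0xDE, 0xAD, 0xBE, 0xEF, 0x13, 0x37, 0xC0, 0xDE}; /* constructed */
    const uint32_t off = 0x120;
    size_t hits = 0;
    memset(ram, 0xAA, sizeof ram);                          /* stale main-OS data everywhere */
    memcpy(ram + 2u * LEGACY_SIZE + off, key, sizeof key);  /* secret left behind in bank 2 */
    if (scrub)
        scrub_before_legacy_mode();
    for (uint32_t i = 0; i < sizeof key; i++)
        hits += (legacy_read(off + i, 2) == key[i]);
    return hits;
}

int main(void)
{
    /* Without the wipe all 8 key bytes are readable; with it, none are. */
    return (run_mode_switch(0) == 8 && run_mode_switch(1) == 0) ? 0 : 1;
}
```

The address restriction alone fails as soon as the physical address can be altered; only the wipe removes what there is to read.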
The Twiizers presentation was quickly followed by their release of the Twilight Hack, a buffer overflow exploit in Zelda Twilight Princess that allowed Wii users to enjoy a Homebrew loader, for the first time on the console, without any hardware modification.
Today, the Twilight Hack has been replaced by more advanced and modern techniques. Hacking one’s Wii is basically as simple as visiting specific websites that will hack the Wii for you by simply sending your Wii a specifically crafted message. But it’s fair to say most of these Wii hacks were built on the shoulders of giants, the giant in this case being a pair of tweezers… and yeah, maybe a bit the humans who decided to hold the tweezers in the first place ;).
Nintendo 3DS: defeated by a magnet
Let’s move on from the Wii, to focus on Nintendo’s handhelds, starting with the 3DS!
Putting magnets in close proximity to your electronic devices is always a great idea, so that’s what hackers did to exploit the 3DS.
Well, it’s not as simple as that, of course.
Just like other gaming consoles, the hacking process of the 3DS has been a progressive thing. Hacks for the console were available fairly early in the console’s life (the 3DS was released in 2011, Gateway3DS was made available in 2013, and Ninjhax came out in 2014), but there were things that couldn’t be done early on. Unbricking dead consoles in particular is always a challenge for any hacking scene, because it requires getting control of the code very early in the console’s startup process, typically at boot time.
It wasn’t until 2017, 6 years after the console’s launch, that 3DS hackers SciresM, Myriachan, Normmatt, TuxSH, and Hedgeberg introduced bootrom hax: By exploiting a flawed factory firmware of the 3DS, the hackers were able to extract and reverse engineer the bootrom (the piece of code that runs at the console startup) of the 3DS. During the reverse engineering process, they found a very interesting “feature” in the bootrom code:
Upon disassembling boot9, we notice another huge flaw in the bootrom: Before trying to boot from NAND, the bootrom checks to see if a key combination (Start + Select + X) is being held, and whether the shell is closed. If so, it tries to boot from an inserted NTR (Nintendo DS) cartridge. – SciresM
In other words, the console can load a “service mode” boot binary from a cartridge, by pressing the right key combination (very reminiscent of the PSP’s pandora battery). And by 2017, NDS flashcarts were very widespread on the 3DS scene, so the “how do I put code on an NDS cartridge” problem was a solved one.
This feature was probably put in there for testing or official unbricking purposes. The “cute” part is the test to make sure that the console’s shell is closed. It is believed that this was a “security” to prevent regular gamers from triggering that boot sequence (by mistake or intentionally).
This is where the magnet comes in: by hovering a regular magnet over the console’s buttons, we trick it into believing the shell is closed, which then allows us to press the buttons to our heart’s content. And so was born “magnethax”, now actually known as “ntrboot”, a technique that allows us to unbrick and/or hack the 3DS with a magnet.
For those interested in diving deeper into this hack, SciresM’s presentation is a great (technical) start: https://sciresm.github.io/33-and-a-half-c3/
NTRboot is still to this day a reasonable way to hack a 3DS (although other software methods exist and are recommended if possible), and a good method to unbrick 3DS consoles.
Nintendo Switch: Death by a thousand paper clips
Fast forward to 2018. The Nintendo Switch has been one of the most popular gaming systems out there since its launch in 2017. Nintendo’s console hasn’t proven to be super secure, with the Pegaswitch hack released mere days after the console’s launch. But it is Nintendo’s partnership with Nvidia that will prove to be the console’s downfall. (dun dun dun…)
By January 2018, multiple trusted hacking teams claimed they had “unpatchable” exploits for the Nintendo Switch. From Fail0verflow (remember Team Twiizers above? Same folks) to the infamous Team Xecuter, the race was on to be the “first ones”. Ultimately, it was Team Reswitched and hacker Kate Temkin who released the “fusée gelée” exploit, relying on a critical flaw in the Switch’s Nvidia Tegra SoC. The exploit, being a coldboot one, was indeed unpatchable without a hardware revision of the Nintendo Switch. The Nintendo Switch was fully owned, less than a year after its release.
A bit of trivia here: Kate Temkin and Team Reswitched had planned to release the exploit in June 2018, but a leak of the Tegra exploit precipitated all those releases to April. Fail0verflow ended up releasing their own implementation of the exploit within hours of the fusée gelée release.
But wait, where are the paper clips?
The hack, like many successful console hacks before, relied on a “Service mode” of the Tegra (or “Recovery Mode” aka RCM), which allowed loading some code at boot time via a USB key for servicing purposes.
Although the servicing code is supposed to be signed, there were fundamental flaws in the implementation of the USB protocol, which allowed for a buffer overflow. More can be read on that in Temkin’s writeup.
Technicalities set aside, the question for the end user was “how to enter service mode”? It turns out that pressing the “home”, “volume up” and “power” buttons simultaneously puts the Nintendo Switch into RCM mode. The Switch doesn’t have access to its joycon “home” button at startup, so the home signal had to be sent “another way”, which is done by shorting some joycon lines directly on the Switch. This is done, this time not with tweezers, but with a paper clip, which turns out to be exactly the needed size.
“Cleaner” devices were designed to do that signal shortcut properly, but the technique remains the same. At the time of this writing, the “paperclip jig” Nvidia Tegra hack remains the best way to hack a Nintendo Switch.
Nintendo has since then released hardware revisions, and as such only older Switch models can be hacked through this technique, making them pretty valuable on the secondhand market. Hacking modern Nintendo Switch consoles requires modchips, which are expensive and somewhat difficult to install.
Nintendo Hackers. Where are they now?
Team Twiizers, the folks behind the Tweezer Wii hack, went on to be known as Fail0verflow, and if you’ve been on any console hacking scene, you’ve probably heard of them. They have been very active in Nintendo and PlayStation reverse engineering, although they haven’t technically released any jailbreak in a long time, staying reasonably away from the noise of the scene. Sadly, hacker Bushing of Team Twiizers/Fail0verflow passed away in 2016. Marcan and Sven, other members of the team, have been key drivers of porting Linux to the Apple Silicon Macs.
Hedgeberg and SciresM have smoothly transitioned from 3DS magnet hacks to Switch hacks (both were involved with the fusée gelée hack above), with SciresM in particular being the main developer of Nintendo Switch’s most popular Custom Firmware, Atmosphère, since 2018.
Kate Temkin has kept working on hardware hacks and reverse engineering after the Nintendo Switch hack, but has generally stayed away from the scene (at least publicly).
Team Xecuter, the piracy group that had also leveraged the Tegra Bootrom exploit before it was made public, got arrested in 2020 for their many ties to commercial software piracy.
More from the “Crazy Hacks” Series
If you enjoyed this article, please check all articles in the series:
- Crazy hacks #1 – What do you mean I have to die to hack my PSP? (PSP)
- Crazy hacks #2 – Drill a hole in your chip and find out (XBox 360)
- Crazy Hacks #3: How 3 of Nintendo’s consoles got defeated by everyday-life household items (Wii, 3DS, Nintendo Switch)
- Crazy Hacks #4: When the PS3 was so weak you could even hack it with a Ham and Cheese sandwich (PS3)
Crazy hacks – What’s coming next for Nintendo?
There is something really fascinating about Nintendo’s weakness against very common objects. Who knows if their next console will be hacked with a pen and a stick of gum. What other crazy hacks have you witnessed? Let us know in the comments!
These are very interesting.
I now know where the name Team Twiizers came from!
Really nice write up. I didn’t know about the tweezer hack.
I couldn’t help but notice that the image shows Nintendo v. Toothbrush, yet nowhere in the article was a toothbrush mentioned.
It was just a joke based on the “household items”
I once hacked an ICBM with a paperclip and a spork…