First usermode exploit and more: Nintendo Switch 2 had a busy (hacking) week for its launch
The Nintendo Switch 2 officially released this week, and if you’re one of the few lucky owners of the device, you might have seen that the console has also been busy on the hacking front. Mig Switch have seen some of their Switch 2 compatibility claims being debunked by testers, a factory firmware was spotted in the wild, and, more importantly, it seems a usermode exploit is already running on the device.
Nintendo apparently shipped some devices with a Factory/Debug Firmware
Some screenshots have been circulating of Switch 2 consoles being shipped with a Debug Firmware, showcasing some QA functionality you’re not supposed to see (instead of the games you’d like to see, btw). Allegedly, some of these devices are already in the hands of hackers for further analysis.
On the screenshots, we can see details of the alleged Debug Firmware, with options to test the hardware as well as battery charge levels, run software tests, or force reboot/shutdown the device.
This could of course be an elaborate prank: please note that I haven’t been able to verify this and GBATemp (the original source) appears to be down at the time of writing.
Mig Switch suggest that their piracy device works on the Switch 2. Testers debunk the claim
Mig Switch have been releasing some confusing marketing material and ads for their piracy cartridge, implying that the controversial device already works on the Switch 2.
Multiple testers have come out of the woods to debunk the claim, and show through multiple screenshots that using a Mig Switch on a Nintendo Switch2 actually doesn’t work. Specifically, the games will display but won’t launch, instead showing an error message when you try to run them.
Switch2 don’t support Migswitch pic.twitter.com/p0rKdEpy7J
— Arizonakk. (@liqihah1) June 4, 2025
This isn’t to say that Mig Switch don’t have an ace up their sleeve, but for now, it doesn’t appear that the device works out of the box on Switch 2. Nevertheless, Mig Switch team explicitly state on their official website that their device is compatible with Switch 2.
Despite multiple issues, in particular with significant delays on delivery for most buyers, Mig Switch have delivered on their claims (for the Switch 1) until now, so they might be up to something. But so far all testers have stated the device fails to run pirated (Switch 1) games on Switch 2.
First Usermode exploit running on the Switch 2, Day 1
Security researcher David Buchanan (aka retr0id) claims he has a ROP chain exploit running on the Nintendo Switch 2, emphasizing that this is not a “native exploit” but “usermode” instead.
Retr0id is known among other things for his work on DeCENC, RootMyTV, or, closer to home, his NXLoader tool for the Switch. He also recently published a proof of concept to gain root access on a laptop via a cigarette lighter.
Personal take: usermode generally *is* native code in my book, it’s just not access to all the libraries that a full kernel exploit would allow. By comparison, I’d say that running PSP exploits on the PS Vita wasn’t “native” because we were only running PSP exploits within the PSP emulator on the Vita. Then again, what do I know. Nothing.
It is actually very possible that the hacker achieved some usermode exploit within the Switch 1 retro compatibility layer.
As “proof” that his exploit is real, retr0id has mentioned the name of a Switch 2 lib “nnCompatTrampoline”, knowledge which he implies one only could access via a hack.
NnCompatTrampoline is a lib used in the Switch 1 emulation/compatibility layer of the Switch 2. (details here .Obviously this wiki page was created *after* Retr0id’s announce)
Make it cost less
I have a link for an ESP32-S2 setup that on top of replacing a popular self hosted exploit for pOOBs4 9.00 also has a Linux internal distro and initramfs and bzImage working for my belize2A0 CUH-7016B and I can launch ps4_linux_4gb_pro.bin from the web browser’s index2.html as ps4.local/index.html hosts the auto exfatHAX process with the latest GoldHEN available.
If Wololo allows it, I will follow-up with a reply.
It’s cheaper I guess…
And more available also…
I plan to upload video usage guide on my channel. It’s small TBH but it will eventually grow I guess…
get a better job
ROP only and you are able to map or access the framebuffer and draw a xor pattern ? WOW, not an easy one, that ROP chain must be biggg
You have no idea how much understanding how difficult this is means. I’m tired of people assuming ROP chains are simplistic or basic. Sometimes a lot can be done with the right libs.
Just wanted to correct the point about the MIG Flash cart – the actual manufacturers of the device (migflash.com) have made no such claims about Switch 2 compatibility. It’s one of their official resellers – MigFlashStore (themigflash.store) – who made the false claims and owns the Twitter handle @MigSwitch.
Yeah this is a big one Wololo. Please correct asap – and add a statement explaining the misunderstanding and correction.
I usually refer to this site as a very trustful source of factual hacking information – but this article just adds to the confusion by spreading misinformation around migswitch, rather than correcting the already circulating misinformation.
It’s always great to see these kind of things but I don’t know if I want to hack (when available) my switch 2.
Then why google it and even comment?
I dont even want a Switch 2. Big N wont see a cent from me ever again
I think the non-native part is because it’s ROP, not because it’s userland.
Can’t wait until the system is cracked open so we can get us some emulation going. The translation layer for Switch 1 games could be the holy grail for native PC ports down the road.
Hey wololo, according to your experience, how much would you say it would take to run backups on Switch 2? As usual there’s people implying that’s gonna be soon because they achieved this on day 1.
ROP is not machine code. Usermode ROP is not usermode native code.
Migflash never claimed support for the Switch 2. The official Migflash website is Migflash.net, not Migflash.store. The @MigFlash twitter account is ran by the latter, which is a known scammer.
I always thought it interesting that there was relatively little (public) use of user-mode hacks on the Switch. The RCM exploit really blew things open, but even once Nintendo fixed that, the field largely switched over to mod chips and the MIG.
I’m not sure if that’s indicative of a weak, easily-compromised hardware design, or a strong OS. Horizon OS is pretty locked down in terms of enabled features.
If one has a launch Switch 2 and given the initial day 1 patch is apparently very important, should one get this day 1 patch and then leave it be, or just leave in the box as is, without any patches whatsoever, if the intention is to run CFW (if that ever happens)?
Nintendo shaking down its customers i hope it gets hacked
first usermode linux … does anybody know this library for this lib linking dev ???
../shared/image-loader.c: In function ‘load_jpeg_icc’:
../shared/image-loader.c:163:14: error: implicit declaration of function ‘jpeg_read_icc_profile’ [-Wimplicit-function-declaration]
163 | if (!jpeg_read_icc_profile(cinfo, &profdata, &proflen)) {
| ^~~~~~~~~~~~~~~~~~~~~
Since this article hasn’t been updated, the official migswitch website posted that the tweet was demoing an in-house beta firmware. Which I thought was obvious but I guess not. As of yesterday said firmware is released to the general public for use playing switch 1 games on Switch 2. Though I cannot personally confirm if it works or not.
I wish you beat other outlets to a story we saw a million times since it happened
And now the mig is banning consoles it’s a shame that these articles come out late with a lack of passion and that gba temp is more active
Ish-psvita runs the alpine iso downloader and unpacks alpine iso to run alpine cmd for psvita
Is there nothing happening in the hacking scene anymore or is this site just dead? :/