
It's happening, Switch Homebrew Launcher released for 3.0.0 plus other Switch hacking news

Master Disaster

Last week (and into today) has been a big week for the Switch hacking scene with lots happening.

 

First we'll go back about 3 weeks, when hacker Qlutoo announced (to much criticism) that his Switch Homebrew Launcher wouldn't be ready for his deadline and was delayed. I won't bother including the link as it's only included for the sake of thoroughness.

 

On Thursday, hacking group Team Xecuter announced their upcoming Switch modchip was delayed due to prototyping issues with the access point.

Quote

Here is a quick update on our product status:

 

After a few days' delay due to Chinese New Year, we have finally received our prototype boards. As can be expected from any development cycle, we have experienced a few issues with the reliability of our entry point. We will work on refining our method and keep you posted; stay tuned for more exciting news and videos in the coming weeks.

 

We are sorry for the delay, but we are also sure all Switch owners will be delighted by our product. It is worth the wait!

http://gbatemp.net/threads/team-xecuter-delay-switch-modchip.496739/

 

Less than 24 hours later, group ReSwitched announced some VERY BIG news: they have managed to gain TrustZone access on Switch firmware 4.1.0. TrustZone is the Switch's equivalent of kernel mode, and this news means that FULL ACCESS exploits now exist for up to the very latest Switch firmware; however, don't expect a release of this exploit for a long time.

Quote

The ReSwitched Hacking Team has done it again. motezazer, ktemkin and SciresM have achieved code execution on 4.1.0, the latest version at the time of writing this, via deja vu at TrustZone level. This means devices on 4.1.0 and below will be able to gain access to the whole system. SciresM strongly advises to not update in the future.

 

After less than a year, the Switch hacking team has moved extremely fast and now has full access on the latest version. The progress being made is incredible; in comparison, the 3DS took around 2 years to get ARM9 access. The scene is looking very promising so far and we are very lucky to have such talented people working on the Switch.

 

If you are on 4.x or below, you will be able to gain access to the whole system's hardware. Users on lower firmwares will get CFW first. If you're on 4.0.0/4.0.1, just update to 4.1.0.

 

http://gbatemp.net/threads/switch-trustzonehax-on-4-x.496799/

 

The very next day we got 3 big stories. First, SciresM, a member of the ReSwitched team, announced he was starting development on the first Switch custom firmware, called Atmosphere-NX. It will be unique in that he is doing the entire process open source on GitHub, and he is targeting Switches up to 4.1.0 using the exploit his group announced.

Quote

My focus will be shifting towards spending all my time working on Atmosphere until it's usable (with a diversion to get a publicly usable jamais vu PoC once some of the basic building blocks are in place).

I've put up a roadmap in the issues/projects section -- all of my development will be open source and done via commits to that repo. I don't want a repeat of previous consoles where CFWs get worked on behind closed doors before their initial releases -- all of atmosphere's broken, WIP code will be available as it's written.

 

http://gbatemp.net/threads/atmosphere-nx-custom-firmware-in-development-by-sciresm.496832/

 

Then another member of ReSwitched showed off a proof of concept cold boot code execution method that seems to affect all Tegra based devices and apparently cannot ever be patched. It's speculated that this is a CPU bug present in all Tegra chips; it's unconfirmed, but it's thought to be the same bug Fail0verFlow used to boot Linux on the Switch a few weeks ago.

 

Not to be outdone, Fail0verFlow came out with a fresh Linux on Switch video showing a fully working UI with touchscreen support, a panel driver and basic 3D support too, showing their Switch kernel is maturing very rapidly.

This brings us on to today, where hacker Qlutoo has dropped the bomb everyone has been waiting for: the first fully working Switch Homebrew Launcher is now available. Currently it only supports 3.0.0, which is fine as that's the only hackable firmware right now anyway, but he has pledged to update it to support all future releases and exploits. This marks the beginning of the Switch's public hacking scene.

Quote

As with any new exploitative software, don't install it unless you know what you are doing.

http://gbatemp.net/threads/switch-homebrew-launcher-3-0-0-released.496987

 

Well I guess it's time to update my switch to 4.1.0 and wait patiently because it's happening.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


Team Xecuter has a long history of hacking. I believe they were the first to utilize the reset glitch hack on the Xbox 360. I might actually get a Switch now.


6 minutes ago, huilun02 said:

Can't wait to see Windows/Linux/Android running on the thing. Or my dream of dual boot into either the original software or Android. That would make it a whole lot more appealing as a purchase. The selling point of the Switch is portability, but I'm not carrying it around if all it does is play the few games that I would get.


For those who wonder, the hack applies to Switch 3.0.

Currently the Switch is on version 4.1.


1 hour ago, GoodBytes said:

For those who wonder, the hack applies to Switch 3.0.

Currently the Switch is on version 4.1.

There is a confirmed exploit for the TrustZone hyperkernel on 4.1 though. Nintendo seems to be having trouble with secure ARM development.

 

The whole point of TrustZone is that this kind of stuff shouldn't be happening. Its entire purpose is to establish a TEE for your secure kernels and then run untrusted code outside that to prevent kernel level exploits.

 

I get that part of this was the result of nVidia debugging code, and I'm really glad we get to see a homebrew scene on the switch, but damn Nintendo why is all your software so vulnerable?


6 minutes ago, Sniperfox47 said:

I get that part of this was the result of nVidia debugging code, and I'm really glad we get to see a homebrew scene on the switch, but damn Nintendo why is all your software so vulnerable?

If I were to guess, and this is by no means defending Nintendo, just sense:

 - Microsoft has deep OS experience (obviously).

 - Sony has the talent from making firmware and OSes for all their electronic devices for ages (TVs, VCRs, DVDs, Blu-ray players, smartphones, etc).

 

Nintendo has only game console experience. Mind you, their knowledge has increased substantially over the years. For example, if you have the old DS, you can't switch a game cartridge without restarting the console. The WiiU.... had the slowest OS ever created (World Record?) I mean it took ages to load the Settings panels.

 


19 minutes ago, GoodBytes said:

If I were to guess, and this is by no means defending Nintendo, just sense:

 - Microsoft has deep OS experience (obviously).

 - Sony has the talent from making firmware and OSes for all their electronic devices for ages (TVs, VCRs, DVDs, Blu-ray players, smartphones, etc).

 

Nintendo has only game console experience. Mind you, their knowledge has increased substantially over the years. For example, if you have the old DS, you can't switch a game cartridge without restarting the console. The WiiU.... had the slowest OS ever created (World Record?) I mean it took ages to load the Settings panels.

 

Yeah, I know. It was mostly rhetoric. They also haven't dealt with dedicated security hardware like TrustZone before.

 

And there's also the fact that their development practices are significantly more "Japanese" than Sony's. (Not to be racist, there's just no other way I could think to phrase that.) In the same vein as "Splatoon maps rotate because that's the way we made it, and you'll settle for that because it's our product, not yours", I'm sure there are a number of cultural idiosyncrasies in their hardware teams too.

 

But some of the stuff, like their coded note in the NES/SNES Classic firmware, makes me wonder if maybe their game of cat and mouse isn't their engineers just having some fun intentionally leaving hidden vulnerabilities in their kernel code to give the homebrew community something to work towards xD


2 hours ago, Sniperfox47 said:

Yeah, I know. It was mostly rhetoric. They also haven't dealt with dedicated security hardware like TrustZone before.

 

And there's also the fact that their development practices are significantly more "Japanese" than Sony's. (Not to be racist, there's just no other way I could think to phrase that.) In the same vein as "Splatoon maps rotate because that's the way we made it, and you'll settle for that because it's our product, not yours", I'm sure there are a number of cultural idiosyncrasies in their hardware teams too.

 

But some of the stuff, like their coded note in the NES/SNES Classic firmware, makes me wonder if maybe their game of cat and mouse isn't their engineers just having some fun intentionally leaving hidden vulnerabilities in their kernel code to give the homebrew community something to work towards xD

The cold boot code execution exploit is apparently a CPU bug; my (very limited) understanding is that it would take a new Tegra revision to fix it. But yeah, TrustZone in every firmware version is currently exploited, and as quickly as Nintendo patches them the groups are breaking them again.

 

As it is now users on 3.0.0 can look forward to Trustzone access very soon with userland access being already available.

 

3.x users should be getting userland very soon with Trustzone coming some time after.

 

4.x users are waiting for a while longer but know they can play everything currently available to buy and that userland and Trustzone both exist now. It's only a matter of time.

 

5 hours ago, huilun02 said:

Haha I doubt demanding PC games will run on a Switch. What I'm interested is for the device to do more than just gaming.

The thought of Kodi & RetroArch on my Switch is making me moist tbh. The quicker it happens the better.


6 hours ago, huilun02 said:

Can't wait to see Windows/Linux/Android running on the thing. Or my dream of dual boot into either the original software or Android. That would make it a whole lot more appealing as a purchase. The selling point of the Switch is portability, but I'm not carrying it around if all it does is play the few games that I would get.

There's literally a video of Switch Linux in the OP dude.


Lol, another way to exploit my Tegra 3 tablets is my main takeaway from this article.


6 hours ago, Sniperfox47 said:

There is a confirmed exploit for the TrustZone hyperkernel on 4.1 though. Nintendo seems to be having trouble with secure ARM development.

 

The whole point of TrustZone is that this kind of stuff shouldn't be happening. Its entire purpose is to establish a TEE for your secure kernels and then run untrusted code outside that to prevent kernel level exploits.

 

I get that part of this was the result of nVidia debugging code, and I'm really glad we get to see a homebrew scene on the switch, but damn Nintendo why is all your software so vulnerable?

As far as I'm aware, the hacking scene on the 3DS has progressed a heck of a lot slower, probably owing to the unknown GPU hardware vs the relatively standardized Tegra chip being employed in the Switch.
