How the Nintendo Switch Security was defeated | MVG

Captions
If we go back in time, Nintendo has never had a good history with security on their hardware platforms over the years. I can remember the earliest disk-based backup devices like the Super Wild Card on the SNES, for example, and then we moved on to flash cartridges on the Game Boy and GBA. The Nintendo 64 introduced CD-based backup storage devices, and of course the DS and 3DS, as well as the Nintendo GameCube, Wii and Wii U, were also systems that suffered at the hands of software-based exploits. I think it's fair to say that Nintendo was woefully unprepared for the different attack vectors hackers would use to break into their hardware, but perhaps none would be as simple as the Nintendo Switch. On face value it appeared that Nintendo learned nothing from the past, but in what is considered one of the biggest turnarounds in video game history, Nintendo managed to effectively close off only a small percentage of Nintendo Switch systems as hackable systems, leaving the vast majority as unpatchable, at least in software. In today's episode we're going to take a look at security on the Nintendo Switch and how Nintendo managed to patch an unpatchable exploit.

Today's video is brought to you by Surfshark VPN. With internet privacy being such a huge deal these days, it's more important now than ever to protect yourself. With Surfshark VPN you can easily hide your IP address and encrypt all data that you send and receive. You can easily switch regions to other countries in the world; this means not only your true IP address and identity is masked, it also means you can get around any annoying geolocation-locked video content, you know, the ones that say "this video isn't supported in your country". This can get annoying for me when I want to watch local Aussie news. With Surfshark VPN I can switch my country to Australia and this problem simply goes away. Surfshark VPN also allows you to connect to unlimited devices simultaneously on a single account, and this includes Windows devices, Linux, Android, iOS, Amazon Fire TV and much more. Surfshark VPN has an awesome offer on right now: if you sign up at surfshark.deal mvg you'll receive 83 percent off and receive three extra months for free, and if you think it sucks there's a 30-day money-back guarantee, which will give you plenty of time to try out Surfshark VPN risk free.

The Nintendo Switch was first unveiled to the world all the way back in April of 2016. At the time its initial announcement wasn't a huge marketing blitz or a reveal; that would come later. The first signs of the new console that would replace the lackluster Wii U were announced, of all places, as a single paragraph in a Nintendo financial report: "For our dedicated video game platform business, Nintendo is currently developing a gaming platform codenamed NX with a brand new concept. NX would be launched in March of 2017 globally." This brought a ton of speculation about what the new system would be. The Wii U was not the success Nintendo wanted it to be, and a pivot was needed to recapture the success of the previous Nintendo Wii. Many speculated about what the new system was and its specifications and exactly what it would be. Various sources appeared corroborating information that the new system would be a portable handheld console with detachable controllers that could be docked to a television system. In the end, as we know now, the main SoC that powers the Nintendo Switch is the Nvidia Tegra X1, and this is the same chip that powers the Nvidia Shield TV and the Google Pixel C tablet. Eurogamer was the first to break the story on July 30th, 2016, and as we know now the information turned out to be correct. The Nintendo Switch hardware spec features the same Tegra X1 SoC, but on the Nintendo website it's labeled as an "Nvidia custom Tegra processor", which for all intents and purposes is an ARM four-core Cortex-A57, as well as four gigabytes of LPDDR4 RAM, 32 gigabytes of storage, as well as an SD card slot (up to two terabytes), and a 1280x720 IPS panel which is 6.2 inches, and of course it contains the dockable hardware as well as the detachable Joy-Cons. The system would effectively bridge the gap between portable and traditional gaming with its hybrid concept, and this would mark Nintendo's departure away from the PowerPC-based architecture for the very first time. Although Nintendo had already used ARM-based hardware in their handheld line ever since the GBA, this would be the very first time Nintendo would support ARM for their main system line.

The Tegra X1 was an interesting choice for Nintendo. As mentioned, it was a departure away from their typical PowerPC-based custom SoCs, but because it was a well-documented chip it meant that datasheets and information about the Tegra X1 were readily available. Unlike custom-built SoCs that have specific security in place, the Tegra X1 is somewhat of a more open environment, and this of course got the attention of multiple security researchers. However, initially the Nintendo Switch appeared to be a fairly secure environment. This was especially true considering there is no hardware backward compatibility and a closed-off sandbox to play games from the previous generation. This was something that in the past security researchers would often start their investigations with. For example, if you want to hack the Nintendo Wii, the best plan of attack is to try to figure out how to exploit the built-in GameCube functionality, because that was exploited previously. The same applied for the Nintendo 3DS: to exploit the 3DS, the best place to start is to take a look at the Nintendo DS backward compatibility and to determine if there's any type of bridge between the DS backward compatibility and the 3DS itself. But Nintendo had no such backward compatibility on the Nintendo Switch. This meant basically starting from scratch. The first year of the Nintendo Switch was relatively quiet, with no real exploits that were discovered, and things appeared as though they were going along quite smoothly for Nintendo and they had a very secure system.

But all that would change as early as January of 2018, when the group fail0verflow teased something known as ShofEL2. This would be a cold boot exploit for the Switch which appeared to be running a small homebrew proof of concept with the message saying "interesting times ahead", an ominous warning to Nintendo that in just 10 months the Nintendo Switch was hacked. Initially fail0verflow chose to keep their findings private. The group was mainly interested in running Linux; however, with such a new piece of hardware as the Switch, these types of exploits can quickly lead to rampant piracy and groups of individuals that are looking to profit from this exploit. fail0verflow would then go on to disclose their exploit to various groups; however, once the deadline passed and they heard nothing back, on April 24th of 2018 the floodgates opened. And it wouldn't just be fail0verflow that were looking to hack the Switch. Other groups were also looking towards a solution, and the first publicly released exploit was known as Fusée Gelée, which would also be the very same cold boot exploit that would be found. You see, the exploit was so obvious that multiple security researchers all discovered it individually, and while it's true fail0verflow indeed showed off the exploit first, Fusée was public, and that was initially reported and responsibly disclosed by the hardware hacker known as Kate Temkin and also ReSwitched, a Nintendo Switch-focused hacking group.

The exploit was particularly worrisome for Nintendo, as it would be unpatchable. To best describe how the exploit works: when you turn on your Switch there is a section of read-only memory that's known as the boot ROM. This code runs before anything else, including the operating system and even security on boot-up. By sending a payload to the system there is an overflow of the direct memory access buffer in the boot ROM, in turn allowing data to be copied into its application stack and giving the attacker the ability to run unsigned code. The payload itself is sent over USB. However, there is a very important thing to note here: when you power on the Switch by normal means, the boot ROM is locked out and it is not possible to get access to it. The boot ROM can also not be patched without a hardware revision, meaning that all Switch units at the time were left vulnerable.

The boot ROM exploit is one thing, but how do you actually get access to an exposed boot ROM? Well, the trick is to use what's known as RCM mode. This is short for recovery mode, which is a USB-based rescue mode intended for fixing bricked Switch devices. In RCM mode it allows for signed images to be loaded, but thanks to the exploit, unsigned code execution is possible. Now, to access RCM mode on the Switch it's quite simple: you need to hold down three buttons, volume up, power and a mystery third button, which turns out is when you bridge pin 10 and pin 7 on the right Joy-Con rail, and the best way to do this is to simply use a paper clip or what's known as a jig to hold the pins in place while you press the other two buttons. With a USB connection and a piece of software it's also very easy to determine when your Switch is running in RCM mode. RCM is used to recover bricked devices, as we mentioned, so it opens up access to the boot ROM, and the overflow exploit is all that's needed for the arbitrary code execution. And in just 12 months the Nintendo Switch was well and truly hacked. It wouldn't be long until various custom firmwares were in development that would assist with the running of homebrew on the system, with the standout being known as Atmosphère, which is still being supported to this day. Nintendo could check the existence of an exploited Switch and wipe it clean with each firmware update; however, due to the unpatchable nature, it would only require an updated payload and Atmosphère custom firmware to effectively re-enable it.

The unpatchable exploit made its way to around 15 million Nintendo Switch systems during its first year of sales. Every single Switch was exploitable, and this of course would be a major concern to both Nvidia and Nintendo, who somehow were left exposed. This in turn led the prominent scene group Team Xecuter to build hardware around the boot ROM RCM exploit and their own custom firmware known as SX OS. However, TX, as we will call them, would start to sell their products at a premium as well as offering simple tools to allow for dumped games to be easily installed on the Switch. In short, Team Xecuter would profit massively from the exploit and was subsequently shut down by Nintendo after a very public legal battle that resulted in jail sentences for some members of the team. I've done a long-form story about Team Xecuter and the origin story, and if you want to learn more about the group I'll leave a link to that video in the description below.

The only way to effectively patch the exploit was to revise the actual Tegra X1 hardware, and that's exactly what Nvidia did. Around June of 2018 a new Switch appeared, known as the Redbox model, that patched the exploit, and future updates to Switch hardware, including the Lite and OLED models, would feature revisions to the Tegra X1 with the Mariko and Aula chipsets that also would lock down this loophole. This however would not be 100% foolproof, as there are still methods to exploit these models; however, they all revolve around glitching the CPU into resetting itself to be in a state which allows booting from unsigned payloads. This is kind of similar to the reset glitch hack from the 360 days. However, this approach requires a modchip and someone who's quite skilled enough to install the chip into a Switch, which of course has a very small form factor. The cost of the chip and the installation, if you weren't experienced enough to solder it yourself, would not be cheap, and as a result most people didn't bother and resorted to locating an easier unpatchable Switch, which still can be found on the used market.

In the end, Nintendo saved the Switch from a total disaster. 15 million exploitable Switches is a lot; however, with 122 million units in circulation as of the making of this episode, it only represents about 12% of total units in existence. And while there is a strong and active homebrew community making emulators, apps and homebrew games for the hardware, Nintendo and Nvidia were very quick to revise their hardware, and this undoubtedly saved the Nintendo Switch from a total disaster. And with that, we are going to leave it here for today's episode. If you want to learn more about security on various hardware platforms over the years, I've got a pretty comprehensive list, so feel free to check out the channel if you have interest in learning about security on various consoles. But for now we are going to leave it here for today's episode. Thank you so much for watching. If you like this episode, please don't forget to leave me a thumbs up, and I'll catch you guys in the next video. Bye for now.
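The boot ROM bug the video describes is an unbounded copy into a fixed DMA buffer that sits next to control data on the stack. The following C model, added here as an illustration and not code from the video, from fail0verflow or ReSwitched, or from the Tegra X1 boot ROM, shows that bug class beside the bounds-checked form; the frame layout, function names and buffer size are all hypothetical.

```c
/* Added model of the bug class above, not real boot ROM code. A USB receive path
 * copies a host-supplied length into a fixed DMA buffer that sits next to a saved
 * return address; the frame is a struct so the overrun is observable safely. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define DMA_BUF_SIZE 64u              /* hypothetical DMA buffer size */
#define SAVED_LR_SENTINEL 0x5A5A5A5Au /* marker for the saved return address */

/* Modelled stack frame: the DMA buffer immediately followed by a saved LR. */
struct rom_frame {
    uint8_t  dma_buf[DMA_BUF_SIZE];
    uint32_t saved_lr;
};

/* Vulnerable pattern: trusts the length field taken from the USB request. */
static uint32_t usb_receive_unchecked(struct rom_frame *f,
                                      const uint8_t *pkt, uint32_t req_len) {
    uint32_t n = req_len;
    if (n > sizeof(*f)) n = sizeof(*f);  /* only to keep the model in bounds */
    memcpy((uint8_t *)f, pkt, n);        /* spills past dma_buf into saved_lr */
    return n;
}

/* Hardened pattern: refuse any request larger than the buffer before copying. */
static int usb_receive_checked(struct rom_frame *f,
                               const uint8_t *pkt, uint32_t req_len) {
    if (req_len > DMA_BUF_SIZE) return -1;
    memcpy(f->dma_buf, pkt, req_len);
    return (int)req_len;
}

/* Feed one constructed packet of req_len bytes to a fresh frame.
 * Returns 1 if the saved return address was overwritten, 0 otherwise. */
static int saved_lr_clobbered(int use_checked, uint32_t req_len) {
    struct rom_frame f;
    uint8_t pkt[sizeof(struct rom_frame)];
    memset(pkt, 0x41, sizeof pkt);       /* constructed oversize host data */
    memset(&f, 0, sizeof f);
    f.saved_lr = SAVED_LR_SENTINEL;
    if (use_checked) usb_receive_checked(&f, pkt, req_len);
    else             usb_receive_unchecked(&f, pkt, req_len);
    return f.saved_lr != SAVED_LR_SENTINEL;
}

int main(void) {
    printf("unchecked, 200-byte request: clobbered=%d\n", saved_lr_clobbered(0, 200));
    printf("checked,   200-byte request: clobbered=%d\n", saved_lr_clobbered(1, 200));
    return 0;
}
```

The defensive point is the single comparison in usb_receive_checked: a length that comes from the host is untrusted input and must be bounded before any copy, because the code that runs it (the boot ROM) cannot be updated afterwards.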
Info
Channel: Modern Vintage Gamer
Views: 509,605
Keywords: switch, nintendo, nintendo switch, nx, nvidia, tegra x1, security, hacking, nintendo switch security, defeated, mvg, modern vintage gamer, exploits, fusee gelee, failoverflow, shofel2, nintendo switch oled, nintendo switch lite, mariko, aula, switch lite, redbox switch
Id: xQmN-cxg21M
Length: 13min 12sec (792 seconds)
Published: Mon Apr 10 2023