Switch:Modchips

From ConsoleMods Wiki

This page covers the various modchips for the Nintendo Switch, which methods they exploit, and which ones are recommended for users considering modifying their console.

SAMD21 Modchips

These chips work by utilizing a coldboot exploit called Fusée Gelée, which was uncovered publicly by the ReSwitched team for the NVIDIA Tegra X1 line of processors around April 2018. The bootROM is read-only memory which is loaded into the application stack first, prior to loading the operating system. A stack buffer overflow is triggered by sending a specially crafted payload over USB during boot-up; this overwrites the application stack holding the bootROM, after which unsigned code can be executed from a frozen state. This can be achieved through an internal recovery mode that Nintendo uses for servicing Switch units assumed to be damaged (named RCM, short for 'ReCovery Mode'). Holding down Vol (+) and POWER while pins 7 and 10 on the 2nd Joy-Con port are shorted, using either a printed/pre-made jig or a paperclip, will enter the recovery state before the bootROM continues booting.

After the exploit implementation was released, SAMD21 development boards such as the Trinket M0 were also used to automate the Fusée Gelée exploit, so the user no longer needs to use a Joy-Con jig or the volume buttons. Chinese cloners also manufactured pre-flashed SAMD21-based modchips called the "X86".

More info about SAMD21 modchips can be found on GBATemp.[1]

After these findings became public, around July 2018, Nintendo began quietly shipping revised versions of the Nintendo Switch with new Tegra X1 chips that featured an updated irom patch 3. This fixed the RCM exploit by limiting the size of wLength for USB control requests in RCM to only 255 bytes.[2] The only way to exploit a console that is not vulnerable via RCM is to install a modchip that uses voltage glitching, which requires hands-on experience with micro soldering.
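As an added illustration of the 255-byte wLength limit described above (this is not Tegra X1 bootROM code; the packet layout is the standard 8-byte USB setup packet, and the policy function is a hypothetical, simplified model of the patched check):

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Hypothetical model of the patched RCM control-request policy.
 * Added example only; it is not the real bootROM implementation. */

#define RCM_MAX_WLENGTH 255u   /* limit introduced by the revised irom patch */

/* Standard USB setup packet; multi-byte fields are little-endian on the wire. */
typedef struct {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
} usb_setup_packet;

/* Decode a raw setup packet. Returns false if fewer than 8 bytes are supplied. */
bool parse_setup_packet(const uint8_t *raw, size_t len, usb_setup_packet *out) {
    if (raw == NULL || out == NULL || len < 8) return false;
    out->bmRequestType = raw[0];
    out->bRequest      = raw[1];
    out->wValue  = (uint16_t)(raw[2] | (raw[3] << 8));
    out->wIndex  = (uint16_t)(raw[4] | (raw[5] << 8));
    out->wLength = (uint16_t)(raw[6] | (raw[7] << 8));
    return true;
}

/* Policy check modelling the patched behaviour: a control request whose
 * wLength exceeds 255 bytes is rejected before any data is copied. */
bool rcm_request_allowed(const usb_setup_packet *pkt) {
    return pkt->wLength <= RCM_MAX_WLENGTH;
}

/* Parse raw bytes and return the decision; malformed (short) input is rejected. */
bool rcm_accepts_raw(const uint8_t *raw, size_t len) {
    usb_setup_packet pkt;
    if (!parse_setup_packet(raw, len, &pkt)) return false;
    return rcm_request_allowed(&pkt);
}
```

The constructed packets in the test below are ordinary GET_DESCRIPTOR-style requests that differ only in wLength; the check is on the length field alone.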

Voltage Glitching Modchips

These modchips work by voltage-glitching the Tegra X1's BCT (boot configuration table) signature verification so that it always appears valid, and temporarily writing the desired payload in the place of the BCT on the eMMC. This allows homebrew and CFW to work on any Switch model, including Mariko-based Switches and patched V1 Switches.

The PicoFly chips are based on the RP2040 microcontroller, and the software is open source.[3] Since the RP2040 is a widely known microcontroller, several open-source modchip designs exist, in addition to generic Chinese-made boards, and even a generic RP2040 development board can be used. It is the most popular and readily available Switch modchip on the market. While PicoFly chips are commonly accepted, they can be less reliable than the older alternatives, and the quality varies depending on which seller you bought from.

The INSTINCT NX is based on a clone of the SX-Core chips developed by Team Xecuter (clones that predate the INSTINCT series are known under the HWFLY name, though the INSTINCT chips have a different design). These chips use a GigaDevice GD32F3x0 microcontroller paired with a Lattice ICE40LP1K-CM49 FPGA,[4] rather than the RP2040 alone as the PicoFly does. While there is open-source firmware for the microcontroller of these chips,[5] the FPGA firmware is still closed source and has not been publicly reverse engineered. The INSTINCT and HWFLY hardware can be quite hard to come by now, and was much more expensive to produce than PicoFly hardware, so seeking out one of these modchips, or a Switch with one pre-installed, is no longer worthwhile given PicoFly's availability and low cost.

Both modchip types support all Switch models, from V1 up to OLED.