The Nintendo Switch is, basically, a game console made out of smartphone parts. The quad-core Nvidia Tegra X1 ARM SoC would be right at home in a smartphone or tablet, along with the 4GB of RAM, a 720p touchscreen, and a 4310mAh battery. Really, the only things that make the Switch a game console are the sweet slide-on controllers and the fact that it is blessed by Nintendo, with actually good AAA games, ecosystem support, and developer outreach.
With such a close relation to smartphone hardware, it only makes sense that people would eventually load some smartphone software onto the Nintendo Switch—and around Ars, we’ve recently made everyone’s favorite handheld run Android. Such a thing might sound like a hardware hacker’s pipe dream, but thanks to work from a group called “Switchroot,” you can now get a pretty good build of Android up and running on Nintendo’s console.
A project like this is only possible thanks to two of the Internet’s biggest hacking communities joining forces—you’ve got the best of the Nintendo Homebrew scene combining with the best of the Android custom ROM community. And as we recently discovered, getting Android running on the Switch is a whirlwind tour of huge community projects and discoveries all in the name of doing whatever you want with hardware you own.
Currently, we don’t have a strong argument for why anyone would want to run Android on the Switch, other than it’s super fun, and walking through the process is a great way to learn more about the Switch and Android. And if you’ve been disappointed with Nintendo’s lack of an official Virtual Console on the Switch, you’ll be able to blow open the doors to classic gaming, both with Android ports of titles for sale on the Play Store and access to about a million emulators.
But before we worry about loading Android onto the Switch, the first step is a getaway: we have to break out of Nintendo’s sandbox.
The Homebrew basics
While you might think running Android on a thing made out of smartphone parts was inevitable, the road to getting Android on the Switch first had to be paved by the Switch homebrew community. Out of the box, game consoles are locked down to only run software the manufacturer wants them to run. So before anyone can even think about running something like Android, a group of dedicated hackers first had to document how the Switch worked, hunt down exploits, develop software, and probably destroy some devices in order to figure out how to actually run arbitrary code on the Switch.
In this case, Nintendo’s use of an off-the-shelf Nvidia Tegra SoC gave the hackers a good starting point. As a commercial product, the Tegra SoC has a ton of documentation and even readily available developer kits. Early Switch hacking attempts started on one of these development kits, and documentation from Nvidia even detailed how to bypass memory management and kick off the first exploit. As one of the hackers behind the exploit said, “Nvidia backdoored themselves.”
Since then a number of vulnerabilities have been discovered in the Switch’s hardware and software, but the biggest is “Fusée Gelée,” an exploit in the recovery mode of the Switch’s Tegra X1 SoC. Of all the fun and interesting ways you could break the security of a video game console, a recovery mode vulnerability is pretty handy.
Like many ARM-based computers, the Nintendo Switch has a built-in recovery mode that it can be booted into instead of the OS. This mode is meant for the initial flashing of the consumer OS, and it’s used for recovery in the event of a damaged operating system. The consumer OS is meant to be frequently updated and changed over the life of the console, but if anything goes wrong and the main OS stops working, this recovery mode is your only way to possibly recover the system. Since it is very important that this recovery mode never gets damaged or maliciously modified, it is completely independent of the main OS, and it’s read only—it can never be changed or updated once the device leaves the factory.
An exploit in the recovery mode is seriously bad news for a company like Nintendo that wants to lock down its hardware. For devices that have already left the factory, recovery mode can’t be patched with a system update. The whole point of the recovery mode is that it always works and never changes, so that it can never be broken by a dumb user, a malicious program, or a bad update. So shortly after the disclosure of Fusée Gelée, Nintendo reportedly started producing new Switches that were immune to the vulnerability, but there are still 15 million-ish devices out there with an unpatchable recovery mode. Any Switch purchased before mid-2018 should be vulnerable, and you can compare your serial number against this list if curious. You can also just give the exploit a shot and see if it works. A detailed step-by-step guide on how to do this is here—we’re just giving a brief overview.
The process of triggering Fusée Gelée and loading homebrew on your Switch is, frankly, pretty cool. First you have to boot into the Tegra’s ReCovery Mode (called “Tegra RCM”), which, just like on a smartphone, is done with a secret key combination. On the Switch, recovery mode requires you to turn off the system and hold the buttons for “Volume Up,” “Home,” and “Power” on the body of the Switch, not the Joy Cons. This is kind of a problem, because if you detach the Joy Cons and just hold the Switch body in your hands, you’ll find a volume rocker and power button on the top edge, but you won’t find a home button anywhere.
In the name of Android, we’re still going to trigger the home button, though, even if a home button doesn’t physically exist. The system-defining Joy Con rails on the sides of the console have an electrical connector tucked into the bottom of the rail. This set of ten gold connectors is normally used for charging the controllers and passing data back and forth, but during the initial simplified boot-up state, the Tegra SoC has the rear-most pin on the right Joy Con rail (usually referred to as “Pin 10”) mapped to the system’s “Home” button. Just bridge Pin 10 to ground (via any of the rail screws or the ground Joy Con pin), and you’ve got yourself a system home button.
These pins are pretty small, about the size of a MicroUSB pin, and they are tucked away in the bottom of the rail, so they can be tough to get at. The homebrew community has been coming up with all sorts of fun and creative ways to make what is referred to as an “RCM Jig”—a tool that connects Pin 10 to ground. I’ve seen everything from artisanally crafted paper clips to safety pins to sacrificial Joy Con connectors. The nicest and most repeatable way, though, is to buy or 3D-print a plastic cap that smoothly slides into the Joy Con rails and bridges Pin 10 to Pin 1.
Going the DIY route for an RCM jig can be dangerous, since shorting the wrong pins or damaging the pins can damage your Switch. Buying a pre-made jig has much less room for error and less risk of damage, and shorting the pins correctly is really the only hard part of modding the Switch—from here on out it’s all software work. Compared to some of the old-school console mods where you would have to open the system and solder a modchip to the CD drive, being able to break into the Switch without even picking up a screwdriver is pretty easy.
Now that we have a way to press our non-existent system home button, turn the Switch off all the way, and it’s time for the magic key combination. Slide in your RCM jig, hold “volume up” and “power” at the top of the Switch, and, if you did it right, uh, nothing will happen. The Tegra’s recovery mode on the Switch does not have any fancy graphics or even a text message confirming the mode is on—the Switch just looks like it is off. So a completely blank screen after pressing the power button is a good thing—that or the random bits of metal you jammed into your Switch killed it and you’ll have to go back to playing the Wii U. (As always, with great power comes great responsibility—proceed with projects like this at your own risk.)
If successful, now we have theoretically entered recovery mode, so we should probably talk about the exploit we’re going to do. Fusée Gelée is a USB-based exploit, so we’re going to plug the Switch into something and send it some magic exploit-packing software. The way these recovery modes are supposed to work is that they should only accept a signed software package from the system manufacturer, thereby allowing you to do something like re-flash the system software—but only approved system software from the vendor.
Nvidia’s recovery mode contains a copy operation that did not quite get coded correctly, though, and by sending it a bad “length” argument you can trigger a buffer overflow and gain control of the Tegra’s “Boot and Power Management Processor” (BPMP). The BPMP is a Tegra-specific design flourish: a tiny ARM7 “boot CPU” designed to get the system up and running. Because the BPMP is the very first step in the Tegra boot-up process, taking control of it means you’ve owned the system before any security lockout procedures start. From there, it’s possible to exfiltrate secrets and make the main CPU do whatever you want, and that code runs at the highest possible privilege level. Again, this is all from recovery mode and completely unpatchable via the consumer update system, so it’s pretty bad news for Nintendo’s security.
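As an added illustration (not code from the article, and not the Tegra firmware, whose real request format and memory layout are not on the page), here is a constructed model of the bug class described above: a copy routine that trusts a host-supplied length, beside the bounds check that rejects a request larger than the buffer it is meant to fill.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model: the host sends a payload plus a "length" field saying
 * how many bytes the device should copy into a fixed-size buffer. */
#define BUF_CAP 64

struct device_state {
    uint8_t  resp_buf[BUF_CAP];  /* buffer the copy is supposed to fill */
    uint32_t adjacent_state;     /* whatever happens to sit right after it */
};

/* Vulnerable pattern: the copy is bounded only by the host's length field.
 * The destination is the device's whole memory model so the demo stays
 * well-defined while still showing the spill into adjacent_state. */
size_t handle_request_unchecked(struct device_state *dev,
                                const uint8_t *payload, size_t length)
{
    if (length > sizeof *dev)          /* keep the demo inside the model */
        length = sizeof *dev;
    memcpy((uint8_t *)dev, payload, length);   /* never compared to BUF_CAP */
    return length;
}

/* Hardened pattern: the device, not the host, is the authority on capacity.
 * A request that does not fit is refused before a single byte is copied. */
int handle_request_checked(struct device_state *dev,
                           const uint8_t *payload, size_t length)
{
    if (dev == NULL || payload == NULL || length > BUF_CAP)
        return -1;                     /* reject: would spill past resp_buf */
    memcpy(dev->resp_buf, payload, length);
    return (int)length;
}

/* Feeds each handler a constructed 68-byte request for the 64-byte buffer
 * and reports adjacent_state afterwards: 0x12345678 means it was untouched. */
uint32_t adjacent_after(int use_checked)
{
    struct device_state dev;
    uint8_t payload[sizeof dev];
    memset(&dev, 0, sizeof dev);
    dev.adjacent_state = 0x12345678u;
    memset(payload, 0xAA, sizeof payload);
    if (use_checked)
        (void)handle_request_checked(&dev, payload, sizeof payload);
    else
        (void)handle_request_unchecked(&dev, payload, sizeof payload);
    return dev.adjacent_state;
}
```

The detection and mitigation lesson is the one the article implies: a length that arrives over the wire is untrusted input, and in an immutable boot ROM the check has to be right the first time.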
Once you have your MicroSD card flashed, pop it in the Nintendo Switch, slide in your RCM Jig, boot into RCM mode with the special key combo, plug in a USB cord and push the Hekate bootloader as your payload, and you’ll see an actual user interface. From here, hit “More Configs” and you should see an option to launch your build of Android.