Nintendo Switch: SciresM hints at a hack for the current hardware model “Mariko”

A few hours ago, Switch hacker SciresM, known among other things for the Atmosphere Custom Firmware, posted details on the boot encryption keys of the “Mariko” Nintendo Switch motherboards.

“Mariko” is the second (and current) retail version of the Nintendo Switch, which patches the hardware security vulnerability used for Nintendo Switch hacks. Long story short, if you own a “Mariko” version of the Nintendo Switch (and, if you bought it semi-recently, it’s practically guaranteed this is the case), your device cannot be hacked today, with the same tools that owners of a first-generation Switch can enjoy.

This could change soon, as it seems hackers have been able to access early stages of the console’s boot process, and might be able to port the existing selection of hacking tools to the console.


SHA256(Mariko Boot Encryption Key) = 491A836813E0733A0697B2FA27D0922D3D6325CE3C6BBEA982CF4691FAF6451A

SHA256(Mariko Key Encryption Key) = ACEA0798A729E8E0B3EF6D83CF7F345537E41ACCCCCAD8686D35E3F5454D5132

The hacker added details on how the Mariko boot process attempts to prevent injection of code, such as memory being initialized with a value that would be interpreted as an infinite loop if execution were diverted into it by an attack attempt.


Unironically loving this Mariko bootrom strat: all of IRAM is initialized to 0xEAFFFFFE (arm infinite loop instruction).

I think the idea is that if some arbitrary bit of iram is jumped to it infloops instead of NOP sliding to attacker code.

Super good shit imo
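To make the tweet's reasoning concrete, here is an added example (not SciresM's code and not part of Atmosphere or any Nintendo firmware) that decodes the 32-bit ARM encoding 0xEAFFFFFE and simulates what happens when execution lands in a memory region pre-filled with it, compared with a region filled with NOPs. The simulated memory image, its base address and the sentinel word standing in for "attacker code" are constructed for the demonstration and do not reflect the real Mariko memory map.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define SELF_LOOP 0xEAFFFFFEu   /* value from the tweet: ARM "b ." (branch to self) */
#define ARM_NOP   0xE1A00000u   /* "mov r0, r0", the classic ARM NOP used in a NOP sled */

#define WORDS 16                /* constructed size of the simulated region, in 32-bit words */
#define BASE  0x40000000u       /* constructed base address, not Mariko's real IRAM address */

/* Decode an unconditional (cond = AL) ARM B instruction. Returns true and stores the
   branch target when `insn` is such an instruction. The 24-bit immediate is sign-extended,
   shifted left by 2, and added to PC + 8 (the PC as read by an ARM instruction). */
bool decode_arm_branch(uint32_t pc, uint32_t insn, uint32_t *target)
{
    uint32_t cond = insn >> 28;
    uint32_t op   = (insn >> 25) & 0x7;  /* 0b101 = B/BL */
    uint32_t link = (insn >> 24) & 0x1;  /* 1 = BL, 0 = B */
    if (cond != 0xE || op != 0x5 || link != 0)
        return false;
    int32_t imm24 = (int32_t)(insn & 0x00FFFFFF);
    if (imm24 & 0x00800000)
        imm24 -= 0x01000000;              /* sign-extend the 24-bit field */
    *target = pc + 8 + ((uint32_t)imm24 << 2);
    return true;
}

/* Step a very small fetch model over `mem` starting at `entry` for at most `steps`
   instructions: a NOP advances by 4, a B jumps to its target, anything else stops.
   Returns the PC where execution stopped (or where it still was after `steps`). */
uint32_t simulate(const uint32_t *mem, size_t words, uint32_t base, uint32_t entry, unsigned steps)
{
    uint32_t pc = entry;
    for (unsigned i = 0; i < steps; i++) {
        if (pc < base || (pc & 3) || (pc - base) / 4 >= words)
            return pc;                      /* left the simulated region */
        uint32_t insn = mem[(pc - base) / 4];
        uint32_t target;
        if (decode_arm_branch(pc, insn, &target))
            pc = target;
        else if (insn == ARM_NOP)
            pc += 4;
        else
            return pc;                      /* reached a non-NOP, non-branch word */
    }
    return pc;
}

/* Fill the simulated region with `fill`, place a sentinel word at its end (standing in
   for code an attacker hopes a stray jump will slide into), start at `entry`, and report
   whether execution ever reaches the sentinel. */
bool stray_jump_reaches_sentinel(uint32_t fill, uint32_t entry)
{
    uint32_t mem[WORDS];
    for (size_t i = 0; i < WORDS; i++)
        mem[i] = fill;
    mem[WORDS - 1] = 0xE12FFF1Eu;           /* "bx lr": any non-NOP, non-B word works as a sentinel */
    uint32_t pc = simulate(mem, WORDS, BASE, entry, 64);
    return pc == BASE + 4 * (WORDS - 1);
}

int main(void)
{
    uint32_t target;
    if (decode_arm_branch(BASE, SELF_LOOP, &target))
        printf("0x%08X at 0x%08X branches to 0x%08X (%s)\n", SELF_LOOP, BASE, target,
               target == BASE ? "loops on itself" : "does not loop");

    printf("NOP-filled region: stray jump reaches sentinel? %s\n",
           stray_jump_reaches_sentinel(ARM_NOP, BASE + 8) ? "yes" : "no");
    printf("0xEAFFFFFE-filled region: stray jump reaches sentinel? %s\n",
           stray_jump_reaches_sentinel(SELF_LOOP, BASE + 8) ? "yes" : "no");
    return 0;
}
```

The decode shows why the value works at any word-aligned address: the immediate is -2 words, and -8 bytes plus the +8 pipeline offset lands exactly on the instruction itself, so the fill value never has to be tailored to where it sits. The NOP case is the failure mode the tweet contrasts it with: leftover or zero-initialized memory that happens to decode as something harmless lets execution slide forward until it hits whatever comes next.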

It is not known for certain at the moment how SciresM has accessed the boot process of the Mariko units, whether through a hardware or a software vulnerability*. In any case, the race might be on between the open source community and for-profit Team-Xecuter, who have already started taking preorders for a dongle that allegedly hacks the latest Mariko units and Switch Lite consoles.

Stay tuned.

Source: SciresM on Twitter

* update: some of his previous tweets imply that he might have leveraged Team-Xecuter’s upcoming dongle to look into the console’s firmware.