It’s been revealed that the piracy-enabling firmware recently launched for Nintendo Switch contains ‘brick code’ that can render the device inoperable, designed to stop it from being copied – a somewhat ironic state of affairs. Security researcher Mike Heskin took to Twitter to reveal the findings of his analysis of Team Xecutor’s ‘SX OS’ custom firmware. It’s a software patch for the Switch’s operating system, released in tandem with a hardware dongle that opens the door to running unsigned code – ie homebrew – but also enables copied games to run.
So why wilfully introduce code into the firmware that can render the device useless? As Heskin points out, this is actually nothing new – a 3DS hack did exactly the same thing. Hardware-based hacks can be easily cloned (indeed, ‘open source’ piracy-free Switch hacks based on the same exploit are already available) and Team Xecutor’s proprietary work comes in the way it has adjusted Switch’s OS to allow copied software to run. Heskin says that he actually bricked his own console – deliberately – during his research, presumably to see what Team Xecutor’s countermeasures actually do.
The bricking code is designed to halt users – or more likely, Xecutor’s rivals – looking to reverse-engineer and copy the piracy-enabling portions of the firmware. In normal usage, it should sit in the background and not do anything, though Heskin reckons there’s a very small chance that users of the firmware could accidentally trigger the code. In this scenario, Switch’s 32GB of NAND memory is locked based on a dynamically generated password created by the brick code, making the console useless. Only by reflashing the NAND externally can the console be restored – hardly an easy task.
PSA: SX OS contains brick code. How do I know this? Take a guess… :/
Anyway, the concept is the same that was used by Gateway for the 3DS: your eMMC will be locked with a specific password. Sadly, in my case, the password was generated from random garbage on the stack. 🙁
— Mike Heskin (@hexkyz) June 24, 2018
The launch of Team Xecutor’s custom firmware has been met with some controversy, with users pointing out that the piracy functions don’t work on all titles. Meanwhile, other reverse-engineering work has revealed that every physical and digital release for Switch has a unique serial number, meaning that copied versions with the same ID will be easily detectable by Nintendo if you take a hacked console online with a pirate game.
However, in the here and now, Team Xecutor itself says that the firmware is safe and that it has not had one single report of its code causing issues. The drama continues to unfold, however, with Mike Heskin suggesting that TX is using open source code from other Switch exploits (which do not support piracy) in its monetised product. It’s a scenario that usually motivates other hackers to reverse-engineer the paid-for software and to give it away for free.
The current Switch exploit is based on a hardware-based vulnerability that Nintendo cannot patch without releasing a new version of the console, meaning that the battle to keep piracy off the system and to ensure that online gaming remains secure will be waged in the software space. Nintendo has already issued bans to hackers experimenting with compromised consoles, but a firmware update to patch up its OS hasn’t happened – yet.