The Switch hacking scene has produced a lot of useful tools and documentation, but they can be fairly hard to find because they are posted left and right without a central repository listing them all. But no more! This awesome list will attempt to be a complete list of all the useful things the Switch hacking community has created.
If you see something missing, feel free to leave a comment here so I can add it in.
Resources
Documentation
- SwitchBrew Wiki - A wiki with a lot of information, from SVC docs to file format descriptions.
- SwIPC - (Almost) complete documentation for the Switch’s IPC services.
- SwIPC diff - Switch IPC changes for major versions between 1.0.0 and 7.0.0
Video
- 34C3 - Console Security - Switch - An introduction to the software stack that powers the Switch, with a heavy look at its security systems and how they were compromised.
Writeups
- Jamais Vu - A warmboot code execution exploit.
- Nintendo Switch RSA-PKCS#1 Public Key Recovery - A short writeup of a fun (but ultimately pretty useless) attack resulting in the recovery of some otherwise unobtainable RSA public keys.
- The eShop and CDN explained: Switch Edition - Everything you need to know about the eShop is explained in this writeup!
- Anti-piracy measures on the Nintendo Switch - A followup to the above writeup explaining the measures Nintendo uses to prevent piracy.
- Fusee-Gelee - A coldboot vulnerability that allows full, unauthenticated arbitrary code execution from an early bootROM context via RCM mode on Tegra embedded processors.
- transfermeme - Nintendo Switch nvservices Info Leak.
- The Switch - A Memoir - Full writeup of the nvhax chain.
- Kernel Writeup - A write-up of how @SciresM initially achieved kernel code execution on the Nintendo Switch.
Tutorials
- Reverse Engineering Sysmodules - A quick start guide for the specifics on reverse engineering a sysmodule on the Nintendo Switch.
- Switch SD Dumping 101 - How to dump digital games from your SD card.
- Dump Gamecard Guide - How to dump physical games.
- How to install/run ANY Switch firmware (without burning fuses)
Toolchains
- libtransistor - A C/C++ toolchain based on clang.
- libnx - A C/C++ toolchain based on devkitPro/gcc.
- Megaton-Hammer - A Rust toolchain
- Hydrosphère - A work in progress C++ toolchain targeting the Nintendo Switch userland, with 32-bit and 64-bit support.
Language Support
- PyNX - A Python port, based on libnx.
- LovePotion - A Lua port, based on libnx.
- Brew.js - A JavaScript port, based on libnx.
Emulators
- Ryujinx - An innovative emulator written in C# (using .NET Core; supports Windows/Mac/Linux).
- Yuzu - An emulator written in C++
- Mephisto - A simple emulator written to assist debugging and reverse engineering.
Tools
- hactoolnet/LibHac - An alternative to hactool that supports more formats, and a C# library for reading file formats used by the Nintendo Switch OS.
- hactool - A tool to view information about, decrypt, and extract common file formats.
- nx2elf - Converts Switch binaries to ELFs for easy loading in IDA.
- HacDiskMount - Opens Switch eMMC RawNand dumps and mounts them as a drive letter in Windows.
- ninfs - FUSE scripts for Nintendo Switch files, similar to HacDiskMount but cross-platform.
- SwIPC - IPC code and documentation generator. Auto-generated from swipc-gen.
- ilia - An IPC logger for the Switch, so you can spy on all the IPC calls.
- switch_cert.py - Converts Nintendo’s raw client certificate into an OpenSSL certificate.
- hthh’s switch-reversing - Various Switch reversing scripts.
Homebrew Launchers
CFW/Reimplementations
- Atmosphere - A WIP customized firmware for the Switch.
- Hekate - CTCaer’s mod - A complete NX bootloader reimplementation. Functionally equivalent to Atmosphere’s Fusee.
- oss-rtld - A complete reimplementation of RTLD.
Reverse Engineering Corner
Loaders
- Loaders - IDA Loaders for NRO/NSO/KIP1
- Ghidra Switch Loaders - A loader for Ghidra supporting a variety of Nintendo Switch file formats.
- Kernel Loader 5.x - IDA Loader for Kernels 5.x
- Kernel Loader 8.x - IDA Loader for Kernels 8.x
- NX-010Editor - 010 Editor templates for various Switch formats.
IDCs
- Loader 1.0.0 IDC - An IDC for the Loader sysmodule on 1.0.0
- tz_5x.idc - An IDC for the Secure Monitor on 5.0.0
- tz_6x.idc - An IDC for the Secure Monitor on 6.0.0
- tz_620.idc - An IDC for the Secure Monitor on 6.2.0
- tz_700.idc - An IDC for the Secure Monitor on 7.0.0
- tz_800.idc - An IDC for the Secure Monitor on 8.0.0
- tz_20160928.idc - An IDC for the Secure Monitor on 1.0.0-7 (pre-release 1.0.0).
- psc-9.0.0.idc - An IDC for PSC on 9.0.0
- package1_4.0.0.idc - An IDC for the pk1ldr on 4.0.0
- bootrom.idc - An IDC for the Tegra X1 BootROM
- Kernel_1.0.0.idc - An IDC for the Kernel 1.0.0.
Useful Plugins
- FRIEND - An IDA Plugin that (among other things) names system registers.
- hnight7 - An IDA plugin that fixes system register names in the Hex-Rays view.
- Diaphora - A free and open source diffing tool. Use this to match functions with their named equivalents from an SDK binary.
- idb2pat - Similar to Diaphora, idb2pat.py generates IDA Pro FLAIR patterns from existing IDB files, which help IDA Pro recognize common functions in compiled programs and automatically rename them for the reverse engineer.