Retard-proof Switch Hacking Guide (2019-08-25)

Last updated 3rd Sep 2019

[Changelog]
- 3rd Sep 2019
  * Updated instructions for installing Incognito, somebody reported that you need to launch fusee primary instead of Hekate CFW preset.
- 25th Aug 2019
  * Added the section [Adding a Nintendo linked user account]
- 4th Aug 2019
  * Cleanup and clarification of some sections, especially the intro according to feedback received.
- 3rd Aug 2019
  * Initial release.

For non-retards: Use your own judgment when reading and applying any guide. If you have doubts about the validity
of this (or any other) guide, cross check it with other guides on the internet and figure shit out for yourself.

[Intro and general information]
- This guide is only for Switches with vulnerable hardware. Software exploits exist but are not covered here.
  * The hardware exploit is called fusée gelée, referred to as fusée in this guide.
    ~ See https://www.ktemkin.com/faq-fusee-gelee/ for a FAQ by the researcher who discovered it.
  * Fusée is a tethered, non-persistent exploit that can't be fixed without physical access to the device.
    ~ "Tethered, non-persistent" means that the custom bootloader is lost (non-persistent) when the device is completely
    turned off, requiring you to inject it again using a payload sender (tethered).
    ~ No coldboot solutions currently exist, but you can use AutoRCM to prevent the Switch from booting up without
    injecting a custom bootloader.
  * First patched Switches appeared around July 2018.
  * Check your serial at https://ismyswitchpatched.com/.
  * If your serial reports definitely patched, DO NOT use this guide and DO NOT update your firmware.
    ~ See https://switch.homebrew.guide/gettingstarted/choosinganexploit for software exploits.
  * If your serial reports unpatched or potentially unpatched, you may proceed to see if you can inject payloads.
  * Original thread for serial number ranges: https://gbatemp.net/threads/481215/
- Firmware version does not matter if your Switch is fusée vulnerable. You can always smash
the stack in RCM and completely take over the system.
  * There's one gotcha here if you ever plan on booting without a custom bootloader (i.e. not through RCM).
    Nintendo prevents downgrading the firmware by burning microscopic (non-replaceable) fuses inside the CPU
    (nearly) every time the firmware is updated. The number of fuses burnt determines the minimum version of the
    FW that Nintendo's bootloader will boot into, for example it expects 5 fuses to be burnt when you boot into
    4.1. If less fuses are burnt at this point, it will burn as many as it needs to until 5 are burnt. If more than
    5 fuses are burnt, it'll refuse to boot at all.
  * Knowing this, you may unknowingly render your NAND backup unusable by doing the following:
    ~ Make NAND backup of FW version 4.1, with 5 fuses burnt.
    ~ Update FW to 8.1.0 using ChoiDujourNX, which prevents burning fuses. Still 5 fuses burnt.
    ~ Disable AutoRCM and allow Nintendo's bootloader to load. At this point it will burn all of the fuses
    required by version 8.1.0.
    ~ Restore NAND backup of 4.1, thinking you can bring your Switch back to stock.
    ~ To your surprise, the device refuses to boot up.
  * Basically what this means is, if you care about ever returning your Switch back to its original state,
  you should keep AutoRCM enabled to avoid making this mistake.
  * Booting to stock using a custom bootloader such as Hekate will not burn your fuses.

[Physical stuff you will need]
- An unpatched Switch. See the intro for checking your Switch. To be safe, charge it to 100% before proceeding.
- Payload sender. Most likely you want this to be your computer, Windows/Linux/Mac/Android/iPhone (jailbroken) supported.
You can also get a dedicated payload sending dongle if that's up your alley.
- Micro SD(XC) card, minimum 64GB to properly back up your NAND.
  * Needs to be formatted either as FAT32 or exFAT. FAT32 is recommended.
    ~ FAT32 is the stabler option, but will not allow you to put files larger than ~4GB on the card.
    This usually isn't a problem unless you're storing media such as movies, as you can install
    large games using an USB connection.
    ~ exFAT allows for large files and may be very slightly faster (non-factor mostly), but is
    prone to corruption and can result in files getting lost. The Switch doesn't have exFAT drivers
    by default either, so unless you've updated your firmware to support it using either a game
    cartridge that contains the drivers or a system update, you will NOT be able to use an exFAT
    card until you do. So at the very least you will want to stick to FAT32 until you get your
    exFAT drivers sorted out.
- Micro SD card reader. Required for formatting and partitioning your SD card. If your phone is
rooted, you can use that, otherwise get a cheap USB reader.
- USB-C cable for connecting your payload sender to your Switch. For a computer, get an USB-A
to USB-C cable or an adapter.
- A way to get your Switch into RCM mode. This is done by holding down Home + Vol Up while tapping
the power button. But here's the catch, the Home button is NOT the one on your joy-con, but
on the tablet itself. You can "hold it down" by grounding pin number 10 on the right joy-con rail.
Ground can be found in pins 1 and 9 or, for example, the fan grill on top of the device.
  * There are a multitude of ways of getting your Switch into RCM mode. The easiest and safest way
  is to use a 3D printed "jig" you can insert into the joy-con rail.
    ~ One recommendation I've seen is https://switchjigs.com/
    ~ A dead easy alternative for a jig is to use a piece of tinfoil to bridge pins 9 and 10.
    Good demonstration, also introduces other methods: https://www.youtube.com/watch?v=3-UeB_enPrM&t=30s
    ~ For more methods, check https://gbatemp.net/threads/the-ultimate-list-of-mods-to-enter-rcm.502145/

[Glossary]
- OFW: Official firmware, i.e. Nintendo supported.
- CFW: Custom firmware, required for homebrewing.
- NAND: Internal flash memory (i.e. file storage). Also also referred to as "sysNAND" to disambiguate with emuNAND.
  * Used interchangeably with eMMC. eMMC consists of the flash memory and its controller.
- emuNAND: Emulated version of your sysNAND, running off of the SD card. Using this will leave your sysNAND
untouched.
  * Mostly useful for quickly switching between CFW and OFW without having to restore backups.
    ~ Of course you can fuck around with your sysNAND and boot to stock without restoring the NAND backup,
    but this will most likely get you banned.
  * It's your choice if you want to use emuNAND. Be warned that using a shitty SD card will slow down your
  system. If you're not interested in playing games online (for which you want clean sysNAND), you can skip it.
- emuMMC: Name of the implementation currently used for emulating NAND.

[Software used]
- This is an overview of the most important software you'll be using.
- You don't need to download most of these separately. See the next section for download instructions.
- Kosmos: Compilation of almost everything needed to get your custom firmware up and running, and some extras.
Made by team AtlasNX, who also host a homebrew guide at https://switch.homebrew.guide/.
  * Source: https://github.com/AtlasNX/Kosmos
  * Version used in guide: v13.0.1
- Non-exhaustive list of essential homebrew components and tools:
  * Hekate: Open source custom bootloader. A bootloader instructs the hardware of your device on where to
  find the files necessary for bringing the system up, and also works as a security checkpoint.
  For example, if the bootloader detects that the firmware isn't properly signed, it can refuse
  to boot up the system. Required to boot into custom firmware.
    ~ Source: https://github.com/Joonie86/hekate
    ~ Version used in guide: v5.0.1pre6
  * TegraRcmGUI: Simple graphical user interface for TegraRcmSmash, which is a re-implementation of
  the original fusée launcher. Used to send payloads to your Switch in RCM mode.
    ~ Windows only, for other platforms there are alternatives in the "Software downloads" section.
    ~ Source: https://github.com/eliboa/TegraRcmGUI
    ~ Version used in guide: v2.6
  * Lockpick_RCM : Payload for dumping the encryption keys of your device. You will want to back these up.
    ~ Source: https://github.com/shchmue/Lockpick_RCM
    ~ Version used in guide: v1.3
  * Atmosphère: Open source custom firmware. Firmware works on the lowest levels of your device,
  bridging the gap between hardware and software. Required for running custom software.
    ~ Source: https://github.com/Atmosphere-NX/Atmosphere
    ~ Version used in guide: v0.9.2
  * Homebrew Loader: Facilitates launching custom NROs. NROs are Nintendo's version of executable files.
    ~ Source: https://github.com/switchbrew/nx-hbloader
  * Homebrew Menu: Frontend for launching custom NROs. Provides a nice interface for Homebrew Loader.
    ~ Source: https://github.com/switchbrew/nx-hbmenu
- Essential tools for piracy:
  * Goldleaf: Multipurpose tool for homebrewing. Includes utilities such as a file manager (both for your
  SD card and your internal memory) and a manager for listing, installing, removing and exporting
  content (i.e. games). You will be using this to install your NSPs (Nintendo Submission Package, an
  archival format containing full game data). This is basically equivalent to downloading a game from the eShop
  and installing it to your system. NSPs can be installed either to system memory or an SD card.
    ~ NSPs can be installed from your SD card, but unless your SD card is in exFAT format, you will be unable
    to install anything larger than ~4GB using this method. The preferred method is to use GoldTree.
    ~ Source: https://github.com/XorTroll/Goldleaf
    ~ Version used in guide: v0.5 or v0.6
  * GoldTree: Windows companion executable for Goldleaf. Needs to be running on your computer for Goldleaf's
  PC browser to work. Using the PC browser you can install NSPs directly from your computer via USB.
    ~ PC browser is new in v0.6, v0.5 uses USB installations which are the same thing but the usage is a bit different.
    ~ Source: https://github.com/XorTroll/Goldleaf

[Software downloads]
1. Easy compilation: https://www.sdsetup.com/console?switch
  * You should go through everything available here to get an overview of what you can get.
  * For a piracy homebrew setup, use this: https://www.sdsetup.com/console?switch#atmosphere;atmos_musthave;atmos_bootlogo;kosmos_toolkit;kosmos_updater;atmos_sys-clk;appstorenx;hbmenu;goldleaf;hekate;lockpick_rcm;tegrarcmgui;goldtree;atmos_sigpatch;
    ~ Includes everything needed to run custom firmware and install NSPs.
    ~ Does not include any emulators.
  * You can also just click "Kosmos Defaults" at the top of the page to get some additional shit you probably won't use.
    ~ Also check "TegraRcmGUI" if on Windows and without a payload injector.
    ~ Also check "GoldTree" for USB installations.
2. Payload sender if not using Windows:
  * Android phone: https://github.com/DavidBuchanan314/NXLoader/releases
  * Mac OS/iPhone (Jailbroken): https://mologie.github.io/nxboot/
  * Linux PC: https://github.com/Cease-and-DeSwitch/fusee-launcher
3. (Optional) HacDiskMount: https://switchtools.sshnuke.net
  * Used for verifying your NAND backup. Recommended.

[Downloads for firmware update]
- Skip these if not updating firmware.
1. OFW files: https://darthsternie.net/switch-firmwares/
  * There's no real downside to updating a patched Switch's firmware as long as you don't boot without RCM.
  * Current official firmware is version 8.1.0 and is supported. Once a newer firmware has been released,
  make sure all of the homebrew tools are updated to support it before updating to it.
2. ChoiDujourNX: https://switchtools.sshnuke.net
  * Used for updating your OFW without burning fuses.

[Setting up]
- If you're not sure that your Switch supports the RCM exploit, you can skip this for now and come back once you've verified it.
1. Insert your SD card into your reader.
2. Decide whether or not you want to use emuNAND.
  * If not, simply format the card to FAT32 (unless you have exFAT drivers and want to use it).
    ~ Windows usually won't allow you to do this, you will need dedicated software for it. Check the FAQ.
  * If yes, partition your SD card into two FAT32 partitions.
    ~ This is outside the scope of this guide. See e.g. https://nh-server.github.io/switch-guide/user_guide/emummc/partitioning_sd/
  * Note that if you decide to use emuNAND, then every time you launch CFW from Hekate, you should select "CFW (emuNAND)".
3. Extract the homebrew compilation you downloaded. It should contain three folders:
  - payloads: Injectable using your payload sender.
  - pc: Any additional PC tools you selected (e.g. TegraRcmGUI, GoldTree).
  - android: Any Android tools you selected.
  - sd: Everything you need to put on your SD card, includes CWF and homebrew programs.
4. Move the *contents* of the sd folder to your SD card's root.

[Setup firmware update]
- Skip these if not updating firmware.
1. Extract ChoiDujourNX.nro into the switch folder on the SD card.
2. Extract the firmware files you downloaded, create a folder on the SD card and copy them there.

[First time RCM]
1. Setup the payload sending program. For Windows:
  - Launch TegraRcmGUI.exe from the pc folder you extracted.
  - Go to "Settings" tab, click "Install driver" to install APX drivers required for the USB connection to work.
2. Delete your Switch's Wi-Fi settings and power it off completely. Insert your SD card.
3. Remove right joy-con and insert jig into the rail (or use another method).
4. Hold down the Volume Up button and *tap* the power button.
  - If nothing happens (screen stays black), you've successfully booted into RCM mode. You can remove your jig.
  - If your Switch starts up normally, turn it off and try again. This means pin 10 wasn't properly grounded.
5. Plug in Switch using USB-C cable.
  - TegraRcmGUI should indicate that an RCM device is detected.
6. If you aren't sure that your Switch is vulnerable, try to inject this test payload: https://drive.google.com/open?id=1Bzku9r9GJ4F_3BoCBa-9QsPUav2-_2V4
  - It will print some text on your Switch. If not, it's NOT vulnerable and you don't want to continue using this guide.
  - This will shutdown the device, requiring you to repeat steps 3 and 4 to get back into RCM.
7. Make a NAND backup and enable AutoRCM.
  - Inject "hekate.bin" (actual filename may differ) from the payloads folder.
  - Select "Tools" at the top of the screen.
  - Select "Backup eMMC".
  - Select "eMMC BOOT0 & BOOT1", then wait about half a minute until it says "Finished and verified!"
  - Close the screen, then select "eMMC RAW GPP". This will be nearly 30GB so it'll take a while.
  - Once finished, go back to the "Tools" menu and on the bottom select "Archive bit • AutoRCM".
  - Turn on AutoRCM. This allows you to enter RCM without having to use a jig and is highly recommended
  to avoid accidentally booting into OFW with a dirty sysNAND. Reversing AutoRCM is as simple as tapping
  the button again, so there's no risk.
  - Go back to the "Home" tab and select "Reboot > RCM" to get back to RCM mode.
  - Eject SD card and insert it into PC.
  - Copy the backup folder from the SD card to your PC. Name it "clean-backup-<firmware.version>"
  or something similar so you'll know what your original firmware was.
  - Delete the backup folder on the SD card.
  - Insert SD card back into your Switch.
8. (Optional) Verify your backup.
  - Open HacDiskMount -> File -> Open -> find your backup folder -> rawnand.bin.
  - If it loads without errors it should be good.
9. Inject "Lockpick_RCM.bin" from the payloads folder.
  - This backs up all of your encryption keys, including BIS keys which are useful in case your NAND backup gets
  lost or corrupted, as they can be used to reinstall any firmware version manually.
  - Press the power button to shutdown your Switch.
  - Eject SD card and insert it into PC.
  - Copy the /switch/prod.keys file to the same location where you copied your backup folder. Keep these together.
10. (Optional) Make backups of your backups in an external drive, a cloud service, where ever.
  - The NAND backup is your ticket to restoring your Switch to its original state before any homebrewing.
11. Insert SD card in Switch and inject Hekate again.
12. If you want to use emuNAND, set it up now. This is outside the scope of this guide, so google around.
13. Select Launch -> CFW (sysNAND or emuNAND) in Hekate to boot into Horizon OS.
14. Test the CFW: open up the Homebrew Menu by holding R while opening the Album.

[Updating firmware]
- Skip this if you're not updating your firmware.
1. Open Homebrew Menu (hold R while opening the Album).
2. Select ChoiDujourNX.
3. Navigate to the directory where you placed the firmware files and tap the "Choose" button.
4. Choose the exFAT option, once it's done tap the Reboot button and wait for it to reboot.
  - exFAT simply includes the exFAT drivers. It's never a bad idea to install these even if you're using FAT32 right now.
5. Your console should be in RCM mode now, you can inject Hekate again and select Launch -> CFW.

Note: DO NOT disable AutoRCM if you update. Booting into OFW will burn your fuses, rendering you unable
to restore your NAND backup if it was on a previous firmware version.

[Additional ban protection]
- This clears the identity of your console, including its serial number.
- The theory goes that Nintendo can't ban your Switch when they can't get your S/N.
1. Get into RCM, insert SD card into PC.
2. Download Incognito: https://github.com/blawar/incognito/releases
3. Put the NRO into the switch folder on the SD card.
4. Download ams-mitm: https://gbatemp.net/threads/a-custom-sysmodule-for-atmosphere-that-allows-writing-to-prodinfo.541609/
  - Atmosphere 0.92 blocks attempts to read/write prodinfo for security reasons, requiring you to temporarily
  bypass this security feature by using a sysmodule.
5. Extract "ams_mitm_8.1.0.zip" to your PC.
6. Move the file "ams_mitm.kip" into the "atmosphere/kips" folder. If the folder "kips" doesn't exist, create it.
7. Create a new folder in "atmosphere" called "flags".
8. Create an empty file called "hbl_cal_read.flag" in this folder and plug your SD card back into your Switch.
9. Inject Hekate, go into "Paylods" and select "fusee_primary.bin".
10. Open Homebrew menu (hold R while opening Album).
11. Select Incognito, press A to install it.
12. Turn off device, insert SD card into PC, copy prodinfo.bin to the same place where you keep your NAND backup.
13. On the SD card, delete everything you created in steps 6-8, delete incognito.nro, delete prodinfo.bin.
14. You can check that it worked by going to System Settings -> System -> Serial Numbers, your console S/N should be empty.

[USB installing NSPs]
- You can install NSP files in any order (e.g. update before game itself).
1. Download the NSPs you want (for sources, see other pastebins).
2. Plug in Switch to PC using USB-C cable.
3. Install USB drivers (libusbK):
  - This just needs to be done once.
  - Download Zadig from https://zadig.akeo.ie/
  - Launch it, select Nintendo Switch from the dropdown menu.
  - Select libusbK as the driver, click install, wait for it to finish.
4. Figure out your Goldleaf version by launching it in Homebrew Menu.
5. For Goldleaf v0.5, do this:
  - Change your Switch's sleep settings so it doesn't interfere with installations, as they can take a while.
  - Open Homebrew Menu -> Goldleaf on the Switch.
  - Select USB installation.
  - Launch GoldTree on the PC (if you downloaded the compilation, it will be in the pc folder).
  - In the open file popup, select your NSP.
  - Follow the installation instructions on the Switch, do NOT press anything while installing.
6. For Goldleaf v0.6, do this:
  - v0.6 automatically keeps your device awake during installations, no need to modify settings.
  - Launch GoldTree on the PC (in the pc folder you extracted earlier).
  - Open Homebrew Menu -> Goldleaf on the Switch.
  - Select "Explore content -> Remote PC (via USB)".
  - Open folders with A, go back with B, Y for context sensitive options.
  - Find the NSP you want to install, press A, select "Install", follow instructions, do NOT press anything while installing.
  - If you want to install all NSPs in a folder, select the folder, press Y, select "Extra options -> Install all NSPs".
    ~ The installation prompt will still be shown for each NSP.

[Using internet while blocking Nintendo servers]
- You can use a custom DNS for this: https://gbatemp.net/threads/516234/
  * Please note that there's inherent trust required for the person/people hosting the DNS servers,
  as they can not only monitor what URLs you're requesting but also redirect you maliciously.
  To safely use this solution, verify the source code and host the server yourself. Otherwise
  you'll just have to trust some random dudes on the internet.

[Adding a Nintendo linked user account]
- This section is Windows specific and assumes you're using TegraRcmSmash.
- Some games these days require a Nintendo account linked to your user. You also won't be able to
view your play activity in your profile unless the user is linked.
- You do not have to be/go online to play these games, a linked account is enough.
- It's best to set this up as soon as you've hacked your Switch as it will override your current
user account, meaning you'll lose your save games and you'll have to backup/restore them
manually to the new account.
- You'll need the prod.keys files you dumped earlier using Lockpick_RCM. If you didn't do it then,
you'll have to do it now.
- This assumes you have AutoRCM enabled as it requires you to inject payloads twice. If you don't,
enter RCM manually each time.
- If you've already played on your user, make backups of every save game you care about using
Checkpoint: https://github.com/FlagBrew/Checkpoint/releases
1. Boot your Switch to RCM mode, remove SD card, don't inject anything.
2. Download a linked account from here: https://switch.customfw.xyz/files/8000000000000010
  * For ease of use, download it to the folder with your prod.keys files.
3. Download the latest version of hactoolnet from here: https://github.com/Thealexbarney/LibHac/releases/
  * For ease of use, download it to the folder with your prod.keys files.
4. Download memloader from here: https://switchtools.sshnuke.net/
5. If you didn't already, download HacDiskMount from here: https://switchtools.sshnuke.net/
6. Use hactoolnet to sign the account file using your keys:
  * Open command prompt/PowerShell in the folder where hactoolnet is located in.
    ~ You can easily open PowerShell in Explorer by shift-right clicking the folder background
    and selecting "Open PowerShell window here".
  * Run the following command: .\hactoolnet.exe -k .\prod.keys -t save .\8000000000000010 --sign
    ~ Adjust paths if your prod.keys and save file are in a different folder.
  * You'll see a few "Failed to match key" lines and information about the save file if
  it succeeded. Check the modification timestamp on the file 8000000000000010 to verify it was changed.
7. Unzip memloader.zip, copy the contents of the sample folder to the *root* if your SD card.
8. Insert SD card back into your Switch, open TegraRcmSmash, select memloader.bin as the payload and inject it.
9. Navigate using vol+ and vol- on your Switch, select "ums_emmc.ini", confirm using power button.
The screen will go blank.
10. Connect your Switch to your PC.
11. Run HacDiskMount.exe with administrator privileges (right click, run as administrator).
12. Choose "File > Open Physical", select "UMS Linux Disk 0 (29.121GiB)"
13. From the list of partitions that opened, double click on SYSTEM.
14. Open your prod.keys file and look for the line beginning with "bis_key_02".
15. Take the first 32 characters of the hash after the equals sign and insert it in the "Crypto" input
of HacDiskMount. Take the remaining 32 characters and insert them in the "Tweak" input.
16. Click the "Test" button, you'll get a green "OK!" if you did it correctly.
17. In the section labeled "Virtual drive", check if it says "Driver not installed", in which case click "Install".
18. Once the section says "Driver installed, service is running", select an unused drive letter and check the
box "Passthrough zeroes", then click "Mount".
19. Press Win+E to open explorer, you should see the drive letter you selected. Open it.
20. Go to the "save" folder, find the file named 8000000000000010 and take a backup of it.
21. Overwrite the 8000000000000010 file in the "save" folder with the file we signed earlier.
22. Click "Unmount" in HacDiskMount to unmount the drive.
23. Hold the power button for a while to turn off the console, tap it to get into RCM mode.
24. Inject Hekate and boot into CFW, go to your profile to verify that it's linked.
25. Restore savegame backups using Checkpoint if you have them.

[General Use]
- It's recommended to keep your switch in sleep mode instead of powering it off. Every time you power
off you have to inject Hekate using a payload sender to boot back into CFW.
- To get back into Hekate from Horizon without having to inject the payload again, open
Homebrew Menu -> Kosmos Toolbox and select "Reboot to Hekate" -> "Reboot now!".

[FAQ]
Q: Will I get banned if I follow this guide?
A: Not necessarily, but going online with CFW/NSPs will likely flag your switch for a ban.
If you want to go online and not be banned, restore the NAND backup you made at the start of this
guide to wipe all traces of CFW and NSPs. If you're using emuNAND and are sure you haven't touched
sysNAND, you won't need to restore backups when using OFW.

Q: Isn't AutoRCM dangerous? What if my battery is completely dead?
A: No. AutoRCM is easily reversible. If your battery is completely dead, you'll need to charge it
for several hours due to RCM having a slow charge speed. You just need enough of a charge to boot into Hekate.

Q: NSP files aren't installing or throwing me errors! What do?
A: First check if you have enough space on your SD. If you do, try renaming the filename of the NSP to something shorter
and without characters such as "é". If you've just updated your firmware, make sure you have the correct
sigpatches.

Q: I keep getting prompts to update my joycons, is this safe?
A: Yes, it's safe.

Q: I can't format my SD card to FAT32, what do I do?
A: Use this program: http://www.ridgecrop.demon.co.uk/index.htm?guiformat.htm