Nintendo Switch Jailbreak: The Nintendo Switch is an all-in-one video game console developed specifically for gaming, be it in the comfort of your house or on the move. It was released on March 3, 2017, by Nintendo.
Capable of being used as both a stationary and a portable device, the Nintendo Switch won the hearts of almost every customer who held it.
The console basically comes in three parts. In the simplest terms, one is the screen, which is the main part, and the other two are the Joy-Con controllers attached to the sides of the screen.
These controllers can be removed and attached to each other, or used individually.
How To Jailbreak The Device
This was about the Nintendo Switch as a hardware device. If you are reading this blog, you must already own one and are looking for a way to jailbreak your device. Sure, it is not easy, and there are many risks involved.
However, before we move into the ways of jailbreaking the device, let’s understand what exactly jailbreaking is and how it is beneficial.
In the simplest of terms, jailbreaking refers to tampering with or modifying the software of your device (be it an iPhone, PS4, Nintendo Switch or a multitude of others) in order to remove some default restrictions that are imposed by the manufacturer or operator and, in turn, open your device to its full potential.
Devices are mostly jailbroken in order to download unauthorized software, to run full operating systems on the Switch, or to play hacked games for free.
There is a huge debate about the legality of this process, which is also referred to as rooting on Android devices. If done through legally acquired apps, the process is legal; otherwise it’s not.
Nintendo has tried, through its updates and more, to keep the device unbreakable but has failed miserably at doing so. After almost every update, the Nintendo Switch was hacked by someone, and SHA256 hashes of the keys were shared all over the internet via Twitter within just a few hours of the update.
This was the tweet following the update:
Motezazer@elmirorac
7.0.0 cracked
Here are some SHA256 hashes in celebration 🙂
PK11:
434FA7D07A8D4FDFD8630AC40FF9BC697E0DE40E0041E225F154BEB9571044E9
Masterkey:
4EC96B8CB01B8DCE382149443430B2B6EBCB2983348AFA04A25E53609DABEDF6
That is the power of the internet and the Nintendo community.
Let us now start with the process of jailbreaking your device. If you are a complete noob to this sort of process, you might want to stick around and read all the terminology that we are going to be using. Trust me, it’s a lot to take in, so buckle up.
Let’s get started
This section of the guide will teach you basic information about the terminology used, what you will be able to do after following this guide, and provide some warnings before you proceed.
What is Homebrew?
Homebrew is the term we use to describe any software that is not authorized by the developers of the Nintendo Switch. It contains everything from games, emulators, tools, custom firmware and much more.
What is a Custom Firmware (CFW)?
Custom Firmware, or CFW for short, gives homebrew fuller access to the system than the standard homebrew available on most devices has.
Currently, all Nintendo Switches sold before July 2018 can run custom firmware. Switches sold after this point may only be exploitable if they are on firmware 4.1.0. This guide will include checking if your system is vulnerable.
It is imperative that you understand that all of this requires your Nintendo Switch to be previously untampered.
What is Fusee-Gelee?
The primary exploit is fusee-gelee (sometimes also referred to as ShofEL2 or CVE-2018-6242; these are all the same exploit), which takes advantage of an oversight in the Nintendo Switch built-in recovery mode (DFU).
Fusee-gelee is a tethered, non-persistent exploit, meaning you require a secondary device (such as a PC or Android phone) to enable CFW on every reboot. This is unlike the untethered cold boot exploits available on other systems such as Boot9strap for 3DS and Henkaku Enso for Vita.
If you want to read more about this jailbreak, you can refer to this paper.
The fusee-gelee exploit allows for a full system takeover; the exploit runs before even the normal bootloader code, meaning anything about the normal Switch operating system (named Horizon, or HOS) can be changed. The exploit also allows the dumping of the bootloader and any console unique information.
What is Deja-vu?
This exploit chain takes advantage of an error found in the Nintendo Switch warm boot firmware. Warm boot firmware is the code that handles putting your Switch to sleep and waking it up again.
This surprising oversight allows the system to be rebooted into a complete takeover. However, do note that Déjà vu is a browser-based, software-only exploit, and hence every time you reboot the system into stock firmware, you must launch the exploit through the browser again.
Deja-vu currently only has implementations available for firmware 1.0.0 – 3.0.0 and 4.0.1 – 4.1.0; however, the exploit theoretically works up to firmware 7.0.1 (the exploit was patched in firmware 8.0.0), and support for these higher firmware versions should be added in the future.
The current Deja-vu implementations are Nereba for firmware 1.0.0, and Caffeine for firmware 2.0.0 – 3.0.0 and 4.0.1 – 4.1.0.
Dangers Associated with the Process of Jailbreak
There are however many dangers associated with the process of jailbreak and some of them are listed below:
- Nintendo is taking no chances with the Nintendo Switch. Permanent console bans can and often do happen. This guide will take many precautions to avoid getting banned, but this site assumes no responsibility if your system is banned.
- There is always a chance that your Nintendo Switch will brick. This is very rare, and often recoverable on fusee-gelee vulnerable Switches. For unpatched Switches, extra precautions will be taken to avoid bricking as much as possible.
- Due to the level of access these exploits provide, malicious homebrew exists. These can brick your Switch or otherwise render your Switch inoperable. You should only ever run homebrew from trusted sources.
Just follow the guide perfectly and you should be more than fine.
Step 0: What You Will Need
A way to ground pin 10 on the right joy-con rail
To access RCM, you must hold down volume up, power and the home button. The home button described here is not the home button on the joy-con, but instead a hardware home button (think of the physical home button found on smartphones).
The Nintendo Switch doesn’t have this button, but you can simulate pressing it down by grounding pin 10 of the right joy-con rail.
There are many ways to do this. You can pick any method listed here. Some of these options are permanent hard mods, others are temporary.
Later in the guide, you will learn of a way to have the Switch automatically enter RCM on every boot through a software mod, so don’t worry about hard modding or purchasing anything if you don’t want to.
Payload Sender
This guide will cover options for Windows, OSX, Linux, and Android, though note that options exist for Chromebooks and jailbroken iOS devices.
You can also use a dedicated payload sending device (a “dongle” or modchip) if you have one. Instructions will not be provided on how to use these, as each device is different. Check the manufacturer’s website.
USB Type C to A/Micro USB/USB Type C cable/adapter
- Some kind of cable to connect your Switch to your payload sender of choice.
- You can usually chain cables and adapters if necessary.
- This is not needed if you are using a dedicated payload sending device.
A payload sending application (Download and install one now)
- On Windows, you can use TegraRcmGUI by eliboa and rajkosto.
- On OSX and Linux, you can use fusee-launcher by ReSwitched.
- On Android, you can use Rekado by MenosGrante.
If you don’t already have one, after determining if your Switch is vulnerable to fusee-gelee, you can also choose to purchase any number of dedicated payload sending dongles, or purchase and install a modchip.
Micro SD Card
You should have a MicroSD card for Nintendo Switch at least 4GB in size (64GB or higher is recommended, however). A small SD card is enough to get CFW running, but larger ones are preferred for installing games, performing NAND backups efficiently, and creating emuMMCs.
You will also need this test payload, downloaded to your payload sender device, to verify whether your Switch is vulnerable to fusee-gelee.
Step 1: Accessing RCM
- Completely power off your Switch
  - Hold the power button on your Switch for 3 seconds and choose to power down in the menu.
- Ground pin 10 of your right Joy-con rail
  - Using a method from the guide linked above, ground pin 10. Be very careful: bridging the wrong pins can fry your Switch!
- Press Volume Up + Power
  - While you’re grounding pin 10, hold down Volume Up and then hold down Power.
  - You will know you are successful if the Switch seemingly does not turn on.
  - If your Switch turns on, try again. This does not mean fusee-gelee is patched, as RCM is still available on patched Switches.
Step 2: Checking if the Nintendo Switch is vulnerable to Fusee-Gelee
If you are using TegraRcmGUI, follow these instructions:
1. Open TegraRcmGUI.
2. Navigate to the Settings tab.
3. Click on Install Driver (this will install the driver required to communicate with your Switch).
4. After the driver is installed, navigate to the Payload tab.
5. Plug your Switch into your PC using your USB cable
Your PC should play the device connected sound and your Switch should not turn on. If your Switch turns on, repeat Step 1 to enter RCM.
6. Once your Switch is plugged in, you should see a green icon with the message “RCM OK”.
7. Select the fusee-test.bin test payload you downloaded earlier
8. Select “Inject Payload” if the payload has not already been injected.
If you get the error “RC=-50”, restart the application and try again.
Important
A success message should now be displayed on your Switch.
Error
If the application says the payload launch was successful, but nothing appears on your screen, unfortunately, your Nintendo Switch is likely patched. You should try a few more times to be certain, and consider trying another USB cable.
If you are using Fusee-launcher, follow these instructions:
1. Open a terminal in the Fusee-launcher directory.
2. Copy the fusee-test.bin file to this directory.
3. Plug your Switch into your PC using your USB cable.
4. Your Switch should not turn on. If your Switch turns on, repeat Step 1 to enter RCM.
5. Run the command ‘sudo python3 ./fusee-launcher.py ./fusee-test.bin’
Important
A success message should now be displayed on your Switch.
Error
If the application says the payload launch was successful, but nothing appears on your screen, unfortunately, your Nintendo Switch is likely patched. You should try a few more times to be certain, and consider trying another USB cable.
If you are using Rekado, follow these instructions:
1. Open Rekado on your Android device.
2. Navigate to the Payloads section of the app and allow it to request storage.
3. Click the ‘+’ button and select the fusee-test.bin file.
4. Plug your Switch into your Android device using a USB cable/adapter.
5. Your phone should give you a prompt to open Rekado with the option to use by default. Accept and press OK.
6. Under the Select Injector menu, touch Boot Payload and fusee-test.bin
Important
A success message should now be displayed on your Switch.
Error
If the application says the payload launch was successful, but nothing appears on your screen, unfortunately, your Nintendo Switch is likely patched. You should try a few more times to be certain, and consider trying another USB cable.
Wait for your Switch to shut down before continuing. This should happen automatically. If the payload failed to launch, hold the power button for 15 seconds to be sure.
Step 3: Choosing an Exploit
After you are done checking your RCM, it is time to pick the exploit that you plan on running on your device.
There are various options you could choose from, and we have compiled a list of what each of them can and cannot do and what each of them requires.
We recommend Fusee-Gelee, as it is the most robust and the easiest to use and understand of all three, provided your RCM is able to launch payloads. This method provides the best compatibility across all of the firmware versions, along with being incredibly easy to use with almost any payload.
Caffeine is generally used when you cannot launch payloads using RCM and are on firmware version 4.1.0.
Just read the tables provided below to make up your mind as to which to choose.
Fusee-gelee
DETAILS | |
Software Only Exploit | NO |
Coldboot | OPTIONAL, requires hardmod |
Supported Firmware Versions | ALL |
Exploitable RCM Required | YES |
Requires a USB-C cable and a PC or phone, or a dongle | |
Recommended for users with exploitable RCM (Hardmod method not detailed in this guide) | |
Caffeine
DETAILS | |
Software Only Exploit | YES |
Coldboot | NO |
Supported Firmware Versions | 2.0.0 – 3.0.0 & 4.0.1 – 4.1.0 |
Exploitable RCM Required | NO |
No additional tools required | |
Use only if you really want CFW without RCM or if your system is IPATCHED on firmware 4.1.0 | |
Can be used to boot emuMMC with higher firmware version | |
Nereba
DETAILS | |
Software Only Exploit | YES |
Coldboot | NO |
Supported Firmware Versions | 1.0.0 ONLY |
Exploitable RCM Required | NO |
Requires JP Puyo Puyo Tetris, or one time access to CFW via RCM (USB-C cable and a PC or phone, or a dongle) | |
Use only if you really want CFW without RCM | |
Can be used to boot emuMMC with higher firmware version | |
SD Card Setup
Fusee-Gelee
Downloading The Software
Here we assume that you have, with a sound mind, decided to go ahead with Fusee-Gelee to run your CFW. All we have to do now is prepare your SD card for the process, and after that we are technically done.
In this guide, we are using the Homebrew setup from the website.
There are other options, however, like Team Atlas NX’s Kosmos, which you could use too. We, however, recommend you use sdsetup.
Let us begin with the steps you would be following in order to set up your SD card.
1. Visit the website given above.
2. You will find an option for Nintendo Switch. Select it.
3. Select the package titled Kosmos Defaults.
4. There are other homebrew packages available as well that you can select from.
5. Each of the packages has a description of what it can or cannot do and you can read it all by simply hovering your mouse pointer over the package.
6. Click on Download your Zip. This downloads a zip file containing all the homebrew packages that you selected.
Preparing The Software
1. The first step would obviously be to extract the zip from the folder onto your laptop or PC.
2. There are different folder names like SD, payloads, PC, android, licenses, readmes and more.
3. The SD folder contains all the things that should be on your SD card. You are to copy all the contents of this folder to the root of your SD card
4. The payloads folder contains all of the fusee-gelee payloads which can be launched with TegraRcmGui/Rekado/Fusee-launcher/etc. that you selected.
5. Other folders contain different tools and such that you selected.
For example:
PC folder has all the selected PC tools.
Android folder has all the selected Android tools.
Licenses folder has all the licenses distributed for downloading.
6. After you are done copying all the folders to their respective destinations in the SD card as mentioned, place the sd card back in the Nintendo Switch.
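The warning above about running homebrew only from trusted sources can be checked before anything is copied to the SD card. The following is an added example, not part of the original guide or of any tool it names: it audits a downloaded package zip for members that would extract outside the target folder and compares every .bin payload with SHA-256 digests pinned in advance. The archive contents, the digests and every file name other than fusee-test.bin are constructed for illustration.

```python
import hashlib
import io
import zipfile
from pathlib import PurePosixPath

GOOD_PAYLOAD = b"constructed known-good payload bytes"  # sample data, not a real payload
# Digests you would copy from the publisher's release notes (constructed here).
PINNED = {"payloads/fusee-test.bin": hashlib.sha256(GOOD_PAYLOAD).hexdigest()}


def build_sample_zip(payload=GOOD_PAYLOAD, extra=()):
    """Build a constructed package zip in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sd/readme.txt", "constructed file")
        zf.writestr("payloads/fusee-test.bin", payload)
        for name, data in extra:
            zf.writestr(name, data)
    return buf.getvalue()


def audit_package(zip_bytes, pinned):
    """Return (finding, member_name) tuples; an empty list means the zip passed."""
    findings, seen = [], set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            path = PurePosixPath(name.replace("\\", "/"))
            # Zip-slip check: refuse members that would land outside the
            # folder you extract into (absolute, drive-letter or ".." paths).
            if (not path.parts or path.is_absolute() or ".." in path.parts
                    or ":" in path.parts[0]):
                findings.append(("unsafe-path", name))
                continue
            if info.is_dir() or path.suffix.lower() != ".bin":
                continue
            # Every payload must match a digest pinned ahead of time.
            seen.add(name)
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            if name not in pinned:
                findings.append(("unpinned-payload", name))
            elif digest != pinned[name].lower():
                findings.append(("hash-mismatch", name))
    # A pinned payload that is absent from the archive is reported too.
    findings += [("missing-payload", n) for n in pinned if n not in seen]
    return findings


if __name__ == "__main__":
    print("clean:", audit_package(build_sample_zip(), PINNED))
    print("tampered:", audit_package(build_sample_zip(payload=b"tampered"), PINNED))
    suspicious = [("../evil.bin", b"x"), ("payloads/unknown.bin", b"y")]
    print("suspicious:", audit_package(build_sample_zip(extra=suspicious), PINNED))
```

Run the audit on the zip as downloaded, and copy the SD folder to the card only when the returned list is empty.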
CONGRATULATIONS! You have successfully executed your Nintendo Switch Jailbreak.
Caffeine
Downloading The Software
Here we assume that you have, with a sound mind, decided to go ahead with Caffeine to run your CFW. For the process, we need to prepare your SD card, and after that we are technically done.
In this guide, we are using the Homebrew setup from the website.
There are other options, however, like Team Atlas NX’s Kosmos, which you could use too. We, however, recommend you use sdsetup.
Let us begin with the steps you would be following in order to set up your SD card.
1. Visit the website given above.
2. You will find an option for Nintendo Switch. Select it.
3. Select the package titled Kosmos + PegaScape.
4. There are other homebrew packages available as well that you can select from.
5. Each of the packages has a description of what it can or cannot do, and you can read it all by simply hovering your mouse pointer over the package.
6. Click on Download your Zip. This downloads a zip file containing all the homebrew packages that you selected.
Preparing The Software
1. The first step would obviously be to extract the zip from the folder onto your laptop or PC.
2. There are different folder names like SD, payloads, PC, android, licenses, readmes and more.
3. The SD folder contains all the things that should be on your SD card. You are to copy all the contents of this folder to the root of your SD card
4. The payloads folder contains all of the fusee-gelee payloads which can be launched with Tegra Rcm Gui / Rekado / Fusee-launcher / etc. that you selected.
5. In this folder, there should be a file. Move this to sd:/bootloader/payloads/lockpick_RCM.bin on your SD card; it will be used later.
6. The other folders contain different tools and such that you selected.
For example:
PC folder has all the selected PC tools.
Android folder has all the selected Android tools.
Licenses folder has all the licenses distributed for downloading.
7. After you are done copying all the folders to their respective destinations in the SD card as mentioned, place the SD card back in the Nintendo Switch.
Now, you will also have to configure your Switch to be able to access the PegaScape DNS server.
Since firmware 2.0.0, the Nintendo Switch has two ways to access the browser, both of which are free.
The first browser is the Wifi Authentication Prompt. This is accessed when trying to connect to a wireless network in Internet settings which does not pass the connection test, or by attempting to link a Nintendo Account on a wireless network that does not pass the connection test.
The prompt to link a Nintendo account is accessed by tapping the eShop icon on the home menu when you do not already have an account linked.
The second browser is through the News applet. Most news entries use HTTPS, so we cannot redirect them with a DNS. However, we can inject our own News entry which points to a normal HTTP URL, which can be redirected. This entry point is “Fake News”.
This guide will first have you access PegaScape through the Wifi Authentication Prompt to install Fake News, then change your DNS to allow the use of Fake News.
Furthermore, follow the steps in the link provided here in order to complete the entire process.
Nereba
Downloading The Software
Here we assume that you have, with a sound mind, decided to go ahead with Caffeine to run your CFW. We prepare your SD card for the process, and after that we are technically done.
In this guide, we are using the Homebrew setup from the website.
There are other options, however, like Team Atlas NX’s Kosmos, which you could use too. We, however, recommend you use sdsetup.
Let us begin with the steps you would be following in order to set up your SD card.
1. Visit the website given above.
2. You will find an option for Nintendo Switch. Select it.
3. Select the package titled Kosmos + PegaScape.
4. There are other homebrew packages available as well that you can select from.
5. Each of the packages has a description of what it can or cannot do and you can read it all by simply hovering your mouse pointer over the package.
6. Click on Download your Zip. This downloads a zip file containing all the homebrew packages that you selected.
Preparing The Software
1. The first step would obviously be to extract the zip from the folder onto your laptop or PC.
2. There are different folder names like SD, payloads, PC, android, licenses, readmes and more.
3. The SD folder contains all the things that should be on your SD card. You are to copy all the contents of this folder to the root of your SD card
4. The payloads folder contains all of the fusee-gelee payloads which can be launched with Tegra Rcm Gui / Rekado / Fusee-launcher / etc. that you selected.
5. There is a bin file in this folder. Move this to sd:/bootloader/payloads/lockpick_RCM.bin on your SD card; it will be used later.
6. The other folders contain different tools and such that you selected.
For example:
PC folder has all the selected PC tools.
Android folder has all the selected Android tools.
Licenses folder has all the licenses distributed for downloading.
7. After you are done copying all the folders to their respective destinations on the SD card as mentioned, place the SD card back in the Nintendo Switch.
Since firmware 2.0.0, the Nintendo Switch has two ways to access the browser, both of which are free.
The first browser is the Wi-Fi Authentication Prompt. This is accessed when trying to connect to a wireless network in Internet settings which does not pass the connection test, or by attempting to link a Nintendo Account on a wireless network that does not pass the connection test.
The prompt to link a Nintendo account can be accessed by tapping the shop icon on the home menu when you do not already have an account linked.
The second browser is through the News applet. Most news entries use HTTPS, so we cannot redirect them with a DNS. However, we can inject our own News entry which points to a normal HTTP URL, which can be redirected. This entry point is known as “Fake News”.
This guide will first have you access PegaScape through the Wi-Fi Authentication Prompt to install Fake News, then change your DNS to allow the use of Fake News.
Now, in order to get the PegaScape DNS server working, follow the steps here.
Configuring PegaScape DNS Settings
1. Power on your Switch normally.
2. Open settings and go to the Internet tab
3. Delete your existing Wi-Fi connection configuration if you have one for the network you want to connect to
4. Add your Wi-Fi network, but type in a long, wrong password to fail the connection test.
5. After the connection test fails, choose to change settings.
6. Set DNS Settings to Manual.
7. Set ‘Primary DNS’ to ‘163.172.181.170’.
8. Set ‘Secondary DNS’ to ‘163.172.141.219’.
9. Re-enter your Wi-Fi password, correctly this time.
10. Save and perform the connection test. The connection test should pass.
Furthermore, follow the steps given on the website for more information.