Switch Guide the following

 

Getting Started

Finding your serial number

The first thing to do is determine if your Switch is vulnerable to fusee-gelee, the exploit we will be using to launch CFW.

This vulnerability was independently discovered by several different Switch hacking teams, and multiple variants of it were released to the public in April 2018 after a 90-day disclosure period ended. Nintendo and NVIDIA were made aware of the issue before the public release as a result, and Switch systems that are not vulnerable to the exploit started being spotted in the wild in July 2018. NVIDIA publicly acknowledged the flaw in April as well.

Patched units can be identified by their serial number. This number can be found on the bottom of your Switch adjacent to the USB-C port, or in the Settings applet at System -> Serial Information.



Determining if your Switch is vulnerable

The homebrew community has crowdsourced a list of known serial numbers which are vulnerable to fusee-gelee.

  • If your serial number is on this list as "potentially patched", follow the guide and see if your system works.
  • If your serial number is listed as "patched", there is nothing you can do at this time.
  • If your system is patched, it is highly advised to keep it on 7.0.1 or lower, if possible, as there may be a vulnerability for these versions in the far future. DO NOT update patched consoles past 7.0.1 if you want to ever have a chance of running homebrew and/or CFW on them. 
Notice

If you are unsure if your serial is patched, you can test your console yourself following the instructions here.

List of console serial number ranges

If your serial starts with XAW1:
XAW10000000000 through XAW10074000000 are unpatched
XAW10075000000 through XAW10120000000 are potentially patched
Serials above XAW10120000000 are patched

If your serial starts with XAW4:
XAW40000000000 through XAW40011000000 are unpatched
XAW40011000000 through XAW40012000000 are potentially patched
Serials above XAW40012000000 are patched

If your serial starts with XAW7:
XAW70000000000 through XAW70017800000 are unpatched
XAW70017800000 through XAW70030000000 are potentially patched
Serials above XAW70030000000 are patched

If your serial starts with XAJ1:
XAJ10000000000 through XAJ10020000000 are unpatched
XAJ10020000000 through XAJ10030000000 are potentially patched
Serials above XAJ10030000000 are patched

If your serial starts with XAJ4:
XAJ40000000000 through XAJ40046000000 are unpatched
XAJ40046000000 through XAJ40060000000 are potentially patched
Serials above XAJ40060000000 are patched

If your serial starts with XAJ7:
XAJ70000000000 through XAJ70040000000 are unpatched
XAJ70040000000 through XAJ70050000000 are potentially patched
Serials above XAJ70050000000 are patched

If your serial starts with XAJ9:
These units are refurbished units provided by Nintendo. No information is known yet, but they are potentially patched.

If your serial starts with XAK:

No information is known yet

Console Preparation

Important

Before setting up the console for homebrew, it is important to have at least one eShop game, application (such as Youtube or Hulu), or a game demo such as 10 Second Run RETURNS. A game cartridge will also work, but note that the cartridge will have to be inserted in order to run homebrew if you wish to go this route. Once you have a game or application, you are prepared to continue on with the guide.



SD Preparation

We will now place the required files for the Atmosphere custom firmware and some additional homebrew files on the SD card.

Atmosphere has its own bootloader, called fusee (primary). For the purposes of this guide we will be using Hekate instead, so that we can back up the system's NAND (internal storage) and take advantage of other advanced features in the future.

Notice

Your SD card will need to be formatted as either FAT32 or exFAT. FAT32 is recommended as it is more stable and will work out of the box with the Switch's operating system, but has a file size limit of 4GB. If you plan on using exFAT, you will need to install the exFAT update for your Switch, which is downloaded when you insert an exFAT formatted SD card in to your Switch. Note that this will update your console and requires an internet connection.

NxThemeInstaller

The ban risks of using Switch themes are at this time unknown. Use them at your own risk.

File name extensions

If you use Windows, you should enable file name extensions before continuing.

What you need

  • The latest release of Hekate 
  • The latest release of Atmosphere (You will need to download the release zip.)
  • The latest release of Lockpick_RCM
  • The latest release of Checkpoint (Download the Checkpoint.nro release of Checkpoint)
  • The latest release of FTPD (Download the ftpd.nro release of FTPD)
  • The latest release of NXThemeInstaller (Download the NxThemesInstaller.nro release of NxThemeInstaller)
  • The latest release of NX-Shell
  • The latest release of the hbappstore 
  • hekate_ipl.ini {------ Atmosphere ------}
    {Pick this option to launch CFW.}
    [Atmosphere FSS0]
    fss0=atmosphere/fusee-secondary.bin
    kip1=atmosphere/kips/*
    { }
    {------ Stock ------}
    {NOTE: This option does not launch CFW.}
    [Stock]
    fss0=atmosphere/fusee-secondary.bin
    stock=1
    { }

Instructions

  1. Insert your Switch's SD card into your PC
  2. Copy the contents of the Atmosphere .zip file to the root of your SD card
  3. Copy the bootloader folder from the Hekate .zip file to the root of your SD card
  4. Copy Hekate's .bin file from the Hekate .zip file to the atmosphere folder on your SD card
  5. Delete reboot_payload.bin in the atmosphere folder on your SD card
  6. Rename Hekate's .bin file to reboot_payload.bin
  7. Copy hekate_ipl.ini to the bootloader folder on your SD card
  8. Copy Lockpick_RCM.bin to the /bootloader/payloads folder on your SD card
  9. Create a folder named appstore inside the switch folder on your SD card, and put appstore.nro in it
  10. Copy ftpd.nro , Checkpoint.nro , NX-Shell.nro and NxThemesInstaller.nro to the switch folder on your SD card 

Entering RCM

 As the Switch uses a Tegra X1 processor, it has a special recovery mode that is, in most scenarios, useless for the end-user. Fortunately, due to the fusee-gelee vulnerability, this special mode acts as our gateway into CFW.

There are several methods of entering RCM (ReCovery Mode). The most affordable of these require nothing more than common household items, while the most reliable are very cheap ($10).



Patched Switch

Note that patched units can enter RCM, but it is not possible to send a payload on those systems. Also note that RCM is a different recovery mode than the one accessed by holding Volume Up, Volume Down, and Power.


Note

The order of methods on this page is in the order of ease. The easiest to immediately accomplish are listed at the top, and the most advanced/difficult methods are at the bottom.

Instructions


  1. Power off the Switch and use one of the methods listed below to short the pins.
  2. Hold Volume Up and press the Power button.

If your Switch displays the Nintendo logo and boots normally or immediately shuts down, you didn't successfully enter RCM and should try again.

Tinfoil

Note

This method will result in the right Joy-Con being detected as in wireless mode while attached to the Switch, and this method may result in the Joy-Con being permanently detected as wireless if you update the Joy-Con firmware while this mod is installed. In the latter case, fixing this requires opening up the Joy-Con and reseating the battery. It is recommended that you only use this to get into RCM, and immediately remove it once you're successfully in RCM.



Note

Take care to not short pin 4 by accident while the system is on. This pin provides power to the Joy-Con, so shorting it by accident may damage your Switch permanently.

This method entails putting a thin piece of tinfoil in between pins 9 and 10 (seen below) on the Joy-Con, and the Joy-Con rail, then folding the foil over the back of the rail to tape it in place. This is best done by taking a 1/2 square inch piece of tinfoil (1.25 square cm), and folding it multiple times until it’s around 1 mm wide. Although we normally frown upon the use of video tutorials, we suggest you watch the small instructional video below before performing this task.

Metal Bridge / Paperclip (Not recommended)

Note

This method is not recommended due to having a serious risk of permanently damaging your Switch's right Joy-Con rail. It is listed here as it is utilizing household items, but it is highly recommended to either do the tinfoil method or to order an RCM jig. This risk is made exponentially higher if a tool such as a screwdriver is used instead of a metal wire or paperclip.

Note

Take care to not short pin 4 by accident while the system is on. This pin provides power to the Joy-Con, so shorting it by accident may damage your Switch permanently.

This method entails taking a piece of metal (such as a paperclip or screwdriver) and bending it so that it touches pins 1 and 10, or any other grounded piece of metal and pin 10 (numbered pads shown below).

Here are some examples of shorting pins 1 and 10 using a wire from HowDenKing#0001.

RCM Jig (Easiest for beginners)

Note

Some jig designs use paperclips, inheriting the same risks as the Metal Bridge / Paperclip method. If you would like a safe jig design, we highly recommend switchjigs.com.
This method is similar to the Metal Bridge / Paperclip method, but is more reliable and safer in many cases. Jigs hold a wire in place so the correct pins (10 and a ground) are shorted every time.

Jigs range in price, with the ones we recommend being $5. They're slightly more expensive than some mass produced jigs, however we can guarantee their quality. Also spending $5 on a quality jig using 32-gauge wire is a smaller cost than replacing your entire Joy-Con rail after the pins are scratched off by a paperclip jig.
In the case you plan to make you own jig, this image lays out the pads numbers on the console. Make sure your jig NEVER touches pin 4. Pin 4 provides 5v power to the Joycons, if connected to any other pin you will fry the console.

Bent Joy-With Pins

Note

This method will result in the right Joy-Con being detected as in wireless mode while attached to the Switch, and this method may result in the Joy-Con being permanently detected as wireless if you update the Joy-Con firmware while this mod is installed. In the latter case, fixing this requires opening up the Joy-Con and reseating the battery.

Note

This method requires opening your right Joy-Con, voiding its warranty. Not for the faint of heart.
The goal of this method is to open the right handed Joy-Con to the point that you can reach the contact pads easily, and use a thin object such as a knife to gently bend pin 9 and 10 (shown below) slightly up and towards each other so they touch, shorting them.
Here is an example from Sonlen#0666.

Soldered Joy-Con Pads - 9 & 10

 Note

This method will result in the right Joy-Con being detected as in wireless mode while attached to the Switch, and this method may result in the Joy-Con being permanently detected as wireless if you update the Joy-Con firmware while this mod is installed. In the latter case, fixing this requires opening up the Joy-Con and reseating the battery. It is recommended to solder pads 7 and 10 together with a resistor instead.

Note

This method requires opening your right Joy-Con, voiding its warranty. Not for the faint of heart.
The goal of this method is to open the right handed Joy-Con to the point that you can reach the contact pads easily. This is similar to the previous method, however the goal is to solder pads 9 and 10 (seen below) together. This can either be done using a small wire, or directly bridging the pads with solder.
Here is an example

Soldered Joy-Con Pads - 7 & 10

 Note

This method requires opening your right Joy-Con, voiding its warranty. Not for the faint of heart.
The goal of this method is to open the right handed Joy-Con to the point that you can reach the contact pads easily. This is similar to the previous method, however the goal is to solder pins 7 and 10 (shown below) together with a surface-mount 0805 10k resistor. Apart from using a physical switch/button, this is currently considered the safest method that involves soldering to pads.
Here is an example

Soldered Joy-Con Pads - Physical RCM Button (Safest)

Note
This method requires opening your right Joy-Con, voiding its warranty. Not for the faint of heart.
The goal of this method is to open the right handed Joy-Con to the point that you can reach the contact pads easily. This is similar to the previous method, however you will be soldering wires to pins 7 and 10 (shown below) and wiring them to the "Joycon release button" at the top back of the right hand Joycon.

 
In order to start this method you will want to take two lengths of wire, and wrap one end of each into a small circle.
 
You will then want to take the circular end of one of the wires and add a small amount of solder, keeping it mostly flat (ONLY DO THIS TO ONE OF THE WIRES!). You will then glue this wire down to the below point on the Joycon release button. Make sure glue doesn't cover the top of the solder/wire as it will act as a contact point. Also, ensure that you leave enough space for the button to function correctly. Try pushing the button from the outside and observing its travel path so that you can see where and how you should safely glue the solder glob.

 
 The first wire should now be in place as seen by the green circle below. The second wire does not need any solder, instead you will hold it in place using the screw as shown by the red circle in the picture below.
Pressing the Joycon button in you should now notice the solder point you created making contact with the piece of metal held in by the screw. Once you have these elements in place you want to connect one wire to pad 7 and the other to pad 10 (it doesn't matter which is which). After that you have successfully created an RCM button on your Joycon. You will now need to hold down the Joycon release button when attempting to boot RCM.

Sending a Payload

If you were sent here directly

Make sure you've put your device into RCM, and downloaded Hekate (extract its zip file if necessary) before continuing.

Now that the device is in RCM, we will need to send it a payload. The methods are mostly the same, but slightly differs depending on what hardware you have available.

Windows
What you need
  •  The latest release of TegraRcmGUI (either the MSI or zip)
  • The latest release of Hekate (either the hekate_ctcaer bin or the hekate_ctcaer zip)
  • A USB-A to USB-C cable (or a standard USB-C cable if your computer natively supports USB-C)
Instructions
  1. Install and run TegraRCMGUI
  2. Navigate to the Settings tab, then press Install Driver and follow the on-screen instructions
  3. Connect your Switch in RCM to your PC using the USB cable
  4. Navigate to the Payload tab of TegraRcmGUI
  5. Your Switch should be shown as detected in the bottom left corner
  6. Press the file button next to Inject payload, and navigate to and select your hekate_ctcaer .bin file
  7. Click Inject payload to launch Hekate

Mac / Linux
What you need
  • The latest release of fuse-interface-to 
  • The latest release of Hekate 
  • A USB-A to USB-C cable (or a standard USB-C cable if your computer natively supports USB-C)
Instructions
  1. Download and run the payload injector (if you are on Linux, you will need to run this program as root or use sudo.)
  2. Connect your Switch in RCM to your PC using the USB cable
  3. Wait for your Switch to be shown as found in the injector
  4. Press Select Payload, and navigate to and select your hekate_ctcaer .bin file
  5. Click Send Payload! to launch Hekate
 

Making Essential Backups

Important
It is critical to make these backups. Do not skip these steps.

Making a NAND Backup

Important
A NAND backup is crucial. They can be used to restore the device to a working state in case of emergencies, and will be required in order to migrate to an EmuNAND setup in the near future.
Once the backup is finished, keep it somewhere safe. The best backup is the one you have but never need, and the worst backup is the one you need but never made. To save space, it's recommended to compress the end-result with a .zip file or something similar.
It's highly recommended that you use an SD card that is formatted to FAT32 and has at least 32 gigabytes of space free. This will still work on smaller cards, but it's not ideal.

Instructions
  1. Enter RCM and upload the Hekate payload
  2. Use the volume buttons to navigate to Tools -> Backup, then press the power button
  3. Navigate to Backup eMMC BOOT0/1, then press the power button
  4. This may take a few minutes
  5. Press any key to continue, then navigate to Backup eMMC RAW GPP and press the power button
  • This will take a long time
  • On FAT32 SD cards or cards that have less than 32 gigabytes of space available, the NAND will be split into 1 or 2 gigabyte parts.
  • Hekate will stop producing these parts when it runs out of space. When this happens, do the following:
  • Power off your system
  • Insert your SD card into your PC
  • Move all files from the backup folder on your SD card to a safe location on your PC
  • Insert your SD card into your Switch
  • Enter RCM again, upload Hekate again, and continue by navigating to Tools -> Backup -> Backup eMMC RAW GPP again
  • Repeat the process until the NAND is completely dumped
  1. Press any key to continue, then power off your Switch
  2. Insert your SD card into your PC
  3. Copy the backup folder on your SD card to a safe location on your PC

Getting your Console's Unique Keys

Important
These keys are critical to have. They can be used as another way to restore your device to a working state when paired with other tools, if your NAND backup is not enough.

 
Instructions

  1. Enter RCM and upload the Hekate payload
  2. Use the volume buttons to navigate to Launch -> Payloads..., then press the power button
  3. Navigate to Lockpick_RCM.bin, then press the power button
  4. If Lockpick_RCM prompts you to Reboot to Sept, press power or either volume button to do so. A "sept by Atmosphere" logo will then display, followed by Lockpick_RCM starting again. If it does not prompt you, continue on to step 5.
  5. Lockpick_RCM should now inform you that your keys have been saved to /switch/prod.keys on the SD card.
  6. Press the power button to power off your Switch
  7. Insert your SD card into your PC
  8. Copy prod.keys from the switch folder on your SD card to a safe location on your PC (it is suggested to copy it to the same place that you copied your NAND backup to).

Launching CFW

Now that the preparation work is out of the way, we're finally ready to launch custom firmware on the Switch.

Unlike systems such as the DSi, Wii, or 3DS, Switch CFW is currently volatile- it will only work as long as your Switch is on. As soon as your Switch completely loses power for any reason (shutting down, battery dying, etc.), CFW will no longer be active and you will need to follow these instructions again.

Instructions
  1. Power on your Switch into RCM, and upload the Hekate payload
  2. Navigate to Launch with the volume buttons, and press the power button to confirm
  3. Navigate to Atmosphere FSS0 with the volume buttons, and press the power button to confirm
Your Switch is now booting into Atmosphere.

To verify Atmosphere launched properly, open the Settings applet, and navigate to System. You should see AMS next to the version number.

Launching the Homebrew Menu

You will now be able to launch the Homebrew Menu by by holding the R button while launching any game (including demos/cartridges), application (e.g. Youtube/Hulu), or the album. If R is not held, the album, game, or application will launch like normal.

A note about using the album for the Homebrew Menu
  • Using the album for the Homebrew Menu instead of a game or application has several limitations, including but not limited to: a smaller amout of available memory (RAM), as well as being unable to launch a full-featured web browser. It is strongly recommended to launch homebrew through applications or games instead.
Adding new applications

Place homebrew applications (.nro files) into the switch folder on your SD card.
What the included homebrew applications do
  • Checkpoint is a save manager, it can dump and restore saves from/to your system.
     
  • FTPD is a ftp tool for connecting your Switch's sd card wirelessly to your pc. Tools like Filezilla can connect to your switch on (ip of switch):5000
  • NX-Shell is a file explorer for the Switch. You can move files, listen to mp3's, view images etc.
  • NXThemeInstaller is a theme installer app.
  • hbappstore is a homebrew app store where a large collection of switch homebrew is kept.

Post a Comment

0 Comments