From 02b5afa0e90172451d765987d7540569813fb1c4 Mon Sep 17 00:00:00 2001 From: DefenderOfHyrule <11156197+DefenderOfHyrule@users.noreply.github.com> Date: Tue, 2 Jul 2024 18:58:26 +0000 Subject: [PATCH] =?UTF-8?q?Deploying=20to=20gh-pages=20from=20@=20nh-serve?= =?UTF-8?q?r/switch-guide@36837330b21d77fb516877e8d17aa77aad611acf=20?= =?UTF-8?q?=F0=9F=9A=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- search/search_index.json | 2 +- sitemap.xml.gz | Bin 600 -> 600 bytes user_guide/all/partitioning_sd/index.html | 8 ++++---- .../all/partitioning_sd_syscfw/index.html | 8 ++++---- user_guide/all/sd_preparation/index.html | 2 +- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/search/search_index.json b/search/search_index.json index 3df7a812..517302db 100644 --- a/search/search_index.json +++ b/search/search_index.json @@ -1 +1 @@ -{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"Home","text":""},{"location":"#nh-switch-guide","title":"NH Switch Guide","text":"
The NH Switch Guide is a collaboration from Nintendo Homebrew's Discord community, getting you from a stock Switch to Atmosph\u00e8re.
For live support with this guide, visit us in #switch-assistance-1 or #switch-assistance-2 over at the NH-Discord server.
Prepare to set aside a minimum of an hour to follow this guide. This is specifically for you to carefully read and understand each page for safe execution for the safety and longevity of your Switch console. Some required device backups can also take around ten to thirty minutes to create, depending on your Switch model and your microSD card specifications.
"},{"location":"#what-is-custom-firmware","title":"What is Custom Firmware?","text":"Custom FirmWare (\u201cCFW\u201d) is complex software that modifies the function of a device's operating system, also known as a system firmware. Atmosph\u00e8re, for example, patches the Switch OS (named Horizon) on the fly.
Custom firmware can be considered a holy grail in terms of device modding, as it allows nearly limitless control and freedoms than you would get with more primitive \"userland\" access. \u00a0
"},{"location":"#what-is-homebrew","title":"What is homebrew?","text":"Homebrew refers to unofficial software written by hobbyists for locked down systems, like the Nintendo Switch. Homebrew can include original games, emulators, save-editing tools, and much, much more!
On the Switch in particular, you need CFW to run almost all available homebrew. Some first-gen (\"V1\") consoles can run homebrew for free, while all other (\"patched\") consoles require specialized hardware installation beforehand. \u00a0
"},{"location":"#what-are-custom-operating-systems","title":"What are custom operating systems?","text":"Custom operating systems (OSes) are alternative system software installations, like Android or Linux, that install alongside the default Switch OS. These are usually perfect for powerusers who want to extend the functionality of their console beyond that of a gaming console, transforming Nintendo Switch to a full-fledged hybrid tablet or desktop. These custom OSes run completely independent of the Switch OS, meaning that anything you do in a custom OS cannot be reported back to Nintendo. Custom operating systems are not \"emulated\"; they run natively on the Switch's Tegra X1 SoC.
This guide will give you the opportunity to set aside space on your microSD to install these custom OSes onto, if you desire. It is important to note that these installations are optional; you do not need to install any custom OS in order to complete this guide and install Atmosph\u00e8re. However, it is better to decide sooner rather than later, as the installation process involves formatting your microSD card.
"},{"location":"#what-does-this-guide-install","title":"What does this guide install?","text":"This guide has the end-goal of taking a completely unmodified Switch from stock firmware to a custom firmware named Atmosph\u00e8re.
fusee-gelee is currently the most widespread software entrypoint of launching custom firmware. It utilizes a vulnerability in the bootROM of the first-generation Switch systems, allowing us to boot the console via any payload we choose, instead of only ones that Nvidia and Nintendo authorize. The result allows full baremetal control over your console, including system storage backups, recovery, custom firmwares, and custom operating systems. \u00a0
"},{"location":"#what-can-i-do-with-custom-firmware","title":"What can I do with custom firmware?","text":"More on this can be found later on in the guide.
"},{"location":"#what-do-i-need-to-know-before-starting","title":"What do I need to know before starting?","text":"As previously mentioned, this guide will take a minimum of an hour to fully complete. Please responsibly set aside this time before your first run-through.
Acknowledge that EVERY time you modify your system, there is always the potential for an UNRECOVERABLE brick. A brick is a damaged device that no longer functions; something that becomes as \"useful as a brick\". On the Switch, they're rare, but still a possibility -- so make sure you read the directions carefully before performing them, and follow them EXACTLY.
This guide will work on first-generation (V1) and modchipped Switch consoles in all regions on any firmware version.
You will need one of the following in order to successfully follow this guide:
If you choose the emuMMC path introduced later in the guide, you will also need a microSD card that is at least 128 gigabytes. In this path, it'll be important to disable the Automatic Save Data Cloud function beforehand, as well as making sure the Switch is set as the primary console. If you must use a smaller microSD card, you can choose to use the sysCFW path, after assuming the risks involved.
Additionally, on a V1 \"unpatched\" Switch, you will need a way to access the ReCovery Mode (this will be further explained in the \"Entering RCM section\"). While possible with household tools, you may want to shell money out for a \"jig\" that inserts into the Joy-Con rail to reliably enable RCM.
Upon completion, you will lose no data, ending up with everything that you started with (games, Nintendo Account, saves, etc will be preserved). Your functionalities will only be enhanced.
Keep your device plugged in and charged throughout the entire process to avoid data loss or damage from an unexpected power-off.
Custom firmware is not permanently installed and does not change anything on your console simply by running it. It will be entirely unloaded upon rebooting the console. However, CFW does allow you to make permanent changes to your console at your own will, so be responsible and cautious with the abilities enabled by CFW.
It is advised that you read the entire guide from start to finish one or more times before actually running through the guide with your system.
If something doesn't make sense while you follow the guide, please reach out and ask for clarification rather than fumble around on your own. If your English isn't the best, use a translator such as Google Translate to submit your questions, so we can help.
"},{"location":"#click-the-button-below-to-get-started-with-the-guide","title":"Click the button below to get started with the guide!","text":"Continue to Getting Started
Note: We are not currently, historically, or will we ever be, associated with Anton Retro, sthetix, Ely M., or other derivative or YouTube/TikTok guide publishers, especially any that claim relation to us.
Furthermore, we resent any implication to the contrary.
Frequently Asked Questions about this pageQ: What are the differences between \"first-generation\" (\"V1\") consoles and \"patched\" consoles when it comes to running homebrew? A: Once you boot into Horizon, not much. The primary things to keep in mind is that only V1 consoles support Atmosph\u00e8re's \"Reboot to Payload\" function, but modchips automatically load payloads during reboots on their own.
Q: What is Horizon? A: Horizon is the name of the Switch's operating system. It is sometimes called \"HorizonNX\", because it is actually a derivative version of the Nintendo 3DS's operating system of the same name.
Q: Why is it called Atmosph\u00e8re? A: Atmosph\u00e8re \"runs on top of the Horizon\" operating system. Each layer of Horizon's security is referenced via the atmosphere's different layers. For example, the EL1 \"kernel\" reimplementation is called mesosph\u00e8re, while the EL3 \"TrustZone\" reimplementation is called exosph\u00e8re. Learn more about ARM Exception Levels here.
Q: What exactly is the \"emuMMC path,\" and why is it recommended for the microSD card to be at least 128GB for this path? A: The purpose of an emuMMC/emuNAND is to give you a safe place to use custom firmware functions without Nintendo catching sight. As it is an offline clone of your internal storage ran entirely from your microSD card, you will need to set allocate up to 64GB on your microSD card for it (depending on the size of your internal storage), plus a duplicate your of digital game data (emuMMC uses a separate Nintendo folder for game installs).
Q: Why do I need to set my console as primary before starting this guide? A: The Switch will otherwise try to connect to Nintendo servers before starting apps, which can lead to unexpected delays and make emuMMCs completely unusable.
Q: Can I follow this guide if I have a smaller microSD card, and what are the risks involved in choosing the sysCFW path? A: Nothing stops you from using sysCFW, but it is recommended for first-timers to get familiar with CFW by starting with an emuMMC. If used improperly, running sysCFW can cause software bricks and/or bans.
Q: Are there any specific restrictions or limitations imposed by Nintendo on consoles running custom firmware and homebrew? A: Nintendo has shown a distinct tolerance for users using CFW while online. They do not ban for the presence of CFW, they ban for misbehavior - such as piracy or cheating online. Otherwise, you are treated like all other users.
Q: Is there any community support or forums recommended for users who may have questions or issues during the process? A: Of course! As well as the Nintendo Homebrew Discord server, you can also try the r/SwitchHacks subreddit!
This guide was written by community members of the Nintendo Homebrew Discord Server.
You can find this guide on GitHub, It is licensed under the ISC license.
"},{"location":"about/#guide-writers-maintainers","title":"Guide Writers / Maintainers","text":"Thank you to everyone else that contributed to the guide on GitHub, but special thanks to noirscape.
"},{"location":"about/#developers","title":"Developers","text":"Currently two hardware revisions of the Switch exist. Any Switch bought or manufactured before the middle of 2018 has a bootrom bug that allows us to run code regardless of the firmware version on the Switch. When Nintendo updates the system, however, CFW will usually need an update to account for it. This bug cannot be fixed by Nintendo once the console leaves the factory, unless the console is sent in for repairs. This means that all current and future firmwares will be able to launch CFW through this exploit on the old hardware revision.
Any console purchased after approximately August 2018 is likely to be patched. This includes the latest units on shelves, referred to as 'red box' or 'Mariko'. Mariko is hardware patched, but may come on a vulnerable firmware. Currently the only way to know if your Switch is hackable is by trying to send the payload in RCM. Even with this exploit fixed, many Switch consoles on 8.0.1 and below will be hackable to some degree in the future (see Should I update my Firmware? for much more detailed information). The serial number on the back of the box can possibly tell you which consoles are patched and which aren't. See here for an up to date list.
"},{"location":"faq/#how-do-i-use-fusee-gelee-how-can-i-boot-into-rcm","title":"How do I use fusee-gelee? How can I boot into RCM?","text":"To launch CFW through the fusee-gelee, the Switch needs to be in \"ReCovery Mode\"(RCM). The easiest way to enter RCM is by grounding pin 10 in the right joycon rail and holding VOL+ on boot. Several methods and designs to do this exist, see our guide for more information. Once the Switch is in RCM it needs to be connected to either a computer, phone or dongle to send the exploit and the payload.
This procedure needs to happen every time the Switch boots from a completely \"off\" state, otherwise the Switch will boot into the stock firmware.
"},{"location":"faq/#what-makes-a-good-jig-good-can-i-use-a-paperclip","title":"What makes a good jig good? Can I use a paperclip?","text":"Most people prefer to use 3d-printed jigs to enter RCM. These jigs are made in a way that they slide into the right joycon rail and have a piece of connected wire that then bridges pin 10 and one of the grounded pins on the Switch. A lot of different designs for these jigs exist, but it is important to understand, that these jigs can damage the Switch if they are made in a bad way.
Since the wire in the jig is supposed to touch the pads inside the Switch's joycon rail, it is important to use wire that is thin, not rigid and bent/not pointy. Paperclips make for potentially dangerous jigs, as they are made out of a hard material, are rigid and pointy and can easily scratch off the pads inside the Switch. A good jig uses 32Gauge(0.2mm diameter) wire and is bent in a way that the end of the wire does not scratch the pads. You can download and 3d-print your own jig and use the pictures on this website to guide you on how to bend the wire correctly. Premade jigs can be found on online marketplaces for cheap.
"},{"location":"faq/#is-there-an-easier-way-to-enter-rcm","title":"Is there an easier way to enter RCM?","text":"To enter RCM more comfortably a solution called \"AutoRCM\" exists. Once set up, this method will always boot the Switch into RCM, even without a jig or holding any buttons. This works by \"bricking\" the Switch in a controlled manner. The Switch detects that something is wrong and boots into RCM to get repaired. The big downside of this method is, that it is impossible to boot the Switch without a computer, phone or dongle, as it will never boot into stock firmware by itself, and that it requires an SD card with the proper CFW files on it at all times. In addition, if the battery of the Switch is completely drained, the Switch will need to charge to at least 10% in Hekate before launching Atmosphere, otherwise the Switch will refuse to boot due to the low battery. Charging in RCM is not recommended as this is very slow. AutoRCM can be reversed, but it is advised to keep a working NAND and BOOT0/1 backup before using it.
Many Android-phones are able to send the exploit to the Switch, making them a perfect portable way to launch CFW. Different designs for portable dongles exist, ranging from Raspberry Pi Zero and Arduino projects to internal dongles, that work completely autonomous. The latter should only be done by advanced users, as it requires soldering onto the Switch mainboard itself.
"},{"location":"faq/#should-i-update-my-firmware","title":"Should I update my Firmware?","text":"If your Switch is one of the new hardware revisions that patched the exploit in RCM and you are on firmware 7.0.1 or lower, you should not update if you want to have CFW in the forseeable future.
If your Switch is one of the older hardware revisions and you don't mind having to use jigs/hardmods/AutoRCM and sending the exploit via computer, phone or dongle everytime you want to launch into CFW then it is completely safe to update. If you want the chance to maybe, one day, not have to use a external device, then it is recommended to stay on a FW as low as possible. Beware that this means that you potentially need to wait for a very long time (months to years) for this to happen, if ever. Private exploits to launch CFW over the Browser are known to exist for firmwares up to 7.0.1.
Downgrading on the Switch is possible, but it requires using AutoRCM and a custom bootloader payload to bypass the Switch's several hardware anti-downgrade mechanisms. This will not work on an unpatched system, and is practically useless for most users. On every boot the Switch firmware checks how many e-fuses have been burned and how many e-fuses the Switch expects to be burned. Major updates to the Switch, or updates in which a large vulnerability has been patched, irreversibly burn one of the Switch's 64 \"e-fuses\". If the Switch ever detects that more e-fuses have been burned than expected (meaning a downgrade happened), it will refuse to boot. Replacing e-fuses is not an option. You can find more information about fuses here Atmosph\u00e8reis maintained to support the latest firmware updates on unpatched units. The situation for patched and new units is as follows:
\"Old\" Patched Switch (HAC-001): Do NOT update past 7.0.1. Units on 7.0.1 and below will eventually get CFW. Patched units that have upgraded to 8.0.0 or 8.0.1 will likely get homebrew.
\"New\" Switch (HAC-001(-01): Do NOT update past 8.0.1. Units on 8.0.1 and below will likely get homebrew. Units on 8.1.0 and higher are not expected to be hacked and can be updated.
Switch Lite (HDH-001): Do NOT update past 8.0.1. Units on 8.0.1 and below will likely get homebrew. Units on 8.1.0 and higher are not expected to be hacked and can be updated.
A method to update without burning e-fuses exists, but, like downgrading, it forces you to use AutoRCM and sending the exploit via USB every time, as booting into the stock firmware even once would instantly burn the e-fuse. Note that other anti-downgrade mechanisms exist, making it for example impossible to boot game carts on a firmware below 4.1/9.0.0 if the Switch has ever launched a game on firmware 4.1+/9.0.0+. This can only be worked around by completely disabling the game cart slot while on 4.1/9.0.0 or greater, which is similarly impractical for most users.
"},{"location":"faq/#is-it-safe-to-use-homebrew-will-i-get-banned","title":"Is it safe to use homebrew? Will I get banned?","text":"The Switch comes with a lot of telemetry, and has been called a \"telemetry monster\" by several prominent developers. As long as the Switch is connected to the internet, Nintendo gets a report about a lot of different actions and states and has the option to log or act on them. Even if the Switch is offline and connects to the internet at a later point, Nintendo still recieves information about what happened while the Switch was disconnected.
To disable some of this telemetry, it is advised to disable the sending of error reports in the System Settings of the Switch. Additionally if you live in the EU you can set the \"do not share\" option on Nintendo's website to prevent your Switch from sending a lot of telemetry, although the effectiveness of this is questionable.
Nintendo still receives a lot of information, even with those options disabled. We also cannot know if Nintendo decides to look for something in the logs and ban people in retrospect. They have also shown to expand their telemetry options with every other firmware update.
Currently all bans have been for very obvious and intrusive actions, specifically:
Atmosph\u00e8re stops some, but not all of Nintendo's telemetry, and prevents crash reports from being sent. This means Nintendo can't tell if anything, including homebrew or modded games crashed, and Atmosph\u00e8re dumps the crash log to the microSD card to help homebrew developers. However, Nintendo still receives information about what is being played, and general system report information.
Atmosph\u00e8re is not a silver bullet, and this does not mean that Nintendo won't decide to ban people for harmless homebrew in the future. If you are scared to get banned then don't use homebrew for now. Atmosph\u00e8re now supports emuMMC (emuNAND): a copy of Switch system software, run entirely from the microSD card instead. This erases ban risks due to the fact that emuMMC is run in a quarantined, offline state, not touching the internal memory. You are still able to boot into original firmware to play online.
For patched units reliant on deja-vu, sysNAND will always have to be on a firmware below 4.1. For Switch versions from 5.0 to 7.0.1 deja-vu isn't quite out yet but will come eventually. (Also please note that firmwares 8.0.0+ will never work with deja-vu) You can use an updated emuMMC dedicated to online/clean play, while your sysNAND is used offline for custom firmware.
We do not recommend the use of ReiNX or SX OS for many reasons, primary among them that they use lots of assets from Atmosph\u00e8re and offer no real benefit that Atmosph\u00e8re does not offer anyway. We also do not recommend Kosmos, as its large amount of extras on top of regular Atmosph\u00e8re make it difficult to troubleshoot strange issues. All of these alternative CFWs also tend to use non-conventional setups which can cause issues that make it difficult to troubleshoot, which is another reason we prefer using Atmosphere. Additionally, it is advised to use 90DNS which blocks connections to any Nintendo servers. If you use an emuNAND for CFW and keep your sysNAND clean for playing online, you should use 90DNS on your emuNAND. Note: Keeping your emuNAND \"dirty\" and your sysNAND \"clean\" pertains primarily to those using the RCM exploit. Users employing Nereba or Caffeine will do the opposite.
"},{"location":"faq/#what-formats-can-homebrew-come-in","title":"What formats can homebrew come in","text":"Homebrew can come in two different formats, namely in nro
files and in bin
files.
nro
Files are placed in the switch
folder on your microSD card and can be launched using the Homebrew menu.bin
This format is used as a payload and is to be pushed in RCM using a payload launcher like tegrarcmgui on windows and fusee-interfacee-tk on other operating systems.Homebrew risks Be careful with launching downloaded homebrew! If you don't know the source, it's best not to launch it. Homebrew can potentially damage your system! Atmosph\u00e8re provides protections against common bricking methods, but these are not guaranteed to always work!
"},{"location":"faq/#what-microsd-cardformat-should-i-use","title":"What microSD card/format should I use?","text":"microSD cards that are 32GB or smaller can be used for homebrew, but are not recommended as these will not permit you to have a full NAND dump and/or an emuMMC on them.
The recommended microSD card size is 128GB. This will permit you to make a full NAND dump as well as having enough space to run an emuNAND in the future while also having adequate space for homebrew.
The recommended filesystem format is FAT32. While the Switch supports exFAT through an additional update from Nintendo, this filesystem is prone to corruption and as a result is not advisable.
"},{"location":"faq/#fake-microsd-cards","title":"Fake microSD cards","text":"Do not buy microSD cards from sites like eBay. These microSD cards are often fake and do not have the advertised amount of storage and will result in data corruption if used. Amazon has had some problems with fake microSD cards, so we recommend buying them at a physical store. Even on trustworthy sites, always, always check reviews on a product before buying!!
If you suspect your microSD card is fake or damaged, see the instructions here to verify the integrity of your microSD card.
"},{"location":"faq/#my-homebrew-apps-are-not-showing-up-in-the-homebrew-menu","title":"My Homebrew apps are not showing up in the Homebrew menu!","text":"This is an issue primarily affecting macOS users, but may occur on other devices as well. If you are able to launch the homebrew menu, but you are not seeing some or any of your Homebrew apps, you may need to unset the archive bit with Hekate.
Tools
on the top menu bar.Arch Bit \u2022 AutoRCM \u2022 Touch \u2022 Pkg1/2
.Fix Archive bit
- this might take a while.Close
in the top right corner.Home
in the top menu bar to get back from where you started.This report documents Fus\u00e9e Gel\u00e9e, a coldboot vulnerability that allows full, unauthenticated arbitrary code execution from an early bootROM context via Tegra Recovery Mode (RCM) on NVIDIA's Tegra line of embedded processors. As this vulnerability allows arbitrary code execution on the Boot and Power Management Processor (BPMP) before any lock-outs take effect, this vulnerability compromises the entire root-of-trust for each processor, and allows exfiltration of secrets e.g. burned into device fuses.
Quick vitals: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Reporter: Katherine Temkin (@ktemkin) Affiliation: ReSwitched (https://reswitched.tech) E-mail: k@ktemkin.com Affects: Tegra SoCs, independent of software stack Versions: believed to affect Tegra SoCs released prior to the T186 / X2 Impact: early bootROM code execution with no software requirements, which can lead to full compromise of on-device secrets where USB access is possible Disclosure public disclosure planned for June 15th, 2018"},{"location":"fusee_gelee/#vulnerability-summary","title":"Vulnerability Summary","text":"The USB software stack provided inside the boot instruction rom (IROM/bootROM) contains a copy operation whose length can be controlled by an attacker. By carefully constructing a USB control request, an attacker can leverage this vulnerability to copy the contents of an attacker-controlled buffer over the active execution stack, gaining control of the Boot and Power Management processor (BPMP) before any lock-outs or privilege reductions occur. This execution can then be used to exfiltrate secrets and to load arbitrary code onto the main CPU Complex (CCPLEX) \"application processors\" at the highest possible level of privilege (typically as the TrustZone Secure Monitor at PL3/EL3).
"},{"location":"fusee_gelee/#public-disclosure-notice","title":"Public Disclosure Notice","text":"This vulnerability is notable due to the significant number and variety of devices affected, the severity of the issue, and the immutability of the relevant code on devices already delivered to end users. This vulnerability report is provided as a courtesy to help aid remediation efforts, guide communication, and minimize impact to users.
As other groups appear to have this or an equivalent exploit-- including a group who claims they will be selling access to an implementation of such an exploit-- it is the author and the ReSwitched team's belief that prompt public disclosure best serves the public interest. By minimizing the information asymmetry between the general public and exploit-holders and notifying the public, users will be able to best assess how this vulnerability impacts their personal threat models.
Accordingly, ReSwitched anticipates public disclosure of this vulnerability: * If another group releases an implementation of the identified vulnerability; or * On June 15th, 2018, whichever comes first.
"},{"location":"fusee_gelee/#vulnerability-details","title":"Vulnerability Details","text":"The core of the Tegra boot process is approximated by the following block of pseudo-code, as obtained by reverse-engineering an IROM extracted from a vulnerable T210 system:
// If this is a warmboot (from \"sleep\"), restore the saved state from RAM.\nif (read_scratch0_bit(1)) {\n restore_warmboot_image(&load_addr);\n}\n// Otherwise, bootstrap the processor.\nelse\n{\n // Allow recovery mode to be forced by a PMC scratch bit or physical straps.\n force_recovery = check_for_rcm_straps() || read_scratch0_bit(2);\n\n // Determine whether to use USB2 or USB3 for RCM.\n determine_rcm_usb_version(&usb_version);\n usb_ops = set_up_usb_ops(usb_version);\n usb_ops->initialize();\n\n // If we're not forcing recovery, attempt to load an image from boot media.\n if (!force_recovery)\n {\n // If we succeeded, don't fall back into recovery mode.\n if (read_boot_configuration_and_images(&load_addr) == SUCCESS) {\n goto boot_complete;\n }\n }\n\n // In all other conditions\n if (read_boot_images_via_usb_rcm(<snip>, &load_addr) != SUCCESS) {\n /* load address is poisoned here */\n }\n}\n\nboot_complete:\n /* apply lock-outs, and boot the program at address load_address */\n
Tegra processors include a USB Recovery Mode (RCM), which we can observe to be activated under a number of conditions: * If the processor fails to find a valid Boot Control Table (BCT) + bootloader on its boot media; * If processor straps are pulled to a particular value e.g. by holding a button combination; or * If the processor is rebooted after a particular value is written into a power management controller scratch register.
USB recovery mode is present in all devices, including devices that have been production secured. To ensure that USB recovery mode does not allow unauthenticated communications, RCM requires all recovery commands be signed using either RSA or via AES-CMAC.
The bootloader's implementation of the Tegra RCM protocol is simple, and exists to allow loading a small piece of code (called the miniloader or applet) into the bootloader's local Instruction RAM (IRAM). In a typical application, this applet is nvtboot-recovery
, a stub which allows further USB communications to bootstrap a system or to allow system provisioning.
The RCM process is approximated by the following pseudo-code, again obtained via reverse engineering a dumped IROM from a T210:
// Significantly simplified for clarity, with error checking omitted where unimportant.\nwhile (1) {\n // Repeatedly handle USB standard events on the control endpoint EP0.\n usb_ops->handle_control_requests(current_dma_buffer);\n\n // Try to send the device ID over the main USB data pipe until we succeed.\n if ( rcm_send_device_id() == USB_NOT_CONFIGURED ) {\n usb_initialized = 0;\n }\n // Once we've made a USB connection, accept RCM commands on EP1.\n else {\n usb_initialized = 1;\n\n // Read a full RCM command and any associated payload into a global buffer.\n // (Error checking omitted for brevity.)\n rcm_read_command_and_payload();\n\n // Validate the received RCM command; e.g. by checking for signatures\n // in RSA or AES_CMAC mode, or by trivially succeeding if we're not in\n // a secure mode.\n rc = rcm_validate_command();\n if (rc != VALIDATION_PASS) {\n return rc;\n }\n\n // Handle the received and validated command.\n // For a \"load miniloader\" command, this sanity checks the (validated)\n // miniloader image and takes steps to prevent re-use of signed data not\n // intended to be used as an RCM command.\n rcm_handle_command_complete(...);\n }\n}\n
It is important to note that a full RCM command and its associated payload are read into 1) a global buffer, and 2) the target load address, respectively, before any signature checking is done. This effectively grants the attacker a narrow window in which they control a large region of unvalidated memory.
The largest vulnerability surface area occurs in the rcm_read_command_and_payload
function, which accepts the RCM command and payload packets via a USB bulk endpoint. For our purposes, this endpoint is essentially a simple pipe for conveyance of blocks of binary data separate from standard USB communications.
The rcm_read_command_and_payload
function actually contains several issues-- of which exactly one is known to be exploitable:
uint32_t total_rxd = 0;\nuint32_t total_to_rx = 0x400;\n\n// Loop until we've received our full command and payload.\nwhile (total_rxd < total_to_rx) {\n // Switch between two DMA buffers, so the USB is never DMA'ing into the same\n // buffer that we're processing.\n active_buffer = next_buffer;\n next_buffer = switch_dma_buffers();\n\n // Start a USB DMA transaction on the RCM bulk endpoint, which will hopefully\n // receive data from the host in the background as we copy.\n usb_ops->start_nonblocking_bulk_read(active_buffer, 0x1000);\n\n // If we're in the first 680-bytes we're receiving, this is part of the RCM\n // command, and we should read it into the command buffer.\n if ( total_rxd < 680 ) {\n /* copy data from the DMA buffer into the RCM command buffer until we've\n read a full 680-byte RCM command */\n\n // Once we've received the first four bytes of the RCM command,\n // use that to figure out how much data should be received.\n if ( total_rxd >= 4 )\n {\n // validate:\n // -- the command won't exceed our total RAM\n // (680 here, 0x30000 in upper IRAM)\n // -- the command is >= 0x400 bytes\n // -- the size ends in 8\n if ( rcm_command_buffer[0] >= 0x302A8u\n || rcm_command_buffer[0] < 0x400u\n || (rcm_command_buffer[0] & 0xF) != 8 ) {\n return ERROR_INVALID_SIZE;\n } else {\n left_to_rx = *((uint32_t *)rcm_command_buffer);\n }\n }\n }\n\n /* copy any data _past_ the command into a separate payload\n buffer at 0x40010000 */\n /* -code omitted for brevity - */\n\n // Wait for the DMA transaction to complete.\n // [This is, again, simplified to convey concepts.]\n while(!usb_ops->bulk_read_complete()) {\n\n // While we're blocking, it's still important that we respond to standard\n // USB packets on the control endpoint, so do that here.\n usb_ops->handle_control_requests(next_buffer);\n }\n}\n
Astute readers will notice an issue unrelated to the Fus\u00e9e Gel\u00e9e exploit: this code fails to properly ensure DMA buffers are being used exclusively for a single operation. This results in an interesting race condition in which a DMA buffer can be simultaneously used to handle a control request and a RCM bulk transfer. This can break the flow of RCM, but as both operations contain untrusted data, this issue poses no security risk.
To find the actual vulnerability, we must delve deeper, into the code that handles standard USB control requests. The core of this code is responsible for responding to USB control requests. A control request is initiated when the host sends a setup packet, of the following form:
Field \u00a0 \u00a0 \u00a0 \u00a0 Size \u00a0 \u00a0 Description direction 1b if '1', the device should respond with data type 2b specifies whether this request is of a standard type or not recipient 5b encodes the context in which this request should be considered; for example, is this about aDEVICE
or about an ENDPOINT
? request 8b specifies the request number value 16b argument to the request index 16b argument to the request length 16b specifies the maximum amount of data to be transferred As an example, the host can request the status of a device by issuing a GET_STATUS
request, at which point the device would be expected to respond with a short setup packet. Of particular note is the length
field of the request, which should limit -- but not exclusively determine-- the maximum amount of data that should be included in the response. Per the specification, the device should respond with either the amount of data specified or the amount of data available, whichever is less.
The bootloader's implementation of this behavior is conceptually implemented as follows:
// Temporary, automatic variables, located on the stack.\nuint16_t status;\nvoid *data_to_tx;\n\n// The amount of data available to transmit.\nuint16_t size_to_tx = 0;\n\n // The amount of data the USB host requested.\nuint16_t length_read = setup_packet.length;\n\n/* Lots of handler cases have omitted for brevity. */\n\n// Handle GET_STATUS requests.\nif (setup_packet.request == REQUEST_GET_STATUS)\n{\n // If this is asking for the DEVICE's status, respond accordingly.\n if(setup_packet.recipient == RECIPIENT_DEVICE) {\n status = get_usb_device_status();\n size_to_tx = sizeof(status);\n }\n // Otherwise, respond with the ENDPOINT status.\n else if (setup_packet.recipient == RECIPIENT_ENDPOINT){\n status = get_usb_endpoint_status(setup_packet.index);\n size_to_tx = length_read; // <-- This is a critical error!\n }\n else {\n /* ... */\n }\n\n // Send the status value, which we'll copy from the stack variable 'status'.\n data_to_tx = &status;\n}\n\n// Copy the data we have into our DMA buffer for transmission.\n// For a GET_STATUS request, this copies data from the stack into our DMA buffer.\nmemcpy(dma_buffer, data_to_tx, size_to_tx);\n\n// If the host requested less data than we have, only send the amount requested.\n// This effectively selects min(size_to_tx, length_read).\nif (length_read < size_to_tx) {\n size_to_tx = length_read;\n}\n\n// Transmit the response we've constructed back to the host.\nrespond_to_control_request(dma_buffer, length_to_send);\n
In most cases, the handler correctly limits the length of the transmitted responses to the amount it has available, per the USB specification. However, in a few notable cases, the length is incorrectly always set to the amount requested by the host: * When issuing a GET_CONFIGURATION
request with a DEVICE
recipient. * When issuing a GET_INTERFACE
request with a INTERFACE
recipient. * When issuing a GET_STATUS
request with a ENDPOINT
recipient.
This is a critical security error, as the host can request up to 65,535 bytes per control request. In cases where this is loaded directly into size_to_tx
, this value directly sets the extent of the memcpy
that follows-- and thus can copy up to 65,535 bytes into the currently selected dma_buffer
. As the DMA buffers used for the USB stack are each comparatively short, this can result in a very significant buffer overflow.
To validate that the vulnerability is present on a given device, one can try issuing an oversized request and watch as the device responds. Pictured below is the response generated when sending a oversized GET_STATUS
control request with an ENDPOINT
recipient to a T124:
A compliant device should generate a two-byte response to a GET_STATUS
request-- but the affected Tegra responds with significantly longer response. This is a clear indication that we've run into the vulnerability described above.
To really understand the impact of this vulnerability, it helps to understand the memory layout used by the bootROM. For our proof-of-concept, we'll consider the layout used by the T210 variant of the affected bootROM:
The major memory regions relevant to this vulnerability are as follows: * The bootROM's execution stack grows downward from 0x40010000
; so the execution stack is located in the memory immediately preceding that address. * The DMA buffers used for USB are located at 0x40005000
and 0x40009000
, respectively. Because the USB stack alternates between these two buffers once per USB transfer, the host effectively can control which DMA buffer is in use by sending USB transfers. * Once the bootloader's RCM code receives a 680-byte command, it begins to store received data in a section of upper IRAM located at address 0x40010000
, and can store up to 0x30000
bytes of payload. This address is notable, as it is immediately past the end of the active execution stack.
Of particular note is the adjacency of the bootROM's execution stack and the attacker-controlled RCM payload. Consider the behavior of the previous pseudo-code segment on receipt of a GET_STATUS
request to the ENDPOINT
with an excessive length. The resulting memcpy: * copies up to 65,535 bytes total; * sources data from a region starting at the status variable on the stack and extending significantly past the stack -- effectively copying mostly from the attacker-controllable RCM payload buffer * targets a buffer starting either 0x40005000
or 0x40009000
, at the attacker's discretion, reaching addresses of up to 0x40014fff
or 0x40018fff
This is a powerful copy primitive, as it copies from attacker controlled memory and into a region that includes the entire execution stack:
This would be a powerful exploit on any platform; but this is a particularly devastating attack in the bootROM environment, which does not: * Use common attack mitigations such as stack canaries, ostensibly to reduce complexity and save limited IRAM and IROM space. * Apply memory protections, so the entire stack and all attacker controlled buffers can be read from, written to, and executed from. * Employ typical 'application-processor' mitigation strategies such as ASLR.
Accordingly, we now have: 1. The capability to load arbitrary payloads into memory via RCM, as RCM only validates command signatures once payload receipt is complete. 2. The ability to copy attacker-controlled values over the execution stack, overwriting return addresses and redirecting execution to a location of our choice.
Together, these two abilities give us a full arbitrary-code execution exploit at a critical point in the Tegra's start-up process. As control flow is hijacked before return from read_boot_images_via_usb_rcm
, none of the \"lock-out\" operations that precede normal startup are executed. This means, for example, that the T210 fuses-- and the keydata stored within them-- are accessible from the attack payload, and the bootROM is not yet protected.
The Fus\u00e9e Launcher PoC exploits the vulnerability described on the T210 via a careful sequence of interactions: 1. The device is started in RCM mode. Device specifics will differ, but this is often via a key-combination held on startup. 2. A host computer is allowed to enumerate the RCM device normally. 3. The host reads the RCM device's ID by reading 16 bytes from the EP1 IN. 4. The host builds an exploit payload, which is comprised of: 1. An RCM command that includes a maximum length, ensuring that we can send as much payload as possible without completing receipt of the RCM payload. Only the length of this command is used prior to validation; so we can submit an RCM command that starts with a maximum length of 0x30298, but which fills the remaining 676 bytes of the RCM command with any value. 2. A set of values with which to overwrite the stack. As stack return address locations vary across the series, it's recommended that a large block composed of a single entry-point address be repeated a significant number of times, so one can effectively replace the entire stack with that address. 3. The program to be executed (\"final payload\") is appended, ensuring that its position in the binary matches the entry-point from the previous step. 4. The payload is padded to be evenly divisible by the 0x1000 block size to ensure the active block is not overwritten by the \"DMA dual-use\" bug described above. 5. The exploit payload is sent to the device over EP1 OUT, tracking the number of 0x1000-byte \"blocks\" that have been sent to the device. If this number is even, the next write will be issued to the lower DMA buffer (0x40005000
); otherwise, it will be issued to the upper DMA buffer (0x40009000
). 6. If the next write would target the lower DMA buffer, issue another write of a full 0x1000 bytes to move the target to the upper DMA buffer, reducing the total amount of data to be copied. 7. Trigger the vulnerable memcpy by sending a GET_STATUS
IN
control request with an ENDPOINT
recipient, and a length long enough to smash the desired stack region, and preferably not longer than required.
A simple host program that triggers this vulnerability is included with this report: see fusee-launcher.py
. Note the restrictions on its function in the following section.
Included with this report is a set of three files: * fusee-launcher.py
-- The main proof-of-concept accompanying this report. This python script is designed to launch a simple binary payload in the described bootROM context via the exploit. * intermezzo.bin
-- This small stub is designed to relocate a payload from a higher load address to the standard RCM load address of 0x40010000
. This allows standard RCM payloads (such as nvtboot-recover.bin
) to be executed. * fusee.bin
-- An example payload for the Nintendo Switch, a representative and well-secured device based on a T210. This payload will print information from the device's fuses and protected IROM to the display, demonstrating that early bootROM execution has been achieved.
Support note: Many host-OS driver stacks are reluctant to issue unreasonably large control requests. Accordingly, the current proof-of-concept includes code designed to work in the following environments: * 64-bit linux via xhci_hcd
. The proof-of-concept can manually submit large control requests, but does not work with the common ehci_hcd
drivers due to driver limitations. A rough rule of thumb is that a connection via a blue / USB3 SuperSpeed port will almost always be handled by xhci_hcd
. * macOS. The exploit works out of the box with no surprises or restrictions on modern macOS.
Windows support would require addition of a custom kernel module, and thus was beyond the scope of a simple proof-of-concept.
To use this proof-of-concept on a Nintendo Switch: 1. Set up an Linux or macOS environment that meets the criteria above, and which has a working python3
and pyusb
as well as libusb
installed. 2. Connect the Switch to your host PC with a USB A -> USB C cable. 3. Boot the Switch in RCM mode. There are three ways to do this, but the first-- unseating its eMMC board-- is likely the most straightforward: 1. Ensure the Switch cannot boot off its eMMC. The most straightforward way to to this is to open the back cover and remove the socketed eMMC board; corrupting the BCT or bootloader on the eMMC boot partition would also work. 2. Trigger the RCM straps. Hold VOL_UP and short pin 10 on the right JoyCon connector to ground while engaging the power button. 3. Set bit 2 of PMC scratch register zero. On modern firmwares, this requires EL3 or pre-sleep BPMP execution. 4. Run the fusee-launcher.py
with an argument of fusee.bin
. (This requires intermezzo.bin
to be located in the same folder as fusee-launcher.py
.)
```\nsudo python3 ./fusee-launcher.py fusee.bin\n```\n
If everything functions correctly, your Switch should be displaying a collection of fuse and protected-IROM information:
"},{"location":"fusee_gelee/#recommended-mitigations","title":"Recommended Mitigations","text":"In this case, the recommended mitigation is to correct the USB control request handler such that it always correctly constrains the length to be transmitted. This has to be handled according to the type of device:
It seems likely that OEMs producing T210-based devices may move to T214 solutions; it is the hope of the author that the T214's bootROM shares immunity with the T186. If not, patching the above is a recommended modification to the mask ROM and/or ipatches of the T214, as well.
"},{"location":"extras/","title":"Extras","text":"Several extra guides that are not required for basic usage can be found here.
They are listed in the sidebar as well.
"},{"location":"extras/#commonly-used-guides","title":"Commonly used guides:","text":"This section details how to add an udev
rule to let you send a payload to your Switch without needing to use sudo
.
The following instructions only work if you have a system that implements udev
. Most modern distros come with systemd
already installed, which includes a udev
implementation.
Do the following instructions while your Switch is not connected to your computer.
For Arch Linux users:
The package android-udev
includes rules that will also allow for payload injection to work without root. Do note this also allows Android specific commands such as adb
and fastboot
to also work without root (as is the intention of it.)
"},{"location":"extras/adding_udev/#option-1-manually-adding-rules-and-group","title":"Option 1: Manually adding rules and group","text":"
The following instructions are not for beginners. Only do this if you understand what you are doing.
"},{"location":"extras/adding_udev/#creating-a-new-group","title":"Creating a new group","text":"To start, we will create a new group and add ourselves to it. The group the Nintendo Switch device will be owned by on Linux will be set to this group.
sudo groupadd nintendo_switch
.sudo usermod -a -G nintendo_switch $USER
. Make sure that the G
is capitalized!Next we're gonna add a new udev
rule. udev
is a device manager for the linux kernel. The rule we're gonna specify is that if the Switch is connected in RCM
, the group the Switch belongs to will be the group we made in the previous section.
sudo -i
. Enter your password when prompted.mkdir -p /etc/udev/rules.d
.echo 'SUBSYSTEMS==\"usb\", ATTRS{manufacturer}==\"NVIDIA Corp.\", ATTRS{product}==\"APX\", GROUP=\"nintendo_switch\"' > /etc/udev/rules.d/10-switch.rules
.udevadm control --reload
.udevadm trigger
.You should now be able to run the payload sender without having to use sudo
.
"},{"location":"extras/adding_udev/#option-2-installing-a-package-with-the-rules","title":"Option 2: Installing a package with the rules","text":"
These rules will actually allow ANY user to access your Switch via USB, not only your user.
You may just follow the instructions at nx-udev, or if you're on Ubuntu / Debian:
sudo dpkg -i nx-udev_latest_all.deb
to install the packageYou should now be able to run the payload injector and homebrew with USB communication without having to use sudo
.
If you need to troubleshoot something, or need to try a different boot setup, read on.
Do I need any of these?
Unless you are experiencing problems with booting or Atmosph\u00e8re itself, it's strongly recommended to use the main guide instead of these. They are provided for the sake of completeness.
"},{"location":"extras/alternate_bootsetups/#chainloading-fusee-from-hekate","title":"Chainloading Fusee from Hekate","text":"
fusee.bin
.zip
file to the root of your microSD card.bootloader
folder from the Hekate .zip
file to the root of your microSD card.fusee.bin
to the sd:/bootloader/payloads
folder on your microSD card.payload.bin
(Modchipped Switch users).Payloads
> fusee.bin
.fusee
uses a set boot order that is not as easily configurable as Hekate. Its boot order is emuMMC
> sysCFW
> stock
. If an emuMMC isn't present, it will boot into sysCFW for example. Make sure you have a method of blocking Nintendo's servers set up (such as DNS-MITM) if you do use fusee
and have an emuMMC
.This method will not work for Modchipped Switch users.
fusee.bin
.zip
file to the root of your microSD card.fusee.bin
payload.fusee
uses a set boot order that is not as easily configurable as Hekate. Its boot order is emuMMC
> sysCFW
> stock
. If an emuMMC isn't present, it will boot into sysCFW for example. Make sure you have a method of blocking Nintendo's servers set up (such as DNS-MITM) if you do use fusee
and have an emuMMC
.AutoRCM causes the console to believe it is bricked, and will automatically launch RCM upon boot for recovery purposes, without needing a jig. As RCM is a recovery mode from repair specialists, this is an intended feature from the device developer, though is also considered a softbrick. If you aren't careful, misuse of AutoRCM can lead to real damage, especially with units that cannot inject custom RCM payloads (like Mariko hardware). Please take care when using it. Please keep in mind that the console can no longer boot on its own, so you'll need a PC, phone, or other payload injector to start the console after a coldboot.
If you don't have a BOOT0/1 backup yet...
You really want to kill your console, huh? If you haven't made a BOOT0/1 backup yet, it is recommended to make one right now.
Tools
, and select Backup eMMC
eMMC BOOT0 & BOOT1
and let the process complete.There are some disadvantages you should consider before installing AutoRCM:
AutoRCM can be used for good as well:
Other information...
If, despite all of the information above, you still wish to enable AutoRCM, and understand the risks, do the following:
Tools
Arch Bit \u2022 AutoRCM \u2022 Touch \u2022 Pkg1/2
AutoRCM
. It will show a little ON
next to the option once you have done this.AutoRCM
option is set to OFF
.This page will help you set up a method to block all communication with Nintendo. This will stop any updates and reporting to Nintendo, but it will prevent use of the eShop and online games.
"},{"location":"extras/blocking_nintendo/#instructions-ams-dns-redirection","title":"Instructions (AMS DNS redirection)","text":"You can configure Atmosph\u00e8re to automatically redirect any requests directed to Nintendo to nothing instead. Documentation about this feature can be found here. The section below will help you set up DNS redirection on your emummc. Note that this will only apply when you are using cfw.
"},{"location":"extras/blocking_nintendo/#what-you-need","title":"What you need:","text":"payload.bin
on the root of your SD.Tools
> USB Tools
> SD Card
and plug your Switch into your PC via USB.atmosphere
folder.hosts
in the atmosphere
folder.sd:/atmosphere/hosts
directory.emummc.txt
file into the hosts folder.sysmmc.txt
UMS
device safely from within your computer's operating system and boot into CFW.Verify functionality
You can verify the functionality of the DNS redirection by booting into emummc (or sysmmc if you applied the config to sys), and powering off after.
A report will be generated in sd:/atmosphere/logs
called dns_mitm_startup.log
. If this starts with the following, the dns redirection is active
"},{"location":"extras/blocking_nintendo/#instructions-90dns","title":"Instructions (90DNS)","text":"
You can add a custom DNS to your WiFi connection that will block all communication with Nintendo's servers. We will be using 90DNS, a community-run custom DNS server. If you prefer, you can run your own DNS server following the instructions on the GitLab repository.
Enter the console's System Settings, and then proceed to the Internet tab. From here:
"},{"location":"extras/blocking_nintendo/#setting-up-a-new-connection-via-wi-fi","title":"Setting up a new connection via Wi-Fi","text":"Open WiFi networks without a password
Not all WiFi networks require a password to connect. If your network does not use one, you can use the Manual Setup
option, located at the very bottom of the Internet Settings
screen below all other WiFi networks.
OK
.OK
to close the error message.Close
when it offers to display more details about the error.View Settings
.DNS Settings
to Manual
.Primary
and Secondary
DNS into your connection settings.Save the settings and test the connection.
Change Settings
.Save the settings and test the connection.
/switch
folder.90DNS Setter
.163.172.141.219
207.246.121.77
America (Server located in the USA) 207.246.121.77
163.172.141.219
Example for a 90DNS connection with the Europe settings:
"},{"location":"extras/blocking_nintendo/#testing-if-you-can-reach-nintendo","title":"Testing if you can reach Nintendo","text":""},{"location":"extras/blocking_nintendo/#testing-via-the-eshop-stock","title":"Testing via the eShop (Stock)","text":"
Switch_90DNS_tester.nro
in the switch
folder on your SD.nintendo
domain being blocked.LayeredFS, a tool built into Atmosphere, allows you to (temporarily) replace a game's assets with your own, modified assets as long as you're booted into CFW.
"},{"location":"extras/game_modding/#usage-instructions","title":"Usage instructions","text":"Check the section below to find your mod's folder/file structure, then install your mod accordingly.
Checking folder/file structures
If the mod solely includes a romfs
(and/or exefs
folder), you will need to place that folder inside of sd:/atmosphere/contents/<title_id>/
.
If the mod solely includes a contents
folder, you can simply copy that folder to sd:/atmosphere/
on your microSD card and merge folders if prompted.
If the mod has the complete folder structure set up (i.e. atmosphere/contents/<title_id>/romfs
), you can simply copy the atmosphere
folder (likely inside of a mod's .zip
file) to the root of your microSD card and merge folders if prompted.
Atmosphere 0.9.4 and below
Note: On Atmosph\u00e8re 0.9.4 and below, contents
is called titles
In the image below, you can see a Batman skin mod being used in The Legend of Zelda: Breath of the Wild. In this example, the title ID and mod installation directory would be sd:/atmosphere/contents/0100509005AF2000/
.
The romfs
folder contains modified assets in the way the game would normally read them. romfs
stands for \"romFileSystem\", which is quite literally what the filesystem (folder and file structure) of the game you're modding consists of internally.
If you want to disable mods on launch of a game, hold the L
button before launching the game and launch the game normally, L
is the default button to do this. This will disable all modifications (like cheats and mods) that you have configured for your game.
While most games only require Atmosphere's LayeredFS to enable game modding, there are some games that may require more specialized setup. For example:
Modding Super Smash Bros. requires ARCropolis and skyline, ARCropolis looks for mods in the sd:/ultimate/mods
directory on your microSD card.
Modding Breath of the Wild and Tears of the Kingdom with multiple mods requires the use of BCML or UKMM and TKMM respectively.
Animal Crossing: New Horizons requires some extra setup for mods to work. The folder that would normally be called romfs
has to be called romFs
and you'll need to create an empty file inside of atmosphere/contents/01006F8002326000/romFs/System/Resource/
called ResourceSizeTable.srsizetable
. More information on this can be found on the ac-modding website.
If your game crashes during launch, hold the L
button to see if disabling all modifications for your game solves the issue. If so, delete the most recently added mod(s) for your game.
Assuming you've followed the installation instructions successfully, this is probably due to the archive bit being set on one or more folders/files on your microSD card. This is usually the result of copying files to a microSD card via a Mac. If you are experiencing this issue, try running the archive bit fixer utility via Hekate for all files.
This can be done by booting into Hekate and going to Tools
> Arch bit \u2022 RCM Touch \u2022 Pkg1/2
> Fix Archive Bit
.
This section is dedicated to explaining a number of common terms that are used when hacking the Nintendo Switch as well as linking a number of resources that can help fledgling developers or curious users.
"},{"location":"extras/glossary/#hacking-terms","title":"Hacking terms","text":"The following list is in alphabetical order.
The resources below are for users and developers interested in developing Homebrew or for those that want to get a more technical understanding of the various concepts.
This page will detail the setup of Switchroot Android (Android 11) for the Nintendo Switch.
Have you partitioned your microSD card?
This page assumes that you've followed our guide to set up Atmosph\u00e8re. Before starting, your microSD card needs partitions for Android set up via Hekate. If you didn't do so, see this page to install Android alongside Atmosph\u00e8re. If you don't want to use Switch CFW and only Android, check the Official Switchroot Documentation instead. If you already have Android fully installed, do not follow this guide, as your current installation would be erased.
Looking for Android 10?
An unfortunate bug with clocking on Android 11 results in degraded performance for Erista (v1) units on Android 11. Android 10 installation is not covered here, but there is a guide on the Switchroot Wiki. However, Android 11 is the currently supported version and uses much more updated drivers.
Looking for Android 14?
Recently, Android 14 was released for the Switch. You can follow the official LineageOS guide to install Android 14.
The Switch lacks a cell modem; simply installing Android does not grant your Switch access to cell towers. This means, unlike most Android devices, you will not be able to make emergency phone calls, and you will still need Wi-Fi to access the Internet. You can, however, natively run Android programs and games.
This page will also not detail things such as rooting and overclocking; external links to these types of additions can be found in the Power User Guides section at the bottom of this page.
"},{"location":"extras/installing_android/#requirements","title":"Requirements:","text":"If you have official Joy-Con controllers, you can set up auto-pairing so undocking them seamlessly connects to the console regardless of what OS is running. To make this work, boot HOS, ensure both work undocked (pair them), then reboot to Hekate. Select Nyx Options
followed by Dump Joy-Con BT
. You should see \"Found 2 out of 2 Joy-Con pairing data!\"
Have a Switch Lite?
You should poke the dump button in Hekate anyway -- this will dump factory stick and IMU calibration for use in Android.
"},{"location":"extras/installing_android/#step-1-downloading-files","title":"Step 1: Downloading Files","text":"Download the latest .7z
release archive from the official Switchroot download site--choose nx-atv...
for Android TV (more console-like experience) or nx-tab...
for standard Android (a more standard Android tablet experience). Both are usable with controllers and docking, but only tab supports proper touch input.
If you prefer TWRP recovery...
...you can download twrp.img
from the extras folder.
Are you using a V1 or V2 Switch (standard models)?
These models have a poorly designed microSD card reader and repeated removals/reinsertions can eventually cause the reader to fail. Please use Hekate SD UMS to transfer files instead of removing the microSD card from your Switch!
Tools
> USB Tools
> SD Card
and plugging your Switch into your PC via USB.Extract the archive to the root of the microSD card (the FAT32 partition). The microSD card file structure should look more or less like this:
root\n|- bootloader\n| |- ini\n| | |- ...\n| |- payloads\n| | |- ...\n| |- res\n| | |- ...\n| |- sys\n| | |- ...\n|- Nintendo (if you use Horizon)\n| |- ...\n|- switchroot\n| |- android\n| | |- ...\n| |- install\n| | |- ...\n|- lineage-18.1-[date]-UNOFFICIAL-[device].zip\n
If you downloaded TWRP...
...you have to replace /switchroot/install/recovery.img
with twrp.img
. No need to rename the file, just swap it out.
Open the Hekate partition manager (located in Tools
> Partition SD Card
) and select Flash Android at the bottom of your screen. All three images should be found and successfully flashed. Select the option to reboot to recovery.
Once in recovery, select Factory Reset
followed by Format Data
. This does not delete anything here, but rather is used to prepare your data partitions for flashing. Ignore any errors that may appear. Return to the main menu and select Apply Update
followed by Select from SWITCH SD
. Find and select the lineage-18.1...
zip in the list, and wait for it to finish.
Did the zip fail to flash?
Your microSD card is probably bad... Take a look at Hekate's microSD card info, and consider buying a better card.
If you are using TWRP...
Good luck... TWRP is for advanced users; no user support will be provided. TWRP is provided for power users who have a specific need for it.
Once done, reboot the system when prompted -- Android is now installed!
"},{"location":"extras/installing_android/#post-install","title":"Post-Install","text":""},{"location":"extras/installing_android/#tips-and-tricks","title":"Tips and Tricks","text":"If Joy-Con autopairing has not kicked in, try a reboot. Sometimes the first boot doesn't pick up the addition.
To access recovery/TWRP: hold VOL+
on boot or reboot.
To access Hekate from Android: hold VOL-
on reboot.
To reboot back to Android: hold Power
for a few seconds and perform a standard reboot.
To return to Horizon (OFW/CFW
): power your Switch off fully, then boot into your desired mode.
To learn more about using the Switch Configuration App and overclocking, see the Switch Configuration App section. Furthermore, you can check out the INI guide as well.
"},{"location":"extras/installing_android/#need-help","title":"Need Help?","text":"Join the Switchroot Discord server.
This page was made in collaboration with makinbacon21
on Discord. See the collapsible section below for the Switchroot guide maintainers.
If you'd like, you can donate to the people who made this project possible using these links.
makinbacon (Android developer) https://paypal.me/makinbacon21
npjohnson (Android developer) https://paypal.me/nolenjohnson
CTCaer (Linux & Low level developer, Hekate maintainer) https://www.patreon.com/ctcaer
ave (Infrastructure & Hosting) https://patreon.com/aveao
Have you partitioned your microSD card?
This guide assumes that you've followed the NH-Server guide up until this point, your microSD card should be partitioned accordingly. If you didn't do so, see this page of our guide.
Linux 4 Switch is a sister project to Switchroot Android--it uses a similar kernel but provides a variety of Linux distributions.The available distributions at this time are:
Ubuntu Bionic (maintained by CTCaer, the primary dev of both the L4S kernel and hekate--this is the most stable and supported distro)
Ubuntu Jammy (maintained by theofficialgman, one of the primary devs of the L4T Megascript installer program)
Fedora 39 (maintained by azkali, a L4S kernel developer)
Lakka 5.x (maintained by gavin_darkglider, a L4S kernel developer and Lakka maintainer)
Looking for Arch?
Unfortunately, L4S Arch Linux is deprecated following an xorg ABI change that breaks compatibility with the Tegra210 BSP.
"},{"location":"extras/installing_linux/#the-installation","title":"The installation","text":"To install an L4S distribution, follow the official guide starting from 0. Linux Distributions.
This page was made in collaboration with makinbacon21
on Discord. See the collapsible section below for the L4S guide maintainers.
If you'd like, you can donate to the people who made this project possible using these links.
CTCaer (Linux & Low level developer, Hekate maintainer) https://www.patreon.com/ctcaer
Azkali (Linux & Low level developer) https://www.patreon.com/azkali
gavin_darkglider (Linux & Lakka developer) https://paypal.me/gavindarkglider
ave (Infrastructure & Hosting) https://patreon.com/aveao
Warning:
This will reset all of your saves, games, system version and other system settings back to the point of when you made the NAND backup. Keep this in mind, as you probably don't have to restore a NAND backup unless you have bricked your Switch or want to go back online safely after using CFW.
If you're going to restore an old NAND which will downgrade your firmware it's best to create a second NAND backup before restoring the first one in case something goes wrong.
rawnand.bin
(Combined or in 15 or 30 parts)BOOT0
and BOOT1
Before we start, check if you have a tree of folders called backup/[8 Character NAND id]/restore
on your microSD card.
If you don't see a backup or [8 Character NAND id] folder on your microSD card:
This means you do not have a nand backup, it is highly recommended you make one as soon as possible. Follow the steps below to make one.
Tools
> Backup eMMC
> eMMC BOOT0 & BOOT1
and let it do its thing.backup/[8 Character NAND id]/restore
folder on your microSD card. Continue with step 1 of the instructions below.payload.bin
on the root of your SD.Tools
> USB Tools
> SD Card
and plug your Switch into your PC via USB.rawnand.bin
(combined or in 15 or 30 parts), BOOT0
, and BOOT1
to the backup/[8 Character NAND id]/restore
folder on the microSD card.UMS
device safely from within your computer's operating system.Tools
> Restore eMMC
. Select Restore eMMC BOOT0 & BOOT1
. Wait for this process to complete.eMMC RAW GPP
and wait for the process to complete.If you're downgrading using your NAND backup
If the security version you were on before you performed the NAND restore is HIGHER than the NAND backup itself, you have to enable autoRCM to not get stuck in a boot crash.
A system update is considered a security version when a fuse is burned, you can check which versions burn fuses here.
If you were in AutoRCM before you upgraded to a newer security version (and still were after the upgrade) you don't have to do this.
Tools
and go to the bottom of the page where you will find a button called Archive bit - AutoRCM
AutoRCM
buttom and you will see ON
written next to it. This means it is enabled.There are currently multiple RCM payload injectors available from multiple different companies and individuals. These devices remove the need to use a computer or smartphone when hacking an unpatched Switch. Each injector has its own advantages and disadvantages, listed below:
Name Manufacturer RCM Jig Included? RCM Jig Storage? Standard Payload (.bin) Support? Payload on SD Support? Multi-Payload Support? Battery Life Recharge Time Price (USD) Misc Info AceNS (Old) Ace3DS Team \u2714\ufe0f \u274c \u2714\ufe0f \u274c \u2714\ufe0f N/A (Capacitors) 10 seconds $18.00\u200b (Discontinued) Not Recommended: Overpriced clone of the RCMLoader Zero AceNS (New) Ace3DS Team \u2714\ufe0f \ufe0f \u2714\ufe0f \u2714\ufe0f \u274c \u2714\ufe0f 45mAh LiPo (~1000 injections) 1 hour $17.50 Not Recommended: Overpriced clone of the RCMLoader One AceNS Pro Ace3DS Team \u2714\ufe0f \u2714\ufe0f \u2714\ufe0f \u2714\ufe0f (Required) \u274c 45mAh LiPo (~1000 injections) 1 hour $42.90 Not Recommended: Overpriced clone of the RCMLoader One with multiple features missing DragonInjector MatinatorX \u2714\ufe0f \u2714\ufe0f \u2714\ufe0f \u2714\ufe0f (Required) \u2714\ufe0f 40mAh CR1612 (~4000 injections) Non-Rechargeable (Replacable) $30.00\u200b (Discontinued) Fits in the Switch's gamecard slot NS-Atmosphere Generic \u2714\ufe0f \u2714\ufe0f \u274c \u274c \u274c 150mAh LiPo (>1000 injections) >1 hour $13.15 Not Recommended: Unsafe jig, overly bulky, changing payload requires installing a program, lack of .bin support complicates usage R4S R4i-SDHC Team \u2714\ufe0f \u274c \u2714\ufe0f \u2714\ufe0f \u274c 120mAh LiPo (~1000 injections) 1 hour $19.99 RCMLoader Zero Xkit \u2714\ufe0f \u274c \u2714\ufe0f \u274c \ufe0f \u2714\ufe0f N/A (Capacitors) 10 seconds $5.99\u200b (Discontinued) RCMLoader One Xkit \u2714\ufe0f \u2714\ufe0f \u2714\ufe0f \u274c \u2714\ufe0f 45mAh LiPo (~1000 injections) 1 hour $9.99 SX Gear Team Xecuter \u2714\ufe0f \u274c \u274c \u2714\ufe0f (Required) \u274c N/A (Supercapacitors) 5-10 seconds $24.95 Not Recommended: Lack of .bin support complicates usage SX Pro Team Xecuter \u2714\ufe0f \u274c \u274c \u2714\ufe0f (Required) \u274c N/A (Supercapacitors) 5-10 seconds $49.99 Not Recommended: Lack of .bin support complicates 
usage"},{"location":"extras/showing_file_extensions/","title":"Showing File Name Extensions on Windows 10/11","text":"By default, Microsoft Windows 10 and 11 do not show file extensions for known file types. This can result in problems when you need to rename files.
"},{"location":"extras/showing_file_extensions/#instructions-for-windows-10","title":"Instructions for Windows 10:","text":"File name extensions
checkbox is not ticked, put a check/tick mark in it by clicking it.View
hamburger menu/dropdown menu.Show
at the bottom and ensure that File name extensions
is ticked.The goal of this page is to transfer the contents from one microSD card to another one. The method to do this will differ, depending on whether you're using a partition based emuMMC on your microSD card or not.
We will be using hekate to both backup and restore the emuMMC, so make sure that you have its latest files on your microSD card already.
"},{"location":"extras/transfer_sd/#instructions","title":"Instructions:","text":"You should first check whether you have a file or partition based emuMMC:
payload.bin
on the root of your microSD card.emuMMC
button.emuMMC Info & Selection
, check the text next to Type
.SD Raw Partition
or SD File
.payload.bin
on the root of your microSD card.Tools
> USB Tools
> SD Card
and plug your Switch into your PC via USB.UMS
device safely from within your computer's operating system.Space for the backup
You need at least 30GB (or 60GB if using an OLED Switch) of free space to be able to restore the emuMMC!
payload.bin
on the root of your SD.Tools
, then Backup eMMC
and set SD emuMMC Raw Partition
at the bottom of your screen to ON
.SD emuMMC BOOT0 & BOOT1
and SD emuMMC RAW GPP
(Note: SD emuMMC RAW GPP
may take a while).Tools
> USB Tools
> SD Card
and plug your Switch into your PC via USB.Preparing Hekate
section at the bottom of this page (Unpatched Switch users only) to prepare your new SD card with Hekate's files.Tools
> USB Tools
> SD Card
, then plug your Switch into your PC via USB./backup/<some characters>/emummc
on your microSD card and move BOOT0
, BOOT1
and the rawnand.bin.xx
files to /backup/<some characters>/restore/emummc
.UMS
device safely from within your computer's operating system.Tools
, Restore eMMC
, set SD emuMMC Raw Partition
at the bottom of your screen to ON
.SD emuMMC BOOT0 & BOOT1
and SD emuMMC RAW GPP
(Note: SD emuMMC RAW GPP
may take a while).SD emuMMC Raw Partition
option is enabled, otherwise you will be altering your sysMMC which is not what you want.Launch
-> Atmosphere FSS0 emuMMC
in Hekate.This page documents how you can keep your system up-to-date.
After following our guide, your system will consist of three core elements that can be updated. Atmosphere, Hekate and your system firmware.
"},{"location":"extras/updating/#updating-atmosphere","title":"Updating Atmosphere","text":"When updating Atmosph\u00e8re, always make sure to read the release notes. They may list important changes and modifications to your system.
Updating from below Atmosph\u00e8re 1.0.0
If you update from below Atmosph\u00e8re 1.0.0, there are additional steps to follow. You will have to delete the sept
folder from your microSD, delete fusee-secondary.bin
from your atmosphere
folder and update your Hekate config file: hekate_ipl.ini in the bootloader
folder.
When a new version of Atmosph\u00e8re releases, you can update Atmosph\u00e8re by following these steps:
payload.bin
on the root of your microSD card.Tools
> USB Tools
> SD Card
and plug your Switch into your PC via USB.atmosphere-(version)-master-(version)+hbl-(version)+hbmenu-(version).zip
release of Atmosphere.).zip
file to the root of your microSD card.UMS
device safely from within your computer's operating system.When updating Hekate always make sure to read the release notes. They may list important changes and modifications to your system.
When a new version of Hekate releases, you can update by following these steps:
payload.bin
on the root of your microSD card.Tools
> USB Tools
> SD Card
and plug your Switch into your PC via USB.hekate_ctcaer_(version).zip
release of hekate).bootloader
folder from the Hekate .zip
file to the root of your microSD card. If you are asked to overwrite or merge files while copying, say yes to merge/overwrite them.UMS
device safely from within your computer's operating system.Reload
> Reload
to reload Hekate from your microSD card.Always check before updating your system firmware if the latest version of Atmosph\u00e8re as well as the latest version of Hekate support the firmware version you are updating towards.
In addition, updating to or past some firmwares update the gamecard firmware. Reference the table below for information about these.
Updating from Updating towards Updates gamecard firmware Below 4.0.0 Below 4.0.0 No Below 4.0.0 4.0.0 or above Yes On or above 4.0.0, but below 9.0.0 At least 4.1.0 but below 9.0.0 No On or above 4.0.0, but below 9.0.0 9.0.0 or above Yes On or above 9.0.0, but below 11.0.0 At least 9.1.0 but below 11.0.0 No On or above 9.0.0, but below 11.0.0 11.0.0 or above Yes On or above 11.0.0 but below 12.0.0 At least 11.0.1 but below 12.0.0 No On or above 11.0.0 but below 12.0.0 12.0.0 or above Yes On or above 12.0.0 Latest supported Atmosph\u00e8re & Hekate revision NoIf at least one of the versions you are updating towards also updates the gamecard firmware, you will not be able to downgrade below that version without making the gamecard slot unusable until you update.
Atmosphere (and Hekate) come bundled with patches that automatically disable the gamecard slot if it is detected that the system has an older gamecard firmware that would be updated. If you boot into RCM on each boot (for example by using AutoRCM), this means that the gamecard slot will not be updated and you can downgrade below that version. If this happens, you will not be able to use the gamecard slot as long as you are on the newer firmware.
Otherwise, you can safely update your system firmware through the system settings.
Note about autoRCM
If you have autoRCM enabled and you're updating your system while in stock firmware, updating will disable autoRCM and you will need to enter RCM manually to boot custom firmware again. To prevent autoRCM from being disabled, boot CFW on sysMMC and update through settings from there, as booting without AutoRCM will burn any preserved fuses.
"},{"location":"extras/updating/#about-emummc","title":"About emuMMC","text":"sysMMC and emuMMC have separate system firmwares and need to be updated separately.
If you keep your emuMMC offline, you will have to use a gamecard to update your system firmware, synchronize it with another Nintendo Switch or dump an updated firmware from your sysMMC.
"},{"location":"extras/updating/#updating-emummc-by-dumping-an-updated-firmware-from-your-sysmmc","title":"Updating emuMMC by dumping an updated firmware from your sysMMC","text":"Do you have an eMMC backup yet?
Please do not start this guide without doing a RAW GPP and a BOOT 0/1 eMMC backup!
You can learn how to make one here.
Downgrading
This guide is made for updating your emuMMC. It is not for downgrading. Downgrading at all, sysMMC or emuMMC, is not recommended and not worth it. Downgrading is also very dangerous and can lead to serious complications even when performed correctly.
"},{"location":"extras/updating/#what-you-need","title":"What you need:","text":"Tools
> USB Tools
> SD Card
and connect your Switch to your PC via USB.TegraExplorer.bin
and place it sd:/bootloader/payloads
.Make sure your sysMMC is updated before moving onto the instructions below.
"},{"location":"extras/updating/#dumping-your-sysmmc-firmware","title":"Dumping your sysMMC firmware","text":"TegraExplorer.bin
using your favourite payload injector (Like you would with Hekate).TegraExplorer.bin
in sd:/bootloader/payloads
on your microSD card, then turn on your console and load TegraExplorer via Hekate's payloads menu (Payloads
> TegraExplorer.bin
).FirmwareDump.te
, then select Dump sysmmc
.Reboot to bootloader/update.bin
.Launch -> Atmosphere FSS0 emuMMC
.R
while launching a game to boot into the homebrew menu.Install
and navigate to sd:/tegraexplorer/Firmware/<latest firmware number>
.Continue
and then Preserve settings
.Warning: exFAT firmware is missing or corrupt
, you likely don't have the exFAT drivers installed on your sysMMC. Just press continue if this is the case.Install (FAT32 + exFAT)
, otherwise Install (FAT32)
and then Continue
.Reboot
.Settings -> System
.This page summarizes the included Homebrew apps and additional Homebrew you can check out.
"},{"location":"homebrew/#the-guide-includes-a-few-homebrew-apps-by-default-these-apps-are","title":"The guide includes a few Homebrew apps by default, these apps are:","text":"Homebrew is a general term, the term can be used for Homebrew apps (.nro
files) or in the form of background processes, called \"sysmodules\". The Switch natively has sysmodules built into its firmware but you can run additional Homebrew sysmodules that can add functionality to your Switch. In the section below, you can find additional and commonly used Homebrew apps and sysmodules.
Homebrew apps are stored in sd:/switch
by default and Homebrew sysmodules are stored in sd:/atmosphere/contents
by default.
For cheats management, EdiZon and/or EdiZon-SE (up to date and offers more features) are recommended. They offer support for Atmosphere's cheat engine, providing an easy way to download new cheats, as well as toggle them on or off.
"},{"location":"homebrew/edizon/#installation-requirements","title":"Installation requirements:","text":"EdiZon.nro
file) or EdiZon-SE (the EdiZon.zip
file)EdiZon overlay
EdiZon also offers a Tesla-Menu overlay, however, the official EdiZon overlay is no longer maintained and will result in Atmosphere crashing when trying to use the EdiZon overlay on firmware version 16.0.0+. The maintained EdiZon overlay can be found here.
Installation instructions (EdiZon):Installation instructions (EdiZon-SE):Tools
> USB Tools
> SD Card
, then plug your Switch into your PC via USB.EdiZon.nro
in sd:/switch
.Tools
> USB Tools
> SD Card
, then plug your Switch into your PC via USB..zip
file to a location on your computer..zip
file directly..zip
file to the root of your microSD card.054e4f4558454000
(EdiZon-SE) in sd:/atmosphere/contents
and an EdiZon.nro
file in sd:/switch/EdiZon
.Atmosph\u00e8re looks for cheats to load in the contents
sub-folder of the atmosphere
folder. The template it looks for is sd:/atmosphere/contents/<title_id>/cheats/<build_id>.txt
. You need to create the <title_id>
folder and sub-folders manually:
title_id
being the title or program of a game. This is game specific and can be found on EdiZon's cheat menu (TID and BID, see the bottom of this page for a sample), switchbrew and nswdb.
build_id
being the version of a game. This is game specific and can be found on EdiZon's cheat menu (BID, see the bottom of this page for a sample) Cheats can be version specific so make sure the cheats you are using are compatible with your game version.
Note: On Atmosph\u00e8re 0.9.4 and below contents
is called titles
.
Once the title is launched while in Atmosphere, your cheats should be applied.
"},{"location":"homebrew/edizon/#preventing-cheats-from-being-enabled-by-default","title":"Preventing cheats from being enabled by default","text":"To prevent cheats from being enabled by default, you can change your Atmosph\u00e8re configuration by following the steps below.
system_settings.ini
from sd:/atmosphere/config_templates
to sd:/atmosphere/config
if it's not already there.Open the system_settings.ini
file with a text editor and edit the line ; dmnt_cheats_enabled_by_default = u8!0x1
to dmnt_cheats_enabled_by_default = u8!0x0
.
;
\" in front of dmnt_cheats_enabled_by_default
.By default, holding the L button while launching a game will disable any game modification.
Here the Title ID of the game (TID) is 0100646009FBE000
and the Build ID of the game (BID) is 0B9A75586BC1A6C6
. Cheats are loaded from sd:/atmosphere/contents/0100646009FBE000/cheats/0B9A75586BC1A6C6.txt
in this example.
For more in-depth details about Atmosphere's cheat engine, you can refer to this page.
"},{"location":"homebrew/edizon/#troubleshooting","title":"Troubleshooting","text":""},{"location":"homebrew/edizon/#edizon-isnt-showing-up-when-i-open-the-homebrew-menu","title":"EdiZon isn't showing up when I open the Homebrew menu!:","text":"Assuming you've followed the installation instructions successfully, this is probably due to the archive bit being set on one or more folders/files on your microSD card. This is usually the result of copying files to a microSD card via a Mac. If you are experiencing this issue, try running the archive bit fixer utility via Hekate for all files.
This can be done by booting into Hekate and going to Tools
> Arch bit \u2022 RCM Touch \u2022 Pkg1/2
> Fix Archive Bit
.
FTPD is simply an FTP server for the Switch, it can be used to transfer files wirelessly to- and from- your microSD card.
"},{"location":"homebrew/ftpd/#usage-requirements","title":"Usage requirements:","text":"Note
This section assumes that the device running the FTP client and your Switch are connected to the same network. If it's not, make sure they are connected to the same network before continuing.
Host
field of your FTP client, put in the IP address of your Switch mentioned in the top left of FTPD.Anonymous
box.5000
for the port and attempt to connect to your Switch.FTPD can also run in the form of a background process (sysmodule), called sys-ftpd. It can be found here, usage and configuration options are mentioned there as well.
"},{"location":"homebrew/goldleaf/","title":"Goldleaf","text":""},{"location":"homebrew/goldleaf/#goldleaf","title":"Goldleaf","text":"Goldleaf is primarily a very extensive file and console content manager.
"},{"location":"homebrew/goldleaf/#common-use-cases-for-goldleaf-are","title":"Common use cases for Goldleaf are:","text":"And a lot more, which you can view on Goldleaf's Github repository here.
"},{"location":"homebrew/goldleaf/#goldleaf-screenshots","title":"Goldleaf screenshots:","text":""},{"location":"homebrew/jksv/","title":"Save Management","text":""},{"location":"homebrew/jksv/#jksv","title":"JKSV","text":"For save management, JKSV is recommended. It can be used to back up and restore game saves to your microSD card.
"},{"location":"homebrew/jksv/#backing-up-save-data-using-jksv","title":"Backing up save data using JKSV","text":""},{"location":"homebrew/jksv/#instructions","title":"Instructions:","text":"A
button.A
to select it.A
again to create a new save backup+
or OK
.A
button.A
to select it.Y
.A
button to restore the save data, keep holding it until it's finished.Please read JKSV's homepage for information on how to use it.
"},{"location":"homebrew/jksv/#checkpoint","title":"Checkpoint","text":"Checkpoint is also a save manager. It can be used to back up and restore game saves to your microSD card. It also has the ability to share save data over FTP and WiFi.
"},{"location":"homebrew/jksv/#checkpoint-documentation","title":"Checkpoint Documentation","text":"Please read Checkpoint's homepage for information on how to use it.
"},{"location":"homebrew/ldn_mitm/","title":"ldn_mitm","text":""},{"location":"homebrew/ldn_mitm/#information","title":"Information","text":"ldn_mitm is a sysmodule that allows you to route the local wireless ad-hoc network traffic of the Switch via the network your Switch is connected to, essentially allowing \"LAN\" functionality between consoles and emulators using ldn_mitm. The official Github repository for ldn_mitm can be found here.
"},{"location":"homebrew/ldn_mitm/#common-use-cases-for-ldn_mitm","title":"Common use cases for ldn_mitm:","text":"ldn_mitm.zip
file)Tools
> USB Tools
> SD Card
, then plug your Switch into your PC via USB..zip
file to a location on your computer..zip
file directly..zip
file to the root of your microSD card.4200000000000010
(ldn_mitm) in sd:/atmosphere/contents
and the ldnmitm_config.nro
file in sd:/switch/ldnmitm_config
.You can enable/disable ldn_mitm by opening the Homebrew menu, opening ldn_mitm's config app and pressing Y
to toggle ldn_mitm.
Cause: If your Switch crashes with Error std::abort (0xFFE)
and Title ID 4200000000000010
, you're using a version of ldn_mitm that's incompatible with your Atmosphere version. The expected Atmosphere version is mentioned on each release page of an ldn_mitm release.
"},{"location":"homebrew/ldn_mitm/#ldn_mitm-isnt-working","title":"ldn_mitm isn't working!:","text":"
Assuming you've followed the installation instructions successfully, this is probably due to the archive bit being set on one or more folders/files on your microSD card. This is usually the result of copying files to a microSD card via a Mac. If you are experiencing this issue, try running the archive bit fixer utility via Hekate for all files.
This can be done by booting into Hekate and going to Tools
> Arch bit \u2022 RCM Touch \u2022 Pkg1/2
> Fix Archive Bit
.
MissionControl is a sysmodule that allows you to pair normally-unsupported controllers as if they were natively supported, like PS3, PS4, PS5 and Xbox One S/X controllers via Bluetooth. The full supported controller list can be found on the official Github repository here including pairing instructions for the supported controllers.
"},{"location":"homebrew/mission-control/#installation-requirements","title":"Installation requirements:","text":"MissionControl-(version)-master.zip
file)Tools
> USB Tools
> SD Card
, then plug your Switch into your PC via USB..zip
file to a location on your computer..zip
file directly..zip
file to the root of your microSD card.010000000000BD00
(MissionControl) in sd:/atmosphere/contents
.Cause: If your Switch crashes with Error std::abort (0xFFE)
and Title ID 010000000000BD00
, you're using a version of MissionControl that's incompatible with your Atmosphere version. The expected Atmosphere version is mentioned on each release page of a MissionControl release.
"},{"location":"homebrew/mission-control/#missioncontrol-isnt-working","title":"MissionControl isn't working!:","text":"
Assuming you've followed the installation instructions successfully, this is probably due to the archive bit being set on one or more folders/files on your microSD card. This is usually the result of copying files to a microSD card via a Mac. If you are experiencing this issue, try running the archive bit fixer utility via Hekate for all files.
This can be done by booting into Hekate and going to Tools
> Arch bit \u2022 RCM Touch \u2022 Pkg1/2
> Fix Archive Bit
.
NX-Shell is a file manager.
"},{"location":"homebrew/nx-shell/#common-use-cases-for-nx-shell","title":"Common use cases for NX-Shell","text":"For more information, you can check out NX-Shell's Github repository here.
"},{"location":"homebrew/nx-shell/#nx-shell-screenshots","title":"NX-Shell screenshots:","text":""},{"location":"homebrew/nxtheme-installer/","title":"Theming","text":"Using NXTheme Installer, you can install and create unique styles and layouts for your Switch Home Menu.
"},{"location":"homebrew/nxtheme-installer/#index","title":"Index","text":"Follow the Installing a theme section if you want to install a theme.
Follow the Making a theme section if you want to make a theme manually.
Follow the Installing a custom font section if you want to install a custom font.
If you run into any issues, visit the Troubleshooting section.
Community Themes
If you want to use community made themes, for example from the r/NXThemes subreddit or Themezer, you can follow the guide below to install a community provided .nxtheme
file.
NXThemesInstaller.nro
and put it in sd:/switch
..nxtheme
files to the themes
folder on your microSD card (It is recommended you put them into their own folders, e.g. sd:/themes/awesome_theme/awesome.nxtheme
).themes
folder on the root of your microSD card if it does not exist.NXThemes Installer
with an internet connection.Extract home menu
tab in NXTheme Installer
.NXTheme Installer
, the Themes
tab is where you will find your themes. To install them, press the folder name of your theme and go through each home menu section to install the desired theme for that section (e.g. going to /awesome_theme
and selecting your theme for the specific menu you want to change, do the same for the other menus).Reboot
tab to see the changes.An example of a Home Menu theme being installed
"},{"location":"homebrew/nxtheme-installer/#making-a-theme","title":"Making a theme","text":"WindowsMac / Linux / ChromeOS"},{"location":"homebrew/nxtheme-installer/#what-you-need_1","title":"What you need:","text":"The latest release of Switch Theme Injector
ReleaseVx.x.zip
on the download pageReleaseVx.x.zip
to somewhere on your PC's drive.SwitchThemes.exe
app. Navigate to NXTheme Builder
.Build NXTheme
after selecting your home menu part, image and layout patch.Make sure that the images you want to use are 1280x720 and in JPG!
.ttf
file type into the themes
folder (It is recommended you put them into their own folders, e.g. sd:/themes/cool_font/font.ttf
).NXThemes Installer
.NXTheme Installer
, the Themes
tab is where you will find your font(s)..ttf
file in the font folder you created.Reboot
tab to see the changes.Cause 1: You didn't install the required theme patches for your firmware version. You can remove your installed custom theme data by navigating to sd:/atmosphere/contents
and deleting the 01000000000001000
folder.
Cause 2: You didn't extract your home menu data when prompted. You can remove your installed custom theme data by navigating to sd:/atmosphere/contents
and deleting the 01000000000001000
folder.
Cause 3: You installed a bad theme. You can remove them by navigating to sd:/atmosphere/contents
and deleting the 01000000000001000
folder.
contents
is called titles
on Atmosph\u00e8re versions 0.9.4 and below."},{"location":"homebrew/nxtheme-installer/#my-switch-crashes-on-boot-after-i-installed-a-font","title":"My Switch crashes on boot after I installed a font!:","text":"
Cause 1: You installed a font that was too large in file size (maximum file size being 1.9MB). You can remove your installed custom font data by navigating to sd:/atmosphere/contents
and deleting the 0100000000000811
folder.
Cause 2: You installed a font that wasn't the right file type (e.g. .otf
). You can remove your installed custom font data by navigating to sd:/atmosphere/contents
and deleting the 0100000000000811
folder.
contents
is called titles
on Atmosph\u00e8re versions 0.9.4 and below."},{"location":"homebrew/nxtheme-installer/#the-nxtheme-installer-crashes-when-i-launch-it","title":"The NXTheme installer crashes when I launch it:","text":"
This is probably due to the archive bit being set on either the app or the .nxtheme
files. This is usually the result of copying files to a microSD card via a Mac. If you are experiencing this issue, try running the archive bit fixer utility via Hekate for all files.
This can be done by booting into Hekate and going to Tools
> Arch bit \u2022 RCM Touch \u2022 Pkg1/2
> Fix Archive Bit
.
sys-botbase is an advanced sysmodule that allows users to interact with their Switch remotely, to \"remote control\" their Switch. This remote control allows users to create automated tasks, simulate button presses, simulate touchscreen input and read/write to the memory of the Switch while in-game.
"},{"location":"homebrew/sys-botbase/#common-use-cases-for-sys-botbase","title":"Common use cases for sys-botbase:","text":"sys-botbase(version).zip
file)Tools
> USB Tools
> SD Card
, then plug your Switch into your PC via USB..zip
file to a location on your computer..zip
file directly..zip
file to the root of your microSD card.430000000000000B
(sys-botbase) in sd:/atmosphere/contents
.Cause: While it's almost impossible for this to happen, if your Switch crashes with Error 2001-0123 (0xf601)
and Title ID 430000000000000B
, you're using a version of sys-botbase that's incompatible with your Atmosphere version.
"},{"location":"homebrew/sys-botbase/#sys-botbase-isnt-working","title":"sys-botbase isn't working!:","text":"
Assuming you've followed the installation instructions successfully, this is probably due to the archive bit being set on one or more folders/files on your microSD card. This is usually the result of copying files to a microSD card via a Mac. If you are experiencing this issue, try running the archive bit fixer utility via Hekate for all files.
This can be done by booting into Hekate and going to Tools
> Arch bit \u2022 RCM Touch \u2022 Pkg1/2
> Fix Archive Bit
.
sys-clk is a sysmodule that allows you to overclock the hardware of your Switch. The usage, configuration and clock speed information can be found on the official Github repository here
Limits of sys-clk
sys-clk has limits for a reason, which is to not damage the hardware of your Switch. Using any modified version of sys-clk puts your Switch at risk of hardware failure. We do not support any modified version of sys-clk nor should you ever touch them. Overclocking is not something you should be doing 24/7 as overclocking in general will always degrade/wear out the hardware of your Switch faster and you should know what you're doing if you do decide to do so.
"},{"location":"homebrew/sys-clk/#installation-requirements","title":"Installation requirements:","text":"sys-clk-(version).zip
file)Tools
> USB Tools
> SD Card
, then plug your Switch into your PC via USB..zip
file to a location on your computer..zip
file directly..zip
file to the root of your microSD card.00FF0000636C6BFF
(sys-clk) in sd:/atmosphere/contents
.Open the Homebrew menu and open sys-clk's manager app. This app allows you to change the global clock speeds or clock speeds based on title.
"},{"location":"homebrew/sys-clk/#troubleshooting","title":"Troubleshooting","text":""},{"location":"homebrew/sys-clk/#my-switch-crashes-on-boot-after-i-installed-sys-clk","title":"My Switch crashes on boot after I installed sys-clk!:","text":"Cause: If your Switch crashes on boot, make sure you're using the latest release of sys-clk. If it continues to crash afterwards, see the troubleshooting step at the bottom of this page.
"},{"location":"homebrew/sys-clk/#my-switch-crashes-while-using-sys-clk","title":"My Switch crashes while using sys-clk!:","text":"
Cause: You're either using a modified version of sys-clk and pushing the hardware of your Switch too far or your console is overheating. The cooling system of the Switch is not the best and overheating can be a cause of dried up thermal paste/lack of thermal paste. Overclock with caution and be careful, monitor the temperatures of your Switch using a Tesla-Menu overlay like Status-Monitor-Overlay (requires Tesla-Menu).
"},{"location":"homebrew/sys-clk/#sys-clk-isnt-working","title":"sys-clk isn't working!:","text":"
Assuming you've followed the installation instructions successfully, this is probably due to the archive bit being set on one or more folders/files on your microSD card. This is usually the result of copying files to a microSD card via a Mac. If you are experiencing this issue, try running the archive bit fixer utility via Hekate for all files.
This can be done by booting into Hekate and going to Tools
> Arch bit \u2022 RCM Touch \u2022 Pkg1/2
> Fix Archive Bit
.
sys-con is a sysmodule that allows you to use normally-unsupported controllers as if they were natively supported, like PS3, PS4, PS5 and Xbox One S/X controllers via USB. The full supported feature and controller list can be found on the official Github repository here including usage instructions and configuration options.
"},{"location":"homebrew/sys-con/#installation-requirements","title":"Installation requirements:","text":"sys-con-(version).zip
file)Tools
> USB Tools
> SD Card
, then plug your Switch into your PC via USB..zip
file to a location on your computer..zip
file directly..zip
file to the root of your microSD card.690000000000000D
(sys-con) in sd:/atmosphere/contents
.Cause: While it's almost impossible for this to happen, if your Switch crashes with Error code 2162-0002 (0x4a2)
and Title ID 690000000000000D
, you're using a version of sys-con that's incompatible with your Switch firmware version. The expected firmware version is mentioned on each release page of a sys-con release.
"},{"location":"homebrew/sys-con/#sys-con-isnt-working","title":"sys-con isn't working!:","text":"
Assuming you've followed the installation instructions successfully, this is probably due to the archive bit being set on one or more folders/files on your microSD card. This is usually the result of copying files to a microSD card via a Mac. If you are experiencing this issue, try running the archive bit fixer utility via Hekate for all files.
This can be done by booting into Hekate and going to Tools
> Arch bit \u2022 RCM Touch \u2022 Pkg1/2
> Fix Archive Bit
.
SysDVR is a sysmodule that allows you to stream the screen of your Switch (while in-game/in an application) to your PC via the network or USB.
"},{"location":"homebrew/sysdvr/#sysdvr","title":"SysDVR","text":"Installation, usage, configuration and extensive troubleshooting information can be found on the SysDVR Wiki.
"},{"location":"homebrew/sysdvr/#sysdvr-screenshots","title":"SysDVR screenshots:","text":""},{"location":"homebrew/tesla-menu/","title":"Tesla-Menu","text":""},{"location":"homebrew/tesla-menu/#information","title":"Information","text":"Tesla-Menu is an overlay menu developed by WerWolv, Tesla-Menu is comparable to Rosalina menu on the 3DS and its purpose is to be able to load community made overlays for Homebrew apps and sysmodules that can be accessed at any time. Below you can find common use cases for Tesla-Menu. The official Github page for Tesla-Menu can be found here.
Dependencies
Tesla-Menu is dependent on a sysmodule called nx-ovlloader
, this sysmodule is responsible for loading ovlmenu.ovl
from sd:/switch/.overlays
.
ovlmenu.zip
file)nx-ovlloader.zip
file)Tools
> USB Tools
> SD Card
, then plug your Switch into your PC via USB..zip
files to a location on your computer..zip
files directly..zip
file to the root of your microSD card.420000000007E51A
(nx-ovlloader) in sd:/atmosphere/contents
and the ovlmenu.ovl
(Tesla-Menu) file in sd:/switch/.overlays
.Tesla-Menu can be opened by pressing L
+ R Stick press (R3)
+ DPAD down
, assuming you use the default configuration.
Cause: If your Switch crashes with Error code 2001-0123 (0xf601)
and Title ID 420000000007E51A
, you didn't successfully install Tesla-Menu or you aren't using the latest release of Tesla-Menu, re-follow the installation instructions above.
"},{"location":"homebrew/tesla-menu/#my-switch-crashes-when-i-open-an-overlay-via-tesla-menu","title":"My Switch crashes when I open an overlay via Tesla-Menu!:","text":"
Cause: If your Switch crashes with Error code 2001-0123 (0xf601)
and Title ID 420000000007E51A
, the overlay you're trying to open/use isn't up to date. Check its source repository for updates.
libtesla
library. The latter is for developers (or advanced users)."},{"location":"homebrew/tesla-menu/#tesla-menu-is-only-showing-while-on-the-main-menu-and-not-in-game","title":"Tesla-Menu is only showing while on the main menu and not in-game!:","text":"
Cause: This issue will only happen when the Switch is docked, ensure that you've set the \"Screen size\" in System Settings
> TV Output
to 100%. Adjust your TV/monitor to fit the entirety of the screen of your Switch using its OSD (On Screen Display) or remote.
"},{"location":"homebrew/tesla-menu/#tesla-menu-isnt-opening-when-i-press-the-correct-button-combination","title":"Tesla-Menu isn't opening when I press the correct button combination!:","text":"
Assuming you've followed the installation instructions successfully, this is probably due to the archive bit being set on one or more folders/files on your microSD card. This is usually the result of copying files to a microSD card via a Mac. If you are experiencing this issue, try running the archive bit fixer utility via Hekate for all files.
This can be done by booting into Hekate and going to Tools
> Arch bit \u2022 RCM Touch \u2022 Pkg1/2
> Fix Archive Bit
.
About modchipped Switch console users
If you already know you have a modchipped Switch console, you can skip ahead to the Modchip Introduction page.
"},{"location":"user_guide/getting_started/#finding-your-serial-number","title":"Finding your serial number","text":"In the RCM path, we'll first determine if your Switch is vulnerable to fusee-gelee, the exploit we will be using to launch CFW.
The fusee-gelee vulnerability was discovered independently by different Switch hacking teams, who all independently released versions of the exploit in April 2018. Nintendo and NVIDIA were informed 90 days before these releases, and patched consoles were launched by mid-2018. NVIDIA publicly acknowledged the flaw in April as well. In July 2019, Nintendo announced updated consoles: the Switch Lite (HDH-001), and a new model of original Switch (HAC-001(-01)/\"V2\") with better battery life. Both of these new models use the Tegra X1+ (also known as Mariko, the T214, and T210B01) with a brand-new bootROM, and cannot currently be hacked without a modchip.
Patched and Mariko units can be identified by their serial number. This number can be found in the Settings applet at System -> Serial Information. You can also find it on the bottom of the console, adjacent to the charging port. However, it is always more accurate to use the serial reported in Settings instead, especially if you aren't the original owner of the console.
"},{"location":"user_guide/getting_started/#determining-if-your-switch-is-vulnerable","title":"Determining if your Switch is vulnerable","text":"
The community has crowdsourced a list of known serial numbers which are vulnerable to fusee-gelee.
Notice
If you are unsure if your serial is patched, you can test your console yourself following the instructions here.
"},{"location":"user_guide/getting_started/#serial-list","title":"Serial list","text":"The following information is based on this GBATemp thread.
Serial Numbers Unpatched Potentially patched Patched XAW1 XAW10000000000 to XAW10074000000 XAW10074000000 to XAW10120000000 XAW10120000000 and up XAW4 XAW40000000000 to XAW40011000000 XAW40011000000 to XAW40012000000 XAW40012000000 and up XAW7 XAW70000000000 to XAW70017800000 XAW70017800000 to XAW70030000000 XAW70030000000 and up XAJ1 XAJ10000000000 to XAJ10020000000 XAJ10020000000 to XAJ10030000000 XAJ10030000000 and up XAJ4 XAJ40000000000 to XAJ40046000000 XAJ40046000000 to XAJ40060000000 XAJ40060000000 and up XAJ7 XAJ70000000000 to XAJ70040000000 XAJ70040000000 to XAJ70050000000 XAJ70050000000 and up XAK1 N/A XAK10000000000 and up N/AIf your serial number is not listed above, your device is not vulnerable to the fusee-gelee exploit.
"},{"location":"user_guide/getting_started/#version-table","title":"Version Table","text":"Note
While the \"New\" Switch (HAC-001(-01)'s earliest possible firmware is 7.0.1, it is not vulnerable to d\u00e9j\u00e0 vu, the exploit used by Nereba and Caffeine, because of hardware differences from the \"old\" Switch (HAC-001).
Firmware Version Unpatched Switch systems (HAC-001) Patched Switch systems (HAC-001) \"New\" Switch (HAC-001(-01) Switch Lite (HDH-001) 1.0.0 Nereba or RCM N/A N/A N/A 2.0.0 - 3.0.2 Caffeine or RCM N/A N/A N/A 4.0.0 - 4.1.0 Caffeine or RCM Caffeine N/A N/A 5.0.0 - 7.0.0 RCM Modchip / Wait for CFW N/A N/A 7.0.1 RCM Modchip (no software exploit) Modchip (no software exploit) N/A 8.0.1 RCM Modchip (no software exploit) Modchip (no software exploit) Modchip (no software exploit) 8.1.0 and up RCM Modchip (no software exploit) Modchip (no software exploit) Modchip (no software exploit)About Mariko Switch models
All Mariko (V2) Switch models (HAC-001(-01)
, HDH-001
, HEG-001
) are currently unhackable via software. If Modchip is listed as a method for your console model, then that means the device is currently unhackable without a hardware modification (modchip). If there are theoretical exploits that may lead to CFW or homebrew for that device, you also have the choice to \"wait\" for their release. These exploits may (and will likely) never launch and there is NO ETA, so what you choose to do is up to you. This guide assumes you have a functional modchip installation if you do have a Patched console.
Before setting up for homebrew, install at least one eShop title to utilize \"title takeover\", an Atmosph\u00e8re feature that allows homebrew to use more resources than they would normally have. Try downloading a free game (like Fallout Shelter), application (like YouTube), or a game demo (like 10 Second Run RETURNS). Running the Homebrew Menu via a game cartridge is an alternative, but requires the game to be inserted any time you want to launch the Homebrew Menu. Generally, title takeover doesn't permanently alter the donor game or application. Once you obtain any bootable title, you are prepared to continue on with the guide.
Frequently Asked Questions about this pageContinue to RCM
"},{"location":"user_guide/getting_started/#if-your-switch-is-patched-and-modchipped-click-the-button-below-to-follow-the-modchip-path-of-the-guide","title":"If your Switch is patched and modchipped, click the button below to follow the Modchip path of the guide.","text":"Continue to Modchip introduction
"},{"location":"user_guide/all/cfw_environment/","title":"Choosing an Environment","text":""},{"location":"user_guide/all/cfw_environment/#cfw-on-sysmmc-vs-cfw-on-emummc","title":"CFW on sysMMC vs. CFW on emuMMC","text":"A \"CFW Environment\" describes the context in which you are using custom firmware (CFW). As a reminder, custom firmware is never permanently installed, and runs independently on top of the system firmware. This means that you never have to commit to where you want to use custom firmware.
Atmosph\u00e8re temporarily patches HOS (HorizonOS, operating system of the switch) to enable customisations. You can choose what version of HOS it patches, each time you turn on your system. Each option has its own benefits and drawbacks.
Generally, sys-
refers to the physical storage chip (sysMMC/eMMC) inside of your Switch. It stands for \"system\".
Generally, emu-
refers to a virtual version of the eMMC (internal storage), running from a microSD card. It stands for \"emulated\".
For more information on terminology, please refer to the glossary.
You get to decide! Your choices are between using the internal storage or emulated storage. We will go over the advantages and disadvantages of either decision below.
No parity between sysMMC and emuMMC (Game installs, save data, and system settings will be separated when you boot between the two)
"},{"location":"user_guide/all/cfw_environment/#in-particular-here-are-just-some-popular-use-cases-for-cfw-on-emummc","title":"In particular, here are just some popular use-cases for CFW on emuMMC:","text":"If you prefer foolproofing, and a separation between official features and custom features, you may consider using CFW on emuMMC. In this guide, emuMMC is assumed to be utilised for offline play.
About this path
This path of the guide also includes sysCFW as launch option.
To proceed with CFW on emuMMC, click on the button below:
Continue with the emuMMC path
"},{"location":"user_guide/all/cfw_environment/#syscfw-cfw-on-sysmmc","title":"sysCFW (CFW on sysMMC)","text":""},{"location":"user_guide/all/cfw_environment/#cfw-on-sysmmc-has-the-following-benefits","title":"CFW on sysMMC has the following benefits:","text":"If you prefer snappiness, online play, and a seamless transition between official features and custom features, you may consider using CFW on sysMMC. In this guide, sysMMC is assumed to be utilised for online play.
To proceed with CFW on sysMMC, click on the button below:
Continue with the sysCFW path
"},{"location":"user_guide/all/cfw_environment/#modchip-instability","title":"Modchip Instability","text":"About Modchipped Switch console users
Modchips directly infiltrate communication with the internal storage chip. Due to this, there are slight chances of NAND backups being tainted with corrupted data. If a bad backup is restored to sysNAND, the console can be bricked, and a modchip alone won't be able to fix it. To be safe, we recommend setting up an emuMMC on a console with a modchip, verify BOOT0/1 backups using tools like NXNandManager (Windows) or test NAND backups by running them as emuMMCs before you flash them to the sysNAND.
Frequently Asked Questions about this pageQ: Why is CFW referred to as being \"never permanently installed\"? A: Unless you have a modchip of any kind, turning the console off will disactivate the custom firmware. There is no current method for Atmosph\u00e8re to install-to or permanently replace any part of the Nintendo Switch, so it will need to be triggered by an exploit every time you turn on the console. Atmosph\u00e8re will then patch Horizon to bring you custom firmware features.
Q: Should I personally use sys/emuMMC? A: These questions are answered in detail within the webpage. Please make sure that you are fully reading the page before jumping here.
Now that the preparation work is out of the way, we're finally ready to launch custom firmware on the Switch.
Unlike systems such as the DSi, Wii, or 3DS, Switch CFW is currently volatile. It will only work as long as your Switch is on. As soon as your Switch completely loses power for any reason (shutting down, battery dying, etc.), CFW will no longer be active and you will need to follow these instructions again.
Keep emuMMC offline at all times
Your emuMMC (emuNAND) should never connect to Nintendo. For online play, eShop browsing, or any other Nintendo online activity, use your sysNAND. Using both emuMMC and sysNAND online will likely result in a ban.
Instructions for emuMMCInstructions for sysCFWRebooting to Hekate
Once booted into CFW, you can easily get back to Hekate by holding the power button, and selecting Restart
in the power menu or by using the \"reboot to payload\" homebrew app in the homebrew menu. (Note that while the Reboot to Payload app app does not work on modchipped Switch consoles, those already automatically run payloads upon reboot in the first place by default.)
Home
menu, navigate to the Launch
menu.Atmosphere FSS0 emuMMC
and launch it.Hekate is now booting into your emuMMC. To verify that your emuMMC launched properly, open System Settings and navigate to System. You should see AMS
next to the version number (AMS
indicating that you're booted into Atmosphere), as well as an E
at the end (indicating you are booted into emuMMC).
Home
menu, navigate to the Launch
menu.Atmosphere FSS0 sysMMC
and launch it.Hekate is now booting into sysCFW. To verify that sysCFW launched properly, open System Settings and navigate to System. You should see AMS
next to the version number (AMS
indicating that you're booted into Atmosphere), as well as an S
at the end (indicating you are booted into sysCFW).
Atmosphere FSS0 EmuMMC
launch option in Hekate, launching it will just result in an error and is expected because you don't have an emuMMC.You will now be able to launch the Homebrew Menu by opening the album or by holding the R button while launching any game (including demos/cartridges), or application (e.g. YouTube/Hulu). If R is not held, the game or application will launch like normal.
A note about using the album for the Homebrew Menu
See the Homebrew tab for information about what the included Homebrew apps do and if you want to check out more Homebrew apps and read about sysmodules like MissionControl, ldn_mitm, sys-con and more.
If you wish to install more homebrew apps, place them (.nro
files) in the switch
folder on your microSD card.
If you've partitioned your microSD card for preparation of Android/Linux earlier, you can continue with the installation of Android/Linux here with the guides below:
Android installation guide Linux installation guide
Frequently Asked Questions about this pageatmosphere/reboot_to_payload.bin
. This can be any payload, but ideally is Hekate.Important
A NAND backup is crucial to have, it's a full backup of the internal storage of your Switch and can be used to restore the device to a working state in case of emergencies. DO NOT SKIP THIS STEP
Once the backup is finished, keep it somewhere safe. The best backup is the one you have but never need, and the worst backup is the one you need but never made. To save space, it's recommended to compress the end-result with a .zip
file or something similar.
It's highly recommended that you use an microSD card that is formatted to FAT32 and has at least 32 gigabytes of space free. This will still work on smaller cards, but it's not ideal.
"},{"location":"user_guide/all/making_essential_backups/#instructions","title":"Instructions:","text":"payload.bin
on the root of your microSD card.Tools
> Backup eMMC
.eMMC BOOT0 & BOOT1
Close
to continue, then tap on eMMC RAW GPP
Close
> Home
.Tools
> USB tools
> SD card
and plug your Switch into your PC via USB.backup
folder on your microSD card to a safe location on your PC.backup
folder from the root of your microSD card and eject the UMS
device safely from within your computer's operating system, then return to Hekate's Home
menu.Hekate will stop producing these parts when it runs out of space. When this happens, do the following:
OK
when Hekate tells you to back up your stuff. Close
> Close
> USB Tools
> SD Card
and connect your Switch to your PC via USB.backup
folder on the root of your microSD card to a safe location on your PC.UMS
device safely from within your computer's operating system and close the UMS window in Hekate.Close
> Backup eMMC
> eMMC RAW GPP
and continue backing up your NAND.Home
menu.Click the button below to continue to Launching emuMMC! Launching CFW (emuMMC)
Click the button below to continue to Launching sysCFW! Launching CFW (sysCFW)
Partitioning WILL wipe all data on your SD card!
Hekate will prompt you to back it up with UMS before you begin, but in case you miss it, go to Tools
> USB tools
> SD card
and plug your switch into your PC via USB, and backup the contents of your SD card. If you don't mind redownloading all the games stored on the SD card, you may skip this.
Tools
> Partition SD card
emuMMC (RAW)
slider to 29 FULL
in the middle of the bar.emuMMC (RAW)
slider to 58 FULL
if you're on an OLED Switch.Android (USER)
and Linux (EXT4)
sliders to 16GB minimum.Legacy
partitioning if you wish to install Android 10/11 and Dynamic
partitioning if you wish to install Android 13+. Legacy and Dynamic partitioning are NOT intercompatible.Next Step
at the bottom right, then select Start
in the menu that appears.Home
menu, navigate to emuMMC
> Create emuMMC
> SD Partition
> Part 1
and wait for Hekate to complete creating the emuMMC.Close
button, then navigate to Change emuMMC
> SD RAW 1
and press the Close
button twice in the top right to return to hekate's Home
menu.Tools
> USB tools
> SD card
and plug your Switch into your PC via USB.Your microSD card is not showing up or Windows complaining about an unreadable drive
If you get the issue that Windows says the microSD card is unreadable and wants to format it, do not format! This is likely your emuMMC partition. After partitioning your SD, your microSD will show up as 2 drives on your PC. Use the accessible drive. If your microSD card isn't showing up at all, ensure that you're using a USB cable capable of data transfer and that, if you use Windows, Windows has assigned a drive letter to the FAT32 partition of your SD. If you still experience errors, join the NH-Discord server for support.
Continue to SD Preparations
"},{"location":"user_guide/all/partitioning_sd_syscfw/","title":"Formatting and/or partitioning the microSD Card","text":""},{"location":"user_guide/all/partitioning_sd_syscfw/#what-you-need","title":"What you need:","text":"Partitioning WILL wipe all data on your SD card!
Hekate will prompt you to back it up with UMS before you begin, but in case you miss it, go to Tools
> USB tools
> SD card
and plug your switch into your PC via USB, and backup the contents of your SD card. If you don't mind redownloading all the games stored on the SD card, you may skip this.
Tools
> Partition SD card
Next Step
at the bottom right, then select Start
in the menu that appears.Android (USER)
and Linux (EXT4)
sliders to at least 16GB.Legacy
partitioning for Android 10/11 and Dynamic
partitioning for Android 13+. Legacy and Dynamic partitioning are NOT intercompatible.Home
menu and then Tools
> USB tools
> SD card
and plug your Switch into your PC via USB.Your microSD card is not showing up
If your microSD card isn't showing up at all, ensure that you're using a USB cable capable of data transfer and that if you use Windows, Windows has assigned a drive letter to the FAT32 partition of your microSD card. If you still experience errors, join the NH-Discord server for support.
Continue to SD Preparations
"},{"location":"user_guide/all/sd_preparation/","title":"microSD Card preparations","text":""},{"location":"user_guide/all/sd_preparation/#information","title":"Information","text":"We will now place the required files for the Atmosph\u00e8re custom firmware and some additional homebrew files on the microSD card.
Atmosphere has its own bootloader, called fusee. For the purposes of this guide we will be using Hekate instead, so that we can back up the system's NAND (internal storage) and take advantage of other advanced features in the future.
File name extensions
If you use Windows, you should enable file name extensions before continuing. See this link for a guide on how to do this.
"},{"location":"user_guide/all/sd_preparation/#what-you-need","title":"What you need:","text":"hekate_ctcaer_(version).zip
release of hekate)atmosphere-(version)-master-(version)+hbl-(version)+hbmenu-(version).zip
release of Atmosphere.JKSV.nro
release of JKSV)ftpd.nro
release of FTPD)NXThemesInstaller.nro
release of NXThemesInstaller)NX-Shell.nro
release of nx-shell)Goldleaf.nro
release of Goldleaf).zip
file to the root of your microSD card.bootloader
folder from the Hekate .zip
file to the root of your microSD card.bootloader
folder from the bootlogos.zip
file to the root of your microSD card.hekate_ipl.ini
to the bootloader
folder on your microSD card.hosts
inside the atmosphere
folder on your microSD card, and put emummc.txt
in it.JKSV.nro
, ftpd.nro
, NxThemesInstaller.nro
, NX-Shell.nro
and Goldleaf.nro
to the switch
folder on your microSD card.If you were already using your microSD card as a storage device for your games and backed up the Nintendo folder before partitioning your microSD card, please place it back on the root of your microSD card now.
sd:/emuMMC/RAW1/
!About emummc.txt
Putting the emummc.txt
file provided by this guide into /atmosphere/hosts
will prevent your emuMMC (emuNAND) from connecting to Nintendo. Not doing this will likely result in a ban.
Your microSD card should look similar to the image below. The Nintendo
folder will not be present if your Switch has not already booted with the microSD card inserted and the emuMMC
folder will not be present if you're following the sysCFW path of the guide/you haven't created an emuMMC! payload.bin
will not be present if you're using an unpatched Switch.
Continue to Making Essential Backups
"},{"location":"user_guide/modchip/","title":"Introduction","text":""},{"location":"user_guide/modchip/#introduction-to-modchips","title":"Introduction to Modchips","text":""},{"location":"user_guide/modchip/#prerequisites","title":"Prerequisites","text":"A modchip is a physical modification to the motherboard of your Switch. It cannot be installed without decent microsoldering experience. You can outsource this work to people who are willing to do the job for you, or you can also view the following guide if you are willing to install one yourself.
Modchip Installation guide
Note: The above guide is not hosted or supported by NH Server; we cannot provide support for reviving consoles ruined by inexperience.
"},{"location":"user_guide/modchip/#information","title":"Information","text":"Unlike \"unpatched\" consoles, modchips enable CFW via CPU voltage glitching, which bypass bootROM firmware verifications. It allows a payload.bin
file to be launched in place of BOOT0, loaded via a modchip firmware module named sdloader
. This is much different from RCM and its exploit, fusee-gelee, which \"unpatched\" consoles use. Modchips allow any console, including all patched consoles, to run CFW!
Patched Switch consoles, except certain original V1 consoles made from 2017 to mid-2018, are immune to the fusee-gelee exploit in RCM. Attempting to inject a payload on a Patched console will be unsuccessful.
Depending on your modchip's firmware, you may not be able to boot the console without a microSD card inserted. This means without a microSD inserted at all times, your Switch becomes unusable.
If you do turn on your Switch without a microSD card inserted, you should end up at a splash screen saying something along the lines of NO SD
.
Some modchip firmwares (e.g., Spacecraft-NX, Hwfly-NX and the Picofly firmware) allow bypassing sdloader
by holding one - or both - of the volume buttons during power-on, enabling normal boot without a microSD card. Not all modchips support manual firmware updates.
Modchipped Switch consoles allow untethered, coldboot CFW loading, directly entering custom firmware without external devices like dongles or jigs. This is in contrast to the tethered coldboot \"RCM\" entrypoint.
Running CFW on modchipped consoles is more simplistic, as it only requires you to have payload.bin
present on the root of your microSD card when you turn on the system.
Furthermore, this guide assumes you have a functional modchip installation.
"},{"location":"user_guide/modchip/#important","title":"Important","text":"If you do decide to follow the recommended emuMMC path later in the guide, make sure you disable Automatic Save Data Cloud backups/downloads beforehand as well as making sure the Switch is set as Primary Console.
Disclaimer
We ONLY support the Picofly modchip (the RP2040 Zero
development board and the \"modchip variant\" of it). Installing a modchip safely is your responsibility, so if you don't trust yourself, get someone trusted to perform the install. There is always a risk of your Switch being rendered dysfunctional when messing with its hardware without proper experience. The NH-Discord server is not for fixing bad/failed modchip installations. We can give advice and installation tips for the installation as long as it's for a Picofly modchip.
Continue to Preparing Hekate
Frequently Asked Questions about this pageQ: Can you provide more information about modchip firmwares, specifically regarding their impact on the boot process and the ability to bypass the sdloader? A: Modchip firmwares indirectly determine the functionality of your system. Modern modchips (such as Picofly) typically have firmware flashed to them that support all hardware configurations (namely eMMC brands like Hynix, Samsung and Toshiba) \"out-of-the-box\" and also allow you to bypass sdloader
. If this is not the case however, flashing the firmware manually is required by opening up the Switch and using the USB debug port that comes with the modchip to flash the modchip directly. This is especially required in the cases where the eMMC brand is not supported, as your Switch wouldn't boot whatsoever and the modchip would be stuck while trying to glitch/train and write its payload to the BOOT0
partition of the internal storage.
Q: What different types of modchips are there? A: There are three main types of modchips for the Nintendo Switch. Only two of them are relevant for this guide. On the V1 Nintendo Switch, a chip can be installed which automatically injects a payload whenever the console is detected in RCM. This type of modchip is not supported by this guide. On all other Switch consoles, there are DIY \"Picofly\" modchips which can be created with Raspberry Pi parts and custom cables. These use special firmwares, and are not compatible with firmwares intended for other modchips. There are also other \"commercial\" modchips of dubious origin by the name of \"hwfly\" or \"SX Core/Lite\"; we only will help with flashing new firmwares onto these, if you happen to already have one of them installed. Do not ask for assistance installing or sourcing this type of modchip.
Q: Can you further explain the concept of running homebrew \"over a title\" and why it allows for higher resource allocation? A: The default way to run homebrew within Atmosph\u00e8re is via the Album applet on the HOME Menu. However, applets have significantly less resources compared to full applications, and homebrew tools often run into constraints with these limits. By holding a button while launching normal apps while in CFW, you can load the Homebrew menu in their stead with full resources.
Q: What makes Picofly the only supported modchip, and what are the potential risks associated with installing a modchip on your Switch without proper experience? A: Picofly is a fully open-source modchip, from the firmware to the RP2040 microcontroller it uses. Other \"commercial\" modchips have dubious origins, or were manufactured by established illegal piracy groups that have no place in the homebrew community. For the safety of your console and to respect the law of where NH Server is based, we will not assist with sourcing these types of modchips.
To get ready for formatting and/or partitioning your microSD card, we will need to prepare and place the required files on the microSD card.
Following the guide will delete everything on your microSD card!
Later in the guide, you will be formatting and/or partitioning your microSD card. This means that all data on the microSD card will be lost. Now is a good time to back up all of its data to a safe place (for example, on your PC or external drive) so that you can restore it later. You can do this by following the instructions below.
"},{"location":"user_guide/modchip/preparing_hekate/#what-you-need","title":"What you need:","text":"hekate_ctcaer_(version).zip
release of Hekate).zip
to a location on your computer.Nintendo
folder (and any other important data) from the root of your microSD card to a safe space on your device.bootloader
folder and the hekate_ctcaer_(version).bin
payload.bootloader
folder and hekate_ctcaer_(version).bin
payload to the root of your microSD card.hekate_ctcaer_(version).bin
payload to payload.bin
Warning
If your Switch does not load into the Hekate GUI, or shows a No SD Card
/No Payload
screen when turning on the console, ensure that you inserted your microSD card and that Hekate's payload.bin
is on the root of the microSD card.
Continue to choosing your CFW environment
Frequently Asked Questions about this pageQ: Can I use a microSD card with existing data, or does it need to be formatted specifically for this process? A: It is recommended that you use a microSD that is already formatted as FAT32 before starting. In addition, it is important that the microSD card does not have any data from other Switch consoles already on it.
Q: What makes Hekate the recommended choice in this guide? A: Hekate is a polished, multi-purpose bootloader for the Switch. It has the tools to facilitate simple usage of custom firmware and custom operating systems, and aids with organisation and formatting later on in this guide.
Q: How do you pronounce \"Hekate\"? A: Hekate comes from Greek. The most commonly accepted pronunciations are \"HEK-ate\", \"HEK-uh-tee\", and \"hek-AH-tay\".
Q: What role does the /bootloader
folder play in the overall functionality of Hekate? A: The bootloader folder contains crucial parts of Hekate that can't fit in the injectable RCM/modchip payload, such as Nyx; Hekate's touch-enabled GUI. If you start Hekate without these files on your microSD, Hekate's functionality will be severely limited.
Q: How often should I check for updates to Hekate, and what benefits do newer releases bring to the process? A: Nintendo Homebrew's #announcements channel will automatically poll for updates to Atmosph\u00e8re and Hekate, letting you know when updates are available for them. In general, you'll want to look for updates whenever a major Switch system update is launched, as major updates will stop Horizon from booting until Hekate and Atmosph\u00e8re are updated accordingly.
Q: Does this process have any effect on the Switch's system or data? A: No, nothing in the guide has had any permanent effect on the Switch so far.
"},{"location":"user_guide/rcm/","title":"RCM","text":""},{"location":"user_guide/rcm/#about-rcm","title":"About RCM","text":"RCM (short for ReCovery Mode) is a pre-boot mode for Tegra processors that allows NVIDIA and Nintendo to send the Switch tiny programs for various internal uses. On unpatched consoles, once a payload was sent, then quickly copied into the memory buffer behind the stack, it overflowed the memory buffer into the stack. This leads to a \"smashed stack\" and unsigned code execution within a bootROM context, giving us access to nearly everything on the console. We use it here to launch Atmosph\u00e8re.
If you choose the emuMMC path introduced later in the guide, it'll be important to disable the Automatic Save Data Cloud function beforehand, as well as making sure the Switch is set as the primary console.
Continue to Entering RCM
Frequently Asked Questions about this pageQ: How does the RCM exploit work on unpatched Nintendo Switch consoles? A: For more information, please reference this page. There is also a Medium article about it here.
Q: Does RCM work on patched consoles? A: Yes. RCM is an intended mode for all Switch consoles. The exploit is the unintended effect that only some consoles can use. Consoles with the Tegra X1+ have a completely new bootROM with no evidence of the exploit, while \"patched\" V1 systems have an IROM patch to the bootROM applied that effectively removes fusee-gelee as well.
The Switch's Tegra X1 processor has a recovery mode referred to shorthand as RCM, intended to be useless for end-users. Fortunately, due to the fusee-gelee vulnerability, this special mode acts as our gateway into CFW.
Methods to enter RCM can require nothing more than household items (not recommended) to affordable tools ($5-10) available on platforms like AliExpress and Amazon. Avoid the \"metal bridge\" or \"paperclip method\" as it can damage your console. You can also consider 3D printing necessary tools.
Patched Switch
Note that patched units can enter RCM, but it is not possible to send a payload on those systems. Also note that RCM is a different recovery mode than the one accessed by holding Volume Up, Volume Down and powering on your console.
Information about the methods below
The order of methods on this page is in the order of ease. The easiest method to immediately accomplish is the RCM Jig
method. The most advanced/difficult methods are mentioned in the other tabs and should not be attempted by most people as they require voiding your warranty and/or soldering. USING A PAPERCLIP OR TIN FOIL CAN/WILL DAMAGE YOUR CONSOLE, DO NOT DO THIS!
Volume Up
button, press the Power
button once while holding Volume Up
.Volume Up
button.Some jig designs use paperclips, inheriting the same risks as the \"metal bridge\" / \"paperclip method\" and should not be done.
Once you have successfully entered RCM, you can take the jig out of the Joy-Con rail.
This method is similar to the \"metal bridge\" / \"paperclip method\", but is more reliable and safer in many cases. Jigs hold a wire in place so the correct pins (10 and a ground) are reliably shorted.
This method requires opening your right Joy-Con, voiding its warranty. Not for the faint of heart.
This method comes to us from the mind of pbanj
on Discord. All pictures of this method in action were provided by him, with some supplementary images provided by eip618
on Discord.
The goal of this method is to open the right Joy-Con to the point that you can reach the contact pads easily. This is similar to the previous method, however you will be soldering wires to pins 7 and 10 (shown below) and wiring them to the \"rail release button\" at the top back of the right Joy-Con.
This method requires opening your right Joy-Con, voiding its warranty. Not for the faint of heart.
The goal of this method is to open the right handed Joy-Con to the point that you can reach the contact pads easily. This is similar to the previous method, however the goal is to solder pins 7 and 10 (shown below) together with a surface-mount 0805 10k
resistor. Apart from using a physical switch/button, this is currently considered the safest method that involves soldering to pads.
This method will result in the right Joy-Con being seen as \"detached\" while physically connected to the Switch, so it will not be able to charge. This method may result in the Joy-Con being permanently detected as wireless if you update the Joy-Con firmware while this mod is installed. In the latter case, fixing this requires opening up the Joy-Con and reseating the battery. It is recommended to solder pads 7 and 10 together with a resistor instead.
This method requires opening your right Joy-Con, voiding its warranty. Not for the faint of heart.
The goal of this method is to open the right Joy-Con to the point that you can reach the contact pads easily. This is similar to the previous method, however the goal is to solder pads 9 and 10 (seen below) together. This can either be done using a small wire, or directly bridging the pads with solder.
This method will result in the right Joy-Con being detected as in wireless mode while attached to the Switch, and this method may result in the Joy-Con being permanently detected as wireless if you update the Joy-Con firmware while this mod is installed. In the latter case, fixing this requires opening up the Joy-Con and reseating the battery.
This method requires opening your right Joy-Con, voiding its warranty. Not for the faint of heart.
The goal of this method is to open the right handed Joy-Con to the point that you can reach the contact pads easily, and use a thin object such as a knife to gently bend pin 9 and 10 (shown below) slightly up and towards each other so they touch, shorting them.
Continue to Sending a Payload
"},{"location":"user_guide/rcm/entering_rcm/#the-rcm-jig-pictured-below-is-the-model-we-recommend","title":"The RCM jig pictured below is the model we recommend:","text":"Making your own RCM Jig
If you plan on making your own jig, the second image lays out the right Joy-Con pad out on the console. Make sure your jig NEVER touches pin 4. Pin 4 provides 5 volts of power to the Joy-Con, and can permanently damage the rail or console if shorted.
"},{"location":"user_guide/rcm/entering_rcm/#joycon-pad-pinout","title":"JoyCon pad pinout:","text":"In order to start this method you will want to take two lengths of wire, and wrap one end of each into a small circle.
"},{"location":"user_guide/rcm/entering_rcm/#wire-reference","title":"Wire reference:","text":"You will then want to take the circular end of one of the wires and add a small amount of solder, keeping it mostly flat (ONLY DO THIS TO ONE OF THE WIRES!). You will then glue this wire down to the below point on the rail release button. Make sure glue doesn't cover the top of the solder/wire as it will act as a contact point. Also, ensure that you leave enough space for the button to function correctly. Try pushing the button from the outside and observing its travel path so that you can see where and how you should safely glue the solder glob.
"},{"location":"user_guide/rcm/entering_rcm/#joy-con-button","title":"Joy-Con button:","text":""},{"location":"user_guide/rcm/entering_rcm/#joy-con-button_1","title":"Joy-Con button:","text":"The first wire should now be in place as seen by the green circle below. The second wire does not need any solder, instead you will hold it in place using the screw as shown by the red circle in the picture below.
"},{"location":"user_guide/rcm/entering_rcm/#joy-con-button-in-place","title":"Joy-Con button in place:","text":"Pressing the Joy-Con button in you should now notice the solder point you created making contact with the piece of metal held in by the screw. Once you have these elements in place you want to connect one wire to pad 7 and the other to pad 10 (it doesn't matter which is which). After that you have successfully created an RCM button on your Joycon. You will now need to hold down the Joycon release button when attempting to boot RCM.
"},{"location":"user_guide/rcm/entering_rcm/#successful-installation","title":"Successful installation:","text":""},{"location":"user_guide/rcm/entering_rcm/#joycon-pad-pinout_1","title":"JoyCon pad pinout:","text":"Here is an example from stuck_pixel
from the ReSwitched Discord server.
Below is an example from yami0666
from our Discord server.
Here is an example from sonlen
on our Discord server.
If you are here to test if your Switch is patched
Make sure you have put your device into RCM and downloaded Hekate. Once finished, if your console is not patched, continue with the \"Preparing Hekate\" section at the bottom of the page.
Now that the device is in RCM, we will need to send it a payload. The methods are mostly the same but slightly differ depending on what hardware you have available.
WindowsLinuxMacAndroidChromebook
If nothing happens after you send the payload
If your console's screen remains black after you've sent Hekate (or any other payload), it's possible your payload was corrupted, or that your console is patched. If your payload injector program shows that zero or 0x0000 bytes were sent, then it is patched. This isn't a one-time glitch or up for debate; it is patched. Consider an alternate method that isn't via RCM.
"},{"location":"user_guide/rcm/sending_payload/#what-you-need","title":"What you need:","text":"hekate_ctcaer_(version).bin
) is located inside of the hekate_ctcaer_(version).zip
.Settings
tab, then press Install Driver
and follow the on-screen instructions.Payload
tab of TegraRcmGUI.Inject payload
, and navigate to and select the hekate_ctcaer_X.X.X.bin
file.Inject payload
to launch the payload you selected.Follow these steps if you face issues when installing the driver with TegraRcmGUI. You will need the latest version of Zadig.
Options
menu, be sure that List All Devices
is enabled.libusbK (v3.1.0.0)
in the driver list.Install Driver
and wait for the installation to finish.hekate_ctcaer_(version).bin
) is located inside of the hekate_ctcaer_(version).zip
../fusee-nano /path/to/hekate-ctcaer_X.X.X.bin
sudo
CrystalRCM.(version).dmg
file)hekate_ctcaer_(version).bin
) is located inside of the hekate_ctcaer_(version).zip
.CrystalRCM.(version).dmg
file, open the mounted disk image in File Explorer and copy the CrystalRCM.app
file inside of the mounted disk image to any location on your Mac.CrystalRCM.app
app, then click Payload...
and select the hekate_ctcaer_X.X.X.bin
file.Push!
. The payload should now be injected successfully.hekate_ctcaer_(version).bin
) is located inside of the hekate_ctcaer_(version).zip
..bin
file from the Hekate .zip
file to a location on your phone.Payloads
(Signified by a downwards arrow with a line), then press the +
button at the bottom right..bin
file and tap it to add it to Rekado's menu.Hide bundled
.hekate_ctcaer_X.X.X.bin
file in the dialog that pops up.About USB-C
If your Chromebook has a USB-C port, do note that this will not work using a C-C cable.
hekate_ctcaer_(version).bin
) is located inside of the hekate_ctcaer_(version).zip
.hekate_ctcaer_X.X.X.bin
file from the Hekate .zip
file.APX
option.We will prepare the microSD card for formatting/partitioning before going to the next page. Removing the microSD card while in Hekate is safe so turning off the console is not necessary and keeping it on will save time that would be spent reinjecting the payload.
Following the guide will delete everything on your microSD card!
Later in the guide, you will be formatting and/or partitioning your microSD card. This means that all data on the microSD card will be lost. Now is a good time to back up all of its data to a safe place (for example, on your PC or external drive) so that you can restore it later. You can do this by following the instructions below.
"},{"location":"user_guide/rcm/sending_payload/#what-you-need_5","title":"What you need:","text":"Nintendo
folder (and any other important data) from the root of your microSD card to a safe space on your device..zip
to a location on your computerbootloader
.bootloader
folder to the root of your microSD card.Continue to choosing your CFW environment
"}]} \ No newline at end of file +{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"Home","text":""},{"location":"#nh-switch-guide","title":"NH Switch Guide","text":"The NH Switch Guide is a collaboration from Nintendo Homebrew's Discord community, getting you from a stock Switch to Atmosph\u00e8re.
For live support with this guide, visit us in #switch-assistance-1 or #switch-assistance-2 over at the NH-Discord server.
Prepare to set aside a minimum of an hour to follow this guide. This is specifically for you to carefully read and understand each page for safe execution for the safety and longevity of your Switch console. Some required device backups can also take around ten to thirty minutes to create, depending on your Switch model and your microSD card specifications.
"},{"location":"#what-is-custom-firmware","title":"What is Custom Firmware?","text":"Custom FirmWare (\u201cCFW\u201d) is complex software that modifies the function of a device's operating system, also known as a system firmware. Atmosph\u00e8re, for example, patches the Switch OS (named Horizon) on the fly.
Custom firmware can be considered a holy grail in terms of device modding, as it allows nearly limitless control and freedoms than you would get with more primitive \"userland\" access. \u00a0
"},{"location":"#what-is-homebrew","title":"What is homebrew?","text":"Homebrew refers to unofficial software written by hobbyists for locked down systems, like the Nintendo Switch. Homebrew can include original games, emulators, save-editing tools, and much, much more!
On the Switch in particular, you need CFW to run almost all available homebrew. Some first-gen (\"V1\") consoles can run homebrew for free, while all other (\"patched\") consoles require specialized hardware installation beforehand. \u00a0
"},{"location":"#what-are-custom-operating-systems","title":"What are custom operating systems?","text":"Custom operating systems (OSes) are alternative system software installations, like Android or Linux, that install alongside the default Switch OS. These are usually perfect for powerusers who want to extend the functionality of their console beyond that of a gaming console, transforming Nintendo Switch to a full-fledged hybrid tablet or desktop. These custom OSes run completely independent of the Switch OS, meaning that anything you do in a custom OS cannot be reported back to Nintendo. Custom operating systems are not \"emulated\"; they run natively on the Switch's Tegra X1 SoC.
This guide will give you the opportunity to set aside space on your microSD to install these custom OSes onto, if you desire. It is important to note that these installations are optional; you do not need to install any custom OS in order to complete this guide and install Atmosph\u00e8re. However, it is better to decide sooner rather than later, as the installation process involves formatting your microSD card.
"},{"location":"#what-does-this-guide-install","title":"What does this guide install?","text":"This guide has the end-goal of taking a completely unmodified Switch from stock firmware to a custom firmware named Atmosph\u00e8re.
fusee-gelee is currently the most widespread software entrypoint of launching custom firmware. It utilizes a vulnerability in the bootROM of the first-generation Switch systems, allowing us to boot the console via any payload we choose, instead of only ones that Nvidia and Nintendo authorize. The result allows full baremetal control over your console, including system storage backups, recovery, custom firmwares, and custom operating systems. \u00a0
"},{"location":"#what-can-i-do-with-custom-firmware","title":"What can I do with custom firmware?","text":"More on this can be found later on in the guide.
"},{"location":"#what-do-i-need-to-know-before-starting","title":"What do I need to know before starting?","text":"As previously mentioned, this guide will take a minimum of an hour to fully complete. Please responsibly set aside this time before your first run-through.
Acknowledge that EVERY time you modify your system, there is always the potential for an UNRECOVERABLE brick. A brick is a damaged device that no longer functions; something that becomes as \"useful as a brick\". On the Switch, they're rare, but still a possibility -- so make sure you read the directions carefully before performing them, and follow them EXACTLY.
This guide will work on first-generation (V1) and modchipped Switch consoles in all regions on any firmware version.
You will need one of the following in order to successfully follow this guide:
If you choose the emuMMC path introduced later in the guide, you will also need a microSD card that is at least 128 gigabytes. In this path, it'll be important to disable the Automatic Save Data Cloud function beforehand, as well as making sure the Switch is set as the primary console. If you must use a smaller microSD card, you can choose to use the sysCFW path, after assuming the risks involved.
Additionally, on a V1 \"unpatched\" Switch, you will need a way to access the ReCovery Mode (this will be further explained in the \"Entering RCM section\"). While possible with household tools, you may want to shell money out for a \"jig\" that inserts into the Joy-Con rail to reliably enable RCM.
Upon completion, you will lose no data, ending up with everything that you started with (games, Nintendo Account, saves, etc will be preserved). Your functionalities will only be enhanced.
Keep your device plugged in and charged throughout the entire process to avoid data loss or damage from an unexpected power-off.
Custom firmware is not permanently installed and does not change anything on your console simply by running it. It will be entirely unloaded upon rebooting the console. However, CFW does allow you to make permanent changes to your console at your own will, so be responsible and cautious with the abilities enabled by CFW.
It is advised that you read the entire guide from start to finish one or more times before actually running through the guide with your system.
If something doesn't make sense while you follow the guide, please reach out and ask for clarification rather than fumble around on your own. If your English isn't the best, use a translator such as Google Translate to submit your questions, so we can help.
"},{"location":"#click-the-button-below-to-get-started-with-the-guide","title":"Click the button below to get started with the guide!","text":"Continue to Getting Started
Note: We are not currently, historically, or will we ever be, associated with Anton Retro, sthetix, Ely M., or other derivative or YouTube/TikTok guide publishers, especially any that claim relation to us.
Furthermore, we resent any implication to the contrary.
Frequently Asked Questions about this pageQ: What are the differences between \"first-generation\" (\"V1\") consoles and \"patched\" consoles when it comes to running homebrew? A: Once you boot into Horizon, not much. The primary things to keep in mind is that only V1 consoles support Atmosph\u00e8re's \"Reboot to Payload\" function, but modchips automatically load payloads during reboots on their own.
Q: What is Horizon? A: Horizon is the name of the Switch's operating system. It is sometimes called \"HorizonNX\", because it is actually a derivative version of the Nintendo 3DS's operating system of the same name.
Q: Why is it called Atmosph\u00e8re? A: Atmosph\u00e8re \"runs on top of the Horizon\" operating system. Each layer of Horizon's security is referenced via the atmosphere's different layers. For example, the EL1 \"kernel\" reimplementation is called mesosph\u00e8re, while the EL3 \"TrustZone\" reimplementation is called exosph\u00e8re. Learn more about ARM Exception Levels here.
Q: What exactly is the \"emuMMC path,\" and why is it recommended for the microSD card to be at least 128GB for this path? A: The purpose of an emuMMC/emuNAND is to give you a safe place to use custom firmware functions without Nintendo catching sight. As it is an offline clone of your internal storage ran entirely from your microSD card, you will need to set allocate up to 64GB on your microSD card for it (depending on the size of your internal storage), plus a duplicate your of digital game data (emuMMC uses a separate Nintendo folder for game installs).
Q: Why do I need to set my console as primary before starting this guide? A: The Switch will otherwise try to connect to Nintendo servers before starting apps, which can lead to unexpected delays and make emuMMCs completely unusable.
Q: Can I follow this guide if I have a smaller microSD card, and what are the risks involved in choosing the sysCFW path? A: Nothing stops you from using sysCFW, but it is recommended for first-timers to get familiar with CFW by starting with an emuMMC. If used improperly, running sysCFW can cause software bricks and/or bans.
Q: Are there any specific restrictions or limitations imposed by Nintendo on consoles running custom firmware and homebrew? A: Nintendo has shown a distinct tolerance for users using CFW while online. They do not ban for the presence of CFW, they ban for misbehavior - such as piracy or cheating online. Otherwise, you are treated like all other users.
Q: Is there any community support or forums recommended for users who may have questions or issues during the process? A: Of course! As well as the Nintendo Homebrew Discord server, you can also try the r/SwitchHacks subreddit!
This guide was written by community members of the Nintendo Homebrew Discord Server.
You can find this guide on GitHub, It is licensed under the ISC license.
"},{"location":"about/#guide-writers-maintainers","title":"Guide Writers / Maintainers","text":"Thank you to everyone else that contributed to the guide on GitHub, but special thanks to noirscape.
"},{"location":"about/#developers","title":"Developers","text":"Currently two hardware revisions of the Switch exist. Any Switch bought or manufactured before the middle of 2018 has a bootrom bug that allows us to run code regardless of the firmware version on the Switch. When Nintendo updates the system, however, CFW will usually need an update to account for it. This bug cannot be fixed by Nintendo once the console leaves the factory, unless the console is sent in for repairs. This means that all current and future firmwares will be able to launch CFW through this exploit on the old hardware revision.
Any console purchased after approximately August 2018 is likely to be patched. This includes the latest units on shelves, referred to as 'red box' or 'Mariko'. Mariko is hardware patched, but may come on a vulnerable firmware. Currently the only way to know if your Switch is hackable is by trying to send the payload in RCM. Even with this exploit fixed, many Switch consoles on 8.0.1 and below will be hackable to some degree in the future (see Should I update my Firmware? for much more detailed information). The serial number on the back of the box can possibly tell you which consoles are patched and which aren't. See here for an up to date list.
"},{"location":"faq/#how-do-i-use-fusee-gelee-how-can-i-boot-into-rcm","title":"How do I use fusee-gelee? How can I boot into RCM?","text":"To launch CFW through the fusee-gelee, the Switch needs to be in \"ReCovery Mode\"(RCM). The easiest way to enter RCM is by grounding pin 10 in the right joycon rail and holding VOL+ on boot. Several methods and designs to do this exist, see our guide for more information. Once the Switch is in RCM it needs to be connected to either a computer, phone or dongle to send the exploit and the payload.
This procedure needs to happen every time the Switch boots from a completely \"off\" state, otherwise the Switch will boot into the stock firmware.
"},{"location":"faq/#what-makes-a-good-jig-good-can-i-use-a-paperclip","title":"What makes a good jig good? Can I use a paperclip?","text":"Most people prefer to use 3d-printed jigs to enter RCM. These jigs are made in a way that they slide into the right joycon rail and have a piece of connected wire that then bridges pin 10 and one of the grounded pins on the Switch. A lot of different designs for these jigs exist, but it is important to understand, that these jigs can damage the Switch if they are made in a bad way.
Since the wire in the jig is supposed to touch the pads inside the Switch's joycon rail, it is important to use wire that is thin, not rigid and bent/not pointy. Paperclips make for potentially dangerous jigs, as they are made out of a hard material, are rigid and pointy and can easily scratch off the pads inside the Switch. A good jig uses 32Gauge(0.2mm diameter) wire and is bent in a way that the end of the wire does not scratch the pads. You can download and 3d-print your own jig and use the pictures on this website to guide you on how to bend the wire correctly. Premade jigs can be found on online marketplaces for cheap.
"},{"location":"faq/#is-there-an-easier-way-to-enter-rcm","title":"Is there an easier way to enter RCM?","text":"To enter RCM more comfortably a solution called \"AutoRCM\" exists. Once set up, this method will always boot the Switch into RCM, even without a jig or holding any buttons. This works by \"bricking\" the Switch in a controlled manner. The Switch detects that something is wrong and boots into RCM to get repaired. The big downside of this method is, that it is impossible to boot the Switch without a computer, phone or dongle, as it will never boot into stock firmware by itself, and that it requires an SD card with the proper CFW files on it at all times. In addition, if the battery of the Switch is completely drained, the Switch will need to charge to at least 10% in Hekate before launching Atmosphere, otherwise the Switch will refuse to boot due to the low battery. Charging in RCM is not recommended as this is very slow. AutoRCM can be reversed, but it is advised to keep a working NAND and BOOT0/1 backup before using it.
Many Android-phones are able to send the exploit to the Switch, making them a perfect portable way to launch CFW. Different designs for portable dongles exist, ranging from Raspberry Pi Zero and Arduino projects to internal dongles, that work completely autonomous. The latter should only be done by advanced users, as it requires soldering onto the Switch mainboard itself.
"},{"location":"faq/#should-i-update-my-firmware","title":"Should I update my Firmware?","text":"If your Switch is one of the new hardware revisions that patched the exploit in RCM and you are on firmware 7.0.1 or lower, you should not update if you want to have CFW in the forseeable future.
If your Switch is one of the older hardware revisions and you don't mind having to use jigs/hardmods/AutoRCM and sending the exploit via computer, phone or dongle everytime you want to launch into CFW then it is completely safe to update. If you want the chance to maybe, one day, not have to use a external device, then it is recommended to stay on a FW as low as possible. Beware that this means that you potentially need to wait for a very long time (months to years) for this to happen, if ever. Private exploits to launch CFW over the Browser are known to exist for firmwares up to 7.0.1.
Downgrading on the Switch is possible, but it requires using AutoRCM and a custom bootloader payload to bypass the Switch's several hardware anti-downgrade mechanisms. This will not work on an unpatched system, and is practically useless for most users. On every boot the Switch firmware checks how many e-fuses have been burned and how many e-fuses the Switch expects to be burned. Major updates to the Switch, or updates in which a large vulnerability has been patched, irreversibly burn one of the Switch's 64 \"e-fuses\". If the Switch ever detects that more e-fuses have been burned than expected (meaning a downgrade happened), it will refuse to boot. Replacing e-fuses is not an option. You can find more information about fuses here Atmosph\u00e8reis maintained to support the latest firmware updates on unpatched units. The situation for patched and new units is as follows:
\"Old\" Patched Switch (HAC-001): Do NOT update past 7.0.1. Units on 7.0.1 and below will eventually get CFW. Patched units that have upgraded to 8.0.0 or 8.0.1 will likely get homebrew.
\"New\" Switch (HAC-001(-01): Do NOT update past 8.0.1. Units on 8.0.1 and below will likely get homebrew. Units on 8.1.0 and higher are not expected to be hacked and can be updated.
Switch Lite (HDH-001): Do NOT update past 8.0.1. Units on 8.0.1 and below will likely get homebrew. Units on 8.1.0 and higher are not expected to be hacked and can be updated.
A method to update without burning e-fuses exists, but, like downgrading, it forces you to use AutoRCM and sending the exploit via USB every time, as booting into the stock firmware even once would instantly burn the e-fuse. Note that other anti-downgrade mechanisms exist, making it for example impossible to boot game carts on a firmware below 4.1/9.0.0 if the Switch has ever launched a game on firmware 4.1+/9.0.0+. This can only be worked around by completely disabling the game cart slot while on 4.1/9.0.0 or greater, which is similarly impractical for most users.
"},{"location":"faq/#is-it-safe-to-use-homebrew-will-i-get-banned","title":"Is it safe to use homebrew? Will I get banned?","text":"The Switch comes with a lot of telemetry, and has been called a \"telemetry monster\" by several prominent developers. As long as the Switch is connected to the internet, Nintendo gets a report about a lot of different actions and states and has the option to log or act on them. Even if the Switch is offline and connects to the internet at a later point, Nintendo still recieves information about what happened while the Switch was disconnected.
To disable some of this telemetry, it is advised to disable the sending of error reports in the System Settings of the Switch. Additionally if you live in the EU you can set the \"do not share\" option on Nintendo's website to prevent your Switch from sending a lot of telemetry, although the effectiveness of this is questionable.
Nintendo still receives a lot of information, even with those options disabled. We also cannot know if Nintendo decides to look for something in the logs and ban people in retrospect. They have also shown to expand their telemetry options with every other firmware update.
Currently all bans have been for very obvious and intrusive actions, specifically:
Atmosph\u00e8re stops some, but not all of Nintendo's telemetry, and prevents crash reports from being sent. This means Nintendo can't tell if anything, including homebrew or modded games crashed, and Atmosph\u00e8re dumps the crash log to the microSD card to help homebrew developers. However, Nintendo still receives information about what is being played, and general system report information.
Atmosph\u00e8re is not a silver bullet, and this does not mean that Nintendo won't decide to ban people for harmless homebrew in the future. If you are scared to get banned then don't use homebrew for now. Atmosph\u00e8re now supports emuMMC (emuNAND): a copy of Switch system software, run entirely from the microSD card instead. This erases ban risks due to the fact that emuMMC is run in a quarantined, offline state, not touching the internal memory. You are still able to boot into original firmware to play online.
For patched units reliant on deja-vu, sysNAND will always have to be on a firmware below 4.1. For Switch versions from 5.0 to 7.0.1 deja-vu isn't quite out yet but will come eventually. (Also please note that firmwares 8.0.0+ will never work with deja-vu) You can use an updated emuMMC dedicated to online/clean play, while your sysNAND is used offline for custom firmware.
We do not recommend the use of ReiNX or SX OS for many reasons, primary among them that they use lots of assets from Atmosph\u00e8re and offer no real benefit that Atmosph\u00e8re does not offer anyway. We also do not recommend Kosmos, as its large amount of extras on top of regular Atmosph\u00e8re make it difficult to troubleshoot strange issues. All of these alternative CFWs also tend to use non-conventional setups which can cause issues that make it difficult to troubleshoot, which is another reason we prefer using Atmosphere. Additionally, it is advised to use 90DNS which blocks connections to any Nintendo servers. If you use an emuNAND for CFW and keep your sysNAND clean for playing online, you should use 90DNS on your emuNAND. Note: Keeping your emuNAND \"dirty\" and your sysNAND \"clean\" pertains primarily to those using the RCM exploit. Users employing Nereba or Caffeine will do the opposite.
"},{"location":"faq/#what-formats-can-homebrew-come-in","title":"What formats can homebrew come in","text":"Homebrew can come in two different formats, namely in nro
files and in bin
files.
nro
Files are placed in the switch
folder on your microSD card and can be launched using the Homebrew menu.bin
This format is used as a payload and is to be pushed in RCM using a payload launcher like tegrarcmgui on windows and fusee-interfacee-tk on other operating systems.Homebrew risks Be careful with launching downloaded homebrew! If you don't know the source, it's best not to launch it. Homebrew can potentially damage your system! Atmosph\u00e8re provides protections against common bricking methods, but these are not guaranteed to always work!
"},{"location":"faq/#what-microsd-cardformat-should-i-use","title":"What microSD card/format should I use?","text":"microSD cards that are 32GB or smaller can be used for homebrew, but are not recommended as these will not permit you to have a full NAND dump and/or an emuMMC on them.
The recommended microSD card size is 128GB. This will permit you to make a full NAND dump as well as having enough space to run an emuNAND in the future while also having adequate space for homebrew.
The recommended filesystem format is FAT32. While the Switch supports exFAT through an additional update from Nintendo, this filesystem is prone to corruption and as a result is not advisable.
"},{"location":"faq/#fake-microsd-cards","title":"Fake microSD cards","text":"Do not buy microSD cards from sites like eBay. These microSD cards are often fake and do not have the advertised amount of storage and will result in data corruption if used. Amazon has had some problems with fake microSD cards, so we recommend buying them at a physical store. Even on trustworthy sites, always, always check reviews on a product before buying!!
If you suspect your microSD card is fake or damaged, see the instructions here to verify the integrity of your microSD card.
"},{"location":"faq/#my-homebrew-apps-are-not-showing-up-in-the-homebrew-menu","title":"My Homebrew apps are not showing up in the Homebrew menu!","text":"This is an issue primarily affecting macOS users, but may occur on other devices as well. If you are able to launch the homebrew menu, but you are not seeing some or any of your Homebrew apps, you may need to unset the archive bit with Hekate.
Tools
on the top menu bar.Arch Bit \u2022 AutoRCM \u2022 Touch \u2022 Pkg1/2
.Fix Archive bit
- this might take a while.Close
in the top right corner.Home
in the top menu bar to get back from where you started.This report documents Fus\u00e9e Gel\u00e9e, a coldboot vulnerability that allows full, unauthenticated arbitrary code execution from an early bootROM context via Tegra Recovery Mode (RCM) on NVIDIA's Tegra line of embedded processors. As this vulnerability allows arbitrary code execution on the Boot and Power Management Processor (BPMP) before any lock-outs take effect, this vulnerability compromises the entire root-of-trust for each processor, and allows exfiltration of secrets e.g. burned into device fuses.
Quick vitals: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Reporter: Katherine Temkin (@ktemkin) Affiliation: ReSwitched (https://reswitched.tech) E-mail: k@ktemkin.com Affects: Tegra SoCs, independent of software stack Versions: believed to affect Tegra SoCs released prior to the T186 / X2 Impact: early bootROM code execution with no software requirements, which can lead to full compromise of on-device secrets where USB access is possible Disclosure public disclosure planned for June 15th, 2018"},{"location":"fusee_gelee/#vulnerability-summary","title":"Vulnerability Summary","text":"The USB software stack provided inside the boot instruction rom (IROM/bootROM) contains a copy operation whose length can be controlled by an attacker. By carefully constructing a USB control request, an attacker can leverage this vulnerability to copy the contents of an attacker-controlled buffer over the active execution stack, gaining control of the Boot and Power Management processor (BPMP) before any lock-outs or privilege reductions occur. This execution can then be used to exfiltrate secrets and to load arbitrary code onto the main CPU Complex (CCPLEX) \"application processors\" at the highest possible level of privilege (typically as the TrustZone Secure Monitor at PL3/EL3).
"},{"location":"fusee_gelee/#public-disclosure-notice","title":"Public Disclosure Notice","text":"This vulnerability is notable due to the significant number and variety of devices affected, the severity of the issue, and the immutability of the relevant code on devices already delivered to end users. This vulnerability report is provided as a courtesy to help aid remediation efforts, guide communication, and minimize impact to users.
As other groups appear to have this or an equivalent exploit-- including a group who claims they will be selling access to an implementation of such an exploit-- it is the author and the ReSwitched team's belief that prompt public disclosure best serves the public interest. By minimizing the information asymmetry between the general public and exploit-holders and notifying the public, users will be able to best assess how this vulnerability impacts their personal threat models.
Accordingly, ReSwitched anticipates public disclosure of this vulnerability: * If another group releases an implementation of the identified vulnerability; or * On June 15th, 2018, whichever comes first.
"},{"location":"fusee_gelee/#vulnerability-details","title":"Vulnerability Details","text":"The core of the Tegra boot process is approximated by the following block of pseudo-code, as obtained by reverse-engineering an IROM extracted from a vulnerable T210 system:
// If this is a warmboot (from \"sleep\"), restore the saved state from RAM.\nif (read_scratch0_bit(1)) {\n restore_warmboot_image(&load_addr);\n}\n// Otherwise, bootstrap the processor.\nelse\n{\n // Allow recovery mode to be forced by a PMC scratch bit or physical straps.\n force_recovery = check_for_rcm_straps() || read_scratch0_bit(2);\n\n // Determine whether to use USB2 or USB3 for RCM.\n determine_rcm_usb_version(&usb_version);\n usb_ops = set_up_usb_ops(usb_version);\n usb_ops->initialize();\n\n // If we're not forcing recovery, attempt to load an image from boot media.\n if (!force_recovery)\n {\n // If we succeeded, don't fall back into recovery mode.\n if (read_boot_configuration_and_images(&load_addr) == SUCCESS) {\n goto boot_complete;\n }\n }\n\n // In all other conditions\n if (read_boot_images_via_usb_rcm(<snip>, &load_addr) != SUCCESS) {\n /* load address is poisoned here */\n }\n}\n\nboot_complete:\n /* apply lock-outs, and boot the program at address load_address */\n
Tegra processors include a USB Recovery Mode (RCM), which we can observe to be activated under a number of conditions: * If the processor fails to find a valid Boot Control Table (BCT) + bootloader on its boot media; * If processor straps are pulled to a particular value e.g. by holding a button combination; or * If the processor is rebooted after a particular value is written into a power management controller scratch register.
USB recovery mode is present in all devices, including devices that have been production secured. To ensure that USB recovery mode does not allow unauthenticated communications, RCM requires all recovery commands be signed using either RSA or via AES-CMAC.
The bootloader's implementation of the Tegra RCM protocol is simple, and exists to allow loading a small piece of code (called the miniloader or applet) into the bootloader's local Instruction RAM (IRAM). In a typical application, this applet is nvtboot-recovery
, a stub which allows further USB communications to bootstrap a system or to allow system provisioning.
The RCM process is approximated by the following pseudo-code, again obtained via reverse engineering a dumped IROM from a T210:
// Significantly simplified for clarity, with error checking omitted where unimportant.\nwhile (1) {\n // Repeatedly handle USB standard events on the control endpoint EP0.\n usb_ops->handle_control_requests(current_dma_buffer);\n\n // Try to send the device ID over the main USB data pipe until we succeed.\n if ( rcm_send_device_id() == USB_NOT_CONFIGURED ) {\n usb_initialized = 0;\n }\n // Once we've made a USB connection, accept RCM commands on EP1.\n else {\n usb_initialized = 1;\n\n // Read a full RCM command and any associated payload into a global buffer.\n // (Error checking omitted for brevity.)\n rcm_read_command_and_payload();\n\n // Validate the received RCM command; e.g. by checking for signatures\n // in RSA or AES_CMAC mode, or by trivially succeeding if we're not in\n // a secure mode.\n rc = rcm_validate_command();\n if (rc != VALIDATION_PASS) {\n return rc;\n }\n\n // Handle the received and validated command.\n // For a \"load miniloader\" command, this sanity checks the (validated)\n // miniloader image and takes steps to prevent re-use of signed data not\n // intended to be used as an RCM command.\n rcm_handle_command_complete(...);\n }\n}\n
It is important to note that a full RCM command and its associated payload are read into 1) a global buffer, and 2) the target load address, respectively, before any signature checking is done. This effectively grants the attacker a narrow window in which they control a large region of unvalidated memory.
The largest vulnerability surface area occurs in the rcm_read_command_and_payload
function, which accepts the RCM command and payload packets via a USB bulk endpoint. For our purposes, this endpoint is essentially a simple pipe for conveyance of blocks of binary data separate from standard USB communications.
The rcm_read_command_and_payload
function actually contains several issues-- of which exactly one is known to be exploitable:
uint32_t total_rxd = 0;\nuint32_t total_to_rx = 0x400;\n\n// Loop until we've received our full command and payload.\nwhile (total_rxd < total_to_rx) {\n // Switch between two DMA buffers, so the USB is never DMA'ing into the same\n // buffer that we're processing.\n active_buffer = next_buffer;\n next_buffer = switch_dma_buffers();\n\n // Start a USB DMA transaction on the RCM bulk endpoint, which will hopefully\n // receive data from the host in the background as we copy.\n usb_ops->start_nonblocking_bulk_read(active_buffer, 0x1000);\n\n // If we're in the first 680-bytes we're receiving, this is part of the RCM\n // command, and we should read it into the command buffer.\n if ( total_rxd < 680 ) {\n /* copy data from the DMA buffer into the RCM command buffer until we've\n read a full 680-byte RCM command */\n\n // Once we've received the first four bytes of the RCM command,\n // use that to figure out how much data should be received.\n if ( total_rxd >= 4 )\n {\n // validate:\n // -- the command won't exceed our total RAM\n // (680 here, 0x30000 in upper IRAM)\n // -- the command is >= 0x400 bytes\n // -- the size ends in 8\n if ( rcm_command_buffer[0] >= 0x302A8u\n || rcm_command_buffer[0] < 0x400u\n || (rcm_command_buffer[0] & 0xF) != 8 ) {\n return ERROR_INVALID_SIZE;\n } else {\n left_to_rx = *((uint32_t *)rcm_command_buffer);\n }\n }\n }\n\n /* copy any data _past_ the command into a separate payload\n buffer at 0x40010000 */\n /* -code omitted for brevity - */\n\n // Wait for the DMA transaction to complete.\n // [This is, again, simplified to convey concepts.]\n while(!usb_ops->bulk_read_complete()) {\n\n // While we're blocking, it's still important that we respond to standard\n // USB packets on the control endpoint, so do that here.\n usb_ops->handle_control_requests(next_buffer);\n }\n}\n
Astute readers will notice an issue unrelated to the Fus\u00e9e Gel\u00e9e exploit: this code fails to properly ensure DMA buffers are being used exclusively for a single operation. This results in an interesting race condition in which a DMA buffer can be simultaneously used to handle a control request and a RCM bulk transfer. This can break the flow of RCM, but as both operations contain untrusted data, this issue poses no security risk.
To find the actual vulnerability, we must delve deeper, into the code that handles standard USB control requests. The core of this code is responsible for responding to USB control requests. A control request is initiated when the host sends a setup packet, of the following form:
Field \u00a0 \u00a0 \u00a0 \u00a0 Size \u00a0 \u00a0 Description direction 1b if '1', the device should respond with data type 2b specifies whether this request is of a standard type or not recipient 5b encodes the context in which this request should be considered; for example, is this about aDEVICE
or about an ENDPOINT
? request 8b specifies the request number value 16b argument to the request index 16b argument to the request length 16b specifies the maximum amount of data to be transferred As an example, the host can request the status of a device by issuing a GET_STATUS
request, at which point the device would be expected to respond with a short setup packet. Of particular note is the length
field of the request, which should limit -- but not exclusively determine-- the maximum amount of data that should be included in the response. Per the specification, the device should respond with either the amount of data specified or the amount of data available, whichever is less.
The bootloader's implementation of this behavior is conceptually implemented as follows:
// Temporary, automatic variables, located on the stack.\nuint16_t status;\nvoid *data_to_tx;\n\n// The amount of data available to transmit.\nuint16_t size_to_tx = 0;\n\n // The amount of data the USB host requested.\nuint16_t length_read = setup_packet.length;\n\n/* Lots of handler cases have omitted for brevity. */\n\n// Handle GET_STATUS requests.\nif (setup_packet.request == REQUEST_GET_STATUS)\n{\n // If this is asking for the DEVICE's status, respond accordingly.\n if(setup_packet.recipient == RECIPIENT_DEVICE) {\n status = get_usb_device_status();\n size_to_tx = sizeof(status);\n }\n // Otherwise, respond with the ENDPOINT status.\n else if (setup_packet.recipient == RECIPIENT_ENDPOINT){\n status = get_usb_endpoint_status(setup_packet.index);\n size_to_tx = length_read; // <-- This is a critical error!\n }\n else {\n /* ... */\n }\n\n // Send the status value, which we'll copy from the stack variable 'status'.\n data_to_tx = &status;\n}\n\n// Copy the data we have into our DMA buffer for transmission.\n// For a GET_STATUS request, this copies data from the stack into our DMA buffer.\nmemcpy(dma_buffer, data_to_tx, size_to_tx);\n\n// If the host requested less data than we have, only send the amount requested.\n// This effectively selects min(size_to_tx, length_read).\nif (length_read < size_to_tx) {\n size_to_tx = length_read;\n}\n\n// Transmit the response we've constructed back to the host.\nrespond_to_control_request(dma_buffer, length_to_send);\n
In most cases, the handler correctly limits the length of the transmitted responses to the amount it has available, per the USB specification. However, in a few notable cases, the length is incorrectly always set to the amount requested by the host: * When issuing a GET_CONFIGURATION
request with a DEVICE
recipient. * When issuing a GET_INTERFACE
request with a INTERFACE
recipient. * When issuing a GET_STATUS
request with a ENDPOINT
recipient.
This is a critical security error, as the host can request up to 65,535 bytes per control request. In cases where this is loaded directly into size_to_tx
, this value directly sets the extent of the memcpy
that follows-- and thus can copy up to 65,535 bytes into the currently selected dma_buffer
. As the DMA buffers used for the USB stack are each comparatively short, this can result in a very significant buffer overflow.
To validate that the vulnerability is present on a given device, one can try issuing an oversized request and watch as the device responds. Pictured below is the response generated when sending a oversized GET_STATUS
control request with an ENDPOINT
recipient to a T124:
A compliant device should generate a two-byte response to a GET_STATUS
request-- but the affected Tegra responds with significantly longer response. This is a clear indication that we've run into the vulnerability described above.
To really understand the impact of this vulnerability, it helps to understand the memory layout used by the bootROM. For our proof-of-concept, we'll consider the layout used by the T210 variant of the affected bootROM:
The major memory regions relevant to this vulnerability are as follows: * The bootROM's execution stack grows downward from 0x40010000
; so the execution stack is located in the memory immediately preceding that address. * The DMA buffers used for USB are located at 0x40005000
and 0x40009000
, respectively. Because the USB stack alternates between these two buffers once per USB transfer, the host effectively can control which DMA buffer is in use by sending USB transfers. * Once the bootloader's RCM code receives a 680-byte command, it begins to store received data in a section of upper IRAM located at address 0x40010000
, and can store up to 0x30000
bytes of payload. This address is notable, as it is immediately past the end of the active execution stack.
Of particular note is the adjacency of the bootROM's execution stack and the attacker-controlled RCM payload. Consider the behavior of the previous pseudo-code segment on receipt of a GET_STATUS
request to the ENDPOINT
with an excessive length. The resulting memcpy: * copies up to 65,535 bytes total; * sources data from a region starting at the status variable on the stack and extending significantly past the stack -- effectively copying mostly from the attacker-controllable RCM payload buffer * targets a buffer starting either 0x40005000
or 0x40009000
, at the attacker's discretion, reaching addresses of up to 0x40014fff
or 0x40018fff
This is a powerful copy primitive, as it copies from attacker controlled memory and into a region that includes the entire execution stack:
This would be a powerful exploit on any platform; but this is a particularly devastating attack in the bootROM environment, which does not: * Use common attack mitigations such as stack canaries, ostensibly to reduce complexity and save limited IRAM and IROM space. * Apply memory protections, so the entire stack and all attacker controlled buffers can be read from, written to, and executed from. * Employ typical 'application-processor' mitigation strategies such as ASLR.
Accordingly, we now have: 1. The capability to load arbitrary payloads into memory via RCM, as RCM only validates command signatures once payload receipt is complete. 2. The ability to copy attacker-controlled values over the execution stack, overwriting return addresses and redirecting execution to a location of our choice.
Together, these two abilities give us a full arbitrary-code execution exploit at a critical point in the Tegra's start-up process. As control flow is hijacked before return from read_boot_images_via_usb_rcm
, none of the \"lock-out\" operations that precede normal startup are executed. This means, for example, that the T210 fuses-- and the keydata stored within them-- are accessible from the attack payload, and the bootROM is not yet protected.
The Fus\u00e9e Launcher PoC exploits the vulnerability described on the T210 via a careful sequence of interactions: 1. The device is started in RCM mode. Device specifics will differ, but this is often via a key-combination held on startup. 2. A host computer is allowed to enumerate the RCM device normally. 3. The host reads the RCM device's ID by reading 16 bytes from the EP1 IN. 4. The host builds an exploit payload, which is comprised of: 1. An RCM command that includes a maximum length, ensuring that we can send as much payload as possible without completing receipt of the RCM payload. Only the length of this command is used prior to validation; so we can submit an RCM command that starts with a maximum length of 0x30298, but which fills the remaining 676 bytes of the RCM command with any value. 2. A set of values with which to overwrite the stack. As stack return address locations vary across the series, it's recommended that a large block composed of a single entry-point address be repeated a significant number of times, so one can effectively replace the entire stack with that address. 3. The program to be executed (\"final payload\") is appended, ensuring that its position in the binary matches the entry-point from the previous step. 4. The payload is padded to be evenly divisible by the 0x1000 block size to ensure the active block is not overwritten by the \"DMA dual-use\" bug described above. 5. The exploit payload is sent to the device over EP1 OUT, tracking the number of 0x1000-byte \"blocks\" that have been sent to the device. If this number is even, the next write will be issued to the lower DMA buffer (0x40005000
); otherwise, it will be issued to the upper DMA buffer (0x40009000
). 6. If the next write would target the lower DMA buffer, issue another write of a full 0x1000 bytes to move the target to the upper DMA buffer, reducing the total amount of data to be copied. 7. Trigger the vulnerable memcpy by sending a GET_STATUS
IN
control request with an ENDPOINT
recipient, and a length long enough to smash the desired stack region, and preferably not longer than required.
A simple host program that triggers this vulnerability is included with this report: see fusee-launcher.py
. Note the restrictions on its function in the following section.
Included with this report is a set of three files: * fusee-launcher.py
-- The main proof-of-concept accompanying this report. This python script is designed to launch a simple binary payload in the described bootROM context via the exploit. * intermezzo.bin
-- This small stub is designed to relocate a payload from a higher load address to the standard RCM load address of 0x40010000
. This allows standard RCM payloads (such as nvtboot-recover.bin
) to be executed. * fusee.bin
-- An example payload for the Nintendo Switch, a representative and well-secured device based on a T210. This payload will print information from the device's fuses and protected IROM to the display, demonstrating that early bootROM execution has been achieved.
Support note: Many host-OS driver stacks are reluctant to issue unreasonably large control requests. Accordingly, the current proof-of-concept includes code designed to work in the following environments: * 64-bit linux via xhci_hcd
. The proof-of-concept can manually submit large control requests, but does not work with the common ehci_hcd
drivers due to driver limitations. A rough rule of thumb is that a connection via a blue / USB3 SuperSpeed port will almost always be handled by xhci_hcd
. * macOS. The exploit works out of the box with no surprises or restrictions on modern macOS.
Windows support would require addition of a custom kernel module, and thus was beyond the scope of a simple proof-of-concept.
To use this proof-of-concept on a Nintendo Switch: 1. Set up an Linux or macOS environment that meets the criteria above, and which has a working python3
and pyusb
as well as libusb
installed. 2. Connect the Switch to your host PC with a USB A -> USB C cable. 3. Boot the Switch in RCM mode. There are three ways to do this, but the first-- unseating its eMMC board-- is likely the most straightforward: 1. Ensure the Switch cannot boot off its eMMC. The most straightforward way to to this is to open the back cover and remove the socketed eMMC board; corrupting the BCT or bootloader on the eMMC boot partition would also work. 2. Trigger the RCM straps. Hold VOL_UP and short pin 10 on the right JoyCon connector to ground while engaging the power button. 3. Set bit 2 of PMC scratch register zero. On modern firmwares, this requires EL3 or pre-sleep BPMP execution. 4. Run the fusee-launcher.py
with an argument of fusee.bin
. (This requires intermezzo.bin
to be located in the same folder as fusee-launcher.py
.)
```\nsudo python3 ./fusee-launcher.py fusee.bin\n```\n
If everything functions correctly, your Switch should be displaying a collection of fuse and protected-IROM information:
"},{"location":"fusee_gelee/#recommended-mitigations","title":"Recommended Mitigations","text":"In this case, the recommended mitigation is to correct the USB control request handler such that it always correctly constrains the length to be transmitted. This has to be handled according to the type of device:
It seems likely that OEMs producing T210-based devices may move to T214 solutions; it is the hope of the author that the T214's bootROM shares immunity with the T186. If not, patching the above is a recommended modification to the mask ROM and/or ipatches of the T214, as well.
"},{"location":"extras/","title":"Extras","text":"Several extra guides that are not required for basic usage can be found here.
They are listed in the sidebar as well.
"},{"location":"extras/#commonly-used-guides","title":"Commonly used guides:","text":"This section details how to add an udev
rule to let you send a payload to your Switch without needing to use sudo
.
The following instructions only work if you have a system that implements udev
. Most modern distros come with systemd
already installed, which includes a udev
implementation.
Do the following instructions while your Switch is not connected to your computer.
For Arch Linux users:
The package android-udev
includes rules that will also allow for payload injection to work without root. Do note this also allows Android specific commands such as adb
and fastboot
to also work without root (as is the intention of it.)
"},{"location":"extras/adding_udev/#option-1-manually-adding-rules-and-group","title":"Option 1: Manually adding rules and group","text":"
The following instructions are not for beginners. Only do this if you understand what you are doing.
"},{"location":"extras/adding_udev/#creating-a-new-group","title":"Creating a new group","text":"To start, we will create a new group and add ourselves to it. The group the Nintendo Switch device will be owned by on Linux will be set to this group.
sudo groupadd nintendo_switch
.sudo usermod -a -G nintendo_switch $USER
. Make sure that the G
is capitalized!Next we're gonna add a new udev
rule. udev
is a device manager for the linux kernel. The rule we're gonna specify is that if the Switch is connected in RCM
, the group the Switch belongs to will be the group we made in the previous section.
sudo -i
. Enter your password when prompted.mkdir -p /etc/udev/rules.d
.echo 'SUBSYSTEMS==\"usb\", ATTRS{manufacturer}==\"NVIDIA Corp.\", ATTRS{product}==\"APX\", GROUP=\"nintendo_switch\"' > /etc/udev/rules.d/10-switch.rules
.udevadm control --reload
.udevadm trigger
.You should now be able to run the payload sender without having to use sudo
.
"},{"location":"extras/adding_udev/#option-2-installing-a-package-with-the-rules","title":"Option 2: Installing a package with the rules","text":"
These rules will actually allow ANY user to access your Switch via USB, not only your user.
You may just follow the instructions at nx-udev, or if you're on Ubuntu / Debian:
sudo dpkg -i nx-udev_latest_all.deb
to install the packageYou should now be able to run the payload injector and homebrew with USB communication without having to use sudo
.
If you need to troubleshoot something, or need to try a different boot setup, read on.
Do I need any of these?
Unless you are experiencing problems with booting or Atmosph\u00e8re itself, it's strongly recommended to use the main guide instead of these. They are provided for the sake of completeness.
"},{"location":"extras/alternate_bootsetups/#chainloading-fusee-from-hekate","title":"Chainloading Fusee from Hekate","text":"
fusee.bin
.zip
file to the root of your microSD card.bootloader
folder from the Hekate .zip
file to the root of your microSD card.fusee.bin
to the sd:/bootloader/payloads
folder on your microSD card.payload.bin
(Modchipped Switch users).Payloads
> fusee.bin
.fusee
uses a set boot order that is not as easily configurable as Hekate. Its boot order is emuMMC
> sysCFW
> stock
. If an emuMMC isn't present, it will boot into sysCFW for example. Make sure you have a method of blocking Nintendo's servers set up (such as DNS-MITM) if you do use fusee
and have an emuMMC
.This method will not work for Modchipped Switch users.
fusee.bin
.zip
file to the root of your microSD card.fusee.bin
payload.fusee
uses a set boot order that is not as easily configurable as Hekate. Its boot order is emuMMC
> sysCFW
> stock
. If an emuMMC isn't present, it will boot into sysCFW for example. Make sure you have a method of blocking Nintendo's servers set up (such as DNS-MITM) if you do use fusee
and have an emuMMC
.AutoRCM causes the console to believe it is bricked, and will automatically launch RCM upon boot for recovery purposes, without needing a jig. As RCM is a recovery mode from repair specialists, this is an intended feature from the device developer, though is also considered a softbrick. If you aren't careful, misuse of AutoRCM can lead to real damage, especially with units that cannot inject custom RCM payloads (like Mariko hardware). Please take care when using it. Please keep in mind that the console can no longer boot on its own, so you'll need a PC, phone, or other payload injector to start the console after a coldboot.
If you don't have a BOOT0/1 backup yet...
You really want to kill your console, huh? If you haven't made a BOOT0/1 backup yet, it is recommended to make one right now.
Tools
, and select Backup eMMC
eMMC BOOT0 & BOOT1
and let the process complete.There are some disadvantages you should consider before installing AutoRCM:
AutoRCM can be used for good as well:
Other information...
If, despite all of the information above, you still wish to enable AutoRCM, and understand the risks, do the following:
Tools
Arch Bit \u2022 AutoRCM \u2022 Touch \u2022 Pkg1/2
AutoRCM
. It will show a little ON
next to the option once you have done this.AutoRCM
option is set to OFF
.This page will help you set up a method to block all communication with Nintendo. This will stop any updates and reporting to Nintendo, but it will prevent use of the eShop and online games.
"},{"location":"extras/blocking_nintendo/#instructions-ams-dns-redirection","title":"Instructions (AMS DNS redirection)","text":"You can configure Atmosph\u00e8re to automatically redirect any requests directed to Nintendo to nothing instead. Documentation about this feature can be found here. The section below will help you set up DNS redirection on your emummc. Note that this will only apply when you are using cfw.
"},{"location":"extras/blocking_nintendo/#what-you-need","title":"What you need:","text":"payload.bin
on the root of your SD.Tools
> USB Tools
> SD Card
and plug your Switch into your PC via USB.atmosphere
folder.hosts
in the atmosphere
folder.sd:/atmosphere/hosts
directory.emummc.txt
file into the hosts folder.sysmmc.txt
UMS
device safely from within your computer's operating system and boot into CFW.Verify functionality
You can verify the functionality of the DNS redirection by booting into emummc (or sysmmc if you applied the config to sys), and powering off after.
A report will be generated in sd:/atmosphere/logs
called dns_mitm_startup.log
. If this starts with the following, the dns redirection is active
"},{"location":"extras/blocking_nintendo/#instructions-90dns","title":"Instructions (90DNS)","text":"
You can add a custom DNS to your WiFi connection that will block all communication with Nintendo's servers. We will be using 90DNS, a community-run custom DNS server. If you prefer, you can run your own DNS server following the instructions on the GitLab repository.
Enter the console's System Settings, and then proceed to the Internet tab. From here:
"},{"location":"extras/blocking_nintendo/#setting-up-a-new-connection-via-wi-fi","title":"Setting up a new connection via Wi-Fi","text":"Open WiFi networks without a password
Not all WiFi networks require a password to connect. If your network does not use one, you can use the Manual Setup
option, located at the very bottom of the Internet Settings
screen below all other WiFi networks.
OK
.OK
to close the error message.Close
when it offers to display more details about the error.View Settings
.DNS Settings
to Manual
.Primary
and Secondary
DNS into your connection settings.Save the settings and test the connection.
Change Settings
.Save the settings and test the connection.
/switch
folder.90DNS Setter
.163.172.141.219
207.246.121.77
America (Server located in the USA) 207.246.121.77
163.172.141.219
Example for a 90DNS connection with the Europe settings:
"},{"location":"extras/blocking_nintendo/#testing-if-you-can-reach-nintendo","title":"Testing if you can reach Nintendo","text":""},{"location":"extras/blocking_nintendo/#testing-via-the-eshop-stock","title":"Testing via the eShop (Stock)","text":"
Switch_90DNS_tester.nro
in the switch
folder on your SD.nintendo
domain being blocked.LayeredFS, a tool built into Atmosphere, allows you to (temporarily) replace a game's assets with your own, modified assets as long as you're booted into CFW.
"},{"location":"extras/game_modding/#usage-instructions","title":"Usage instructions","text":"Check the section below to find your mod's folder/file structure, then install your mod accordingly.
Checking folder/file structures
If the mod solely includes a romfs
(and/or exefs
folder), you will need to place that folder inside of sd:/atmosphere/contents/<title_id>/
.
If the mod solely includes a contents
folder, you can simply copy that folder to sd:/atmosphere/
on your microSD card and merge folders if prompted.
If the mod has the complete folder structure set up (i.e. atmosphere/contents/<title_id>/romfs
), you can simply copy the atmosphere
folder (likely inside of a mod's .zip
file) to the root of your microSD card and merge folders if prompted.
Atmosphere 0.9.4 and below
Note: On Atmosph\u00e8re 0.9.4 and below, contents
is called titles
In the image below, you can see a Batman skin mod being used in The Legend of Zelda: Breath of the Wild. In this example, the title ID and mod installation directory would be sd:/atmosphere/contents/0100509005AF2000/
.
The romfs
folder contains modified assets in the way the game would normally read them. romfs
stands for \"romFileSystem\", which is quite literally what the filesystem (folder and file structure) of the game you're modding consists of internally.
If you want to disable mods on launch of a game, hold the L
button before launching the game and launch the game normally, L
is the default button to do this. This will disable all modifications (like cheats and mods) that you have configured for your game.
While most games only require Atmosphere's LayeredFS to enable game modding, there are some games that may require more specialized setup. For example:
Modding Super Smash Bros. requires ARCropolis and skyline, ARCropolis looks for mods in the sd:/ultimate/mods
directory on your microSD card.
Modding Breath of the Wild and Tears of the Kingdom with multiple mods requires the use of BCML or UKMM and TKMM respectively.
Animal Crossing: New Horizons requires some extra setup for mods to work. The folder that would normally be called romfs
has to be called romFs
and you'll need to create an empty file inside of atmosphere/contents/01006F8002326000/romFs/System/Resource/
called ResourceSizeTable.srsizetable
. More information on this can be found on the ac-modding website.
If your game crashes during launch, hold the L
button to see if disabling all modifications for your game solves the issue. If so, delete the most recently added mod(s) for your game.
Assuming you've followed the installation instructions successfully, this is probably due to the archive bit being set on one or more folders/files on your microSD card. This is usually the result of copying files to a microSD card via a Mac. If you are experiencing this issue, try running the archive bit fixer utility via Hekate for all files.
This can be done by booting into Hekate and going to Tools
> Arch bit \u2022 RCM Touch \u2022 Pkg1/2
> Fix Archive Bit
.
This section is dedicated to explaining a number of common terms that are used when hacking the Nintendo Switch as well as linking a number of resources that can help fledgling developers or curious users.
"},{"location":"extras/glossary/#hacking-terms","title":"Hacking terms","text":"The following list is in alphabetical order.
The resources below are for users and developers interested in developing Homebrew or for those that want to get a more technical understanding of the various concepts.
This page will detail the setup of Switchroot Android (Android 11) for the Nintendo Switch.
Have you partitioned your microSD card?
This page assumes that you've followed our guide to set up Atmosph\u00e8re. Before starting, your microSD card needs partitions for Android set up via Hekate. If you didn't do so, see this page to install Android alongside Atmosph\u00e8re. If you don't want to use Switch CFW and only Android, check the Official Switchroot Documentation instead. If you already have Android fully installed, do not follow this guide, as your current installation would be erased.
Looking for Android 10?
An unfortunate bug with clocking on Android 11 results in degraded performance for Erista (v1) units on Android 11. Android 10 installation is not covered here, but there is a guide on the Switchroot Wiki. However, Android 11 is the currently supported version and uses much more updated drivers.
Looking for Android 14?
Recently, Android 14 was released for the Switch. You can follow the official LineageOS guide to install Android 14.
The Switch lacks a cell modem; simply installing Android does not grant your Switch access to cell towers. This means, unlike most Android devices, you will not be able to make emergency phone calls, and you will still need Wi-Fi to access the Internet. You can, however, natively run Android programs and games.
This page will also not detail things such as rooting and overclocking; external links to these types of additions can be found in the Power User Guides section at the bottom of this page.
"},{"location":"extras/installing_android/#requirements","title":"Requirements:","text":"If you have official Joy-Con controllers, you can set up auto-pairing so undocking them seamlessly connects to the console regardless of what OS is running. To make this work, boot HOS, ensure both work undocked (pair them), then reboot to Hekate. Select Nyx Options
followed by Dump Joy-Con BT
. You should see \"Found 2 out of 2 Joy-Con pairing data!\"
Have a Switch Lite?
You should poke the dump button in Hekate anyway -- this will dump factory stick and IMU calibration for use in Android.
"},{"location":"extras/installing_android/#step-1-downloading-files","title":"Step 1: Downloading Files","text":"Download the latest .7z
release archive from the official Switchroot download site--choose nx-atv...
for Android TV (more console-like experience) or nx-tab...
for standard Android (a more standard Android tablet experience). Both are usable with controllers and docking, but only tab supports proper touch input.
If you prefer TWRP recovery...
...you can download twrp.img
from the extras folder.
Are you using a V1 or V2 Switch (standard models)?
These models have a poorly designed microSD card reader and repeated removals/reinsertions can eventually cause the reader to fail. Please use Hekate SD UMS to transfer files instead of removing the microSD card from your Switch!
Tools
> USB Tools
> SD Card
and plugging your Switch into your PC via USB.Extract the archive to the root of the microSD card (the FAT32 partition). The microSD card file structure should look more or less like this:
root\n|- bootloader\n| |- ini\n| | |- ...\n| |- payloads\n| | |- ...\n| |- res\n| | |- ...\n| |- sys\n| | |- ...\n|- Nintendo (if you use Horizon)\n| |- ...\n|- switchroot\n| |- android\n| | |- ...\n| |- install\n| | |- ...\n|- lineage-18.1-[date]-UNOFFICIAL-[device].zip\n
If you downloaded TWRP...
...you have to replace /switchroot/install/recovery.img
with twrp.img
. No need to rename the file, just swap it out.
Open the Hekate partition manager (located in Tools
> Partition SD Card
) and select Flash Android at the bottom of your screen. All three images should be found and successfully flashed. Select the option to reboot to recovery.
Once in recovery, select Factory Reset
followed by Format Data
. This does not delete anything here, but rather is used to prepare your data partitions for flashing. Ignore any errors that may appear. Return to the main menu and select Apply Update
followed by Select from SWITCH SD
. Find and select the lineage-18.1...
zip in the list, and wait for it to finish.
Did the zip fail to flash?
Your microSD card is probably bad... Take a look at Hekate's microSD card info, and consider buying a better card.
If you are using TWRP...
Good luck... TWRP is for advanced users; no user support will be provided. TWRP is provided for power users who have a specific need for it.
Once done, reboot the system when prompted -- Android is now installed!
"},{"location":"extras/installing_android/#post-install","title":"Post-Install","text":""},{"location":"extras/installing_android/#tips-and-tricks","title":"Tips and Tricks","text":"If Joy-Con autopairing has not kicked in, try a reboot. Sometimes the first boot doesn't pick up the addition.
To access recovery/TWRP: hold VOL+
on boot or reboot.
To access Hekate from Android: hold VOL-
on reboot.
To reboot back to Android: hold Power
for a few seconds and perform a standard reboot.
To return to Horizon (OFW/CFW
): power your Switch off fully, then boot into your desired mode.
To learn more about using the Switch Configuration App and overclocking, see the Switch Configuration App section. Furthermore, you can check out the INI guide as well.
"},{"location":"extras/installing_android/#need-help","title":"Need Help?","text":"Join the Switchroot Discord server.
This page was made in collaboration with makinbacon21
on Discord. See the collapsible section below for the Switchroot guide maintainers.
If you'd like, you can donate to the people who made this project possible using these links.
makinbacon (Android developer) https://paypal.me/makinbacon21
npjohnson (Android developer) https://paypal.me/nolenjohnson
CTCaer (Linux & Low level developer, Hekate maintainer) https://www.patreon.com/ctcaer
ave (Infrastructure & Hosting) https://patreon.com/aveao
Have you partitioned your microSD card?
This guide assumes that you've followed the NH-Server guide up until this point, your microSD card should be partitioned accordingly. If you didn't do so, see this page of our guide.
Linux 4 Switch is a sister project to Switchroot Android--it uses a similar kernel but provides a variety of Linux distributions.The available distributions at this time are:
Ubuntu Bionic (maintained by CTCaer, the primary dev of both the L4S kernel and hekate--this is the most stable and supported distro)
Ubuntu Jammy (maintained by theofficialgman, one of the primary devs of the L4T Megascript installer program)
Fedora 39 (maintained by azkali, a L4S kernel developer)
Lakka 5.x (maintained by gavin_darkglider, a L4S kernel developer and Lakka maintainer)
Looking for Arch?
Unfortunately, L4S Arch Linux is deprecated following an xorg ABI change that breaks compatibility with the Tegra210 BSP.
"},{"location":"extras/installing_linux/#the-installation","title":"The installation","text":"To install an L4S distribution, follow the official guide starting from 0. Linux Distributions.
This page was made in collaboration with makinbacon21
on Discord. See the collapsible section below for the L4S guide maintainers.
If you'd like, you can donate to the people who made this project possible using these links.
CTCaer (Linux & Low level developer, Hekate maintainer) https://www.patreon.com/ctcaer
Azkali (Linux & Low level developer) https://www.patreon.com/azkali
gavin_darkglider (Linux & Lakka developer) https://paypal.me/gavindarkglider
ave (Infrastructure & Hosting) https://patreon.com/aveao
Warning:
This will reset all of your saves, games, system version and other system settings back to the point of when you made the NAND backup. Keep this in mind, as you probably don't have to restore a NAND backup unless you have bricked your Switch or want to go back online safely after using CFW.
If you're going to restore an old NAND which will downgrade your firmware it's best to create a second NAND backup before restoring the first one in case something goes wrong.
rawnand.bin
(Combined or in 15 or 30 parts)BOOT0
and BOOT1
Before we start, check if you have a tree of folders called backup/[8 Character NAND id]/restore
on your microSD card.
If you don't see a backup or [8 Character NAND id] folder on your microSD card:
This means you do not have a nand backup, it is highly recommended you make one as soon as possible. Follow the steps below to make one.
Tools
> Backup eMMC
> eMMC BOOT0 & BOOT1
and let it do its thing.backup/[8 Character NAND id]/restore
folder on your microSD card. Continue with step 1 of the instructions below.payload.bin
on the root of your SD.Tools
> USB Tools
> SD Card
and plug your Switch into your PC via USB.rawnand.bin
(combined or in 15 or 30 parts), BOOT0
, and BOOT1
to the backup/[8 Character NAND id]/restore
folder on the microSD card.UMS
device safely from within your computer's operating system.Tools
> Restore eMMC
. Select Restore eMMC BOOT0 & BOOT1
. Wait for this process to complete.eMMC RAW GPP
and wait for the process to complete.If you're downgrading using your NAND backup
If the security version you were on before you performed the NAND restore is HIGHER than the NAND backup itself, you have to enable autoRCM to not get stuck in a boot crash.
A system update is considered a security version when a fuse is burned, you can check which versions burn fuses here.
If you were in AutoRCM before you upgraded to a newer security version (and still were after the upgrade) you don't have to do this.
Tools
and go to the bottom of the page where you will find a button called Archive bit - AutoRCM
AutoRCM
buttom and you will see ON
written next to it. This means it is enabled.There are currently multiple RCM payload injectors available from multiple different companies and individuals. These devices remove the need to use a computer or smartphone when hacking an unpatched Switch. Each injector has its own advantages and disadvantages, listed below:
Name Manufacturer RCM Jig Included? RCM Jig Storage? Standard Payload (.bin) Support? Payload on SD Support? Multi-Payload Support? Battery Life Recharge Time Price (USD) Misc Info AceNS (Old) Ace3DS Team \u2714\ufe0f \u274c \u2714\ufe0f \u274c \u2714\ufe0f N/A (Capacitors) 10 seconds $18.00\u200b (Discontinued) Not Recommended: Overpriced clone of the RCMLoader Zero AceNS (New) Ace3DS Team \u2714\ufe0f \ufe0f \u2714\ufe0f \u2714\ufe0f \u274c \u2714\ufe0f 45mAh LiPo (~1000 injections) 1 hour $17.50 Not Recommended: Overpriced clone of the RCMLoader One AceNS Pro Ace3DS Team \u2714\ufe0f \u2714\ufe0f \u2714\ufe0f \u2714\ufe0f (Required) \u274c 45mAh LiPo (~1000 injections) 1 hour $42.90 Not Recommended: Overpriced clone of the RCMLoader One with multiple features missing DragonInjector MatinatorX \u2714\ufe0f \u2714\ufe0f \u2714\ufe0f \u2714\ufe0f (Required) \u2714\ufe0f 40mAh CR1612 (~4000 injections) Non-Rechargeable (Replacable) $30.00\u200b (Discontinued) Fits in the Switch's gamecard slot NS-Atmosphere Generic \u2714\ufe0f \u2714\ufe0f \u274c \u274c \u274c 150mAh LiPo (>1000 injections) >1 hour $13.15 Not Recommended: Unsafe jig, overly bulky, changing payload requires installing a program, lack of .bin support complicates usage R4S R4i-SDHC Team \u2714\ufe0f \u274c \u2714\ufe0f \u2714\ufe0f \u274c 120mAh LiPo (~1000 injections) 1 hour $19.99 RCMLoader Zero Xkit \u2714\ufe0f \u274c \u2714\ufe0f \u274c \ufe0f \u2714\ufe0f N/A (Capacitors) 10 seconds $5.99\u200b (Discontinued) RCMLoader One Xkit \u2714\ufe0f \u2714\ufe0f \u2714\ufe0f \u274c \u2714\ufe0f 45mAh LiPo (~1000 injections) 1 hour $9.99 SX Gear Team Xecuter \u2714\ufe0f \u274c \u274c \u2714\ufe0f (Required) \u274c N/A (Supercapacitors) 5-10 seconds $24.95 Not Recommended: Lack of .bin support complicates usage SX Pro Team Xecuter \u2714\ufe0f \u274c \u274c \u2714\ufe0f (Required) \u274c N/A (Supercapacitors) 5-10 seconds $49.99 Not Recommended: Lack of .bin support complicates 
usage"},{"location":"extras/showing_file_extensions/","title":"Showing File Name Extensions on Windows 10/11","text":"By default, Microsoft Windows 10 and 11 do not show file extensions for known file types. This can result in problems when you need to rename files.
"},{"location":"extras/showing_file_extensions/#instructions-for-windows-10","title":"Instructions for Windows 10:","text":"File name extensions
checkbox is not ticked, put a check/tick mark in it by clicking it.View
hamburger menu/dropdown menu.Show
at the bottom and ensure that File name extensions
is ticked.The goal of this page is to transfer the contents from one microSD card to another one. The method to do this will differ, depending on whether you're using a partition based emuMMC on your microSD card or not.
We will be using hekate to both backup and restore the emuMMC, so make sure that you have its latest files on your microSD card already.
"},{"location":"extras/transfer_sd/#instructions","title":"Instructions:","text":"You should first check whether you have a file or partition based emuMMC:
payload.bin
on the root of your microSD card.emuMMC
button.emuMMC Info & Selection
, check the text next to Type
.SD Raw Partition
or SD File
.payload.bin
on the root of your microSD card.Tools
> USB Tools
> SD Card
and plug your Switch into your PC via USB.UMS
device safely from within your computer's operating system.Space for the backup
You need at least 30GB (or 60GB if using an OLED Switch) of free space to be able to restore the emuMMC!
payload.bin
on the root of your SD.Tools
, then Backup eMMC
and set SD emuMMC Raw Partition
at the bottom of your screen to ON
.SD emuMMC BOOT0 & BOOT1
and SD emuMMC RAW GPP
(Note: SD emuMMC RAW GPP
may take a while).Tools
> USB Tools
> SD Card
and plug your Switch into your PC via USB.Preparing Hekate
section at the bottom of this page (Unpatched Switch users only) to prepare your new SD card with Hekate's files.Tools
> USB Tools
> SD Card
, then plug your Switch into your PC via USB./backup/<some characters>/emummc
on your microSD card and move BOOT0
, BOOT1
and the rawnand.bin.xx
files to /backup/<some characters>/restore/emummc
.UMS
device safely from within your computer's operating system.Tools
, Restore eMMC
, set SD emuMMC Raw Partition
at the bottom of your screen to ON
.SD emuMMC BOOT0 & BOOT1
and SD emuMMC RAW GPP
(Note: SD emuMMC RAW GPP
may take a while).SD emuMMC Raw Partition
option is enabled, otherwise you will be altering your sysMMC which is not what you want.Launch
-> Atmosphere FSS0 emuMMC
in Hekate.This page documents how you can keep your system up-to-date.
After following our guide, your system will consist of three core elements that can be updated. Atmosphere, Hekate and your system firmware.
"},{"location":"extras/updating/#updating-atmosphere","title":"Updating Atmosphere","text":"When updating Atmosph\u00e8re, always make sure to read the release notes. They may list important changes and modifications to your system.
Updating from below Atmosph\u00e8re 1.0.0
If you update from below Atmosph\u00e8re 1.0.0, there are additional steps to follow. You will have to delete the sept
folder from your microSD, delete fusee-secondary.bin
from your atmosphere
folder and update your Hekate config file: hekate_ipl.ini in the bootloader
folder.
When a new version of Atmosph\u00e8re releases, you can update Atmosph\u00e8re by following these steps:
payload.bin
on the root of your microSD card.Tools
> USB Tools
> SD Card
and plug your Switch into your PC via USB.atmosphere-(version)-master-(version)+hbl-(version)+hbmenu-(version).zip
release of Atmosphere.).zip
file to the root of your microSD card.UMS
device safely from within your computer's operating system.When updating Hekate always make sure to read the release notes. They may list important changes and modifications to your system.
When a new version of Hekate releases, you can update by following these steps:
payload.bin
on the root of your microSD card.Tools
> USB Tools
> SD Card
and plug your Switch into your PC via USB.hekate_ctcaer_(version).zip
release of hekate).bootloader
folder from the Hekate .zip
file to the root of your microSD card. If you are asked to overwrite or merge files while copying, say yes to merge/overwrite them.UMS
device safely from within your computer's operating system.Reload
> Reload
to reload Hekate from your microSD card.Always check before updating your system firmware if the latest version of Atmosph\u00e8re as well as the latest version of Hekate support the firmware version you are updating towards.
In addition, updating to or past some firmwares update the gamecard firmware. Reference the table below for information about these.
Updating from Updating towards Updates gamecard firmware Below 4.0.0 Below 4.0.0 No Below 4.0.0 4.0.0 or above Yes On or above 4.0.0, but below 9.0.0 At least 4.1.0 but below 9.0.0 No On or above 4.0.0, but below 9.0.0 9.0.0 or above Yes On or above 9.0.0, but below 11.0.0 At least 9.1.0 but below 11.0.0 No On or above 9.0.0, but below 11.0.0 11.0.0 or above Yes On or above 11.0.0 but below 12.0.0 At least 11.0.1 but below 12.0.0 No On or above 11.0.0 but below 12.0.0 12.0.0 or above Yes On or above 12.0.0 Latest supported Atmosph\u00e8re & Hekate revision NoIf at least one of the versions you are updating towards also updates the gamecard firmware, you will not be able to downgrade below that version without making the gamecard slot unusable until you update.
Atmosphere (and Hekate) come bundled with patches that automatically disable the gamecard slot if it is detected that the system has an older gamecard firmware that would be updated. If you boot into RCM on each boot (for example by using AutoRCM), this means that the gamecard slot will not be updated and you can downgrade below that version. If this happens, you will not be able to use the gamecard slot as long as you are on the newer firmware.
Otherwise, you can safely update your system firmware through the system settings.
Note about autoRCM
If you have autoRCM enabled and you're updating your system while in stock firmware, updating will disable autoRCM and you will need to enter RCM manually to boot custom firmware again. To prevent autoRCM from being disabled, boot CFW on sysMMC and update through settings from there, as booting without AutoRCM will burn any preserved fuses.
"},{"location":"extras/updating/#about-emummc","title":"About emuMMC","text":"sysMMC and emuMMC have separate system firmwares and need to be updated separately.
If you keep your emuMMC offline, you will have to use a gamecard to update your system firmware, synchronize it with another Nintendo Switch or dump an updated firmware from your sysMMC.
"},{"location":"extras/updating/#updating-emummc-by-dumping-an-updated-firmware-from-your-sysmmc","title":"Updating emuMMC by dumping an updated firmware from your sysMMC","text":"Do you have an eMMC backup yet?
Please do not start this guide without doing a RAW GPP and a BOOT 0/1 eMMC backup!
You can learn how to make one here.
Downgrading
This guide is made for updating your emuMMC. It is not for downgrading. Downgrading at all, sysMMC or emuMMC, is not recommended and not worth it. Downgrading is also very dangerous and can lead to serious complications even when performed correctly.
"},{"location":"extras/updating/#what-you-need","title":"What you need:","text":"Tools
> USB Tools
> SD Card
and connect your Switch to your PC via USB.TegraExplorer.bin
and place it sd:/bootloader/payloads
.Make sure your sysMMC is updated before moving onto the instructions below.
"},{"location":"extras/updating/#dumping-your-sysmmc-firmware","title":"Dumping your sysMMC firmware","text":"TegraExplorer.bin
using your favourite payload injector (Like you would with Hekate).TegraExplorer.bin
in sd:/bootloader/payloads
on your microSD card, then turn on your console and load TegraExplorer via Hekate's payloads menu (Payloads
> TegraExplorer.bin
).FirmwareDump.te
, then select Dump sysmmc
.Reboot to bootloader/update.bin
.Launch -> Atmosphere FSS0 emuMMC
.R
while launching a game to boot into the homebrew menu.Install
and navigate to sd:/tegraexplorer/Firmware/<latest firmware number>
.Continue
and then Preserve settings
.Warning: exFAT firmware is missing or corrupt
, you likely don't have the exFAT drivers installed on your sysMMC. Just press continue if this is the case.Install (FAT32 + exFAT)
, otherwise Install (FAT32)
and then Continue
.Reboot
.Settings -> System
.This page summarizes the included Homebrew apps and additional Homebrew you can check out.
"},{"location":"homebrew/#the-guide-includes-a-few-homebrew-apps-by-default-these-apps-are","title":"The guide includes a few Homebrew apps by default, these apps are:","text":"Homebrew is a general term, the term can be used for Homebrew apps (.nro
files) or in the form of background processes, called \"sysmodules\". The Switch natively has sysmodules built into its firmware but you can run additional Homebrew sysmodules that can add functionality to your Switch. In the section below, you can find additional and commonly used Homebrew apps and sysmodules.
Homebrew apps are stored in sd:/switch
by default and Homebrew sysmodules are stored in sd:/atmosphere/contents
by default.
For cheats management, EdiZon and/or EdiZon-SE (up to date and offers more features) are recommended. They offer support for Atmosphere's cheat engine, providing an easy way to download new cheats, as well as toggle them on or off.
"},{"location":"homebrew/edizon/#installation-requirements","title":"Installation requirements:","text":"EdiZon.nro
file) or EdiZon-SE (the EdiZon.zip
file)EdiZon overlay
EdiZon also offers a Tesla-Menu overlay, however, the official EdiZon overlay is no longer maintained and will result in Atmosphere crashing when trying to use the EdiZon overlay on firmware version 16.0.0+. The maintained EdiZon overlay can be found here.
Installation instructions (EdiZon):Installation instructions (EdiZon-SE):Tools
> USB Tools
> SD Card
, then plug your Switch into your PC via USB.EdiZon.nro
in sd:/switch
.Tools
> USB Tools
> SD Card
, then plug your Switch into your PC via USB..zip
file to a location on your computer..zip
file directly..zip
file to the root of your microSD card.054e4f4558454000
(EdiZon-SE) in sd:/atmosphere/contents
and an EdiZon.nro
file in sd:/switch/EdiZon
.Atmosph\u00e8re looks for cheats to load in the contents
sub-folder of the atmosphere
folder. The template it looks for is sd:/atmosphere/contents/<title_id>/cheats/<build_id>.txt
. You need to create the <title_id>
folder and sub-folders manually:
title_id
being the title or program of a game. This is game specific and can be found on EdiZon's cheat menu (TID and BID, see the bottom of this page for a sample), switchbrew and nswdb.
build_id
being the version of a game. This is game specific and can be found on EdiZon's cheat menu (BID, see the bottom of this page for a sample) Cheats can be version specific so make sure the cheats you are using are compatible with your game version.
Note: On Atmosph\u00e8re 0.9.4 and below contents
is called titles
.
Once the title is launched while in Atmosphere, your cheats should be applied.
"},{"location":"homebrew/edizon/#preventing-cheats-from-being-enabled-by-default","title":"Preventing cheats from being enabled by default","text":"To prevent cheats from being enabled by default, you can change your Atmosph\u00e8re configuration by following the steps below.
system_settings.ini
from sd:/atmosphere/config_templates
to sd:/atmosphere/config
if it's not already there.Open the system_settings.ini
file with a text editor and edit the line ; dmnt_cheats_enabled_by_default = u8!0x1
to dmnt_cheats_enabled_by_default = u8!0x0
.
;
\" in front of dmnt_cheats_enabled_by_default
.By default, holding the L button while launching a game will disable any game modification.
Here the Title ID of the game (TID) is 0100646009FBE000
and the Build ID of the game (BID) is 0B9A75586BC1A6C6
. Cheats are loaded from sd:/atmosphere/contents/0100646009FBE000/cheats/0B9A75586BC1A6C6.txt
in this example.
For more in-depth details about Atmosphere's cheat engine, you can refer to this page.
"},{"location":"homebrew/edizon/#troubleshooting","title":"Troubleshooting","text":""},{"location":"homebrew/edizon/#edizon-isnt-showing-up-when-i-open-the-homebrew-menu","title":"EdiZon isn't showing up when I open the Homebrew menu!:","text":"Assuming you've followed the installation instructions successfully, this is probably due to the archive bit being set on one or more folders/files on your microSD card. This is usually the result of copying files to a microSD card via a Mac. If you are experiencing this issue, try running the archive bit fixer utility via Hekate for all files.
This can be done by booting into Hekate and going to Tools
> Arch bit \u2022 RCM Touch \u2022 Pkg1/2
> Fix Archive Bit
.
FTPD is simply an FTP server for the Switch, it can be used to transfer files wirelessly to- and from- your microSD card.
"},{"location":"homebrew/ftpd/#usage-requirements","title":"Usage requirements:","text":"Note
This section assumes that the device running the FTP client and your Switch are connected to the same network. If it's not, make sure they are connected to the same network before continuing.
Host
field of your FTP client, put in the IP address of your Switch mentioned in the top left of FTPD.Anonymous
box.5000
for the port and attempt to connect to your Switch.FTPD can also run in the form of a background process (sysmodule), called sys-ftpd. It can be found here, usage and configuration options are mentioned there as well.
"},{"location":"homebrew/goldleaf/","title":"Goldleaf","text":""},{"location":"homebrew/goldleaf/#goldleaf","title":"Goldleaf","text":"Goldleaf is primarily a very extensive file and console content manager.
"},{"location":"homebrew/goldleaf/#common-use-cases-for-goldleaf-are","title":"Common use cases for Goldleaf are:","text":"And a lot more, which you can view on Goldleaf's Github repository here.
"},{"location":"homebrew/goldleaf/#goldleaf-screenshots","title":"Goldleaf screenshots:","text":""},{"location":"homebrew/jksv/","title":"Save Management","text":""},{"location":"homebrew/jksv/#jksv","title":"JKSV","text":"For save management, JKSV is recommended. It can be used to back up and restore game saves to your microSD card.
"},{"location":"homebrew/jksv/#backing-up-save-data-using-jksv","title":"Backing up save data using JKSV","text":""},{"location":"homebrew/jksv/#instructions","title":"Instructions:","text":"A
button.A
to select it.A
again to create a new save backup+
or OK
.A
button.A
to select it.Y
.A
button to restore the save data, keep holding it until it's finished.Please read JKSV's homepage for information on how to use it.
"},{"location":"homebrew/jksv/#checkpoint","title":"Checkpoint","text":"Checkpoint is also a save manager. It can be used to back up and restore game saves to your microSD card. It also has the ability to share save data over FTP and WiFi.
"},{"location":"homebrew/jksv/#checkpoint-documentation","title":"Checkpoint Documentation","text":"Please read Checkpoint's homepage for information on how to use it.
"},{"location":"homebrew/ldn_mitm/","title":"ldn_mitm","text":""},{"location":"homebrew/ldn_mitm/#information","title":"Information","text":"ldn_mitm is a sysmodule that allows you to route the local wireless ad-hoc network traffic of the Switch via the network your Switch is connected to, essentially allowing \"LAN\" functionality between consoles and emulators using ldn_mitm. The official Github repository for ldn_mitm can be found here.
"},{"location":"homebrew/ldn_mitm/#common-use-cases-for-ldn_mitm","title":"Common use cases for ldn_mitm:","text":"ldn_mitm.zip
file)Tools
> USB Tools
> SD Card
, then plug your Switch into your PC via USB..zip
file to a location on your computer..zip
file directly..zip
file to the root of your microSD card.4200000000000010
(ldn_mitm) in sd:/atmosphere/contents
and the ldnmitm_config.nro
file in sd:/switch/ldnmitm_config
.You can enable/disable ldn_mitm by opening the Homebrew menu, opening ldn_mitm's config app and pressing Y
to toggle ldn_mitm.
Cause: If your Switch crashes with Error std::abort (0xFFE)
and Title ID 4200000000000010
, you're using a version of ldn_mitm that's incompatible with your Atmosphere version. The expected Atmosphere version is mentioned on each release page of an ldn_mitm release.
"},{"location":"homebrew/ldn_mitm/#ldn_mitm-isnt-working","title":"ldn_mitm isn't working!:","text":"
Assuming you've followed the installation instructions successfully, this is probably due to the archive bit being set on one or more folders/files on your microSD card. This is usually the result of copying files to a microSD card via a Mac. If you are experiencing this issue, try running the archive bit fixer utility via Hekate for all files.
This can be done by booting into Hekate and going to Tools
> Arch bit \u2022 RCM Touch \u2022 Pkg1/2
> Fix Archive Bit
.
MissionControl is a sysmodule that allows you to pair normally-unsupported controllers as if they were natively supported, like PS3, PS4, PS5 and Xbox One S/X controllers via Bluetooth. The full supported controller list can be found on the official Github repository here including pairing instructions for the supported controllers.
"},{"location":"homebrew/mission-control/#installation-requirements","title":"Installation requirements:","text":"MissionControl-(version)-master.zip
file)Tools
> USB Tools
> SD Card
, then plug your Switch into your PC via USB..zip
file to a location on your computer..zip
file directly..zip
file to the root of your microSD card.010000000000BD00
(MissionControl) in sd:/atmosphere/contents
.Cause: If your Switch crashes with Error std::abort (0xFFE)
and Title ID 010000000000BD00
, you're using a version of MissionControl that's incompatible with your Atmosphere version. The expected Atmosphere version is mentioned on each release page of a MissionControl release.
"},{"location":"homebrew/mission-control/#missioncontrol-isnt-working","title":"MissionControl isn't working!:","text":"
Assuming you've followed the installation instructions successfully, this is probably due to the archive bit being set on one or more folders/files on your microSD card. This is usually the result of copying files to a microSD card via a Mac. If you are experiencing this issue, try running the archive bit fixer utility via Hekate for all files.
This can be done by booting into Hekate and going to Tools
> Arch bit \u2022 RCM Touch \u2022 Pkg1/2
> Fix Archive Bit
.
NX-Shell is a file manager.
"},{"location":"homebrew/nx-shell/#common-use-cases-for-nx-shell","title":"Common use cases for NX-Shell","text":"For more information, you can check out NX-Shell's Github repository here.
"},{"location":"homebrew/nx-shell/#nx-shell-screenshots","title":"NX-Shell screenshots:","text":""},{"location":"homebrew/nxtheme-installer/","title":"Theming","text":"Using NXTheme Installer, you can install and create unique styles and layouts for your Switch Home Menu.
"},{"location":"homebrew/nxtheme-installer/#index","title":"Index","text":"Follow the Installing a theme section if you want to install a theme.
Follow the Making a theme section if you want to make a theme manually.
Follow the Installing a custom font section if you want to install a custom font.
If you run into any issues, visit the Troubleshooting section.
Community Themes
If you want to use community made themes, for example from the r/NXThemes subreddit or Themezer, you can follow the guide below to install a community provided .nxtheme
file.
NXThemesInstaller.nro
and put it in sd:/switch
..nxtheme
files to the themes
folder on your microSD card (It is recommended you put them into their own folders, e.g. sd:/themes/awesome_theme/awesome.nxtheme
).themes
folder on the root of your microSD card if it does not exist.NXThemes Installer
with an internet connection.Extract home menu
tab in NXTheme Installer
.NXTheme Installer
, the Themes
tab is where you will find your themes. To install them, press the folder name of your theme and go through each home menu section to install the desired theme for that section (e.g. going to /awesome_theme
and selecting your theme for the specific menu you want to change, do the same for the other menus).Reboot
tab to see the changes.An example of a Home Menu theme being installed
"},{"location":"homebrew/nxtheme-installer/#making-a-theme","title":"Making a theme","text":"WindowsMac / Linux / ChromeOS"},{"location":"homebrew/nxtheme-installer/#what-you-need_1","title":"What you need:","text":"The latest release of Switch Theme Injector
ReleaseVx.x.zip
on the download pageReleaseVx.x.zip
to somewhere on your PC's drive.SwitchThemes.exe
app. Navigate to NXTheme Builder
.Build NXTheme
after selecting your home menu part, image and layout patch.Make sure that the images you want to use are 1280x720 and in JPG!
.ttf
file type into the themes
folder (It is recommended you put them into their own folders, e.g. sd:/themes/cool_font/font.ttf
).NXThemes Installer
.NXTheme Installer
, the Themes
tab is where you will find your font(s)..ttf
file in the font folder you created.Reboot
tab to see the changes.Cause 1: You didn't install the required theme patches for your firmware version. You can remove your installed custom theme data by navigating to sd:/atmosphere/contents
and deleting the 01000000000001000
folder.
Cause 2: You didn't extract your home menu data when prompted. You can remove your installed custom theme data by navigating to sd:/atmosphere/contents
and deleting the 01000000000001000
folder.
Cause 3: You installed a bad theme. You can remove them by navigating to sd:/atmosphere/contents
and deleting the 01000000000001000
folder.
contents
is called titles
on Atmosph\u00e8re versions 0.9.4 and below."},{"location":"homebrew/nxtheme-installer/#my-switch-crashes-on-boot-after-i-installed-a-font","title":"My Switch crashes on boot after I installed a font!:","text":"
Cause 1: You installed a font that was too large in file size (maximum file size being 1.9MB). You can remove your installed custom font data by navigating to sd:/atmosphere/contents
and deleting the 0100000000000811
folder.
Cause 2: You installed a font that wasn't the right file type (e.g. .otf
). You can remove your installed custom font data by navigating to sd:/atmosphere/contents
and deleting the 0100000000000811
folder.
contents
is called titles
on Atmosph\u00e8re versions 0.9.4 and below."},{"location":"homebrew/nxtheme-installer/#the-nxtheme-installer-crashes-when-i-launch-it","title":"The NXTheme installer crashes when I launch it:","text":"
This is probably due to the archive bit being set on either the app or the .nxtheme
files. This is usually the result of copying files to a microSD card via a Mac. If you are experiencing this issue, try running the archive bit fixer utility via Hekate for all files.
This can be done by booting into Hekate and going to Tools
> Arch bit \u2022 RCM Touch \u2022 Pkg1/2
> Fix Archive Bit
.
sys-botbase is an advanced sysmodule that allows users to interact with their Switch remotely, to \"remote control\" their Switch. This remote control allows users to create automated tasks, simulate button presses, simulate touchscreen input and read/write to the memory of the Switch while in-game.
"},{"location":"homebrew/sys-botbase/#common-use-cases-for-sys-botbase","title":"Common use cases for sys-botbase:","text":"sys-botbase(version).zip
file)Tools
> USB Tools
> SD Card
, then plug your Switch into your PC via USB..zip
file to a location on your computer..zip
file directly..zip
file to the root of your microSD card.430000000000000B
(sys-botbase) in sd:/atmosphere/contents
.Cause: While it's almost impossible for this to happen, if your Switch crashes with Error 2001-0123 (0xf601)
and Title ID 430000000000000B
, you're using a version of sys-botbase that's incompatible with your Atmosphere version.
"},{"location":"homebrew/sys-botbase/#sys-botbase-isnt-working","title":"sys-botbase isn't working!:","text":"
Assuming you've followed the installation instructions successfully, this is probably due to the archive bit being set on one or more folders/files on your microSD card. This is usually the result of copying files to a microSD card via a Mac. If you are experiencing this issue, try running the archive bit fixer utility via Hekate for all files.
This can be done by booting into Hekate and going to Tools
> Arch bit \u2022 RCM Touch \u2022 Pkg1/2
> Fix Archive Bit
.
sys-clk is a sysmodule that allows you to overclock the hardware of your Switch. The usage, configuration and clock speed information can be found on the official Github repository here
Limits of sys-clk
sys-clk has limits for a reason, which is to not damage the hardware of your Switch. Using any modified version of sys-clk puts your Switch at risk of hardware failure. We do not support any modified version of sys-clk nor should you ever touch them. Overclocking is not something you should be doing 24/7 as overclocking in general will always degrade/wear out the hardware of your Switch faster and you should know what you're doing if you do decide to do so.
"},{"location":"homebrew/sys-clk/#installation-requirements","title":"Installation requirements:","text":"sys-clk-(version).zip
file)Tools
> USB Tools
> SD Card
, then plug your Switch into your PC via USB..zip
file to a location on your computer..zip
file directly..zip
file to the root of your microSD card.00FF0000636C6BFF
(sys-clk) in sd:/atmosphere/contents
.Open the Homebrew menu and open sys-clk's manager app. This app allows you to change the global clock speeds or clock speeds based on title.
"},{"location":"homebrew/sys-clk/#troubleshooting","title":"Troubleshooting","text":""},{"location":"homebrew/sys-clk/#my-switch-crashes-on-boot-after-i-installed-sys-clk","title":"My Switch crashes on boot after I installed sys-clk!:","text":"Cause: If your Switch crashes on boot, make sure you're using the latest release of sys-clk. If it continues to crash afterwards, see the troubleshooting step at the bottom of this page.
"},{"location":"homebrew/sys-clk/#my-switch-crashes-while-using-sys-clk","title":"My Switch crashes while using sys-clk!:","text":"
Cause: You're either using a modified version of sys-clk and pushing the hardware of your Switch too far or your console is overheating. The cooling system of the Switch is not the best and overheating can be a cause of dried up thermal paste/lack of thermal paste. Overclock with caution and be careful, monitor the temperatures of your Switch using a Tesla-Menu overlay like Status-Monitor-Overlay (requires Tesla-Menu).
"},{"location":"homebrew/sys-clk/#sys-clk-isnt-working","title":"sys-clk isn't working!:","text":"
Assuming you've followed the installation instructions successfully, this is probably due to the archive bit being set on one or more folders/files on your microSD card. This is usually the result of copying files to a microSD card via a Mac. If you are experiencing this issue, try running the archive bit fixer utility via Hekate for all files.
This can be done by booting into Hekate and going to Tools
> Arch bit \u2022 RCM Touch \u2022 Pkg1/2
> Fix Archive Bit
.
sys-con is a sysmodule that allows you to use normally-unsupported controllers as if they were natively supported, like PS3, PS4, PS5 and Xbox One S/X controllers via USB. The full supported feature and controller list can be found on the official Github repository here including usage instructions and configuration options.
"},{"location":"homebrew/sys-con/#installation-requirements","title":"Installation requirements:","text":"sys-con-(version).zip
file)Tools
> USB Tools
> SD Card
, then plug your Switch into your PC via USB..zip
file to a location on your computer..zip
file directly..zip
file to the root of your microSD card.690000000000000D
(sys-con) in sd:/atmosphere/contents
.Cause: While it's almost impossible for this to happen, if your Switch crashes with Error code 2162-0002 (0x4a2)
and Title ID 690000000000000D
, you're using a version of sys-con that's incompatible with your Switch firmware version. The expected firmware version is mentioned on each release page of a sys-con release.
"},{"location":"homebrew/sys-con/#sys-con-isnt-working","title":"sys-con isn't working!:","text":"
Assuming you've followed the installation instructions successfully, this is probably due to the archive bit being set on one or more folders/files on your microSD card. This is usually the result of copying files to a microSD card via a Mac. If you are experiencing this issue, try running the archive bit fixer utility via Hekate for all files.
This can be done by booting into Hekate and going to Tools
> Arch bit \u2022 RCM Touch \u2022 Pkg1/2
> Fix Archive Bit
.
SysDVR is a sysmodule that allows you to stream the screen of your Switch (while in-game/in an application) to your PC via the network or USB.
"},{"location":"homebrew/sysdvr/#sysdvr","title":"SysDVR","text":"Installation, usage, configuration and extensive troubleshooting information can be found on the SysDVR Wiki.
"},{"location":"homebrew/sysdvr/#sysdvr-screenshots","title":"SysDVR screenshots:","text":""},{"location":"homebrew/tesla-menu/","title":"Tesla-Menu","text":""},{"location":"homebrew/tesla-menu/#information","title":"Information","text":"Tesla-Menu is an overlay menu developed by WerWolv, Tesla-Menu is comparable to Rosalina menu on the 3DS and its purpose is to be able to load community made overlays for Homebrew apps and sysmodules that can be accessed at any time. Below you can find common use cases for Tesla-Menu. The official Github page for Tesla-Menu can be found here.
Dependencies
Tesla-Menu is dependent on a sysmodule called nx-ovlloader
, this sysmodule is responsible for loading ovlmenu.ovl
from sd:/switch/.overlays
.
ovlmenu.zip
file)nx-ovlloader.zip
file)Tools
> USB Tools
> SD Card
, then plug your Switch into your PC via USB..zip
files to a location on your computer..zip
files directly..zip
file to the root of your microSD card.420000000007E51A
(nx-ovlloader) in sd:/atmosphere/contents
and the ovlmenu.ovl
(Tesla-Menu) file in sd:/switch/.overlays
.Tesla-Menu can be opened by pressing L
+ R Stick press (R3)
+ DPAD down
, assuming you use the default configuration.
Cause: If your Switch crashes with Error code 2001-0123 (0xf601)
and Title ID 420000000007E51A
, you didn't successfully install Tesla-Menu or you aren't using the latest release of Tesla-Menu, re-follow the installation instructions above.
"},{"location":"homebrew/tesla-menu/#my-switch-crashes-when-i-open-an-overlay-via-tesla-menu","title":"My Switch crashes when I open an overlay via Tesla-Menu!:","text":"
Cause: If your Switch crashes with Error code 2001-0123 (0xf601)
and Title ID 420000000007E51A
, the overlay you're trying to open/use isn't up to date. Check its source repository for updates.
libtesla
library. The latter is for developers (or advanced users)."},{"location":"homebrew/tesla-menu/#tesla-menu-is-only-showing-while-on-the-main-menu-and-not-in-game","title":"Tesla-Menu is only showing while on the main menu and not in-game!:","text":"
Cause: This issue will only happen when the Switch is docked, ensure that you've set the \"Screen size\" in System Settings
> TV Output
to 100%. Adjust your TV/monitor to fit the entirety of the screen of your Switch using its OSD (On Screen Display) or remote.
"},{"location":"homebrew/tesla-menu/#tesla-menu-isnt-opening-when-i-press-the-correct-button-combination","title":"Tesla-Menu isn't opening when I press the correct button combination!:","text":"
Assuming you've followed the installation instructions successfully, this is probably due to the archive bit being set on one or more folders/files on your microSD card. This is usually the result of copying files to a microSD card via a Mac. If you are experiencing this issue, try running the archive bit fixer utility via Hekate for all files.
This can be done by booting into Hekate and going to Tools
> Arch bit \u2022 RCM Touch \u2022 Pkg1/2
> Fix Archive Bit
.
About modchipped Switch console users
If you already know you have a modchipped Switch console, you can skip ahead to the Modchip Introduction page.
"},{"location":"user_guide/getting_started/#finding-your-serial-number","title":"Finding your serial number","text":"In the RCM path, we'll first determine if your Switch is vulnerable to fusee-gelee, the exploit we will be using to launch CFW.
The fusee-gelee vulnerability was discovered independently by different Switch hacking teams, who all independently released versions of the exploit in April 2018. Nintendo and NVIDIA were informed 90 days before these releases, and patched consoles were launched by mid-2018. NVIDIA publicly acknowledged the flaw in April as well. In July 2019, Nintendo announced updated consoles: the Switch Lite (HDH-001), and a new model of original Switch (HAC-001(-01)/\"V2\") with better battery life. Both of these new models use the Tegra X1+ (also known as Mariko, the T214, and T210B01) with a brand-new bootROM, and cannot currently be hacked without a modchip.
Patched and Mariko units can be identified by their serial number. This number can be found in the Settings applet at System -> Serial Information. You can also find it on the bottom of the console, adjacent to the charging port. However, it is always more accurate to use the serial reported in Settings instead, especially if you aren't the original owner of the console.
"},{"location":"user_guide/getting_started/#determining-if-your-switch-is-vulnerable","title":"Determining if your Switch is vulnerable","text":"
The community has crowdsourced a list of known serial numbers which are vulnerable to fusee-gelee.
Notice
If you are unsure if your serial is patched, you can test your console yourself following the instructions here.
"},{"location":"user_guide/getting_started/#serial-list","title":"Serial list","text":"The following information is based on this GBATemp thread.
Serial Numbers Unpatched Potentially patched Patched XAW1 XAW10000000000 to XAW10074000000 XAW10074000000 to XAW10120000000 XAW10120000000 and up XAW4 XAW40000000000 to XAW40011000000 XAW40011000000 to XAW40012000000 XAW40012000000 and up XAW7 XAW70000000000 to XAW70017800000 XAW70017800000 to XAW70030000000 XAW70030000000 and up XAJ1 XAJ10000000000 to XAJ10020000000 XAJ10020000000 to XAJ10030000000 XAJ10030000000 and up XAJ4 XAJ40000000000 to XAJ40046000000 XAJ40046000000 to XAJ40060000000 XAJ40060000000 and up XAJ7 XAJ70000000000 to XAJ70040000000 XAJ70040000000 to XAJ70050000000 XAJ70050000000 and up XAK1 N/A XAK10000000000 and up N/AIf your serial number is not listed above, your device is not vulnerable to the fusee-gelee exploit.
"},{"location":"user_guide/getting_started/#version-table","title":"Version Table","text":"Note
While the \"New\" Switch (HAC-001(-01)'s earliest possible firmware is 7.0.1, it is not vulnerable to d\u00e9j\u00e0 vu, the exploit used by Nereba and Caffeine, because of hardware differences from the \"old\" Switch (HAC-001).
Firmware Version Unpatched Switch systems (HAC-001) Patched Switch systems (HAC-001) \"New\" Switch (HAC-001(-01) Switch Lite (HDH-001) 1.0.0 Nereba or RCM N/A N/A N/A 2.0.0 - 3.0.2 Caffeine or RCM N/A N/A N/A 4.0.0 - 4.1.0 Caffeine or RCM Caffeine N/A N/A 5.0.0 - 7.0.0 RCM Modchip / Wait for CFW N/A N/A 7.0.1 RCM Modchip (no software exploit) Modchip (no software exploit) N/A 8.0.1 RCM Modchip (no software exploit) Modchip (no software exploit) Modchip (no software exploit) 8.1.0 and up RCM Modchip (no software exploit) Modchip (no software exploit) Modchip (no software exploit)About Mariko Switch models
All Mariko (V2) Switch models (HAC-001(-01)
, HDH-001
, HEG-001
) are currently unhackable via software. If Modchip is listed as a method for your console model, then that means the device is currently unhackable without a hardware modification (modchip). If there are theoretical exploits that may lead to CFW or homebrew for that device, you also have the choice to \"wait\" for their release. These exploits may (and will likely) never launch and there is NO ETA, so what you choose to do is up to you. This guide assumes you have a functional modchip installation if you do have a Patched console.
Before setting up for homebrew, install at least one eShop title to utilize \"title takeover\", an Atmosph\u00e8re feature that allows homebrew to use more resources than they would normally have. Try downloading a free game (like Fallout Shelter), application (like YouTube), or a game demo (like 10 Second Run RETURNS). Running the Homebrew Menu via a game cartridge is an alternative, but requires the game to be inserted any time you want to launch the Homebrew Menu. Generally, title takeover doesn't permanently alter the donor game or application. Once you obtain any bootable title, you are prepared to continue on with the guide.
Frequently Asked Questions about this pageContinue to RCM
"},{"location":"user_guide/getting_started/#if-your-switch-is-patched-and-modchipped-click-the-button-below-to-follow-the-modchip-path-of-the-guide","title":"If your Switch is patched and modchipped, click the button below to follow the Modchip path of the guide.","text":"Continue to Modchip introduction
"},{"location":"user_guide/all/cfw_environment/","title":"Choosing an Environment","text":""},{"location":"user_guide/all/cfw_environment/#cfw-on-sysmmc-vs-cfw-on-emummc","title":"CFW on sysMMC vs. CFW on emuMMC","text":"A \"CFW Environment\" describes the context in which you are using custom firmware (CFW). As a reminder, custom firmware is never permanently installed, and runs independently on top of the system firmware. This means that you never have to commit to where you want to use custom firmware.
Atmosph\u00e8re temporarily patches HOS (HorizonOS, operating system of the switch) to enable customisations. You can choose what version of HOS it patches, each time you turn on your system. Each option has its own benefits and drawbacks.
Generally, sys-
refers to the physical storage chip (sysMMC/eMMC) inside of your Switch. It stands for \"system\".
Generally, emu-
refers to a virtual version of the eMMC (internal storage), running from a microSD card. It stands for \"emulated\".
For more information on terminology, please refer to the glossary.
You get to decide! Your choices are between using the internal storage or emulated storage. We will go over the advantages and disadvantages of either decision below.
No parity between sysMMC and emuMMC (Game installs, save data, and system settings will be separated when you boot between the two)
"},{"location":"user_guide/all/cfw_environment/#in-particular-here-are-just-some-popular-use-cases-for-cfw-on-emummc","title":"In particular, here are just some popular use-cases for CFW on emuMMC:","text":"If you prefer foolproofing, and a separation between official features and custom features, you may consider using CFW on emuMMC. In this guide, emuMMC is assumed to be utilised for offline play.
About this path
This path of the guide also includes sysCFW as launch option.
To proceed with CFW on emuMMC, click on the button below:
Continue with the emuMMC path
"},{"location":"user_guide/all/cfw_environment/#syscfw-cfw-on-sysmmc","title":"sysCFW (CFW on sysMMC)","text":""},{"location":"user_guide/all/cfw_environment/#cfw-on-sysmmc-has-the-following-benefits","title":"CFW on sysMMC has the following benefits:","text":"If you prefer snappiness, online play, and a seamless transition between official features and custom features, you may consider using CFW on sysMMC. In this guide, sysMMC is assumed to be utilised for online play.
To proceed with CFW on sysMMC, click on the button below:
Continue with the sysCFW path
"},{"location":"user_guide/all/cfw_environment/#modchip-instability","title":"Modchip Instability","text":"About Modchipped Switch console users
Modchips directly infiltrate communication with the internal storage chip. Due to this, there are slight chances of NAND backups being tainted with corrupted data. If a bad backup is restored to sysNAND, the console can be bricked, and a modchip alone won't be able to fix it. To be safe, we recommend setting up an emuMMC on a console with a modchip, verify BOOT0/1 backups using tools like NXNandManager (Windows) or test NAND backups by running them as emuMMCs before you flash them to the sysNAND.
Frequently Asked Questions about this pageQ: Why is CFW referred to as being \"never permanently installed\"? A: Unless you have a modchip of any kind, turning the console off will disactivate the custom firmware. There is no current method for Atmosph\u00e8re to install-to or permanently replace any part of the Nintendo Switch, so it will need to be triggered by an exploit every time you turn on the console. Atmosph\u00e8re will then patch Horizon to bring you custom firmware features.
Q: Should I personally use sys/emuMMC? A: These questions are answered in detail within the webpage. Please make sure that you are fully reading the page before jumping here.
Now that the preparation work is out of the way, we're finally ready to launch custom firmware on the Switch.
Unlike systems such as the DSi, Wii, or 3DS, Switch CFW is currently volatile. It will only work as long as your Switch is on. As soon as your Switch completely loses power for any reason (shutting down, battery dying, etc.), CFW will no longer be active and you will need to follow these instructions again.
Keep emuMMC offline at all times
Your emuMMC (emuNAND) should never connect to Nintendo. For online play, eShop browsing, or any other Nintendo online activity, use your sysNAND. Using both emuMMC and sysNAND online will likely result in a ban.
Instructions for emuMMCInstructions for sysCFWRebooting to Hekate
Once booted into CFW, you can easily get back to Hekate by holding the power button, and selecting Restart
in the power menu or by using the \"reboot to payload\" homebrew app in the homebrew menu. (Note that while the Reboot to Payload app app does not work on modchipped Switch consoles, those already automatically run payloads upon reboot in the first place by default.)
Home
menu, navigate to the Launch
menu.Atmosphere FSS0 emuMMC
and launch it.Hekate is now booting into your emuMMC. To verify that your emuMMC launched properly, open System Settings and navigate to System. You should see AMS
next to the version number (AMS
indicating that you're booted into Atmosphere), as well as an E
at the end (indicating you are booted into emuMMC).
Home
menu, navigate to the Launch
menu.Atmosphere FSS0 sysMMC
and launch it.Hekate is now booting into sysCFW. To verify that sysCFW launched properly, open System Settings and navigate to System. You should see AMS
next to the version number (AMS
indicating that you're booted into Atmosphere), as well as an S
at the end (indicating you are booted into sysCFW).
Atmosphere FSS0 EmuMMC
launch option in Hekate, launching it will just result in an error and is expected because you don't have an emuMMC.You will now be able to launch the Homebrew Menu by opening the album or by holding the R button while launching any game (including demos/cartridges), or application (e.g. YouTube/Hulu). If R is not held, the game or application will launch like normal.
A note about using the album for the Homebrew Menu
See the Homebrew tab for information about what the included Homebrew apps do and if you want to check out more Homebrew apps and read about sysmodules like MissionControl, ldn_mitm, sys-con and more.
If you wish to install more homebrew apps, place them (.nro
files) in the switch
folder on your microSD card.
If you've partitioned your microSD card for preparation of Android/Linux earlier, you can continue with the installation of Android/Linux here with the guides below:
Android installation guide Linux installation guide
Frequently Asked Questions about this pageatmosphere/reboot_to_payload.bin
. This can be any payload, but ideally is Hekate.Important
A NAND backup is crucial to have, it's a full backup of the internal storage of your Switch and can be used to restore the device to a working state in case of emergencies. DO NOT SKIP THIS STEP
Once the backup is finished, keep it somewhere safe. The best backup is the one you have but never need, and the worst backup is the one you need but never made. To save space, it's recommended to compress the end-result with a .zip
file or something similar.
It's highly recommended that you use an microSD card that is formatted to FAT32 and has at least 32 gigabytes of space free. This will still work on smaller cards, but it's not ideal.
"},{"location":"user_guide/all/making_essential_backups/#instructions","title":"Instructions:","text":"payload.bin
on the root of your microSD card.Tools
> Backup eMMC
.eMMC BOOT0 & BOOT1
Close
to continue, then tap on eMMC RAW GPP
Close
> Home
.Tools
> USB tools
> SD card
and plug your Switch into your PC via USB.backup
folder on your microSD card to a safe location on your PC.backup
folder from the root of your microSD card and eject the UMS
device safely from within your computer's operating system, then return to Hekate's Home
menu.Hekate will stop producing these parts when it runs out of space. When this happens, do the following:
OK
when Hekate tells you to back up your stuff. Close
> Close
> USB Tools
> SD Card
and connect your Switch to your PC via USB.backup
folder on the root of your microSD card to a safe location on your PC.UMS
device safely from within your computer's operating system and close the UMS window in Hekate.Close
> Backup eMMC
> eMMC RAW GPP
and continue backing up your NAND.Home
menu.Click the button below to continue to Launching emuMMC! Launching CFW (emuMMC)
Click the button below to continue to Launching sysCFW! Launching CFW (sysCFW)
Partitioning WILL wipe all data on your microSD card!
In case you missed the warning earlier, your microSD card will be wiped during this page. Go to Tools
> USB Tools
> SD Card
, plug your switch into your PC via USB and back up the contents of your microSD card to your PC if you haven't done so yet. If you don't mind redownloading all the games stored on the microSD card and/or all other (potentially important) files getting deleted, you may skip this.
Tools
> Partition SD card
emuMMC (RAW)
slider to 29 FULL
in the middle of the bar.emuMMC (RAW)
slider to 58 FULL
if you're on an OLED Switch.Android (USER)
and Linux (EXT4)
sliders to 16GB minimum.Legacy
partitioning if you wish to install Android 10/11 and Dynamic
partitioning if you wish to install Android 13+. Legacy and Dynamic partitioning are NOT intercompatible.Next Step
at the bottom right, then select Start
in the menu that appears.Home
menu, navigate to emuMMC
> Create emuMMC
> SD Partition
> Part 1
and wait for Hekate to complete creating the emuMMC.Close
button, then navigate to Change emuMMC
> SD RAW 1
and press the Close
button twice in the top right to return to hekate's Home
menu.Tools
> USB Tools
> SD Card
and plug your Switch into your PC via USB.Your microSD card is not showing up or Windows complaining about an unreadable drive
If you get the issue that Windows says the microSD card is unreadable and wants to format it, do not format! This is likely your emuMMC partition. After partitioning your SD, your microSD will show up as 2 drives on your PC. Use the accessible drive. If your microSD card isn't showing up at all, ensure that you're using a USB cable capable of data transfer and that, if you use Windows, Windows has assigned a drive letter to the FAT32 partition of your SD. If you still experience errors, join the NH-Discord server for support.
Continue to SD Preparations
"},{"location":"user_guide/all/partitioning_sd_syscfw/","title":"Formatting and/or partitioning the microSD Card","text":""},{"location":"user_guide/all/partitioning_sd_syscfw/#what-you-need","title":"What you need:","text":"Partitioning WILL wipe all data on your microSD card!
In case you missed the warning earlier, your microSD card will be wiped during this page. Go to Tools
> USB Tools
> SD Card
, plug your switch into your PC via USB and back up the contents of your microSD card to your PC if you haven't done so yet. If you don't mind redownloading all the games stored on the microSD card and/or all other (potentially important) files getting deleted, you may skip this.
Tools
> Partition SD card
Next Step
at the bottom right, then select Start
in the menu that appears.Android (USER)
and Linux (EXT4)
sliders to at least 16GB.Legacy
partitioning for Android 10/11 and Dynamic
partitioning for Android 13+. Legacy and Dynamic partitioning are NOT intercompatible.Home
menu and then Tools
> USB Tools
> SD Card
and plug your Switch into your PC via USB.Your microSD card is not showing up
If your microSD card isn't showing up at all, ensure that you're using a USB cable capable of data transfer and that if you use Windows, Windows has assigned a drive letter to the FAT32 partition of your microSD card. If you still experience errors, join the NH-Discord server for support.
Continue to SD Preparations
"},{"location":"user_guide/all/sd_preparation/","title":"microSD Card preparations","text":""},{"location":"user_guide/all/sd_preparation/#information","title":"Information","text":"We will now place the required files for the Atmosph\u00e8re custom firmware and some additional homebrew files on the microSD card.
Atmosphere has its own bootloader, called fusee. For the purposes of this guide we will be using Hekate instead, so that we can back up the system's NAND (internal storage) and take advantage of other advanced features in the future.
File name extensions
If you use Windows, you should enable file name extensions before continuing. See this link for a guide on how to do this.
"},{"location":"user_guide/all/sd_preparation/#what-you-need","title":"What you need:","text":"hekate_ctcaer_(version).zip
release of hekate)atmosphere-(version)-master-(version)+hbl-(version)+hbmenu-(version).zip
release of Atmosphere.JKSV.nro
release of JKSV)ftpd.nro
release of FTPD)NXThemesInstaller.nro
release of NXThemesInstaller)NX-Shell.nro
release of nx-shell)Goldleaf.nro
release of Goldleaf).zip
file to the root of your microSD card.bootloader
folder from the Hekate .zip
file to the root of your microSD card.bootloader
folder from the bootlogos.zip
file to the root of your microSD card.hekate_ipl.ini
to the bootloader
folder on your microSD card.hosts
inside the atmosphere
folder on your microSD card, and put emummc.txt
inside of the hosts
folder.JKSV.nro
, ftpd.nro
, NxThemesInstaller.nro
, NX-Shell.nro
and Goldleaf.nro
to the switch
folder on your microSD card.If you were already using your microSD card as a storage device for your games and backed up the Nintendo folder before partitioning your microSD card, please place it back on the root of your microSD card now.
sd:/emuMMC/RAW1/
!About emummc.txt
Putting the emummc.txt
file provided by this guide into /atmosphere/hosts
will prevent your emuMMC (emuNAND) from connecting to Nintendo. Not doing this will likely result in a ban.
Your microSD card should look similar to the image below. The Nintendo
folder will not be present if your Switch has not already booted with the microSD card inserted and the emuMMC
folder will not be present if you're following the sysCFW path of the guide/you haven't created an emuMMC! payload.bin
will not be present if you're using an unpatched Switch.
Continue to Making Essential Backups
"},{"location":"user_guide/modchip/","title":"Introduction","text":""},{"location":"user_guide/modchip/#introduction-to-modchips","title":"Introduction to Modchips","text":""},{"location":"user_guide/modchip/#prerequisites","title":"Prerequisites","text":"A modchip is a physical modification to the motherboard of your Switch. It cannot be installed without decent microsoldering experience. You can outsource this work to people who are willing to do the job for you, or you can also view the following guide if you are willing to install one yourself.
Modchip Installation guide
Note: The above guide is not hosted or supported by NH Server; we cannot provide support for reviving consoles ruined by inexperience.
"},{"location":"user_guide/modchip/#information","title":"Information","text":"Unlike \"unpatched\" consoles, modchips enable CFW via CPU voltage glitching, which bypass bootROM firmware verifications. It allows a payload.bin
file to be launched in place of BOOT0, loaded via a modchip firmware module named sdloader
. This is much different from RCM and its exploit, fusee-gelee, which \"unpatched\" consoles use. Modchips allow any console, including all patched consoles, to run CFW!
Patched Switch consoles, except certain original V1 consoles made from 2017 to mid-2018, are immune to the fusee-gelee exploit in RCM. Attempting to inject a payload on a Patched console will be unsuccessful.
Depending on your modchip's firmware, you may not be able to boot the console without a microSD card inserted. This means without a microSD inserted at all times, your Switch becomes unusable.
If you do turn on your Switch without a microSD card inserted, you should end up at a splash screen saying something along the lines of NO SD
.
Some modchip firmwares (e.g., Spacecraft-NX, Hwfly-NX and the Picofly firmware) allow bypassing sdloader
by holding one - or both - of the volume buttons during power-on, enabling normal boot without a microSD card. Not all modchips support manual firmware updates.
Modchipped Switch consoles allow untethered, coldboot CFW loading, directly entering custom firmware without external devices like dongles or jigs. This is in contrast to the tethered coldboot \"RCM\" entrypoint.
Running CFW on modchipped consoles is more simplistic, as it only requires you to have payload.bin
present on the root of your microSD card when you turn on the system.
Furthermore, this guide assumes you have a functional modchip installation.
"},{"location":"user_guide/modchip/#important","title":"Important","text":"If you do decide to follow the recommended emuMMC path later in the guide, make sure you disable Automatic Save Data Cloud backups/downloads beforehand as well as making sure the Switch is set as Primary Console.
Disclaimer
We ONLY support the Picofly modchip (the RP2040 Zero
development board and the \"modchip variant\" of it). Installing a modchip safely is your responsibility, so if you don't trust yourself, get someone trusted to perform the install. There is always a risk of your Switch being rendered dysfunctional when messing with its hardware without proper experience. The NH-Discord server is not for fixing bad/failed modchip installations. We can give advice and installation tips for the installation as long as it's for a Picofly modchip.
Continue to Preparing Hekate
Frequently Asked Questions about this pageQ: Can you provide more information about modchip firmwares, specifically regarding their impact on the boot process and the ability to bypass the sdloader? A: Modchip firmwares indirectly determine the functionality of your system. Modern modchips (such as Picofly) typically have firmware flashed to them that support all hardware configurations (namely eMMC brands like Hynix, Samsung and Toshiba) \"out-of-the-box\" and also allow you to bypass sdloader
. If this is not the case however, flashing the firmware manually is required by opening up the Switch and using the USB debug port that comes with the modchip to flash the modchip directly. This is especially required in the cases where the eMMC brand is not supported, as your Switch wouldn't boot whatsoever and the modchip would be stuck while trying to glitch/train and write its payload to the BOOT0
partition of the internal storage.
Q: What different types of modchips are there? A: There are three main types of modchips for the Nintendo Switch. Only two of them are relevant for this guide. On the V1 Nintendo Switch, a chip can be installed which automatically injects a payload whenever the console is detected in RCM. This type of modchip is not supported by this guide. On all other Switch consoles, there are DIY \"Picofly\" modchips which can be created with Raspberry Pi parts and custom cables. These use special firmwares, and are not compatible with firmwares intended for other modchips. There are also other \"commercial\" modchips of dubious origin by the name of \"hwfly\" or \"SX Core/Lite\"; we only will help with flashing new firmwares onto these, if you happen to already have one of them installed. Do not ask for assistance installing or sourcing this type of modchip.
Q: Can you further explain the concept of running homebrew \"over a title\" and why it allows for higher resource allocation? A: The default way to run homebrew within Atmosph\u00e8re is via the Album applet on the HOME Menu. However, applets have significantly less resources compared to full applications, and homebrew tools often run into constraints with these limits. By holding a button while launching normal apps while in CFW, you can load the Homebrew menu in their stead with full resources.
Q: What makes Picofly the only supported modchip, and what are the potential risks associated with installing a modchip on your Switch without proper experience? A: Picofly is a fully open-source modchip, from the firmware to the RP2040 microcontroller it uses. Other \"commercial\" modchips have dubious origins, or were manufactured by established illegal piracy groups that have no place in the homebrew community. For the safety of your console and to respect the law of where NH Server is based, we will not assist with sourcing these types of modchips.
To get ready for formatting and/or partitioning your microSD card, we will need to prepare and place the required files on the microSD card.
Following the guide will delete everything on your microSD card!
Later in the guide, you will be formatting and/or partitioning your microSD card. This means that all data on the microSD card will be lost. Now is a good time to back up all of its data to a safe place (for example, on your PC or external drive) so that you can restore it later. You can do this by following the instructions below.
"},{"location":"user_guide/modchip/preparing_hekate/#what-you-need","title":"What you need:","text":"hekate_ctcaer_(version).zip
release of Hekate).zip
to a location on your computer.Nintendo
folder (and any other important data) from the root of your microSD card to a safe space on your device.bootloader
folder and the hekate_ctcaer_(version).bin
payload.bootloader
folder and hekate_ctcaer_(version).bin
payload to the root of your microSD card.hekate_ctcaer_(version).bin
payload to payload.bin
Warning
If your Switch does not load into the Hekate GUI, or shows a No SD Card
/No Payload
screen when turning on the console, ensure that you inserted your microSD card and that Hekate's payload.bin
is on the root of the microSD card.
Continue to choosing your CFW environment
Frequently Asked Questions about this pageQ: Can I use a microSD card with existing data, or does it need to be formatted specifically for this process? A: It is recommended that you use a microSD that is already formatted as FAT32 before starting. In addition, it is important that the microSD card does not have any data from other Switch consoles already on it.
Q: What makes Hekate the recommended choice in this guide? A: Hekate is a polished, multi-purpose bootloader for the Switch. It has the tools to facilitate simple usage of custom firmware and custom operating systems, and aids with organisation and formatting later on in this guide.
Q: How do you pronounce \"Hekate\"? A: Hekate comes from Greek. The most commonly accepted pronunciations are \"HEK-ate\", \"HEK-uh-tee\", and \"hek-AH-tay\".
Q: What role does the /bootloader
folder play in the overall functionality of Hekate? A: The bootloader folder contains crucial parts of Hekate that can't fit in the injectable RCM/modchip payload, such as Nyx; Hekate's touch-enabled GUI. If you start Hekate without these files on your microSD, Hekate's functionality will be severely limited.
Q: How often should I check for updates to Hekate, and what benefits do newer releases bring to the process? A: Nintendo Homebrew's #announcements channel will automatically poll for updates to Atmosph\u00e8re and Hekate, letting you know when updates are available for them. In general, you'll want to look for updates whenever a major Switch system update is launched, as major updates will stop Horizon from booting until Hekate and Atmosph\u00e8re are updated accordingly.
Q: Does this process have any effect on the Switch's system or data? A: No, nothing in the guide has had any permanent effect on the Switch so far.
"},{"location":"user_guide/rcm/","title":"RCM","text":""},{"location":"user_guide/rcm/#about-rcm","title":"About RCM","text":"RCM (short for ReCovery Mode) is a pre-boot mode for Tegra processors that allows NVIDIA and Nintendo to send the Switch tiny programs for various internal uses. On unpatched consoles, once a payload was sent, then quickly copied into the memory buffer behind the stack, it overflowed the memory buffer into the stack. This leads to a \"smashed stack\" and unsigned code execution within a bootROM context, giving us access to nearly everything on the console. We use it here to launch Atmosph\u00e8re.
If you choose the emuMMC path introduced later in the guide, it'll be important to disable the Automatic Save Data Cloud function beforehand, as well as making sure the Switch is set as the primary console.
Continue to Entering RCM
Frequently Asked Questions about this pageQ: How does the RCM exploit work on unpatched Nintendo Switch consoles? A: For more information, please reference this page. There is also a Medium article about it here.
Q: Does RCM work on patched consoles? A: Yes. RCM is an intended mode for all Switch consoles. The exploit is the unintended effect that only some consoles can use. Consoles with the Tegra X1+ have a completely new bootROM with no evidence of the exploit, while \"patched\" V1 systems have an IROM patch to the bootROM applied that effectively removes fusee-gelee as well.
The Switch's Tegra X1 processor has a recovery mode referred to shorthand as RCM, intended to be useless for end-users. Fortunately, due to the fusee-gelee vulnerability, this special mode acts as our gateway into CFW.
Methods to enter RCM can require nothing more than household items (not recommended) to affordable tools ($5-10) available on platforms like AliExpress and Amazon. Avoid the \"metal bridge\" or \"paperclip method\" as it can damage your console. You can also consider 3D printing necessary tools.
Patched Switch
Note that patched units can enter RCM, but it is not possible to send a payload on those systems. Also note that RCM is a different recovery mode than the one accessed by holding Volume Up, Volume Down and powering on your console.
Information about the methods below
The order of methods on this page is in the order of ease. The easiest method to immediately accomplish is the RCM Jig
method. The most advanced/difficult methods are mentioned in the other tabs and should not be attempted by most people as they require voiding your warranty and/or soldering. USING A PAPERCLIP OR TIN FOIL CAN/WILL DAMAGE YOUR CONSOLE, DO NOT DO THIS!
Volume Up
button, press the Power
button once while holding Volume Up
.Volume Up
button.Some jig designs use paperclips, inheriting the same risks as the \"metal bridge\" / \"paperclip method\" and should not be done.
Once you have successfully entered RCM, you can take the jig out of the Joy-Con rail.
This method is similar to the \"metal bridge\" / \"paperclip method\", but is more reliable and safer in many cases. Jigs hold a wire in place so the correct pins (10 and a ground) are reliably shorted.
This method requires opening your right Joy-Con, voiding its warranty. Not for the faint of heart.
This method comes to us from the mind of pbanj
on Discord. All pictures of this method in action were provided by him, with some supplementary images provided by eip618
on Discord.
The goal of this method is to open the right Joy-Con to the point that you can reach the contact pads easily. This is similar to the previous method, however you will be soldering wires to pins 7 and 10 (shown below) and wiring them to the \"rail release button\" at the top back of the right Joy-Con.
This method requires opening your right Joy-Con, voiding its warranty. Not for the faint of heart.
The goal of this method is to open the right handed Joy-Con to the point that you can reach the contact pads easily. This is similar to the previous method, however the goal is to solder pins 7 and 10 (shown below) together with a surface-mount 0805 10k
resistor. Apart from using a physical switch/button, this is currently considered the safest method that involves soldering to pads.
This method will result in the right Joy-Con being seen as \"detached\" while physically connected to the Switch, so it will not be able to charge. This method may result in the Joy-Con being permanently detected as wireless if you update the Joy-Con firmware while this mod is installed. In the latter case, fixing this requires opening up the Joy-Con and reseating the battery. It is recommended to solder pads 7 and 10 together with a resistor instead.
This method requires opening your right Joy-Con, voiding its warranty. Not for the faint of heart.
The goal of this method is to open the right Joy-Con to the point that you can reach the contact pads easily. This is similar to the previous method, however the goal is to solder pads 9 and 10 (seen below) together. This can either be done using a small wire, or directly bridging the pads with solder.
This method will result in the right Joy-Con being detected as in wireless mode while attached to the Switch, and this method may result in the Joy-Con being permanently detected as wireless if you update the Joy-Con firmware while this mod is installed. In the latter case, fixing this requires opening up the Joy-Con and reseating the battery.
This method requires opening your right Joy-Con, voiding its warranty. Not for the faint of heart.
The goal of this method is to open the right handed Joy-Con to the point that you can reach the contact pads easily, and use a thin object such as a knife to gently bend pin 9 and 10 (shown below) slightly up and towards each other so they touch, shorting them.
Continue to Sending a Payload
"},{"location":"user_guide/rcm/entering_rcm/#the-rcm-jig-pictured-below-is-the-model-we-recommend","title":"The RCM jig pictured below is the model we recommend:","text":"Making your own RCM Jig
If you plan on making your own jig, the second image lays out the right Joy-Con pad out on the console. Make sure your jig NEVER touches pin 4. Pin 4 provides 5 volts of power to the Joy-Con, and can permanently damage the rail or console if shorted.
"},{"location":"user_guide/rcm/entering_rcm/#joycon-pad-pinout","title":"JoyCon pad pinout:","text":"In order to start this method you will want to take two lengths of wire, and wrap one end of each into a small circle.
"},{"location":"user_guide/rcm/entering_rcm/#wire-reference","title":"Wire reference:","text":"You will then want to take the circular end of one of the wires and add a small amount of solder, keeping it mostly flat (ONLY DO THIS TO ONE OF THE WIRES!). You will then glue this wire down to the below point on the rail release button. Make sure glue doesn't cover the top of the solder/wire as it will act as a contact point. Also, ensure that you leave enough space for the button to function correctly. Try pushing the button from the outside and observing its travel path so that you can see where and how you should safely glue the solder glob.
"},{"location":"user_guide/rcm/entering_rcm/#joy-con-button","title":"Joy-Con button:","text":""},{"location":"user_guide/rcm/entering_rcm/#joy-con-button_1","title":"Joy-Con button:","text":"The first wire should now be in place as seen by the green circle below. The second wire does not need any solder, instead you will hold it in place using the screw as shown by the red circle in the picture below.
"},{"location":"user_guide/rcm/entering_rcm/#joy-con-button-in-place","title":"Joy-Con button in place:","text":"Pressing the Joy-Con button in you should now notice the solder point you created making contact with the piece of metal held in by the screw. Once you have these elements in place you want to connect one wire to pad 7 and the other to pad 10 (it doesn't matter which is which). After that you have successfully created an RCM button on your Joycon. You will now need to hold down the Joycon release button when attempting to boot RCM.
"},{"location":"user_guide/rcm/entering_rcm/#successful-installation","title":"Successful installation:","text":""},{"location":"user_guide/rcm/entering_rcm/#joycon-pad-pinout_1","title":"JoyCon pad pinout:","text":"Here is an example from stuck_pixel
from the ReSwitched Discord server.
Below is an example from yami0666
from our Discord server.
Here is an example from sonlen
on our Discord server.
If you are here to test if your Switch is patched
Make sure you have put your device into RCM and downloaded Hekate. Once finished, if your console is not patched, continue with the \"Preparing Hekate\" section at the bottom of the page.
Now that the device is in RCM, we will need to send it a payload. The methods are mostly the same but slightly differ depending on what hardware you have available.
WindowsLinuxMacAndroidChromebook
If nothing happens after you send the payload
If your console's screen remains black after you've sent Hekate (or any other payload), it's possible your payload was corrupted, or that your console is patched. If your payload injector program shows that zero or 0x0000 bytes were sent, then it is patched. This isn't a one-time glitch or up for debate; it is patched. Consider an alternate method that isn't via RCM.
"},{"location":"user_guide/rcm/sending_payload/#what-you-need","title":"What you need:","text":"hekate_ctcaer_(version).bin
) is located inside of the hekate_ctcaer_(version).zip
.Settings
tab, then press Install Driver
and follow the on-screen instructions.Payload
tab of TegraRcmGUI.Inject payload
, and navigate to and select the hekate_ctcaer_X.X.X.bin
file.Inject payload
to launch the payload you selected.Follow these steps if you face issues when installing the driver with TegraRcmGUI. You will need the latest version of Zadig.
Options
menu, be sure that List All Devices
is enabled.libusbK (v3.1.0.0)
in the driver list.Install Driver
and wait for the installation to finish.hekate_ctcaer_(version).bin
) is located inside of the hekate_ctcaer_(version).zip
../fusee-nano /path/to/hekate-ctcaer_X.X.X.bin
sudo
CrystalRCM.(version).dmg
file)hekate_ctcaer_(version).bin
) is located inside of the hekate_ctcaer_(version).zip
.CrystalRCM.(version).dmg
file, open the mounted disk image in File Explorer and copy the CrystalRCM.app
file inside of the mounted disk image to any location on your Mac.CrystalRCM.app
app, then click Payload...
and select the hekate_ctcaer_X.X.X.bin
file.Push!
. The payload should now be injected successfully.hekate_ctcaer_(version).bin
) is located inside of the hekate_ctcaer_(version).zip
..bin
file from the Hekate .zip
file to a location on your phone.Payloads
(Signified by a downwards arrow with a line), then press the +
button at the bottom right..bin
file and tap it to add it to Rekado's menu.Hide bundled
.hekate_ctcaer_X.X.X.bin
file in the dialog that pops up.About USB-C
If your Chromebook has a USB-C port, do note that this will not work using a C-C cable.
hekate_ctcaer_(version).bin
) is located inside of the hekate_ctcaer_(version).zip
.hekate_ctcaer_X.X.X.bin
file from the Hekate .zip
file.APX
option.We will prepare the microSD card for formatting/partitioning before going to the next page. Removing the microSD card while in Hekate is safe so turning off the console is not necessary and keeping it on will save time that would be spent reinjecting the payload.
Following the guide will delete everything on your microSD card!
Later in the guide, you will be formatting and/or partitioning your microSD card. This means that all data on the microSD card will be lost. Now is a good time to back up all of its data to a safe place (for example, on your PC or external drive) so that you can restore it later. You can do this by following the instructions below.
"},{"location":"user_guide/rcm/sending_payload/#what-you-need_5","title":"What you need:","text":"Nintendo
folder (and any other important data) from the root of your microSD card to a safe space on your device..zip
to a location on your computerbootloader
.bootloader
folder to the root of your microSD card.Continue to choosing your CFW environment
"}]} \ No newline at end of file diff --git a/sitemap.xml.gz b/sitemap.xml.gz index d789b378e9e0111e0b6bcbc3169de29d26c6e7c9..62a388085e35b070ae7c882fbc87b56f5a6627e5 100644 GIT binary patch delta 15 Wcmcb?a)X6UzMF&Ng6~GQASM7P#{{7O delta 15 Wcmcb?a)X6UzMF$1RcIqy5EB3;9s~OT diff --git a/user_guide/all/partitioning_sd/index.html b/user_guide/all/partitioning_sd/index.html index 28d390aa..6fd35d80 100644 --- a/user_guide/all/partitioning_sd/index.html +++ b/user_guide/all/partitioning_sd/index.html @@ -1648,9 +1648,9 @@Partitioning WILL wipe all data on your SD card!
-Hekate will prompt you to back it up with UMS before you begin, but in case you miss it, go to Tools
> USB tools
> SD card
and plug your switch into your PC via USB, and backup the contents of your SD card. If you don't mind redownloading all the games stored on the SD card, you may skip this.
Partitioning WILL wipe all data on your microSD card!
+In case you missed the warning earlier, your microSD card will be wiped during this page. Go to Tools
> USB Tools
> SD Card
, plug your switch into your PC via USB and back up the contents of your microSD card to your PC if you haven't done so yet. If you don't mind redownloading all the games stored on the microSD card and/or all other (potentially important) files getting deleted, you may skip this.
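Review bot: The added body line opens with "In case you missed the warning earlier", which assumes the reader came from a previous page and replaces the removed, self-contained statement that Hekate prompts for a UMS backup before partitioning. A reader who lands on this page directly is not told where that earlier warning was, so either name the page or keep the instruction complete on its own. In the same added line, "plug your switch" should be "plug your Switch" to match the capitalisation used in the other steps of the guide, and "will be wiped during this page" would read more clearly as "will be wiped by the steps on this page".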
Partitioning WILL wipe all data on your SD card!
-Hekate will prompt you to back it up with UMS before you begin, but in case you miss it, go to Tools
> USB tools
> SD card
and plug your switch into your PC via USB, and backup the contents of your SD card. If you don't mind redownloading all the games stored on the SD card, you may skip this.
Partitioning WILL wipe all data on your microSD card!
+In case you missed the warning earlier, your microSD card will be wiped during this page. Go to Tools
> USB Tools
> SD Card
, plug your switch into your PC via USB and back up the contents of your microSD card to your PC if you haven't done so yet. If you don't mind redownloading all the games stored on the microSD card and/or all other (potentially important) files getting deleted, you may skip this.
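Review bot: The added admonition title and body here repeat the previous hunk's added lines word for word, and the diffstat lists the same 4-insertion, 4-deletion change for user_guide/all/partitioning_sd_syscfw/index.html, so one data-loss warning is being maintained as several separate copies that can drift apart. Because this commit is a generated gh-pages deployment, the change belongs in the source repository: keep the warning in one shared source fragment and include it wherever it is needed. The search_index.json rewrite (one line replaced by one line, no newline at end of file) and the sitemap.xml.gz binary delta (600 -> 600 bytes) are regenerated artifacts that cannot be checked from this patch, so the wording should be reviewed against the source commit named in the subject line.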