Android on the Nintendo Switch. Just think of all the Nintendo apps you’re missing out on.

The Nintendo Switch is, basically, a game console made out of smartphone parts. The quad-core Nvidia Tegra X1 ARM SoC would be right at home in a smartphone or tablet, along with the 4GB of RAM, a 720p touchscreen, and a 4310mAh battery. Really, the only things that make the Switch a game console are the sweet slide-on controllers and the fact that it is blessed by Nintendo, with actually good AAA games, ecosystem support, and developer outreach.

With such a close relation to smartphone hardware, it only makes sense that people would eventually load some smartphone software onto the Nintendo Switch—and around Ars, we’ve recently made everyone’s favorite handheld run Android. Such a thing might sound like a hardware hacker’s pipe dream, but thanks to work from a group called “Switchroot,” you can now get a pretty good build of Android up and running on Nintendo’s console.

A project like this is only possible thanks to two of the Internet’s biggest hacking communities joining forces—you’ve got the best of the Nintendo Homebrew scene combining with the best of the Android custom ROM community. And as we recently discovered, getting Android running on the Switch is a whirlwind tour of huge community projects and discoveries all in the name of doing whatever you want with hardware you own.

Currently, we don’t have a strong argument for why anyone would want to run Android on the Switch, other than it’s super fun, and walking through the process is a great way to learn more about the Switch and Android. And if you’ve been disappointed with Nintendo’s lack of an official Virtual Console on the Switch, you’ll be able to blow open the doors to classic gaming, both with Android ports of titles for sale on the Play Store and access to about a million emulators.

But before we worry about loading Android onto the Switch, the first step is a getaway: we have to break out of Nintendo’s sandbox.

The Homebrew basics

While you might think running Android on a thing made out of smartphone parts was inevitable, the road to getting Android on the Switch first had to be paved by the Switch homebrew community. Out of the box, game consoles are locked down to only run software the manufacturer wants them to run. So before anyone can even think about running something like Android, a group of dedicated hackers first had to document how the Switch worked, hunt down exploits, develop software, and probably destroy some devices in order to figure out how to actually run arbitrary code on the Switch.

In this case, Nintendo’s use of an off-the-shelf Nvidia Tegra SoC gave the hackers a good starting point. As a commercial product, the Tegra SoC has a ton of documentation and even readily available developer kits. Early Switch hacking attempts started on one of these development kits, and documentation from Nvidia even detailed how to bypass memory management and kick off the first exploit. As one of the hackers behind the exploit said, “Nvidia backdoored themselves.”

Since then a number of vulnerabilities have been discovered in the Switch’s hardware and software, but the biggest is “Fusée Gelée,” an exploit in the recovery mode of the Switch’s Tegra X1 SoC. Of all the fun and interesting ways you could break the security of a video game console, a recovery mode vulnerability is pretty handy.

Like many ARM-based computers, the Nintendo Switch has a built-in recovery mode that it can be booted into instead of the OS. This mode is meant for the initial flashing of the consumer OS, and it’s used for recovery in the event of a damaged operating system. The consumer OS is meant to be frequently updated and changed over the life of the console, but if anything goes wrong and the main OS stops working, this recovery mode is your only way to possibly recover the system. Since it is very important that this recovery mode never gets damaged or maliciously modified, it is completely independent of the main OS, and it’s read only—it can never be changed or updated once the device leaves the factory.

An exploit in the recovery mode is seriously bad news for a company like Nintendo that wants to lock down its hardware. For devices that have already left the factory, recovery mode can’t be patched with a system update. The whole point of the recovery mode is that it always works and never changes, so that it can never be broken by a dumb user, a malicious program, or a bad update. So shortly after the disclosure of Fusée Gelée, Nintendo reportedly started producing new Switches that were immune to the vulnerability, but there are still 15 million-ish devices out there with an unpatchable recovery mode. Any Switch purchased before mid-2018 should be vulnerable, and you can compare your serial number against this list if curious. You can also just give the exploit a shot and see if it works. A detailed step-by-step guide on how to do this is here—we’re just giving a brief overview.

The process of triggering Fusée Gelée and loading homebrew on your Switch is, frankly, pretty cool. First you have to boot into the Tegra’s ReCovery Mode (called “Tegra RCM”), which, just like on a smartphone, is done with a secret key combination. On the Switch, recovery mode requires you to turn off the system and hold the buttons for “Volume Up,” “Home,” and “Power” on the body of the Switch, not the Joy Cons. This is kind of a problem, because if you detach the Joy Cons and just hold the Switch body in your hands, you’ll find a volume rocker and power button on the top edge, but you won’t find a home button anywhere.

In the name of Android, we’re still going to trigger the home button, though, even if a home button doesn’t physically exist. The system-defining Joy Con rails on the sides of the console have an electrical connector tucked into the bottom of the rail. This set of ten gold connectors is normally used for charging the controllers and passing data back and forth, but during the initial simplified boot-up state, the Tegra SoC has the rear-most pin on the right joycon rail (usually referred to as “Pin 10”) mapped to the system’s “Home” button. Just bridge Pin 10 to ground (via any of the rail screws or the ground Joy Con pin), and you’ve got yourself a system home button.

These pins are pretty small, about the size of a MicroUSB pin, and they are tucked away in the bottom of the rail, so they can be tough to get at. The homebrew community has been coming up with all sorts of fun and creative ways to make what is referred to as an “RCM Jig”—a tool that connects Pin 10 to ground. I’ve seen everything from artisanally crafted paper clips to safety pins to sacrificial Joy Con connectors. The nicest and most repeatable way, though, is to buy or 3D-print a plastic cap that smoothly slides into the Joy Con rails and bridges Pin 10 to Pin 1.

Going the DIY route for an RCM jig can be dangerous, since shorting the wrong pins or damaging the pins can damage your Switch. Buying a pre-made jig has much less room for error and less risk of damage, and shorting the pins correctly is really the only hard part of modding the Switch—from here on out it’s all software work. Compared to some of the old-school console mods where you would have to open the system and solder a modchip to the CD drive, being able to break into the Switch without even picking up a screwdriver is pretty easy.

Now that we have a way to press our non-existent system home button, turn the Switch off all the way, and it’s time for the magic key combination. Slide in your RCM jig, hold “volume up” and “power” at the top of the Switch, and, if you did it right, uh, nothing will happen. The Tegra’s recovery mode on the Switch does not have any fancy graphics or even a text message confirming the mode is on—the Switch just looks like it is off. So a completely blank screen after pressing the power button is a good thing—that or the random bits of metal you jammed into your Switch killed it and you’ll have to go back to playing the Wii U. (As always, with great power comes great responsibility—proceed with projects like this at your own risk.)

If successful, now we have theoretically entered recovery mode, so we should probably talk about the exploit we’re going to do. Fusée Gelée is a USB-based exploit, so we’re going to plug the Switch into something and send it some magic exploit-packing software. The way these recovery modes are supposed to work is that they should only accept a signed software package from the system manufacturer, thereby allowing you to do something like re-flash the system software—but only approved system software from the vendor.

Nvidia’s recovery mode contains a copy operation that did not quite get coded correctly, though, and by sending it a bad “length” argument you can trigger a buffer overflow and gain control of the Tegra’s “Boot and Power Management processor (BPMP).” “BPMP” is a Tegra-specific design flourish, and it’s a tiny ARM7 “boot cpu” designed to get the system up and running. Because BPMP is the very first step in the Tegra boot-up process, taking control of this means you’ve owned the system before any security lockout procedures start. From here, it’s possible to exfiltrate secrets and make the main CPU do whatever you want, which gets executed at the highest possible privilege level. Again this is all from recovery mode and completely unpatchable via the consumer update system, so it’s pretty bad news for Nintendo’s security.
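The class of bug described above, as an added C example that is not from the article or from Nvidia's boot ROM: a request handler that uses a host-supplied length to copy into a fixed buffer, next to a version that validates the length first. The memory layout, the struct and every function name are hypothetical and model the pattern only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: a flat arena standing in for early-boot RAM. */
#define ARENA_SIZE  128u
#define BUF_SIZE    32u               /* fixed-size destination buffer */
#define STATE_OFF   BUF_SIZE          /* control data placed right after it */
#define STATE_SIZE  8u
#define STATE_BYTE  0xA5u

struct boot_ram { uint8_t mem[ARENA_SIZE]; };

/* Hypothetical host request: `length` is chosen by the USB host. */
struct usb_request {
    uint16_t       length;    /* bytes the host asks the device to copy */
    const uint8_t *data;      /* bytes received from the host */
    size_t         data_len;  /* how many bytes were actually received */
};

static void ram_init(struct boot_ram *ram)
{
    memset(ram->mem, 0, sizeof ram->mem);
    memset(ram->mem + STATE_OFF, STATE_BYTE, STATE_SIZE);
}

static int state_intact(const struct boot_ram *ram)
{
    for (size_t i = 0; i < STATE_SIZE; i++)
        if (ram->mem[STATE_OFF + i] != STATE_BYTE)
            return 0;
    return 1;
}

/* Vulnerable pattern: the copy size comes straight from the request. */
static size_t handle_unchecked(struct boot_ram *ram, const struct usb_request *req)
{
    size_t n = req->length;               /* never compared with BUF_SIZE */
    /* Model-only clamps: keep the demo inside the arena and the source. */
    if (n > ARENA_SIZE) n = ARENA_SIZE;
    if (n > req->data_len) n = req->data_len;
    memcpy(ram->mem, req->data, n);       /* runs past the buffer when n > 32 */
    return n;
}

/* Hardened pattern: validate the length against the destination first. */
static int handle_checked(struct boot_ram *ram, const struct usb_request *req)
{
    if (req->length > BUF_SIZE || req->length > req->data_len)
        return -1;                        /* reject, copy nothing */
    memcpy(ram->mem, req->data, req->length);
    return (int)req->length;
}

/* Runs one request through either handler; reports if adjacent state survived. */
int state_survives(uint16_t length, int use_checked)
{
    static uint8_t payload[ARENA_SIZE];
    struct boot_ram ram;
    struct usb_request req = { length, payload, sizeof payload };

    memset(payload, 0x41, sizeof payload);   /* constructed filler bytes */
    ram_init(&ram);
    if (use_checked)
        (void)handle_checked(&ram, &req);
    else
        (void)handle_unchecked(&ram, &req);
    return state_intact(&ram);
}

/* Return value of the hardened handler for a given requested length. */
int checked_result(uint16_t length)
{
    static uint8_t payload[ARENA_SIZE];
    struct boot_ram ram;
    struct usb_request req = { length, payload, sizeof payload };
    ram_init(&ram);
    return handle_checked(&ram, &req);
}

int main(void)
{
    printf("unchecked, length 16: state intact = %d\n", state_survives(16, 0));
    printf("unchecked, length 64: state intact = %d\n", state_survives(64, 0));
    printf("checked,   length 64: state intact = %d (handler returned %d)\n",
           state_survives(64, 1), checked_result(64));
    return 0;
}
```

In read-only boot code the hardened form can only ship in new silicon, which is why the article calls the flaw unpatchable on devices already sold.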

You probably don’t need a USB dongle to load software onto the Switch, but this one is so pretty!

You’ll need some kind of USB-host to beam over the magic software package to the Switch, and just about anything will work. There is Switch RCM software for Windows, Mac, Linux, and even Android, which is thematically appropriate for our purposes (yes, you could totally hack a Switch from another Switch!). There are even purpose-built USB dongles with their own internal storage and a battery—just plug it in, pick your payload, and it will zip over the right (preloaded!) software.

Now that we can do whatever we want, a popular next step is to have the RCM loader send over the “Hekate” bootloader, which will provide a nice boot menu to launch other custom software from the Switch’s MicroSD slot. And from here, the sky’s the limit. You can permanently mod the Switch with custom firmware that does things like turn the Switch OS’ “Album” screen into a homebrew menu. You can back up your Switch or make game backups.

Or, as of this month, you can launch Android!

Getting a working build of Android

While there were early rumors of the then “Nintendo NX” running Android out of the box, the Switch’s OS is actually a custom microkernel called “Horizon.” This can trace its lineage back to Nintendo’s previous portable console, the 3DS. Still, side-stepping Horizon and loading Android won’t be the first time Android code has hit the Nintendo Switch. Nintendo’s licensing info screen contains a shoutout to Android’s infamous “Stagefright” media playback engine, indicating it is used in the Switch somewhere. According to the SwitchBrew.org wiki, Stagefright powers the Switch’s built-in game recording and the Album screen’s media playback capabilities.

The graphics pipeline also didn’t escape the reach of Google’s codebase. Developers of the “Yuzu” Nintendo Switch emulator flatly state on their blog, “Nintendo re-purposed the Android graphics stack and used it in the Switch for rendering. We had to implement this even to get homebrew applications to display graphics.” At least part of this is the “Nvnflinger” service. Included in the SwitchBrew writeup for the service is a great one-liner: “This uses Android code.” Judging by what Nvnflinger does and what it’s called, this service is not being shy about its relation to Android’s SurfaceFlinger, which composites display buffers and sends them to the display.

For Ars’ purposes, we’re going all-the-way Android, though, and with the ability to run whatever we want, we now need a build of Android that runs on the Switch. As a device running the Nvidia Tegra X1 SoC, the Nintendo Switch is a close cousin to two Android devices, the Nvidia Shield TV, a set-top box that runs Android TV, and the Google Pixel C, Google’s last (ever?) Android tablet. Tegra is pretty rare hardware for an Android device, since almost every other Android device on Earth runs a Qualcomm SoC.

The “Switchroot” team that got Android running on the Switch, Langer Hans and Bylaws, started with an Nvidia Shield TV branch of LineageOS, the most popular community version of Android. This is easier than starting with raw AOSP (Android Open Source Project) builds direct from Google, since, in addition to a host of power-user features, Lineage is made “device-ready” by an army of maintainers. Google’s AOSP codebase is more device-neutral, so while you want a lot of it, there’s also a lot that does not apply to an individual device. It’s also often missing proprietary code for an individual device.

If it wasn’t clear by now, the process from here is going to involve handing off bits from the Nintendo homebrew community to bits from the Android custom ROM community. We’re going to be running LineageOS 15.1 (based on Android 8.1 Oreo) and using TWRP (Team Win Recovery Project) to flash whatever we want to our new Android system partition, like the Google apps, which aren’t included with Lineage. TWRP is the biggest Android recovery project out there, and while it is completely separate from the Tegra’s built-in recovery mode, it’s kind of the same idea with more functionality. This is an alternate mini OS we can boot into that gives lots of administrative options for our build of Android. We get full offline access to the system in TWRP, so we can back up and restore images of the NAND flash, flash zip packages to the system partition, mount the system and edit things in a file manager, wipe the entire phone of user data, and change or upgrade the entire OS.

The one quirk with this “Switchroot” build of Android is that we aren’t going to touch the internal storage of the Nintendo Switch. Switchroot’s build is provided as an image file that you write to a MicroSD card, and this SD card will stand in as the primary storage for the Android system—instead of the Android partitions being on the Switch’s internal storage, everything runs from the SD card. This means none of this Android stuff can hurt your Switch or get it banned from Nintendo’s servers. Provided you only launch the Hekate bootloader and then launch Android (without touching ANY other buttons), you aren’t modifying the Switch’s internal storage at all. That way, Nintendo’s Horizon OS and servers are not aware you are doing anything unapproved with your hardware.

The instructions tell you to download an appropriately sized disk image and write the image to your SD card. Now, if you’re following along at home, don’t make the same mistake I did and grab any old SD card from the bottom of your junk drawer. In my initial “let’s just see if I can get this working” install, I mindlessly followed the instructions without realizing I was turning an SD card into my system’s primary storage device. When I booted up with my anonymous junk-drawer SD card, every…. button…. press… was accompanied by a laborious load time—even the keyboard was slow. So, don’t do this! Instead, use the absolute-fastest MicroSD card you can get your hands on. I ended up upgrading from a 16GB class 4 card to a 200GB class 10 card, and there was a night-and-day difference in performance.

Once you have your MicroSD card flashed, pop it in the Nintendo Switch, slide in your RCM Jig, boot into RCM mode with the special key combo, plug in a USB cord and push the Hekate bootloader as your payload, and you’ll see an actual user interface. From here, hit “More Configs” and you should see an option to launch your build of Android.

What works, what’s broken

This is the first version of an effort to make Android run on something it’s not supposed to run on, and for projects like this, there is always something broken in the initial releases. There is a list of known bugs on the XDA post, but let’s talk about what does and doesn’t work at the moment.

In person, the first thing that stands out is the touchscreen support, which is not great. The touch screen works, but a polished touch screen implementation has a good amount of error correction built in, and that is not present in this build. For instance, long-press commands are tough in this build, since you have to place your finger on the screen and not move it a single pixel in any direction. Normally you get some wiggle room for an interaction like this. When scrolling, it’s easy to accidentally trigger a list item, again, because there’s no smoothing or error correction. The keyboard likes to double-enter button presses, too. For a build like this, which is based on the Nvidia Shield TV, it’s understandable. The Shield TV is a set-top box, which has no touchscreen, so you’d have to get a touch implementation from somewhere else.

Android’s deep sleep mode doesn’t work, either, so if you leave the Switch unplugged overnight, you’ll wake up to a device that has lost about 50% of its battery just sitting there. An Android smartphone, if left alone, will power all the way down to the point where nearly every Internet and notification function will stop working, which saves a ton of battery. So by comparison, a phone would only lose a few percentage points overnight.

This is not the most welcoming sight on boot-up, but it seems like we’re up and running.
Ron Amadeo

The Joy Cons mostly work. On the stock Nintendo Switch, they support both a wired and wireless mode, using Bluetooth while disconnected and the aforementioned Joy Con pins for charging and data while connected. In this build on Android, only wireless mode works, and you have to jump into the Bluetooth settings of Android to pair them. The four lights on the side of the Joy Cons normally indicate Player 1-4 in the stock Horizon OS, but in Bluetooth mode on Android the controllers constantly put on a disapproving light show, ping ponging a light across the four positions. This seems to be a weird quirk of the Joy Cons, but some PC drivers have managed to stop it.

Analog support doesn’t work for the joysticks (even after flashing a supposed “joycon fix” zip file); instead, they register as eight-way d-pads. For some games, this is a real bummer, but I would imagine this will be fixed soon. When the Joy Cons are connected, they work in most Android games, which immediately makes this one of the best portable Android gaming platforms out there. Outside of games, Android’s joystick support is a total crapshoot, which is not a problem in handheld mode when you can just use the touchscreen. In docked mode, you might want to plug in a mouse.

Yes, docked mode does work, although the Switch’s onboard screen doesn’t turn off. Interestingly Android’s usually stellar USB accessory support works on the dock’s USB-A port, but not on the Switch’s USB-C port in handheld mode. I am not really sure why, but you can’t even plug the Switch into a computer to do a basic file transfer. (I guess this is how iPhone users feel.)


Benchmarking the Nintendo Switch sounded like a fun proposition, so we ran it through the usual suite of apps we would use for a smartphone. There is a whole list of caveats that go along with these numbers, though. It’s best to treat these benchmark scores not as a definitive measure of the Nintendo Switch’s speed but as a set of diagnostic tests that help us learn more about the device and about how its early beta build of Android functions.

The Nintendo Switch is an interesting console, as it kind of lives two lives depending on if it’s in handheld mode running on a battery or in docked mode with unlimited AC power. First, there’s the resolution. In handheld mode the Switch uses the onboard 1280×720 display, but while docked it outputs a 1920×1080 signal to your TV. The Switch has a number of different performance modes developers can pick from, but in general the CPU runs at around 1GHz in both docked and handheld mode, while the GPU changes significantly from 384MHz in handheld mode to 768MHz in docked mode. In addition to not having to worry about using battery with the higher clock rate in docked mode, the faster GPU while docked helps with the task of suddenly having to pump out double the amount of pixels to your 1080p TV.

This all goes out the window when you install Android. The Switchroot build instead just has user-selectable performance profiles you can pick from in the battery options. There’s a “Balanced” 1GHz CPU, 468MHz GPU mode, a “Quick” 1.4GHz CPU, 768MHz GPU mode, and a “Performance” mode boasting a 1.7GHz CPU and 920MHz GPU. That performance mode sounds insane given the Switch’s usual 1GHz CPU, but Nintendo gave the Switch lots of headroom for higher clocks. Even Nintendo itself recently patched systems with a 1.7GHz “boost mode” CPU overclock that kicks in during the load screen times of some games. This also isn’t crazy compared to the Nvidia Shield, which runs the X1 CPU at 2GHz.

Of course, the official Nintendo patch has the Switch only running at 1.7GHz for a short amount of time while the game loads, but I’ve been running in performance mode all the time and haven’t encountered any problems. This “1.7GHz” is still with Android’s usual power saving and thermal throttling engaged, so the CPU actually runs anywhere from 200MHz to 1.7GHz depending on the heat and workload. It seems fine in practice. The battery life is not great, but the battery life is going to be a mess no matter what given that deep sleep isn’t functioning.

The CPU benchmarks, then, look like this. Compared to the Nvidia Shield TV, the 1.7GHz Switch numbers are not wildly off-base given the higher clocks of the Nvidia Shield TV and the fact that this brand-new hacked-together beta build for the Switch has probably not had nearly as much polish put into it as the shipping version on the Shield. The Tegra X1 originally launched in 2015, so both our Tegra devices get absolutely dusted by a modern, high-end SoC—the Snapdragon 855 in the Galaxy S10, in this case. Comparing a $300 Switch to a $1,000 smartphone isn’t really fair, though.

It’s also not that relevant to run the Switch CPU at 1.7GHz, since, as we said earlier, the Switch almost never runs in 1.7GHz mode during gameplay. So for a closer look at what the typical stock speeds are like, we used Switchroot’s “Balanced” preset, which gives us the 1GHz CPU clock. It’s hard to find a new Android phone in our arsenal that scored as low as a 1GHz Switch, but the best match we could find was the teeny, tiny Palm phone with its Snapdragon 435 SoC. The Palm phone is wildly overpriced at $350, but you can also find this SoC in a ~$200 phone like the Moto E5 Plus. Considering the expensive extras like the Joy Cons, dock, heatsink, game slot, and the million other things you get with a Switch, I think the performance is surprisingly price competitive with smartphones.

The other problem with benchmarks is that the screen resolution is completely crazy right now in this Android beta. Despite having a 720p screen, all software and benchmarks report the Switch’s internal display as 1080p, and these tests are most likely rendering way more pixels than they need to in handheld mode. This is easy to confirm by comparing benchmarks for handheld and docked mode, which have basically identical scores. If we were really switching between 720p and 1080p rendering, there would be a huge score difference. Oddly GFXBench reports a “1920×999” resolution when hooked up to my TV. That, uh, seems wrong.

So the best we can approximate here is “docked” mode, since there is no way to do a 720p render test right now. Again, we have a “Max power” mode just for fun, which runs at 928MHz, and we picked the 768MHz GPU preset because that’s what a docked Switch normally runs at. We’re giving rough estimates here, though, thanks to the whacked-out resolution.

As a graphics company, it should be no surprise that Nvidia’s Tegra X1 punches way above its weight class in the graphics department. While Nvidia’s lacking SoC division might make you wonder why anyone would pick the company for their mobile device, Qualcomm has only recently been able to compete with the aging Tegra X1 GPU. For a game console, you want the better graphics chip.

If you haven’t guessed yet, we won’t be benchmarking the Switch’s internal storage because we don’t have access to it. Again, Android runs off the SD card, so running a storage benchmark would just benchmark my SD card.

Build the Virtual Console Nintendo refuses to give us

So what can you do now that Android is on your Switch? Anything! Why play Super Mario Odyssey when you now have access to the clearly superior Super Mario Run? Soon you’ll be able to put down Mario Kart 8 and enjoy some of the many microtransactions Mario Kart Tour has to offer! (Just kidding, don’t install any of Nintendo’s terrible mobile games.)

If you’ve been lamenting Nintendo’s lack of a comprehensive Virtual Console on the Switch, there are a good number of classic games that have already been ported to Android and can be downloaded through the Play Store. Sega has ports of Sonic 1, 2, and Sonic CD, Comix Zone, Streets of Rage 2, Golden Axe, Altered Beast, Super Monkey Ball, Crazy Taxi, Revenge of Shinobi, Beyond Oasis, and more. Square Enix has Final Fantasy I through VII, IX, and Tactics (Sorry, FFVIII fans, at least the remaster is happening). Square also has Dragon Quest I through VII, Chrono Trigger, Secret of Mana, and The World Ends with You. SNK has a couple Metal Slugs, some Kings of Fighters, and Fatal Fury. Capcom has a whole army of Mega Men to choose from, from 1 to 6, along with 1942, a couple games in the Ace Attorney series, and Ghosts ‘n Goblins, and Ghouls ‘n Ghosts. Rockstar has ports of Grand Theft Auto III, Vice City, San Andreas, Bully, and Max Payne.

I can’t vouch for the quality of all of these games (the Mega Man Mobile series in particular has problems), but there are a ton of other mobile ports if you dig through the Play Store. In some cases, these are even better than the Nintendo Switch version: you can buy emulated versions of Sonic 1 and 2 on the Switch through the 50-game Sega Genesis Classics pack, but the Android (and iOS) versions of Sonic are the best versions of the games available. They have been lovingly remastered by the developers that would go on to make Sonic Mania, and these games now run in 16:9 aspect ratio, 60FPS, and come with optional extras like a playable Knuckles and Tails and a backport of the spin dash. As long as you don’t want to play any Nintendo games on your Nintendo system, classic gaming on Android seems pretty good.

If you have your own game backups, you can get basically every emulator on Earth for Android, from Atari 2600 to ZX Spectrum. Of course, emulators for every Nintendo console are on the Play Store, all the way up to the incredible Dolphin emulator, which covers both the Gamecube and Wii (The Wii, remember, is just two Gamecubes duct-taped together). There’s even a very experimental Nintendo Switch emulator that you can now run on your Nintendo Switch, though it only plays Homebrew. While the software is there, and the Switch is fast enough to run all the classics, actually having enough horsepower to run some of the newer emulators is an issue. The Switch can’t handle most complex Wii games, but Gamecube should be fine.

You can stream PC games to your Androidified Switch with Steam Link, and if Google Stadia becomes a thing, theoretically, that would work, too.

The rest of Android on the Switch feels like, well, Android—all the notifications, apps, and services you’re used to, albeit with a janky touchscreen right now. One of the worst realizations you’ll have once you finally get the Switch up and running is that you did all this work just to build an Android tablet, and Android is not particularly great on tablets. Google has abandoned the idea of building tablet-specific interfaces for its apps, and most of the app ecosystem has followed suit. The result is a lot of apps that were designed exclusively for phones, and on a tablet you’ll get a blown-up phone UI.

The other Android tablet problem you’ll run into with the Switch is not just that it has a big, 6.2-inch touch screen, but that the device can really only be used in landscape mode. The phone-exclusive app design trend has resulted in a lot of apps that don’t support rotation and only display in portrait, and while this is not a big deal on a phone, it is super awkward on a Switch with the controllers attached.

For games when you can get the Joy-Cons working, though, the Switch is an awesome Android device, and I really can’t overstate how good of a system this is for portable classic games. You get a huge, bright, crisp touchscreen and great physical controls in a comfy layout. It is a million times better than trying to play these games with the fake touchscreen controls the Play Store games and emulators give you, and it’s a slicker, more stable package than trying to mount a phone to an Xbox controller. There are still some bugs to work out, but the Switch is the perfect combination of form factor and computing power for something like this, and if anything tempts you to put Android on your own Switch, it should be the promise of classic gaming. And perhaps more than anything else, this whole experiment reminds us: it really is a shame Nintendo refuses to make this easier and make boatloads of money in the process.
