Custom firmware


Custom firmware, also known as aftermarket firmware, is an unofficial new or modified version of firmware created by third parties on devices such as video game consoles and various embedded device types to provide new features or to unlock hidden functionality. In the video game console community, the term is often written as custom firmware or simply CFW, referring to an altered version of the original system software inside a video game console such as the PlayStation Portable, PlayStation 3, PlayStation Vita and Nintendo 3DS.

Video game consoles

Custom firmware often allows homebrew applications or ROM image backups to run directly on the game console, unlike official firmware, which usually only allows signed or retail copies of software to run. Because custom firmware is often associated with software piracy, console manufacturers such as Nintendo and Sony have put significant effort into blocking custom firmware and other third-party devices and content from their game consoles.

PlayStation Portable, PlayStation 3 and PlayStation Vita

Custom firmware is commonly seen in the PlayStation Portable handhelds released by Sony. Notable custom firmware include M33 by Dark_AleX as well as those made by others such as the 5.50GEN series, Minimum Edition, and PRO.
Custom firmware is also seen on the PlayStation 3 console. Only early "Fat" and Slim models can run custom firmware; the later Slim and Super Slim models can only run HEN, which offers functionality similar to a custom firmware.
The PlayStation Vita has eCFW, meaning custom firmware for the PSP running inside the PS Vita's PSP emulator. These eCFWs include ARK, TN-V and, more recently, Adrenaline, which includes more features since it was hacked from the native side. In 2016 things changed for the PS Vita scene, as a team called Molecule released HENkaku, which alters the OFW of the PS Vita on firmware 3.60 and thereby creates a custom firmware on the handheld, opening it up like never before. The team behind the original HENkaku has also released taiHEN, a framework on which the newest version of HENkaku runs. It is a way to load plugins at the system level, as on the PSP, allowing the user to change or add functions on the console. Enso is a bootloader vulnerability of the Vita that makes HENkaku permanent and allows it to run at boot. So the Vita has a full CFW with HENkaku, taiHEN and Enso. Users on 3.60 can also update to 3.65 without losing HENkaku Enso.

Nintendo 3DS

The modding scene of the Nintendo 3DS primarily involves custom firmware, which requires an exploit to obtain control of the ARM9, the 3DS' security coprocessor, and, secondarily, flash cartridges, which emulate an original game cart. The current most widely used CFW is Luma3DS, developed by Aurora Wright and TuxSH, which allows unsigned CIA installation, includes open-source rewritten system firmware modules, and provides exception handling for homebrew software developers. Other past and abandoned CFWs included Gateway, Pasta, RxTools, Cakes CFW, ReiNAND, which Luma3DS was originally based on, and Corbenik; as of now the only custom firmware still being developed is Luma3DS. 3DS CFWs used to rely on "EmuNAND"/"RedNAND", a feature that boots the system from an unpartitioned space of the SD card containing a copy of the 3DS' NAND memory. These EmuNANDs could protect the 3DS system from bricking, as the system NAND was unaffected if the EmuNAND stopped working properly or was otherwise unusable. EmuNANDs could also be updated separately from the system NAND, allowing users to have the latest system version on the EmuNAND while retaining the vulnerable version on the system NAND, thus making online play and Nintendo eShop access possible on outdated 3DS system versions.
EmuNANDs were obsoleted by the release of arm9loaderhax, a boot-time ARM9 exploit that allowed people to safely use SysNAND and update it, as CFWs started patching the OS' update code so that official updates wouldn't remove the exploit. However, this exploit required a downgrade to a very early system version to get the console's unique OTP, necessary for the installation.
On May 19, 2017 a new exploit basis called sighax was released, replacing arm9loaderhax and allowing users to get even earlier control of the system, granting code execution in the context of the bootROM and thus a cleaner environment, with no downgrades or OTP required. Boot9Strap, a user-friendly version of sighax, was released.
At the same time, another bootROM exploit called ntrboot was announced, which allows people to use a backdoor present in the bootROM to get full system control on any 3DS console regardless of the firmware version, only requiring a modified DS flash cartridge and a magnet. The initial release was on August 12, supporting the AceKard 2i and R4i Gold 3DS RTS cartridges.

Nintendo Switch

Currently, several custom firmwares for the Switch console exist: Atmosphère, ReiNX and SX OS. The differences between them are largely inconsequential; Atmosphère remains in active development and is free and open-source software. ReiNX bases much of its code on Atmosphère but with some modifications to runtime components and a different bootloader, while SX OS is closed source and paid, but largely based on Atmosphère code despite assertions to the contrary.
Nintendo has made the Switch environment much more secure than previous consoles. Despite this, there exist notable bugs that lead to user exploits. Of these, the NVIDIA Tegra stack bug is the most widely exploited. It leverages the Recovery Mode (RCM) of the Switch unit in order to push unsigned/unverified payloads, in turn granting the user arbitrary code execution. This vulnerability has been further leveraged by users within the Switch hacking scene to reverse-engineer the firmware, leading to two other notable exploits: Nereba and Caffeine. While RCM is a hardware exploit, Nereba and Caffeine are software exploits and rely on the console being at or below specific firmware versions. RCM, being hardware related, merely relies on the console being vulnerable to that particular flaw and does not have a firmware requirement or range.
Due to NVIDIA's disclosure of CVE-2018-6242, Nintendo was forced to address the vulnerability, and during late 2018 began manufacturing and distributing units which have been hardware patched and are unable to access the RCM vulnerability. Any unit manufactured during or after this time is likely to be hardware patched, including the Switch Lite and the newer "red box" Switches, and any unit which is hardware patched and running a relatively recent firmware is unlikely to be able to access custom firmware at this time or in the future due to the unusually secure software environment of the Switch.

Android

The practice of replacing the system partition of the Android operating system, usually mounted as read-only, with a modified version of Android is called "flashing." The procedure is generally not supported by device manufacturers, and requires advanced knowledge of OS mechanics. However, recent years have brought many more manufacturers, such as LG, Motorola, OnePlus, Google, and Sony allowing customers to unlock the bootloader, bypassing secure boot, without the need for exploits. The "custom ROMs" being used may include different features, require less power, or offer other benefits to the user.
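The two security controls this article keeps returning to are signature enforcement on system software (official firmware "only allows signed copies to run") and the bootloader unlock that, on the Android devices listed above, officially bypasses secure boot. The following is an added illustrative model of that boot-time check, not code from any console or Android vendor: a toy boot ROM holding only a public key verifies the next-stage image, refuses anything unsigned or tampered with while locked, and skips the check when the bootloader has been unlocked. The RSA key is deliberately tiny and the scheme is textbook RSA (no padding) so it runs with the Python standard library; real verified-boot implementations use large keys and padded schemes such as RSA-PSS or ECDSA, and the image bytes are constructed samples.

```python
"""Toy model of a signed-firmware boot check (illustrative, not vendor code).

Textbook RSA with a small fixed key, standard library only. Real boot ROMs
use large keys and padded signature schemes; this only shows the control.
"""
import hashlib

# Toy RSA key built from two well-known Mersenne primes (constructed for the demo).
_P = 2**31 - 1
_Q = 2**61 - 1
N = _P * _Q                              # public modulus, burned into the "boot ROM"
E = 65537                                # public exponent
_D = pow(E, -1, (_P - 1) * (_Q - 1))     # private exponent, held only by the vendor


def _digest_int(image: bytes) -> int:
    """SHA-256 of the image, reduced into the range of the toy modulus."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % N


def vendor_sign(image: bytes) -> int:
    """Vendor-side signing with the private key. Never present on the device."""
    return pow(_digest_int(image), _D, N)


def verify_signature(image: bytes, signature: int) -> bool:
    """Device-side check using only the public key (E, N)."""
    return pow(signature, E, N) == _digest_int(image)


def boot(image: bytes, signature: int, bootloader_locked: bool = True) -> str:
    """Model of a boot ROM/bootloader deciding whether to run an image.

    Locked: anything whose signature does not verify is refused, which is
    why running custom firmware on such a device needs an exploit.
    Unlocked: the check is skipped, which is the officially supported path
    that lets a custom ROM boot on the Android devices named in the text.
    """
    if not bootloader_locked:
        return "booted (unlocked: signature not enforced)"
    if verify_signature(image, signature):
        return "booted (signed)"
    return "refused (unsigned or tampered image)"


if __name__ == "__main__":
    official = b"OFW 1.00 constructed sample image"   # constructed sample
    custom = b"CFW constructed sample image"          # constructed sample
    sig = vendor_sign(official)
    print(boot(official, sig))                         # signed image passes
    print(boot(custom, sig))                           # reusing the signature fails
    print(boot(custom, 0, bootloader_locked=False))    # unlock skips the check
```

The point the model makes is that the device never holds the private key: with a locked bootloader the only ways to run a modified image are to obtain a vendor signature or to bypass the check itself, which is exactly the role the console exploits described on this page play.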

Other devices

Various other devices, such as digital cameras, wireless routers and smart TVs, may also run custom firmware. Examples of such custom firmware include: