Editing Softmod (section)

==Softmods for video game consoles==
===PlayStation/PSOne===
The original [[PlayStation (console)|PlayStation]] can be softmodded with the TonyHax exploit.<ref>{{cite web |last1=Del Sol Vives |first1=Marcos |title=TonyHax |url=https://orca.pet/tonyhax/ |website=Orca.pet |access-date=12 March 2023}}</ref> The exploit is compatible with all North American and European consoles except the launch model (SCPH-100x), but is not compatible with Japanese consoles. It is also compatible with early versions of the PlayStation 2 (SCPH-3900x or older), although only for booting PS1 discs. TonyHax can be booted either with a gamesave exploit (usually [[Tony Hawk's Pro Skater 2]], [[Tony Hawk's Pro Skater 3|3]], or [[Tony Hawk's Pro Skater 4|4]], hence the name, but several other games are also supported), or except on the PS2, directly from a specially-flashed memory card. The exploit allows the console to boot homebrew, foreign-region games, and [[CD-R]] copies. Some PlayStation models are partially incompatible (slow load times, skipping audio and video) with phthalocyanine CD-Rs, preferring the older standard [[CD-R#Dyes|cyanine]] discs. TonyHax is not a permanent exploit; the drive is re-locked when the console is powered off or rebooted, requiring the user to re-load the exploit every time a CD-R or foreign game is booted.

An older method was to boot an original legitimate disc with the lid close sense button held down, quickly swap the disc with a CD-R copy or foreign disc, remove that disc and reinsert the original, and then swap for the CD-R or foreign disc again. This had to be carefully timed, and if done incorrectly could damage the drive or disc(s).

===PlayStation 2===
The [[PlayStation 2]] has various methods of achieving a softmod.

Disc swapping was used early on to bypass the PlayStation 2 copy protection, by taking advantage of certain trigger discs such as ''007: Agent Under Fire'' or Swap Magic, homebrew could be loaded. This was done by inserting the trigger disc, blocking the lid open sensor then hotswapping with a homebrew disc. Although difficult to execute correctly, the universality of the method was often used in order to softmod.

One of the earliest softmods developed — the Independence Exploit — allows the PlayStation 2 to run homebrew by exploiting a buffer overflow in the BIOS code responsible for loading original PlayStation games. This method, however, only works on models V10 and lower, excluding the PlayStation 2 slim, while still requiring a disc to be burned.<ref>{{cite web|url=http://forums.afterdawn.com/thread_view.cfm/109289|title=How to make your own Memory Card Exploit using the Independence Installer|accessdate=April 24, 2013}}</ref>

FreeMcBoot is an exploit that works on all models except the SCPH-9000x series with BIOS v2.30 and up.<ref>{{cite web|last=|first=|date=|title=PS2 Softmod Install Tutorial|url=http://freemcboot.info/ps2%20ohje/indexe.html|url-status=live|archive-url=https://web.archive.org/web/20130321045221/http://freemcboot.info/ps2%20ohje/indexe.html|archive-date=March 21, 2013|accessdate=April 24, 2013|website=}}</ref> It requires no trigger disc and is able to directly load ELFs from the memory card.

Fortuna, Funtuna, and Opentuna are another form of memory card exploit. Unlike FreeMcBoot, they will work on the SCPH-9000x model, and they are compatible with third-party memory cards that do not support [[MagicGate]].

[[HD Loader]] is an exploit for PS2 models with the hard drive peripheral.

FreeDVDBoot is an exploit discovered in 2020 that requires burning a disc image loaded with a payload onto a DVD-R. It is compatible with a range of PlayStation 2 models and works by exploiting a buffer overflow in the PS2's DVD video functionality.<ref>{{Cite web|last=Orland|first=Kyle|date=2020-06-29|title=New hack runs homebrew code from DVD-R on unmodified PlayStation 2|url=https://arstechnica.com/gaming/2020/06/new-hack-runs-homebrew-code-from-dvd-r-on-unmodified-playstation-2/|access-date=2020-12-29|website=Ars Technica|language=en-us}}</ref>

MechaPwn<ref>{{cite web |title=MechaPwn |url=https://github.com/MechaResearch/MechaPwn |website=Github |access-date=12 March 2023}}</ref> is an exploit that permanently unlocks the DVD drive of the slim PS2 (and some later revisions of the fat PS2), allowing PS1 and PS2 discs from any region to be booted. PS1 CD-R copies can be booted directly from the PS2's built-in menu; PS2 CD-R/DVD-R copies require additional software to bypass the PlayStation 2 logo check.

In August 2024, a savegame exploit affecting multiple consoles and generations called ''TonyHawksProStrcpy''<ref name="TonyHawksProStrcpy">{{cite web|title=grimdoomer/TonyHawksProStrcpy|website=[[GitHub]]|url=https://github.com/grimdoomer/TonyHawksProStrcpy|accessdate=3 September 2024}}</ref> was released, which is present in multiple [[Tony Hawk's]] titles for the PlayStation 2. It can be used to execute unsigned code.

===PlayStation 3===
The [[PlayStation 3]] has a couple of methods to achieve a softmod. All models of PS3 can be softmodded.

Consoles that have factory installed (minimum firmware) version 3.55 or lower can install CFW ([[custom firmware]]) which is unofficial firmware. This includes: all fat models, slim 20xx and 21xx models, and 25xx models - the latter only if the console was manufactured before December 2010 (datecode 0D or less is guaranteed; 1A is maybe). These guidelines assume a console has not been taken to Sony to be serviced, as Sony may update the factory installed firmware. Slim 30xx and all super slim models cannot currently install CFW. 

Installing CFW was made possible with [[code signing]] after the PS3's master key was leaked.<ref>{{Cite news|url=https://www.bbc.co.uk/news/technology-20067289|title=PlayStation 'master key' leaked online|website=[[BBC UK]]|date=24 October 2012|access-date=29 August 2024|archive-date=|archive-url=}}</ref> Sony changed the key with firmware 3.56. If a vulnerable console has official firmware above 3.55 installed, the flash can be patched via a WebKit exploit which enables a CFW install. Should the patching process be interrupted (e.g. [[power outage]]), it can [[brick (electronics)|brick]] the console.

CFW grants complete control over the console, having access to LV0 (bootloader), LV1 (hypervisor), and LV2 (kernel/GameOS). This allows the running of homebrew, load game backups, bypass region checks, enter Factory Service Mode, change fan speed, RSX speed, grant access to root keys, as well as run PS2 ISOs on unsupported backwards compatible models (via software emulation). Some CFW implementations reinstate features Sony removed such as "OtherOS".

The most supported PS3 CFW is ''Evilnat Cobra''.<ref>{{cite web|title=Evilnat/Cobra-PS3|website=[[GitHub]]|url=https://github.com/Evilnat/Cobra-PS3|accessdate=12 September 2024}}</ref> 

The other softmod is ''PS3HEN''<ref>{{cite web|title=PS3Xploit/PS3HEN|website=[[GitHub]]|url=https://github.com/PS3Xploit/PS3HEN|accessdate=12 September 2024}}</ref> (HEN). HEN is supported by all PS3 models. In order to use HEN, it is required to install HFW (hybrid firmware), another kind of unofficial firmware. During the HEN setup process, a WebKit exploit is used to install a signed file through the PS3 Web Browser which sets up HEN on the PS3's storage. This adds a shortcut to enable HEN whenever the console is powered on, which leverages additional exploits to grant LV2 kernel/GameOS access. As such, this is a tether softmod, meaning HEN has to be activated every time the console is powered on. This softmod shares core CFW features - running homebrew, load backups of games, bypass region checks, change fan speeds, and play installed PS2 Classics PKGs. The unofficial PS2 backwards compatibility is diminished as users can only run PS2 Classics encrypted PKGs instead of ISOs. Also, the hypervisor (HV) is still active and periodically checks if the current code being executed is unsigned; there is a small chance it can lead to the console becoming unresponsive or shutting down, making HEN less stable than CFW.

In March 2025, a hardware-software HV exploit called ''BadHTAB''<ref>{{cite web|title=aomsin2526/BadHTAB|website=[[GitHub]]|url=https://github.com/aomsin2526/BadHTAB|accessdate=26 April 2025}}</ref> was disclosed. It grants access to LV1 (HV) on non-CFW consoles, allowing for some CFW features such as loading a [[Linux distribution]] that HEN does not support. This is a tether softmod and will need to be activated every time the console is powered on.

===PlayStation 4===
The [[PlayStation 4]] has ways to achieve a softmod. Most require a userland exploit as the entry point, which can be either [[WebKit]] vulnerabilities in the PS4 Web Browser, or a savegame exploit. All models of PS4 can be softmodded. They are all tether exploits meaning they have to be performed every time the console is powered on, although some exploits may be persisted using rest mode.

Softmodding a PS4 allows for homebrew, loading game backups, bypass region checks, and change fan and CPU/GPU speeds. Some payloads can boot the PS4 into a [[Linux distribution]], although this is not permanent and the console will revert to Orbis OS on reboot.

Known firmware versions that allow for a softmod are: 1.76,<ref>{{Cite news|url=https://thehackernews.com/2015/12/sony-ps4-playstation-jailbreak.html|title=Hacker Confirms PlayStation 4 Jailbreak! Exploit Could Open Doors for Pirated Games|website=The Hacker News|date=14 December 2015|access-date=29 August 2024|archive-date=|archive-url=}}</ref> 4.05,<ref>{{Cite news|url=https://thehackernews.com/2017/12/ps4-jailbreak-kernel-exploit.html|title=Kernel Exploit for Sony PS4 Firmware 4.05 Released, Jailbreak Coming Soon|website=The Hacker News|date=27 December 2017|access-date=29 August 2024|archive-date=|archive-url=}}</ref><ref>{{cite web|title=Cryptogenic/PS4-4.05-Kernel-Exploit|website=[[GitHub]]|url=https://github.com/Cryptogenic/PS4-4.05-Kernel-Exploit|accessdate=29 August 2024}}</ref> 4.74, 5.05/5.07,<ref>{{cite web|title=Cryptogenic/PS4-5.05-Kernel-Exploit|website=[[GitHub]]|url=https://github.com/Cryptogenic/PS4-5.05-Kernel-Exploit|accessdate=29 August 2024}}</ref> 6.72,<ref name="ps4jb-6.72">{{cite web|title=sleirsgoevy/ps4jb|website=[[GitHub]]|url=https://github.com/sleirsgoevy/ps4jb|accessdate=29 August 2024}}</ref> 7.02,<ref>{{cite web|title=sleirsgoevy/PS4-webkit-exploit-7.02|website=[[GitHub]]|url=https://github.com/sleirsgoevy/PS4-webkit-exploit-7.02|accessdate=29 August 2024}}</ref> 7.55,<ref>{{cite web|title=sleirsgoevy/ps4jb2 at 75x|website=[[GitHub]]|url=https://github.com/sleirsgoevy/ps4jb2/tree/75x|accessdate=29 August 2024}}</ref> 9.00,<ref name="ps4jb-9.00">{{cite web|title=ChendoChap/pOOBs4|website=[[GitHub]]|url=https://github.com/ChendoChap/pOOBs4|accessdate=29 August 2024}}</ref> 11.00,<ref name="ps4jb-11.00">{{cite web|title=TheOfficialFloW/PPPwn|website=[[GitHub]]|url=https://github.com/TheOfficialFloW/PPPwn|accessdate=29 August 2024}}</ref> 12.02.<ref name="ps4jb-12.02-ps5jb-10.01">{{cite web|title=Al-Azif/psfree-lapse|website=[[GitHub]]|url=https://github.com/Al-Azif/psfree-lapse|accessdate=13 May 2025}}</ref>

It is worth noting the 9.00 exploit requires inserting a specially crafted [[USB flash drive]] into the console, and the 11.00 exploit to connect to a malicious [[Point-to-Point Protocol over Ethernet|PPPoE]] server over the [[Computer network|network]].

===PlayStation 5===
The [[PlayStation 5]] has ways to achieve a softmod. They rely on a userland exploit, which can be either [[WebKit]] vulnerabilities in the PS5 Web Browser, a specially crafted [[Blu-ray]] disc, or a savegame exploit, that is combined with a kernel (and optionally [[hypervisor]]) exploit. They are all tether exploits meaning they have to be performed every time the console is powered on, although some exploits may be persisted using rest mode.

Softmodding a PS5 allows running homebrew, load game backups, modify the PS4 backwards compatibility blacklist, install and run PS4 "FPKGs" (including PS4 homebrew and PS1/PS2/PS4 game backups), change fan speeds, and spoof firmware (which allows the install of games that require an update patch, and can also block updates). However, firmware spoofing will not allow games above the console's true firmware revision to load without the required update patch. The PS5 is also capable of playing patched PS4 titles above the PS4 [[frame rate]] cap of 60 FPS, such as [[Bloodborne]], at higher frame rates e.g. 120 FPS.

Compared to its predecessor the PS4, a userland and kernel exploit would have been enough to accomplish what is generally regarded as a true jailbreak by patching the kernel, however the PS5 has added security measures in comparison, mainly a hypervisor (HV) and eXecute Only Memory (XOM) which do not allow kernel patching - as a result not all kernel exploits on the PS5 can be leveraged due to these additional measures, and makes reverse engineering much more difficult. Despite this, several HENs (Homebrew ENablers) have been made that operate within the constraints of the HV and XOM to defeat enough security to enable a homebrew environment. After the first public HV exploit, HENs were adjusted to operate with the HV compromised (including the XOM being deactivated), providing better stability and functionality than HENs that don't leverage a HV exploit since kernel patching is now possible.

Known firmware versions that allow for a softmod are: 2.50,<ref>{{cite web|title=PS5Dev/Byepervisor|website=[[GitHub]]|url=https://github.com/PS5Dev/Byepervisor|accessdate=26 October 2024}}</ref> 4.51,<ref>{{cite web|title=Cryptogenic/PS5-IPV6-Kernel-Exploit|website=[[GitHub]]|url=https://github.com/Cryptogenic/PS5-IPV6-Kernel-Exploit|accessdate=29 August 2024}}</ref> 5.50,<ref>{{cite web|title=PS5Dev/PS5-UMTX-Jailbreak|website=[[GitHub]]|url=https://github.com/PS5Dev/PS5-UMTX-Jailbreak|accessdate=22 September 2024}}</ref> 7.61,<ref>{{cite web|title=hammer-83/ps5-jar-loader|website=[[GitHub]]|url=https://github.com/hammer-83/ps5-jar-loader|accessdate=1 June 2025}}</ref> 10.01.<ref name="ps4jb-12.02-ps5jb-10.01"/>

It is worth noting the 2.50 exploit compromises the kernel and HV, while the exploits up to 10.01 only compromise the kernel.

The IPv6 kernel exploit on the PS4 that led to the 6.72 jailbreak<ref name="ps4jb-6.72"/> was patched a few months prior to the release of the PS5, which was reintroduced on the PS5 with 3.00 firmware and affected up to 4.51 firmware. The exFAT filesystem kernel exploit that led to the 9.00 jailbreak<ref name="ps4jb-9.00"/> also affected PS5 firmware up to 4.03, however due to additional protections on the PS5 it is not possible to use this to softmod the PS5. The [[Point-to-Point Protocol over Ethernet|PPPoE]] kernel exploit that led to the PS4 11.00 jailbreak<ref name="ps4jb-11.00"/> also affected PS5 firmware up to 8.20, and is not known to softmod the PS5. The lapse kernel exploit that led to the PS4 12.02 jailbreak<ref name="ps4jb-12.02-ps5jb-10.01"/> could also be used to jailbreak the PS5, and affected up to 10.01 firmware.

In June 2023, a payload called ''libhijacker''<ref>{{cite web|title=astrelsky/libhijacker|website=[[GitHub]]|url=https://github.com/astrelsky/libhijacker|accessdate=24 June 2023}}</ref> was disclosed, becoming a reliable method of running homebrew and partially circumvents the HV, which works by creating a new, separate process by interacting with the PS5's [[Daemon (computing)|Daemon]], effectively acting as a background ELF loader. This is notable over previous ELF loaders such as the WebKit or Blu-ray methods since those ELF loaders were terminated when the corresponding process was stopped. Another advantage of this new method is that the newly separate process is not confined to the fixed maximum resource allocation of the WebKit or BD-J processes.

In July 2023, security researcher ''Flat_z'' disclosed<ref>{{cite web|title=Aleksei Kulaev on Twitter: finally... hello, PS5 PSP :)|website=[[Twitter]]|url=https://twitter.com/flat_z/status/1684554194366107650|accessdate=30 July 2023}}</ref> that they had read access to the PS5's Platform Secure Processor (PSP) which is one of the most protected parts of the system and contains crucial keys for decryption. In addition, they also confirmed they had successfully exploited the HV via a save game exploit chain. ''Flat_z'' said he does not intend to disclose his findings publicly, however he is using these exploits to further reverse engineer the PS5 now that he is able to decrypt more parts of the system.

In November 2023, scene developer ''LightningMods'' disclosed<ref>{{cite web|title=LM on Twitter: First ever PS5 Game Back up to be played, PPSA03527|website=[[Twitter]]|url=https://twitter.com/LightningMods_/status/1721713975929209075|accessdate=7 November 2023}}</ref> that they had managed to load and play a retail PS5 game backup.

In December 2023, scene developer ''LightningMods'' updated his ''Itemzflow''<ref>{{cite web|title=LightningMods/Itemzflow|website=[[GitHub]]|url=https://github.com/LightningMods/Itemzflow|accessdate=12 September 2024}}</ref> homebrew to support loading PS5 game backups.

In September 2024, a kernel exploit was disclosed for [[FreeBSD]] 11, which the PS5 software is based on. It can be leveraged on the PS5, which affects all firmware versions up to 7.61.<ref name="ps5jb-7.61">{{cite web|title=PS5Dev/PS5-UMTX-Jailbreak|website=[[GitHub]]|url=https://github.com/PS5Dev/PS5-UMTX-Jailbreak|accessdate=22 September 2024}}</ref> The bug is not present in FreeBSD 9 and as such the PS4 is unaffected.

In October 2024, security researcher ''SpecterDev'' disclosed<ref name="ps5jb-hv-2.50">{{cite web|title=PS5Dev/Byepervisor|website=[[GitHub]]|url=https://github.com/PS5Dev/Byepervisor|accessdate=26 October 2024}}</ref> two exploit chains that compromise the hypervisor, which affect all firmware versions up to 2.50.

===PlayStation Portable===
It is possible to softmod almost any [[PlayStation Portable]]. Using various exploits (such as the [[TIFF]] exploit or specially crafted savegames from games such as ''[[Grand Theft Auto: Liberty City Stories]]'', ''[[Lumines]]'', and later ''[[GripShift]]'') or original unprotected firmware, the user can run a modified version of the PSPs updater, that will install custom firmware. This newer firmware allows the booting of ISOs, as well as running unauthorized ([[PlayStation Portable homebrew|homebrew]]) code. A popular way of running homebrew code to softmod the PSP is by using the Infinity method.

===PlayStation Vita===
The [[PlayStation Vita]] can also be softmodded, with the most notorious methods being using: HENkaku Web Exploit, h-encore and h-encore².

===Xbox===
The [[Xbox (console)|Xbox]] used to include a font exploit installed through exploits in savegame code for ''[[MechAssault]]'', ''[[Tom Clancy's Splinter Cell (video game)|Splinter Cell]]'', ''[[Agent Under Fire (video game)|007: Agent Under Fire]]'', and ''[[Tony Hawk's Pro Skater 4]]''. Usage of the ''Splinter Cell'' or ''Tony Hawk's Pro Skater 4'' disc is generally recommended as any version of the game will run the exploit, whereas certain production runs of Mechassault and ''Agent Under Fire'' are needed to use the exploit. Originally, via a piece of software called "MechInstaller" created by members of the Xbox-linux team, an additional option could be added to the Xbox Dashboard for booting [[Linux]].

The font hack works by exploiting a buffer underflow in the Xbox font loader which is part of the dashboard. Unfortunately, since the Xbox requires the clock to be valid, and the dashboard itself is where one sets the clock, there is a problem if the [[Real-time clock|RTC]] [[backup capacitor]] discharges.  The Xbox will detect that the clock is not set and therefore force the dashboard to be loaded; the dashboard then reboots due to the buffer overflow exploit.  Upon restarting, the Xbox detects the clock is invalid and the process repeats. This problem became known as the "clockloop".<ref>{{cite web|title=The Official Clock Loop Thread|url=http://forums.xbox-scene.com/index.php?/topic/200248-the-official-clock-loop-thread/|accessdate=26 April 2016}}</ref>

In August 2024, a savegame exploit affecting multiple consoles and generations called ''TonyHawksProStrcpy''<ref name="TonyHawksProStrcpy"/> was released, which is present in multiple [[Tony Hawk's]] titles for the Xbox. It can be used to execute unsigned code.

===Xbox 360===
All models of [[Xbox 360]] can be softmodded.

Softmodding an Xbox 360 allows users to run homebrew, load game backups (including original [[Xbox console|Xbox]]), bypass region checks, and change fan speeds. Some payloads can boot the Xbox 360 into a [[Linux distribution]], although this is not permanent and the console will revert to the [[Xbox system software#Xbox 360 system software|Xbox system software]] on reboot. 

Shortly after the release of the Xbox 360, ways were found to modify the firmware of the [[DVD drive]] of the console. This allows the system to play games from "backup" (non-original) game discs. This requires opening of the console but no additional hardware such as a [[modchip]] is permanently installed into the system. Microsoft responded by introducing [[Ban (Internet)|console ban]] system. If the data stream from the DVD drive indicated signs of unauthorized use, Microsoft would permanently ban the console from using the [[Xbox Live]] service. The ban never expires and can only be fixed by purchasing another console. Other measures, such as introducing new hardware revisions to prevent modifications and checking/updating the drive firmware during dashboard updates, have been made too.

In January 2007, a HV (hypervisor) exploit was patched with dashboard 2.0.4552.0,<ref>{{cite web|title=Full Disclosure: Xbox 360 Hypervisor Privilege Escalation Vulnerability|website=SecLists.Org|url=https://seclists.org/fulldisclosure/2007/Feb/613|accessdate=8 March 2025}}</ref> where it could be leveraged in some previous dashboards (2.0.4532.0 and 2.0.4548.0), which granted full control over the console. This was commonly chained with a modified version of the [[King Kong (2005 video game)|King Kong]] video game for the Xbox 360, made possible using an Xbox 360 with a modified DVD drive that was able to boot unofficial game copies. It was discovered the King Kong game contained poorly coded [[shader]]s which could be specially crafted to allow for arbitrary code execution. This became known as the infamous King Kong exploit.

In August 2024, a savegame exploit affecting multiple consoles and generations called ''TonyHawksProStrcpy''<ref name="TonyHawksProStrcpy"/> was released, which is present in [[Tony Hawk's American Wasteland]] for the Xbox 360. It can be used to execute unsigned code. The [[Xbox (console)|Xbox]] version of the game does not contain the exploit on the Xbox 360.

In March 2025, a HV exploit called ''Bad Update'' was disclosed<ref>{{cite web|title=grimdoomer/Xbox360BadUpdate|website=[[GitHub]]|url=https://github.com/grimdoomer/Xbox360BadUpdate|accessdate=8 March 2025}}</ref> which affected all dashboards up to and including the latest version (2.0.17559.0 at the time of release). This exploit chain uses a savegame exploit as the entry point, granting full control over the console. It requires a specially crafted [[USB flash drive]]. It is a tether exploit meaning it has to be performed every time the console is powered on. On release, the exploit was configured to use a [[Tony Hawk's American Wasteland]] savegame as the entry point, a disk game that is not common. However, a couple days later the game [[Rock Band Blitz]] was added, which has a [[Game demo|trial version]], that can be played from a USB flash drive. Unlike the JTAG/RGH hardmod exploits which could only be applied to specific Xbox 360 models, this softmod works on all models.

In March 2025, a payload called ''FreeMyXe'' was disclosed<ref>{{cite web|title=InvoxiPlayGames/FreeMyXe|website=[[GitHub]]|url=https://github.com/InvoxiPlayGames/FreeMyXe|accessdate=10 March 2025}}</ref> which was designed to be used alongside the ''Bad Update'' exploit chain. It patches the HV and kernel to run [[code signing|unsigned code]], effectively acting as a HEN (Homebrew ENabler).

===Xbox One===
The [[Xbox One]] went through its lifecycle without having its security compromised. However, in June 2024, a userland exploit was disclosed for a [[Microsoft Store]] app called Game Script that had a bug which allowed for arbitrary code execution. Microsoft removed the app from the store a few days after disclosure, effectively patching the vulnerability for those who did not have it downloaded already.

A couple of weeks later, the same developer who published the userland exploit released a follow-up release which achieves kernel access while in Retail mode. This is roughly equivalent in functionality if the console was in Developer mode. Due to the Xbox One's security architecture, the console security is still mostly intact and further mitigations are necessary in order to become a HEN (homebrew enabler).

A payload exists that starts a [[Shellcode#Remote|reverse shell]] on the console over the network, which for example can be used to browse the console's filesystem and create directories.

===Xbox Series X and Series S===
The [[Xbox Series X and Series S]] are vulnerable to the same exploits for the Xbox One, and similarly have security measures where the console security is still mostly intact and further mitigations are necessary in order to become a HEN (homebrew enabler).

===GameCube===
There was an exploit within the game [[Phantasy Star Online]] port for the GameCube. It used the network adapter to download a malicious update containing unsigned code.

In August 2024, a savegame exploit affecting multiple consoles and generations called ''TonyHawksProStrcpy''<ref name="TonyHawksProStrcpy" /> was released, which is present in multiple [[Tony Hawk's]] titles for the [[GameCube]]. It can be used to execute unsigned code.

===Wii===
The first known softmod for the [[Wii]] is known as the Twilight hack,<ref>{{cite web|title=lewurm/savezelda|website=[[GitHub]]|url=https://github.com/lewurm/savezelda|accessdate=12 September 2024}}</ref> a savegame exploit for the Wii version of [[The Legend of Zelda: Twilight Princess]]. This allowed users to run [[code signing|unsigned code]] {{Not a typo|.dol}}/[[.elf]] files.

The Twilight hack was superseded by the development of Bannerbomb,<ref>{{cite web|title=Bannerbomb|website=WiiBrew|url=https://wiibrew.org/wiki/Bannerbomb|accessdate=1 June 2025}}</ref> which allowed for executing unsigned code without relying on an exploit within a game. Bannerbomb worked by using a malformed banner to [[code injection|inject]] a loader program into the [[Wii Menu]] program in [[computer memory|memory]]. As the Wii Menu crashed, an unsigned executable was executed.

Bannerbomb was superseded by Letterbomb,<ref>{{cite web|title=fail0verflow/letterbomb|website=[[GitHub]]|url=https://github.com/fail0verflow/letterbomb|accessdate=12 September 2024}}</ref> which used a glitch in the [[Wii Message Board]] to crash the Wii Menu.

FlashHax<ref>{{cite web|title=Fullmetal5/FlashHax|website=[[GitHub]]|url=https://github.com/Fullmetal5/FlashHax|accessdate=12 September 2024}}</ref> superseded Letterbomb, which used an exploit in the Wii's [[End-user license agreement]] to run unsigned code, requiring the Internet Channel to be installed.

str2hax<ref>{{cite web|title=Fullmetal5/str2hax|website=[[GitHub]]|url=https://github.com/Fullmetal5/str2hax|accessdate=12 September 2024}}</ref> superseded FlashHax,  which simplified the process even further. str2hax uses a custom DNS server to redirect the Wii's End-user license agreement page to a modified page that executes unsigned code, without the need for the Internet Channel.

BlueBomb<ref>{{cite web|title=Fullmetal5/bluebomb|website=[[GitHub]]|url=https://github.com/Fullmetal5/bluebomb|accessdate=12 September 2024}}</ref> was later released that leveraged a [[Bluetooth]] exploit, in particular used to softmod the Wii Mini which could not use the Internet Browser as an exploit entry point.

Exploits typically allowed the install of the [[Homebrew Channel]], an unofficial Wii channel which acted as a gateway to run unofficial Wii applications.

A large [[Wii homebrew|homebrew]] community emerged for the Wii, leading to developments such as the Homebrew Channel, third-party games, media players, and the loading of Wii and [[GameCube]] game backups.

===Wii U===
The [[Wii U]] can be softmodded with various exploits. The easiest way to softmod a Wii U is [[WebKit]] vulnerabilities in the Wii U Internet Browser. Softmodding a Wii U can allow for a [[custom firmware]] install.

The most supported CFW is ''Aroma''.<ref>{{cite web|title=wiiu-env/Aroma|website=[[GitHub]]|url=https://github.com/wiiu-env/Aroma|accessdate=10 May 2025}}</ref>

Softmodding a Wii U allows for homebrew, unlock GameCube backwards compatibility, load game backups, bypass region checks, and change fan and CPU/GPU speeds. Softmodding a Wii U does not automatically softmod the virtual Wii (vWii), although softmodding the Wii U beforehand can make softmodding the vWii easier.

Previously, a few ''Virtual DS'' games could be exploited with specially crafted savegames to install CFW. However, after the eShop closure this method is now impossible to do unless the game was downloaded pre-closure.

===Nintendo DS/DS Lite===
All versions of the [[Nintendo DS]] as well as the [[Nintendo DS Lite]] can be softmodded using FlashMe: an exploit that can be installed using any PassMe compatible [[flashcart]]. The exploit consists of shorting two pins with any metallic object to make the NAND containing the firmware writable. The custom firmware  looks and acts exactly the same as the original DS firmware except for the fact you will not need a PassMe or Passcard to boot DS roms from Slot-2 flashcarts anymore. The standard version of FlashMe removes the DS intro screen (including the Warning screen) when booting up. This method also allows for a scrapped DS Lite AV/Out feature to be used again with a [[Hardmod]]
<ref>[https://wiki.gbatemp.net/wiki/FlashMe GBATemp Wiki] ''FlashMe.''</ref>

===Nintendo DSi/DSi XL===
The [[Nintendo DSi]] made it easier to softmod the console with the introduction of an [[SD card]] slot. The easiest method method was the Memory Pit exploit released in 2019. When the [[camera]] application is used to take a photo, it creates a file called <code>pit.bin</code> to store [[metadata]] information. This file is always located at <code>sd:/private/ds/app/484E494A</code> on the [[SD card]].<ref>{{Cite web |title=Nintendo DSi Camera - DSiBrew |url=https://dsibrew.org/wiki/Nintendo_DSi_Camera#pit.bin |access-date=2024-11-25 |website=dsibrew.org}}</ref> By modifying this file, a [[buffer overflow]] is created, crashing the system.<ref>{{Cite web |title=Memory Pit - DSiBrew |url=https://dsibrew.org/wiki/Memory_Pit |access-date=2024-11-25 |website=dsibrew.org}}</ref> External tools like Unlaunch write directly to the [[Flash memory|NAND]] storage of the DSi and creates a cold-boot scenario (i.e. the console can directly launch into the custom firmware without having to use other apps). Custom UI environments have been created, most notably TWiLight Menu++ which facilitates other programs like nds-bootstrap to launch homebrew software.

===Nintendo 2DS/3DS===
The [[Nintendo 3DS]] (and its [[Nintendo 2DS]] sibling) have become some of the most popular console platforms to softmod, as the procedure requires only the 2DS/3DS itself, and modifying its [[SD card|microSD card]]. All models of 3DS and 2DS can be softmodded, including the 'New' refresh models. Since the closure of the [[Nintendo eShop]] for the 2DS/3DS, softmodding has become popular in order to reinstate features that are now officially defunct.

The most well developed and commonly used CFW (Custom Firmware) is known as Luma3DS. It contains features such as EmuNAND (NAND redirection), running non-system menu payloads on boot, and installing homebrew titles to the main menu. A popular homebrew app used for piracy, known as Freeshop,<ref>[https://www.engadget.com/2016/12/29/nintendo-dmca-takedown-freeshop-3ds/] ''Freeshop Taken Down By Nintendo''</ref> was shut down by Nintendo with firmware 11.8 by requiring a title key authorization on the Eshop download servers, thus making all NUS downloaders<ref>[http://wiibrew.org/wiki/NUS_Downloader] ''NUS Downloaders''</ref> for the 2DS/3DS to no longer function.

===Nintendo Switch===
Early versions of the [[Nintendo Switch]] known as "V1 Unpatched" are vulnerable to a ReCovery Mode (RCM) hardware exploit<ref>{{Cite news|url=https://thehackernews.com/2018/04/nintendo-switch-linux-hack.html|title=Nintendo Switches Hacked to Run Linux—Unpatchable Exploit Released|website=The Hacker News|date=24 April 2018|access-date=1 September 2024|archive-date=|archive-url=}}</ref> by holding the Volume Up button, Power button, and Tegra home button (not usually accessible to consumers), which boots the device into RCM, then connecting via USB to another device which is able to push payloads. Tegra refers to the chip the Nintendo Switch uses, the [[Tegra#Tegra X1|Tegra X1]]. This was an oversight as RCM was intended to be used by Nintendo to service consoles and not the consumer themselves. It was discovered the Tegra home button could be emulated by [[short circuit|shorting]] pin 10 on the right JoyCon rail, initializing RCM. Once in this mode, an additional exploit in the Switch USB drivers can be leveraged to push payloads via USB to a Switch while in RCM to execute [[unsigned code]], such as install CFW (custom firmware). The RCM exploit is hardware based and cannot be patched by software fixes.

Some firmware revisions have had a limited number of softmods emerge, although if updated the exploits will have been patched.

The softmods allow running homebrew, installing CFW (RCM exploit), bypass region checks, load game backups, and change fan and CPU/GPU speeds. With the RCM exploit it is also possible to install an [[Android (operating system)|Android distribution]] as an additional boot option, in which the device becomes much more versatile for cross platform play (such as the [[Xbox Game Pass]]), allowing games from other platforms to be played. The JoyCons are fully functional in an Android environment, making it a strong competitor for tablet gaming.

The most supported Nintendo Switch CFW is Atmosphère.<ref>{{cite web|title=Atmosphere-NX/Atmosphere|website=[[GitHub]]|url=https://github.com/Atmosphere-NX/Atmosphere|accessdate=1 September 2024}}</ref>

Nintendo has put safeguards in place where if a console tries to connect to a Nintendo server with a modified bootloader, or an unauthorised copy of a game is currently loaded, the device will be either bricked instantly, or eventually bricked after sending telemetry data to Nintendo servers. Once bricked, the console will be fingerprinted by Nintendo and will never be able to access a Nintendo server again, blocking access to the eShop, online play, amongst other features.

In December 2023, a group of hackers unveiled the first [[flash cartridge]] for the Switch, dubbed the Mig Switch. This cartridge accepts a [[SD card|microSD]] card that contains game backups, and the user can alternate between the loaded game by re-inserting the cartridge. The Mig Switch is safe to use online as long as an officially backed up game is used. If the cartridge used pirated files, is used by someone else, or runs homebrew files, the Switch will be flagged and banned. Mig Switch works on all models and firmware, partially defeating some of the security in order to play game backups, and also run homebrew.