The Nintendo Switch RCM bug incident
The reason the Nintendo Switch’s RCM (Recovery Mode) exploit evolved from a legitimate system recovery mechanism into a powerful tool for console modding lies in a fundamental design flaw within its core chip, the NVIDIA Tegra X1. This flaw, later known as the “Fusée Gelée” vulnerability, exists in the very early boot process of the system. Because it resides at such a low level, hackers are able to inject unauthorized code before Nintendo’s security mechanisms are initialized, effectively bypassing the entire protection chain from the very start.
Under normal circumstances, RCM is intended as a low-level recovery mode for engineering and official repair purposes, allowing the system to be restored even when the main firmware is severely damaged. However, during the initial RCM stage, the Tegra X1 fails to properly validate certain USB data transfers. As a result, the console will accept specially crafted data packets without authentication. Hackers exploited this weakness by sending a carefully constructed payload via USB at the moment the system enters RCM, seizing control of the device before the official firmware has a chance to load.
In practice, entering RCM requires only a very simple piece of hardware, commonly known as a “jig,” which is inserted into the right Joy-Con rail to short specific pins. By holding the Volume Up button and pressing the Power button at the same time, the console is forced into RCM. Although the screen remains black, the system is actively waiting for USB commands. Once the Switch is connected to a computer via USB, a payload file—often a bootloader such as Hekate—can be transmitted from the computer, allowing custom code to run in this low-level environment.
Once a payload is successfully injected, the possibilities expand dramatically. Users can boot custom firmware (CFW), run homebrew applications, install and operate Linux, and even bypass Nintendo’s digital signature verification to execute unauthorized game backups. Because all of this takes place at the earliest stage of the boot process, official firmware security checks are unable to intervene in time. This is why the RCM exploit was quickly regarded within the modding community as a kind of “ultimate backdoor.”
When the vulnerability was first disclosed, many researchers believed it to be “effectively unpatchable.” The reason was simple: the flaw was not located in updateable system firmware, but in the CPU’s boot ROM—a read-only section of hardware logic. For consoles already shipped, Nintendo could not fix this issue through software updates alone. As a result, early Switch models were effectively permanently vulnerable to this form of exploitation.
Nintendo did not remain passive, however. In the early stages, the company attempted to mitigate the situation through firmware updates—such as those released after version 6.2.0—by blocking related software-level entry points and strengthening system-side detection and countermeasures. At the same time, Nintendo increasingly distinguished between “softmod” methods and modifications that required additional hardware, raising the technical risk and barrier for ordinary users.
The only truly definitive solution came at the manufacturing level. In later production runs of the Switch, Nintendo revised or replaced the Tegra X1 hardware to eliminate the flawed boot-stage logic. These consoles, commonly referred to by players as “patched units” or “red box models,” can no longer accept payloads through RCM. As a result, software-only exploits are largely ineffective, leaving only far more complex and invasive hardware modchip solutions as potential attack vectors.
In summary, the RCM exploit became a defining chapter in the Switch’s modding history because it stemmed from a design flaw inherent to the Tegra X1 itself, stripping early models of their hardware-level defenses. This dramatically lowered the barrier to console modification and forced Nintendo to rethink its hardware design, security strategy, and product segmentation. Only after the vulnerable chip revisions were fully phased out did this so-called “master key” finally fade into history.