Hack Your Nintendo Alarmo to Run Whatever Code You Want

The Nintendo Alarmo isn’t even available to the public yet and GaryOderNichts has managed to hack the device to make it run custom code.

Cameron Coward
1 year ago | Gaming / Displays / Clocks

We’ve seen Nintendo release a lot of interesting hardware over the years, in addition to their actual video game consoles and the typical console accessories (like controllers). Examples include the Nintendo Labo line of educational toys and Mario Kart-themed RC cars. Now, Nintendo is set to release their new Alarmo product and though it isn’t even available to the general public yet, GaryOderNichts has managed to hack the device to make it run custom code.

The Nintendo Alarmo is, essentially, a fancy alarm clock. It has a big screen where it can display imagery from your favorite Nintendo games, a speaker for playing sound effects from those games, and a big LED-lit button on top that looks kinda neat. Its killer feature, aside from the official first-party game references, is millimeter wave sensor-based motion detection. That enables interactions like detecting when you get out of bed, so it can automatically silence the alarm — no blearily slapping the button in the morning necessary.

Right now, members of the Nintendo Switch Online service can pre-order a Nintendo Alarmo for the November 13th release, while the general public will have to wait until March of 2025 to get theirs. But Gary got an early release device and has already hacked it.

Gary saw that a Twitterer named Spinda had already cracked open their Alarmo and found some debug pins on the PCB, which motivated him to take a look inside his own device. There he found an STM32H7 microcontroller and 4GB eMMC storage. He and Spinda were able to poke around until they found the exploits they needed to gain practical control over the encrypted Alarmo firmware.

It goes something like this:

When the Alarmo turns on, the STM32H7 spins up its cryptographic processor from its own internal flash. It then uses that to pull encrypted firmware called 2ndloader from the eMMC storage. 2ndloader enables USB and checks for any secondary firmware updates, which are encrypted. If it finds one, it installs it. If not, it loads the secondary firmware from eMMC storage into RAM. From there, it continues happily.

By creating his own properly encrypted secondary firmware and placing it in USB mass storage, Gary was able to convince the Alarmo to load and begin using his own custom code.

The trick was, of course, figuring out how to decrypt the official encrypted files and how to encrypt arbitrary new files. Gary and Spinda achieved that by dumping the communication between the STM32H7 and eMMC during that startup process — communication that contains the AES-128-CTR encryption key. Finding the key within the dumped communication was a brute force task, but one that Gary was able to perform in a few hours while he slept.

Since Gary learned the structure of the encryption key, he was able to create a much more efficient program that people can use to brute force the key from their devices in just a few minutes. Those folks can then use that key (or just take Gary’s word for it and use his) to encrypt and flash their own firmware to make their Alarmo devices do whatever they want.
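The flow described above implies that being correctly encrypted with the AES-128-CTR key is all an update needs in order to be accepted. As an added example (not code from the article, from Gary, or from Nintendo), this Go program contrasts a loader that only decrypts with one that also verifies a signature using a public key stored on the device. The function names, key, IV, image strings, and the choice of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"fmt"
)

// ctr applies AES-128-CTR; encrypting and decrypting are the same operation.
func ctr(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// loadEncryptedOnly models a loader whose only gate is decryption. CTR never
// fails, so any image produced by a holder of the AES key is accepted.
func loadEncryptedOnly(key, iv, image []byte) []byte { return ctr(key, iv, image) }

// loadSigned also requires an Ed25519 signature over the ciphertext. The device
// holds only the public key, so knowing the AES key is not enough.
func loadSigned(key, iv, image, sig []byte, pub ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(pub, image, sig) {
		return nil, fmt.Errorf("signature check failed: image rejected")
	}
	return ctr(key, iv, image), nil
}

// demo runs both loaders on constructed inputs and returns what each did.
func demo() (encOnly string, unsignedErr error, signedVendor string) {
	key := []byte("constructed-key!") // constructed 16-byte key, treated as disclosed
	iv := make([]byte, aes.BlockSize) // constructed all-zero IV
	pub, priv, _ := ed25519.GenerateKey(nil)
	vendor := ctr(key, iv, []byte("vendor firmware"))
	custom := ctr(key, iv, []byte("custom firmware")) // made with the AES key alone
	encOnly = string(loadEncryptedOnly(key, iv, custom))
	_, unsignedErr = loadSigned(key, iv, custom, ed25519.Sign(priv, vendor), pub)
	fw, _ := loadSigned(key, iv, vendor, ed25519.Sign(priv, vendor), pub)
	return encOnly, unsignedErr, string(fw)
}

func main() {
	fmt.Println(demo())
}
```

The second call reuses the vendor image's signature on the custom image, which shows that the signature is bound to the exact ciphertext and cannot be carried over to a different one.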

And yes, Alarmo can now run Doom.

Cameron Coward
Writer for Hackster News. Proud husband and dog dad. Maker and serial hobbyist. Check out my YouTube channel: Serial Hobbyism