Hacking Switch boot procedure is now documented in switchbrew, and it has downgrade protection with fuses.

gabru

More info in: http://switchbrew.org/index.php?title=Package1

Downgrade check

The bootloader will check if someone attempted to downgrade it. A fuse array will be checked; if too many fuses are burnt, the bootloader will detect a downgrade attempt. The fuse array and the expected number of burnt fuses are different on unit type 0 (non-retail) and unit type 1 (retail).

Panic
The panic function does the following things:
  • It clears the stack
  • It disables(?) and clears the security engine
  • It sets a fuse (so that Nintendo knows that you attempted to mess with the bootloader)
  • It clears the key area
  • It clears the data for stage 2
  • It signals over the debug interface that a panic occurred until the Switch is reset.
 

Futurdreamz

They certainly took a pretty hardball stance on this system. Even if it does get hacked, it may be very possible that it will always be a difficult procedure, that kills online.


That reminds me... I wonder if Voice Chat is actually coming to the Switch, but only as a mandatory update that kills all exploits.
 


delta nite

Switchbrew said:
  • Registers are setup
  • A device (?) is powered on
  • Flags are set on the clock-reset registers
  • [3.0.0+] The security engine address is setup
  • [3.0.0+] Bit30 of offset 0x800 of the security engine is checked: if set, panic.
  • The SKU info is checked. If it doesn't match 0x83, panic.
  • Fuse coherency is checked, potentially panicking.
  • The copy of the BCT left by the bootROM is checked. If the version field doesn't match the expected version field, panic.
  • Anti-downgrade fuses are checked, potentially panicking.
  • [1.0.0-2.3.0] Fuse programming is disabled until next reboot.
  • The memory controller is powered on and setup to allow GPU DMA to the IRAM. This will be needed to interact with the Falcon and with the security engine.
  • [1.0.0-2.3.0] The security engine address is setup
  • [1.0.0-2.3.0] Bit30 of offset 0x800 of the security engine is checked: if set, panic.
So apparently 3.0.0 made a few changes to the order in which security engine setup happens. Maybe they became aware of a possible exploit happening on older versions?
 

migles

Does this mean that if someone does attempt to downgrade the Switch, the fuses will be blown and you have to send it to Nintendo for repair?
Or is it that type of self-resetting fuse?
 
Deleted User

Ask the people over at the 360 Scene what Efuses can do lol

Many people will blow up the Switches soon...
 

FAST6191

meh this is what xbox 360 had, still got raped.
Did the 360 have a tamper flag? I don't recall mention of this (mostly just if you flashed the wrong NAND flash the right one and try again, that or hope you did not burn a few more fuses by flashing a current update or something).
While I am fully prepared for it to be rendered moot by something it would on the face of it seem to be a fairly fundamental change, at least as far as ease of exploration and care needed for end users of the hacks.
 

XDee

meh this is what xbox 360 had, still got raped.

Xbox360 had 2 security flaws which allowed for this to happen: it had separate power supply pin for the fuses, and the early versions of firmware didn't check for the presence of voltage on the fuse supply pin. None of the modern CPUs have separate supply for security fuses anymore, the lesson has been learned. Not saying the Switch is immune to hacking, but probably it will be more difficult than just desoldering the power resistor to disable the fuses.
 

Gnarmagon

The switch doesn't have an "OTP dump"...I don't think you understand what those words mean...
What exactly do you mean by this?
Do you mean the Switch doesn't have the OTP keys, or that there is no exploit available to get them?

The OTPs are used for signing/encrypting the payloads to be legit on our consoles?
Does only the 3DS have the OTPs? (I am sure that I heard Derrek talking about Wii U OTP dumping at 33c3.)

-> For a loaderhax on the Switch, are the OTPs required?
-> Hopefully in 3 years a version below 3.0.0 is not required for dumping them, so I don't have to downgrade...

Please excuse that I am talking in questions :(
 

PabloMK7

Some are not understanding what the fuses do. In the process of updating the console, it burns a certain number of fuses. Let's say that for 3.0 the CPU has exactly 3 fuses burnt (the update process burns them). Then you successfully downgrade to 1.0. Since having version 1.0 means you should have ONLY a single burnt fuse, the bootrom will detect that you have 3 fuses burnt (because you updated to 3.0 at some point), so it will panic. And no, there is no way to un-burn the fuses.
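The fuse-count check described in the post above, as an added C sketch that is not part of the original thread and not Nintendo's code. The fuse counts (1 for 1.0, 3 for 3.0) are the post's hypothetical numbers, and the `fuse_bank` type and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simulated one-time-programmable fuse word: a bit can go 0 -> 1, never back. */
typedef struct { uint32_t fuses; } fuse_bank;

typedef enum { BOOT_OK = 0, BOOT_PANIC = 1 } boot_result;

/* Number of burnt fuses (set bits). */
static unsigned burnt_count(const fuse_bank *b) {
    unsigned n = 0;
    for (uint32_t v = b->fuses; v != 0; v &= v - 1) n++;
    return n;
}

/* Update path: burn fuses until `expected` are set. Only ever ORs bits in,
 * so asking for a lower count than is already burnt changes nothing. */
static void burn_to(fuse_bank *b, unsigned expected) {
    for (unsigned bit = 0; bit < 32 && burnt_count(b) < expected; bit++)
        b->fuses |= (uint32_t)1 << bit;
}

/* Boot-time check made by a bootloader built for a firmware that expects
 * `expected` burnt fuses: more than that means a newer firmware ran before. */
static boot_result downgrade_check(const fuse_bank *b, unsigned expected) {
    return burnt_count(b) > expected ? BOOT_PANIC : BOOT_OK;
}

/* Hypothetical counts from the post's example: 1.0 -> 1 fuse, 3.0 -> 3 fuses. */
enum { EXPECTED_FW_1_0 = 1, EXPECTED_FW_3_0 = 3 };

/* Replays the scenario: install 1.0, update to 3.0, then try to boot 1.0. */
boot_result boot_old_after_update(void) {
    fuse_bank bank = { 0 };
    burn_to(&bank, EXPECTED_FW_1_0);
    burn_to(&bank, EXPECTED_FW_3_0);
    return downgrade_check(&bank, EXPECTED_FW_1_0);   /* 3 burnt > 1 expected */
}

/* Control case: the current firmware still boots on the same fuse state. */
boot_result boot_current_after_update(void) {
    fuse_bank bank = { 0 };
    burn_to(&bank, EXPECTED_FW_3_0);
    return downgrade_check(&bank, EXPECTED_FW_3_0);   /* 3 burnt, 3 expected */
}

int main(void) {
    printf("boot 1.0 after 3.0 update: %s\n",
           boot_old_after_update() == BOOT_PANIC ? "panic" : "ok");
    printf("boot 3.0 after 3.0 update: %s\n",
           boot_current_after_update() == BOOT_PANIC ? "panic" : "ok");
    return 0;
}
```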
 
Deleted-355425

Just use exploits for current firmwares, fuck the efuses.

--------------------- MERGED ---------------------------

Just to add, this is an effective method, but come on, people, this is Nintendo we are talking about... and exploits are going to be found throughout the Switch's whole firmware life.
 