Coldboot and you: Learning to love the tether
Hi guys, me again, with another explainy article that aims to clear up some of the confusion around coldboot, warmboot, the requirement for dongles and how your firmware version factors into all of this.
Let’s start at the beginning.
A coldboot method is a method of loading our own code that works from the point of turning the device on. No OS has been loaded, no bootloader code executed, no security enabled, etc. An exploit like this has enormous power, as it can do pretty much anything on the hardware that it wants. There is nothing to stop it, after all. A currently available coldboot exploit is Fusée Gelée.
And then there is the warmboot variety of method. It works on top of a running system, the Horizon OS on the Switch in our case. By using a flaw in the operating system we can trick it into running our own code. Depending on where the flaw is, we also inherit more or fewer privileges from the affected code. As such, these exploits aren’t usually as powerful as coldboot exploits. They can be, if the flaws happen to be in just the right places, but that is rarely the case. An example of this would be Jamais Vu.
“Wait a minute”, I hear you ask, “then why do so many people on GBATemp keep wondering when there will be a coldboot exploit? Didn’t you just say FG is a coldboot exploit?”
Indeed, my dear astute reader, I did say that. FG is a coldboot exploit that pretty much hands us the key to the kingdom. With one exception: We cannot change the bootrom in the Switch. This means that despite technically being able to replace any bit of code on the Switch, we cannot touch the bootrom that checks whether this code is valid and signed by Nintendo. The good news is that this applies to Nintendo as well: they simply cannot fix this bug in a firmware update, as they can’t change the affected code. The bad news: Neither can we. We need to use a method of injecting our code that bypasses the bootrom, since we can’t make it think our code is legit and made by Nintendo.
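To make the “bootrom checks the signature, and the bootrom is ROM” point concrete, here is a small chain-of-trust model. This is an added example, not code from the post or from any Switch project, and it deliberately does not model the real Tegra bootrom: the signature scheme is a hash-based Lamport one-time signature (chosen so the script runs with only the Python standard library; a real bootrom would use an asymmetric scheme such as RSA), and the vendor key pair, image format and the names `bootrom_boot`, `build_image` and `BOOTROM_ROOT_KEY_HASH` are all constructed for this illustration. What it does show is the structure the article describes: the only thing the immutable stage trusts is a hash of the vendor’s public key, so a firmware update can change any signed stage but can never change the check itself, and code signed with any other key, or altered after signing, is refused before it runs.

```python
"""Chain-of-trust toy: an immutable 'bootrom' check in front of updatable, signed stages.

Constructed example. Lamport one-time signatures stand in for the asymmetric
signature a real bootrom would use; keys and images here are made up.
"""
import hashlib
import secrets
from typing import Dict, List, Tuple

Pair = Tuple[bytes, bytes]
N = 256  # number of digest bits the Lamport scheme signs (SHA-256 output)


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen() -> Tuple[List[Pair], List[Pair]]:
    # Private key: N pairs of random 32-byte values. Public key: their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk


def digest_bits(msg: bytes) -> List[int]:
    d = int.from_bytes(h(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]


def lamport_sign(sk: List[Pair], msg: bytes) -> List[bytes]:
    # For each digest bit, reveal the private value that bit selects.
    # One-time: a key must sign only one message, or secrets leak.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]


def lamport_verify(pk: List[Pair], msg: bytes, sig: List[bytes]) -> bool:
    if len(sig) != N:
        return False
    return all(h(sig[i]) == pk[i][bit] for i, bit in enumerate(digest_bits(msg)))


def serialize_pk(pk: List[Pair]) -> bytes:
    return b"".join(a + b for a, b in pk)


# --- the immutable part: what ROM holds from the factory onwards ------------
VENDOR_SK, VENDOR_PK = lamport_keygen()              # constructed vendor key pair
BOOTROM_ROOT_KEY_HASH = h(serialize_pk(VENDOR_PK))   # the only thing ROM trusts


def bootrom_boot(image: Dict[str, object]) -> str:
    """Model of the ROM-resident check. Returns which stage ran, or a halt reason.

    Nothing in this function can be changed by a firmware update: in the model,
    as on the real hardware, it lives in ROM and is executed before any
    updatable code gets control.
    """
    pk = image["pk"]
    stage = image["stage"]
    if h(serialize_pk(pk)) != BOOTROM_ROOT_KEY_HASH:
        return "halt: unknown signing key"
    if not lamport_verify(pk, stage, image["sig"]):
        return "halt: bad signature"
    return "run:" + stage.decode()


# --- the updatable part: images anyone can build, but only one key passes ---
def build_image(sk: List[Pair], pk: List[Pair], stage: bytes) -> Dict[str, object]:
    return {"pk": pk, "stage": stage, "sig": lamport_sign(sk, stage)}


def demo() -> Dict[str, str]:
    vendor_image = build_image(VENDOR_SK, VENDOR_PK, b"stage1-v1")
    # A party with its own key: key hash does not match ROM, refused.
    other_sk, other_pk = lamport_keygen()
    foreign_image = build_image(other_sk, other_pk, b"third-party-stage1")
    # A vendor-signed image whose payload was altered after signing: refused.
    tampered_image = dict(vendor_image, stage=b"stage1-v1-modified")
    return {
        "vendor": bootrom_boot(vendor_image),
        "foreign": bootrom_boot(foreign_image),
        "tampered": bootrom_boot(tampered_image),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result}")
```

Two things to read off the model: the vendor can ship a new `stage` at any time and it boots, because it is signed with the key whose hash is burned in, whereas the verification logic and the root key hash are constants that no image can rewrite. That is exactly the situation the article describes: a flaw in the immutable check is permanent for everyone, and anyone without the vendor’s key has to get code running by some path that does not pass through that check.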
This method of injection is what we call a “tether”: A second device (PC/smartphone/mod dongle) attached to the USB port of our Switch that sends initial code over to it when the Switch is in RCM mode. So all currently fashionable methods (Fusée Gelée, ShofEL2, TX mod dongle/actual modchips) are what we call “tethered coldboot” methods.
What people mean when they ask “coldboot when?!” is “When will we get a coldboot method that doesn’t require me to plug another device into my Switch, my good sir?” to which the answer, sadly, appears to be: Never. A b9s for Switch will probably not happen.
Lucky for us, the FG exploit works on all firmwares and can never be patched in updates! This is old news, I know, but it has led many people to ask why they should even bother staying on lower firmwares. Here’s why:
Up there I mentioned warmboot exploits. Those run on top of the OS and rely on flaws in the Horizon OS or its associated code. This kind of exploit can and will be fixed by Nintendo in firmware updates once they come to their attention.
Right now, we know that there are a few of those around, lovingly called “Déjà Vu” over at ReSwitched. Enough of them, in fact, to have an exploit chain for total world domina- I mean, total control on the Switch up to - and including - firmware 4.1.0. Due to the changes made in firmwares 5 and above, parts of those don’t work anymore.
These exploits are not being made public at this point, the main reason being the impending release of Mariko, a new revision of the Switch that is assumed to have fixed the FG exploit before leaving the factory. When it does release, we’ll hopefully have at least something on our hands to get homebrew running on those.
So these unreleased methods are the main reason you should stay on firmware 4.1.0 or below, as they may allow us to boot into CFW without a device attached and don’t work in higher versions anymore.
If you are considering updating anyway just to get the newest patches to your favorite games or being able to play online, my advice is still: Don’t. Using Atmosphere you will be able to update its emuNAND to newer firmware versions while letting your actual sysNAND stay on the low, exploitable firmware that may eventually allow us to remove the need for a tether with a warmboot exploit. If you can handle waiting a few more weeks you really should.
In conclusion: The tether is here to stay for the foreseeable future. You should still not update. And now you know why.
As always: Any questions? Let me know below.