Hacking [FAQ] eFuses

[The9thBit]

It seems that a lot of people don't fully grasp the situation with eFuses. So, I figured I'd go ahead and write out an FAQ for them.

Edit: Made some corrections.

Q: eFuses? What?
A: The Nintendo Switch contains things called eFuses that can be blown on command. The system checks on every boot how many fuses are intact, and if too many have already been burnt, it will panic, stop the boot process, and lock up. If not enough have been burnt, it will burn more. Different firmware versions require different numbers of fuses to be blown (generally going upward every now and then from 1.0).

Q: So how is that supposed to prevent downgrading?
A: Downgrading would involve switching to a firmware that expects a lower number of fuses to be burnt than already have. There's no way around this, so the older firmware just won't boot.

Q: Can't we just unburn the eFuses?
A: eFuses are physical objects, and burning them involves physically destroying or permanently modifying part of it. There is no way to reverse this process through software.

Q: Then can't we just replace them?
A: These are microscopic objects embedded into the CPU. It would be easier and more cost effective to replace the entire CPU.

Q: Why can't we just replace the entire CPU then?
A: If you really want to disassemble your Switch and replace the CPU, be my guest. For the rest of us, it's just not practical.

Q: Is there some way to just skip the eFuse check?
A: We don't know yet.

Q: So is downgrading impossible then?
A: Not necessarily. The modding community has overcome harsh security measures in the past, so they could still overcome this one. It just so happens that this one is extremely difficult.

Q: What does this mean for emuNAND and Custom Firmware?
A: emuNAND would still check the eFuses when starting up, just like the system itself does, and act in the same way. This means that, unless sysNAND and emuNAND are on the same firmware, your system would probably end up bricked after starting emuNAND just once.
EDIT: As pointed out by multiple other users, emuNAND would have to be very poorly implemented for this to be an actual problem.

Q: Would [insert elaborate hypothetical solution here] work?
A: Maybe. Probably not, but maybe.

Q: So does this mean I shouldn't update?
A: If you care about homebrew and/or CFW, you shouldn't update anyway, for other reasons.

Q: What eFuse counts do the different firmware versions expect?
A: http://switchbrew.org/index.php?title=Fuse_registers

 

[Pleng]

Q: Why can't we just replace the entire CPU then?
A: If you really want to disassemble your Switch and replace the CPU, be my guest. For the rest of us, it's just not practical.

You should probably explicitly state how this is impossible to achieve without specialist equipment costing thousands of pounds, just to avoid any confusion amongst people who might take this as something that can actually be achieved.

 

[DinohScene]

Q: Is there some way to just skip the eFuse check?
A: This check is baked into the boot process. There is very likely no way around it whatsoever.

RGH on the 360 doesn't care about fuse count.
It glitches the bootloader to load an older bootloader which is denied by the LDV consisting of the burnt fuses.

eFuse technology was a nice way of preventing downgrading, to bad it's flawed on itself.
It's likely Nintendo implemented it the same was as MS.

Correct me if I'm wrong.

 

[Zulnoth]

Q: What does this mean for emuNAND and Custom Firmware?
A: emuNAND would still check the eFuses when starting up, just like the system itself does, and act in the same way. This means that, unless sysNAND and emuNAND are on the same firmware, your system would probably end up bricked after starting emuNAND just once.

This sounds counter-intuitive. SciresM is saying that emunand will be possible on 1.0 (and maybe 2.x from what i'm reading today) - if the above was true, what would be the point of it? Emunand that is on the same firmware would be very limited use in a 1.0 environment - not even really worth working on.

 

[untok]

efuses are tiny 100 nm but i believe in future we could spoof how many are burnt. Its not an alien tec

 

[Lacius]

In response to the concern about eFuses and emuNAND:

Not a concern at all if you're both clever and careful.

Any emuNAND solution that jeopardizes [eFuses] would have to be a very poorly written solution.

 

[yeddish]

Is it known how many eFuses are burnt on the different FW versions so far?

 

[XxShalevElimelechxX]

Is it known how many eFuses are burnt on the different FW versions so far?

Yes, here ya go: http://switchbrew.org/index.php?title=Fuse_registers

 

[yeddish]

Yes, here ya go: http://switchbrew.org/index.php?title=Fuse_registers

Beautiful. Thanks.

 

[ArcLP]

Stupid question: Why can't we just modify the OS Firmware? Example: you're on 3.0.1 but you want to go to 3.0.0, Why can't you just change the check number of efuses from say, 4, to 5, (if check was 4 on 3.0.0, but there's now 5 blown due to your update). so it then checks for 5 instead of 4?

plez no besh, I am n0 exprt.

Also I barely understand the eFuse thing, though I think it is smart of Nintendo, but I still dislike it.

Hope I make sense to someone.

 

[ThisIsDaAccount]

Stupid question: Why can't we just modify the OS Firmware? Example: you're on 3.0.1 but you want to go to 3.0.0, Why can't you just change the check number of efuses from say, 4, to 5, (if check was 4 on 3.0.0, but there's now 5 blown due to your update). so it then checks for 5 instead of 4?

plez no besh, I am n0 exprt.

Also I barely understand the eFuse thing, though I think it is smart of Nintendo, but I still dislike it.

Hope I make sense to someone.

The OS includes a digital signature to verify it isn't modified. Overcoming it would require a numerical value that is at this point impossible to acquire without working at Nintendo.

 

[Ronhero]

Um... I really fail to see how system nand and emunand would need to be the same revision. Pretty sure SciresM already said it would not be a problem.

 

[lordelan]

Q: Is there some way to just skip the eFuse check?
A: We don't know yet.

Q: So is downgrading impossible then?
A: Not necessarily. The modding community has overcome harsh security measures in the past, so they could still overcome this one. It just so happens that this one is extremely difficult.

You should consider updating these.

 

[Digital_0xFF]

Q: Is there some way to just skip the eFuse check?
A: We don't know yet.

Outdated info

Edit: ups should read the comments first

 

[slaphappygamer]

R.I.P. Jan 2018

 

[Jhyrachy]

Question:
If I upgrade my switch with the 'efuse safe procedure' (the one that does not blow the efuse), I still wil need to boot EVERYTIME in a CFW? Or I can boot in the normal firmware too?

I need to upgrade the switch to use my 256Gb microSD, but I would love to keep a downgrade option

 

[M7L7NK7]

If you aren't starting through RCM it will burn the fuses

 

[Yoshimaster96]

Is it possible to downgrade to a version with the same number of required burnt fuses? For example, going from 5.1.0 to 5.0.0, since both require 6 burnt fuses?

 

[Deleted member 420418]

Is it possible to downgrade to a version with the same number of required burnt fuses? For example, going from 5.1.0 to 5.0.0, since both require 6 burnt fuses?

Yes, it is possible.

 

[chocoboss]

Yes you can

I think you can go lower if you use hekate but I'm not 100% sure xD

Edit : you can if you boot in cfw