Hacking Nintendo Switch bootrom dumped.

ShadowOne333

Defeat TrustZone and everyone in Re-Switched will probably buy you every game you'd ever want! You won't even need the flashkart.
So if I can my Switch's trust can I get mah bakups?
How do I do so, do I take my Switch to dinner or to the movies first?

But in all seriousness though:
To quote myself:


And now that I've learned that the bootrom is actually able to accept signed patches (thanks @SciresM), it's even more true. I thought Nintendo had only learned from the top down to protect against compromises, but it turns out they actually learned to protect the bottom of the pyramid as well.

The major difference from the PSP is that your Switch can be permanently blacklisted, so you have an either/or proposition of sorts to deal with. But as an emulator? It will be ace. nVidia's chip, Nintendo's spacemagic hardware durability and ergonomics. :switch:

The fourth little pig built his house out of blacklisted switches.
Wouldn't we be able to still play online if we have the original cart of the game while still having the emus in the system?
I assume the online blacklist would only apply if Nintendo detects something odd with the backup you are playing with.
 

Seliph

Ok, Nintendo will announce a console in 3 weeks. It was a short but nice lifespan for the Switch.

Wondering what that game was :P?
Ghoul Patrol for the SNES, complete in box with manual. I also found Mario RPG which is like 150.
 

V-Temp

But in all seriousness though:

Wouldn't we be able to still play online if we have the original cart of the game while still having the emus in the system?
I assume the online blacklist would only apply if Nintendo detects something odd with the backup you are playing with.

No, it's for detecting any degree of tampering/fw or flag mismatches. Your console has a unique, burned-in cert that they can blacklist if they detect anything fishy, and if they do, then your console is permanently banned.

Backups, tampered-with saves/game data, firmware issues, etc., it can all potentially get you banned.
 

ShadowOne333

No, it's for detecting any degree of tampering/fw or flag mismatches. Your console has a unique, burned-in cert that they can blacklist if they detect anything fishy, and if they do, then your console is permanently banned.

Backups, tampered-with saves/game data, firmware issues, etc., it can all potentially get you banned.
That's if I even pay them for the online service in the first place :lol:
 

TheMCNerd2017

No, it's for detecting any degree of tampering/fw or flag mismatches. Your console has a unique, burned-in cert that they can blacklist if they detect anything fishy, and if they do, then your console is permanently banned.

Backups, tampered-with saves/game data, firmware issues, etc., it can all potentially get you banned.
What do you mean that our consoles have a unique burned-in cert? I didn't see anything about it on Switchbrew. Also, wouldn't there be a way to load a different cert temporarily into RAM to bypass a ban (like how 3DS hyperbans can be bypassed)?
 

TheCyberQuake

What do you mean that our consoles have a unique burned-in cert? I didn't see anything about it on Switchbrew. Also, wouldn't there be a way to load a different cert temporarily into RAM to bypass a ban (like how 3DS hyperbans can be bypassed)?
Instead of being read from a file like on the 3DS, it reads from a hard-coded section of the Switch. Burned in, can't be modified.
 

TheMCNerd2017

Instead of being read from a file like on the 3DS, it reads from a hard-coded section of the Switch. Burned in, can't be modified.
So I assume it's stored in the same place where the Keys and other console-unique info is stored? And I assume the cert is not loaded into RAM either, which means that injecting a completely different one into RAM would not work?
 

V-Temp

What do you mean that our consoles have a unique burned-in cert? I didn't see anything about it on Switchbrew. Also, wouldn't there be a way to load a different cert temporarily into RAM to bypass a ban (like how 3DS hyperbans can be bypassed)?

The certificate key data is stored encrypted using keydata only available to TrustZone. This is burned in at the factory as the system rolls off the production line and is unique, as in only one number to one Switch, generated by some unknown entropic generator. The SSL module retrieves this on boot, passes it through TrustZone (through SPL), and it's decrypted and the system "identifies" itself.

Thus the Switch, at boot on the lowest level of security, is given an identity that is unique to it.

So I assume it's stored in the same place where the Keys and other console-unique info is stored? And I assume the cert is not loaded into RAM either, which means that injecting a completely different one into RAM would not work?

Yes, it's in TrustZone. And even if you could somehow bypass the check and pass in another 'identity', it would effectively be meaningless as it'd just be banned as well. As such no one will/would share their cert numbers, and you also cannot generate certs that do not exist.
 

dAVID_

But when will we be able to load gaems from SD???

I'm very happy that people want to dedicate their precious time into helping the community, and reverse engineering is always difficult.
 

TheMCNerd2017

The certificate key data is stored encrypted using keydata only available to TrustZone. This is burned in at the factory as the system rolls off the production line and is unique, as in only one number to one Switch, generated by some unknown entropic generator. The SSL module retrieves this on boot, passes it through TrustZone (through SPL), and it's decrypted and the system "identifies" itself.

Thus the Switch, at boot on the lowest level of security, is given an identity that is unique to it.

Yes, it's in TrustZone. And even if you could somehow bypass the check and pass in another 'identity', it would effectively be meaningless as it'd just be banned as well. As such no one will/would share their cert numbers, and you also cannot generate certs that do not exist.
Why would the other 'identity' get banned as well if you do manage to bypass the check? I assume Ninty checks for other inconsistencies as well (like mismatched unique data)?
 

SciresM

Why would the other 'identity' get banned as well if you do manage to bypass the check? I assume Ninty checks for other inconsistencies as well (like mismatched unique data)?

I think you misunderstand -- the identity itself is a piece of data Nintendo can verify the authenticity of. Changing it would break that, and you'd be rejected by default.
 
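As an added illustration (not code from this thread, from Nintendo, or from any Switch component), here is a minimal Python model of the gate V-Temp and SciresM describe: the server first checks that an identity was actually issued by it, and only then consults the blacklist, so a made-up identity is rejected outright and a genuine one stops working the moment it is revoked. The HMAC-based issuer tag, the key value and the serial numbers are constructed assumptions standing in for whatever Nintendo's real certificate scheme is.

```python
import hashlib
import hmac

# Constructed issuer key: in the thread's model this never leaves Nintendo's
# backend, so a console cannot mint a tag for an identity it invented.
ISSUER_KEY = b"constructed-issuer-key-not-a-real-secret"


def _tag_for(device_id: str) -> str:
    """Issuer-side authenticity tag over the device identity (hypothetical scheme)."""
    return hmac.new(ISSUER_KEY, device_id.encode(), hashlib.sha256).hexdigest()


def issue_identity(device_id: str) -> dict:
    """Provisioning step: bind a console-unique id to an issuer tag at the factory."""
    return {"device_id": device_id, "tag": _tag_for(device_id)}


def check_identity(cert: dict, blacklist: set) -> str:
    """Server-side gate: authenticity first, revocation second."""
    presented_tag = str(cert.get("tag", ""))
    # compare_digest avoids leaking tag bytes through timing differences.
    if not hmac.compare_digest(_tag_for(cert["device_id"]), presented_tag):
        return "rejected: identity was not issued by us"
    if cert["device_id"] in blacklist:
        return "rejected: identity is blacklisted"
    return "accepted"


def demo() -> dict:
    """Walk through the three cases the thread argues about."""
    blacklist: set = set()
    genuine = issue_identity("SN-CONSTRUCTED-0001")
    # An identity made up on the console: no issuer tag, so it fails before
    # the blacklist is even consulted (SciresM's "rejected by default").
    forged = {"device_id": "SN-CONSTRUCTED-9999", "tag": "00" * 32}
    results = {
        "genuine": check_identity(genuine, blacklist),
        "forged": check_identity(forged, blacklist),
    }
    # Tampering is detected on the genuine console, so its identity is revoked;
    # anyone reusing that same identity is locked out along with it.
    blacklist.add(genuine["device_id"])
    results["genuine_after_ban"] = check_identity(genuine, blacklist)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```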

V-Temp

Not trying to be a smartass, but what free services? The eShop, BookFace/Twatter integration and what else? The console hardly has any services or extra features.

NicoNico, Netflix (not yet live), games with free online components, etc. Anything that has to go through Nintendo will be blocked. Now, some services may not do such checks and will just go to their owner's services, but they are also usually subscription services anyway, so you're not really gaining anything.

Pokemon, for instance, I expect to be free/have many free elements such as trading/battling because of all of the children who will be playing the game.
 

TheMCNerd2017

I think you misunderstand -- the identity itself is a piece of data Nintendo can verify the authenticity of. Changing it would break that, and you'd be rejected by default.
And changing it to a different one (even temporarily) breaks the authenticity. Actually, what happens if you try to connect to online services if you are banned? Does it display an error message like the 3DS?
 

Classicgamer

Great job!

As a layman I love learning about the technicalities of the Switch and how it works. I have a second 3.0.0 Switch in the drawer just waiting for superb portable emulation. I’d love to help test stuff. It’s great having such a powerful portable being cracked open for homebrew.

The primary Switch is 100% digital purchases; I don't need carts holding me back.
 

DocAmes1980

And changing it to a different one (even temporarily) breaks the authenticity. Actually, what happens if you try to connect to online services if you are banned? Does it display an error message like the 3DS?

I think it's safe to assume that yes, it does. I know you were asking SciresM but your question is kinda pointless. The anticipation of knowing what the banned error msg says will be satiated when people start getting blacklisted. I'm pretty sure the msg would originate from Nintendo's end so I don't see the devs being able to find it in the system software. It's nice to see the devs on here. I don't think we should inundate them with trivial questions.
 
