Hacking: Switch boot procedure is now documented on switchbrew, and it has downgrade protection with fuses.

gabru (OP):
More info at: http://switchbrew.org/index.php?title=Package1

Downgrade check

The bootloader checks whether someone has attempted to downgrade it. A fuse array is checked; if too many fuses are burnt, the bootloader detects a downgrade attempt. The fuse array and the expected number of burnt fuses differ between unit type 0 (non-retail) and unit type 1 (retail).

Panic
The panic function does the following things:
  • It clears the stack
  • It disables(?) and clears the security engine
  • It sets a fuse (so that Nintendo knows that you attempted to mess with the bootloader)
  • It clears the key area
  • It clears the data for stage 2
  • It signals over the debug interface that a panic occurred until the Switch is reset.
 

Futurdreamz:
They certainly took a pretty hardball stance on this system. Even if it does get hacked, it may very well be that it will always be a difficult procedure that kills online.


That reminds me... I wonder if Voice Chat is actually coming to the Switch, but only as a mandatory update that kills all exploits.
 


delta nite:
Switchbrew said:
  • Registers are setup
  • A device (?) is powered on
  • Flags are set on the clock-reset registers
  • [3.0.0+] The security engine address is setup
  • [3.0.0+] Bit30 of offset 0x800 of the security engine is checked: if set, panic.
  • The SKU info is checked. If it doesn't match 0x83, panic.
  • Fuse coherency is checked, potentially panicking.
  • The copy of the BCT left by the bootROM is checked. If the version field doesn't match the expected version field, panic.
  • Anti-downgrade fuses are checked, potentially panicking.
  • [1.0.0-2.3.0] Fuse programming is disabled until next reboot.
  • The memory controller is powered on and setup to allow GPU DMA to the IRAM. This will be needed to interact with the Falcon and with the security engine.
  • [1.0.0-2.3.0] The security engine address is setup
  • [1.0.0-2.3.0] Bit30 of offset 0x800 of the security engine is checked: if set, panic.
So apparently 3.0.0 made a few changes to the order in which the security engine setup happens. Maybe they became aware of a possible exploit on older versions?
 

migles:
Does this mean that if someone does attempt to downgrade the Switch, the fuses will be blown and you have to send it to Nintendo for repair?
Or is it the type of self-resetting fuse?
 
Deleted User:
Ask the people over at the 360 scene what eFuses can do, lol.

Many people will blow up their Switches soon...
 

FAST6191:
meh this is what xbox 360 had, still got raped.
Did the 360 have a tamper flag? I don't recall any mention of this (mostly it was just: if you flashed the wrong NAND, flash the right one and try again, or hope you did not burn a few more fuses by flashing a current update or something).
While I am fully prepared for it to be rendered moot by something, it would on the face of it seem to be a fairly fundamental change, at least as far as ease of exploration and the care needed by end users of the hacks.
 

XDee:
meh this is what xbox 360 had, still got raped.

The Xbox 360 had two security flaws which allowed this to happen: it had a separate power supply pin for the fuses, and early versions of the firmware didn't check for the presence of voltage on the fuse supply pin. None of the modern CPUs have a separate supply for security fuses anymore; the lesson has been learned. Not saying the Switch is immune to hacking, but it will probably be more difficult than just desoldering the power resistor to disable the fuses.
 

Gnarmagon:
The switch doesn't have an "OTP dump"...I don't think you understand what those words mean...
What exactly do you mean by this?
Do you mean the Switch doesn't have OTP keys, or that there is no exploit available to get them?

The OTPs are used for signing/encrypting the payloads so they are legit on our consoles?
Does only the 3DS have OTPs? (I am sure I heard Derrek at 33C3 talking about Wii U OTP dumping.)

-> For a loaderhax on the Switch the OTPs are required
-> hopefully, in 3 years, dumping them won't require a version below 3.0.0, so I don't have to downgrade...

Please excuse me for talking in questions :(
 

PabloMK7:
Some are not understanding what the fuses do. In the process of updating the console, it burns a certain number of fuses. Let's say that for 3.0 the CPU has exactly 3 fuses burnt (the update process burns them). Then you successfully downgrade to 1.0. Since having version 1.0 means you should have ONLY a single burnt fuse, the bootrom will detect that you have 3 fuses burnt (because you updated to 3.0 at some point), so it will panic. And no, there is no way to un-burn the fuses.
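The following is an added example, not switchbrew's documentation or Nintendo's code, that models the anti-downgrade check described in the OP's "Downgrade check" section and in PabloMK7's post above. The fuse-array layout (one 32-bit word, bits 0..30 for anti-downgrade fuses, bit 31 as the tamper fuse that panic sets), the version list and the per-version fuse counts are all assumptions made for illustration; the real tables live in Package1 and differ between unit type 0 and unit type 1. What the model shows is why the scheme works: fuses are one-time programmable, so an update can only add burnt fuses, and a unit that boots an older version afterwards reports more burnt fuses than that version expects.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* Assumptions for this model (not from switchbrew): one 32-bit fuse word,
 * bits 0..30 are anti-downgrade fuses, bit 31 is the tamper fuse set by
 * panic(). The per-version counts below are made up for illustration. */
#define TAMPER_FUSE_BIT 31u
#define NUM_VERSIONS    4u

enum unit_type { UNIT_NONRETAIL = 0, UNIT_RETAIL = 1 };

/* Hypothetical table: how many anti-downgrade fuses each version expects.
 * Index order: 1.0.0, 2.0.0, 2.3.0, 3.0.0. Retail and non-retail differ. */
static const unsigned expected_fuses[2][NUM_VERSIONS] = {
    [UNIT_NONRETAIL] = { 1, 2, 2, 3 },
    [UNIT_RETAIL]    = { 1, 2, 3, 4 },
};

struct efuse { uint32_t bits; };

/* One-time programmable: a fuse can be burnt (set) but never cleared. */
void fuse_burn(struct efuse *f, unsigned bit) { f->bits |= 1u << bit; }

/* Number of burnt anti-downgrade fuses (the tamper bit is not counted). */
unsigned count_burnt(const struct efuse *f) {
    uint32_t v = f->bits & ((1u << TAMPER_FUSE_BIT) - 1u);
    unsigned n = 0;
    for (; v; v &= v - 1) n++;        /* clears the lowest set bit each pass */
    return n;
}

bool tamper_flag_set(const struct efuse *f) {
    return (f->bits >> TAMPER_FUSE_BIT) & 1u;
}

/* Model of the panic path: the real one also wipes the stack, key area and
 * stage-2 data; here it only leaves the permanent tamper mark. */
static int panic(struct efuse *f) {
    fuse_burn(f, TAMPER_FUSE_BIT);
    return -1;
}

/* Package1-style check: a unit whose fuse count exceeds what the running
 * version expects must have been updated further and then downgraded. */
int check_downgrade(struct efuse *f, enum unit_type u, unsigned version_idx) {
    if (version_idx >= NUM_VERSIONS) return panic(f);
    unsigned burnt = count_burnt(f), expect = expected_fuses[u][version_idx];
    return burnt > expect ? panic(f) : 0;   /* fewer or equal: boot continues */
}

/* System update: burn fuses until the new version's expected count is met.
 * Because burning is irreversible, this is what makes downgrades visible. */
void apply_update(struct efuse *f, enum unit_type u, unsigned version_idx) {
    if (version_idx >= NUM_VERSIONS) return;
    unsigned expect = expected_fuses[u][version_idx];
    for (unsigned bit = 0; bit < TAMPER_FUSE_BIT && count_burnt(f) < expect; bit++)
        fuse_burn(f, bit);
}

int main(void) {
    struct efuse f = { 0 };
    apply_update(&f, UNIT_RETAIL, 0);                       /* install 1.0.0 */
    printf("1.0.0: burnt=%u check=%d\n", count_burnt(&f),
           check_downgrade(&f, UNIT_RETAIL, 0));
    apply_update(&f, UNIT_RETAIL, 3);                       /* update to 3.0.0 */
    printf("3.0.0: burnt=%u check=%d\n", count_burnt(&f),
           check_downgrade(&f, UNIT_RETAIL, 3));
    /* Flash 1.0.0 back: the fuses burnt by 3.0.0 cannot be un-burnt. */
    int r = check_downgrade(&f, UNIT_RETAIL, 0);
    printf("downgraded to 1.0.0: check=%d tamper=%d\n", r, tamper_flag_set(&f));
    return 0;
}
```

Note that a unit with fewer burnt fuses than expected passes the check in this model; only "too many" is treated as a downgrade, matching the page's description. The tamper bit is kept out of the count so that a panic does not itself change the downgrade verdict on later boots.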
 
Deleted-355425:
Just use exploits for current firmwares; fuck the eFuses.


Just to add, this is an effective method, but come on people, this is Nintendo we are talking about... exploits are going to be found throughout the Switch's whole firmware life.
 