Hacking Switch boot procedure is now documented in switchbrew, and it has downgrade protection with fuses.

[GerbilSoft]

And you are not getting what I am saying. If Nintendo sets up any easy way to bypass the eFuses then someone is going to figure out how it works and apply it to other consoles. If this is true, then it's only a matter of time before someone tips apart a fixed Switch and figures out how it was done.

On 3DS, there's three different types of boot signatures:

• Standard eMMC boot
• NTR cartridge boot
• Wi-Fi SPI flash boot

You can't take a FIRM binary signed for NTR cartridge boot and install it on the eMMC FIRM partition because the signature won't validate. I would assume the same is true for Switch; something signed for cartridge boot wouldn't work for eMMC boot and vice-versa.

(Note that even with sighax, the required signature is different for the three boot methods, so you can't directly take a sighaxed FIRM for eMMC and run it from an NTR cartridge.)

 

[Yami Anubis ZX]

And you are not getting what I am saying. If Nintendo sets up any easy way to bypass the eFuses then someone is going to figure out how it works and apply it to other consoles. If this is true, then it's only a matter of time before someone tips apart a fixed Switch and figures out how it was done.

That is inevitable. Plus replacing a motherboard would be a waste considering it costs them money and also the fact that there having trouble manufacturing the parts because of the ongoing Foxconn debacle. It would also be very stupid on Nintendo to not have a back up plan for fixing there devices.

 

[TimX24968B]

Isn't this how samsung uses knox on their devices to check for warranty?

 

[TheMCNerd2017]

Isn't this how samsung uses knox on their devices to check for warranty?

I believe so.

 

[Platinum Lucario]

This is actually more advanced than what Sony did with their PS3 console (which the PS3 had factory firmware value hardcoded onto the CPU, so it couldn't be downgraded past that version). The Nintendo Switch System-on-Chip (Nvidia Tegra X1) uses eFuses, which the Bootloader checks the amount of times the fuses on the CPU has been burnt. If there was some CFW or something that could act as a Anti-Fuse in which could block the fuses from being burnt, or something that could change the value in the Bootloader and the Userland, then something could be achieved from it.

But yeah, downgrades will not be possible unless the downgrades can somehow be patched with those number of eFuses of the newest firmware on it. But that in itself would be pointless. The best course of action, would be to just not update the system, and have some other Nintendo Switch for normal gaming.

 

[Noctosphere]

How many fuses does the console have?

Id like to know too because it means they have a limit of how many update they can launch, right?

 

[Roomsaver]

Id like to know too because it means they have a limit of how many update they can launch, right?

I don't believe so. The fuses are for downgrade protection so Nintendo will know if you've tampered with the software.

 

[Noctosphere]

I don't believe so. The fuses are for downgrade protection so Nintendo will know if you've tampered with the software.

From what ive read, if 3 fuses are burnt, then youre supposed to be on 3,0
So that mean they cant burn more fuses than there is in the switch, but i guess they wont burn a fuse at every update, maybe once every x,0,0 update

 

[aut0mat3d]

i guess they wont burn a fuse at every update, maybe once every x,0,0 update

As on the latest 3.01 release all Keys were changed and (due the change of the keys) all Sysmodules, etc. are changed/recompiled with new Keys i am pretty sure also additional fuses were used.
So: If we get homebrew on consoles <= 3.00 in the Future we are stuck on playing Games <=3.00 until Bootloader is hacked IMHO

 

[WiiFoundLove]

Isn't this how samsung uses knox on their devices to check for warranty?

Yes, they do.

 

[Eddypikachu]

nvm

 

[Selver]

The fuses are for downgrade protection so Nintendo will know if you've tampered with the software.

There are at least two distinct sets of eFuses that have an associated count. One set is confirmed to be used for downgrade protection.
Other eFuses also exist. It is not unreasonable to imagine that an eFuse would be set aside as a method to "blacklist" a console from online play, for example.

Or, the repair cartridge could bypass the eFuses altogether.

Which would be a dangerous thing to release to the wild.

It's simpler than that. Remember that a repair will always update the system to the latest released firmware.
Therefore, if Nintendo has a repair cartridge, that repair cartridge is likely also programmed to only work on systems with EXACTLY that number of fuses burnt. (if fewer are burnt, then it could burn them and reboot; if more are burnt then it would likely panic).
Then, Nintendo would simply provide an updated image for the repair cartridge to authorized repair centers.

This would result in any repair cartridge image, even if ever escaped into the wild, being usable only until the next firmware update.

 

[Futurdreamz]

There are at least two distinct sets of eFuses that have an associated count. One set is confirmed to be used for downgrade protection.
Other eFuses also exist. It is not unreasonable to imagine that an eFuse would be set aside as a method to "blacklist" a console from online play, for example.



It's simpler than that. Remember that a repair will always update the system to the latest released firmware.
Therefore, if Nintendo has a repair cartridge, that repair cartridge is likely also programmed to only work on systems with EXACTLY that number of fuses burnt. (if fewer are burnt, then it could burn them and reboot; if more are burnt then it would likely panic).
Then, Nintendo would simply provide an updated image for the repair cartridge to authorized repair centers.

This would result in any repair cartridge image, even if ever escaped into the wild, being usable only until the next firmware update.

Does it only count the fuses burnt or does it keep track of exactly which fuses are burnt? So if the right number of fuses are burnt but fuses 1 and 9 are burnt instead of 1 and 2, wouldn't it panic?

 

[Noctosphere]

fuses that blow to prevent downgrade
possibility of a fuse that blow to ban your console
and maybe more hardware protection

With all the knowledge we have so far on the switch, would you think it is risky to hack the console?
I'm asking developper, please no nooby answer thanks

 

[Selver]

Does it only count the fuses burnt or does it keep track of exactly which fuses are burnt? So if the right number of fuses are burnt but fuses 1 and 9 are burnt instead of 1 and 2, wouldn't it panic?

See http://switchbrew.org/index.php?title=Fuses#eFuses for more info on the fuses.
See http://switchbrew.org/index.php?title=Package1#Main for more info on at least one of the anti-downgrade checks.

would you think it is risky to hack the console?

Yes.

 

[SquidGuy]

Because of efuse backed downgrade protection, unless there is a way that we can skip said downgrade protection, it is unlikely we will see downgrading on the Switch.

If there ISN'T a skip or something we can do avoid it, we will NOT downgrading.

Efuse downgrade protections have proven to be very handy, when done right.

well would it be possible to spoof?

 

[Deleted User]

well would it be possible to spoof?

To my knowledge, unless something was discovered super early in the boot process, I highly doubt it. Even the 360 doesn't have an efuse spoofer yet. Simply a reader program, which is, again, super early.
I'd say it's nigh-impossible.

 

[SquidGuy]

if i do understand it the fuses are not limited what so ever but they get burned once the console updates

even if you buy the console at FW 2.0

wait so, if you buy a switch with FW 2.0 does that mean the will be no burnt eFuses?

 

[Deleted User]

wait so, if you buy a switch with FW 2.0 does that mean the will be no burnt eFuses?

There is likely 1 burnt fuse. Each update that's coded to burn a fuse will increase the increment by 1.

 

[TimX24968B]

There is likely 1 burnt fuse. Each update that's coded to burn a fuse will increase the increment by 1.

what happens once all the fuses are burnt? or is there such a large number of fuses that its not the case? wondering if that kind of protection would fail if they ran out of fuses to burn.