Hacking Question Can someone post a photo of Efuses?

BvanBart

Quick google search for Efuse would do the trick.
 

Attachment: efuse1.png

Urbanshadow

Yes I know, but what is it?

It's a fuse you can "program" (burn) at will (via software). Avoids certain electronic signals reaching certain electronic components, and they have a meaning (both signal and no signal).

Once an efuse is "programmed" it can't be unset again.
Majorly used to notify device builders if the hardware or software had been manipulated in some unwanted way.
 

cybrian

http://switchbrew.org/index.php?title=Fuses

Basically the way it works is this: certain firmware updates burn (set) fuses in a region of the efuse memory. If the firmware version on the Switch’s internal memory is x then you’ll need y fuses set for it to boot. You can always set more fuses, but can never unset them. Therefore, as firmware version x increases, fuse count y may increase as well, and will never decrease.

This allows the console to check whether its memory has been tampered with to attempt a downgrade: if a firmware is on the system that requires 4 fuses burnt (3.0.1 does), and through an eMMC backup or otherwise the console’s firmware is manually downgraded back to 3.0.0, which requires 3 fuses burnt, the Switch will check the fuse count while booting and see it’s 4 and not 3, and it will not boot, and will likely blow another fuse in order to allow Nintendo to detect why it’s not booting. That way if you send it in for service, they can send it right back to you saying you voided your warranty by tampering with the firmware.

There is no known way to bypass fuse checks without having full control of the boot procedure. The Xbox 360 uses eFuses the same way to prevent downgrades, and it has definitely done its job there — as far as I know it’s not possible to downgrade Xbox 360 firmware, and the later its kernel version is the more difficult it is to hack the system. The “reset glitch hack” on the Xbox 360 involves programmatically triggering a reset repeatedly on the processor while sending bad data to the data lines on it (very specific data, very precise timing, and so on) eventually “glitching” it out causing it to load the hacked data that bypasses protection. It’s possible an exploit like this can be found for the Tegra X1 that would be able to be used on the Switch, but I oversimplified it and glossed over how precise it is — we’d need to know a lot more about the inner workings of the Switch and its Tegra X1 bootloader and so on for it to even be worth investigating.

In short, you’re not going to find a way to unset these fuses without violating laws of physics, but with very, very extensive knowledge of critical internals it MAY be possible to skip them from being checked in the first place, or to prevent them from mattering.
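The boot-time fuse check described in the post above, as an added C sketch that is not part of the original thread and not Nintendo's code. The fuse counts (3 for 3.0.0, 4 for 3.0.1) come from the post; the 32-bit fuse word, the lowest-bit-first burn order, burning up to the required count at boot, and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simulated one-time-programmable fuse word (assumed 32 bits wide). */
typedef struct { uint32_t bits; } fuse_bank_t;

typedef enum { BOOT_OK, BOOT_OK_BURNED, BOOT_REFUSED_DOWNGRADE } boot_result_t;

/* Programming can only OR bits in; no operation clears a burnt fuse. */
void fuse_burn(fuse_bank_t *fb, uint32_t mask) { fb->bits |= mask; }

/* Number of burnt fuses = population count of the fuse word. */
unsigned fuse_count(const fuse_bank_t *fb) {
    unsigned n = 0;
    for (uint32_t v = fb->bits; v != 0; v &= v - 1) n++;
    return n;
}

/* required = fuse count the installed firmware expects. */
boot_result_t boot_check(fuse_bank_t *fb, unsigned required) {
    unsigned burnt = fuse_count(fb);
    if (burnt > required)
        return BOOT_REFUSED_DOWNGRADE;   /* newer firmware ran here before */
    if (burnt < required) {
        /* Assumption: fuses are burnt lowest-bit-first up to the required count. */
        uint32_t mask = required >= 32 ? UINT32_MAX : (1u << required) - 1u;
        fuse_burn(fb, mask);
        return BOOT_OK_BURNED;
    }
    return BOOT_OK;
}

int main(void) {
    fuse_bank_t fb = { 0 };
    /* Fuse counts from the post: 3.0.0 expects 3, 3.0.1 expects 4. */
    boot_check(&fb, 3);                      /* 3.0.0 first boot */
    boot_check(&fb, 4);                      /* update to 3.0.1 burns a 4th */
    boot_result_t r = boot_check(&fb, 3);    /* eMMC restored to 3.0.0 */
    printf("burnt=%u downgrade boot %s\n", fuse_count(&fb),
           r == BOOT_REFUSED_DOWNGRADE ? "refused" : "allowed");
    return 0;
}
```

Because `fuse_burn` only ever sets bits, the count is monotonic, which is what lets the check treat "more fuses burnt than this firmware expects" as evidence of a rollback.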
 

FAST6191

In short, you’re not going to find a way to unset these fuses without violating laws of physics
I don't know if I would go that far. Atomic force microscopes, some of the decapping/trace reconstruction stuff and a whole lot of effort could see either a bridge/bypass wire built or the thing redone.

It is some incredibly rare and hard to come by tech, and the people to operate it are similarly rare but I would say it is well within current tech, never mind presently understood laws of physics. I doubt we will see it hit even "doctoral student has some fun" level* within the next few decades, and prior to then it will probably be cheaper to spin off a run of compatible chips (if a future FPGA equivalent can't outright replicate it, ignoring entirely the option to maybe find private keys somehow), but again I don't think I would look at the laws of physics as the barrier.

*a source of a few choice hacks over the years.
 


cybrian

I don't know if I would go that far. Atomic force microscopes, some of the decapping/trace reconstruction stuff and a whole lot of effort could see either a bridge/bypass wire built or the thing redone.

It is some incredibly rare and hard to come by tech, and the people to operate it are similarly rare but I would say it is well within current tech, never mind presently understood laws of physics. I doubt we will see it hit even "doctoral student has some fun" level* within the next few decades, and prior to then it will probably be cheaper to spin off a run of compatible chips (if a future FPGA equivalent can't outright replicate it, ignoring entirely the option to maybe find private keys somehow), but again I don't think I would look at the laws of physics as the barrier.

*a source of a few choice hacks over the years.

No, you actually are wrong. These things are measured in nanometers. You can’t make a jumper wire nanometers in size and install it. Not to mention decapping a chip is insanely expensive and doesn’t even always yield much of anything useful.
 

FAST6191

No, you actually are wrong. These things are measured in nanometers. You can’t make a jumper wire nanometers in size and install it. Not to mention decapping a chip is insanely expensive and doesn’t even always yield much of anything useful.
I know they are usefully measured in nm - there is a nice SEM shot up above which says as much.
Decapping is not that bad and is done for fun these days.

You would probably want to do a bunch of them to narrow down the dimensions needed but that is cheap enough.
Depending upon how many layers you might be in for a fun time recreating whatever you drilled through to get down to the fuse level but again it is not impossible (I can't recall if it was the video above or another on the subject which detailed how the security measures where a single layer is dedicated to being a massive single trace and breaking it anywhere should break the circuit, so they connected a wire across the start and end point).
Back to the efuses: wires is perhaps the wrong term but one that is understandable; manipulation of conductors on that level is doable (one need not necessarily recreate the fuse as much as just bypass it after all).
http://www.bbc.co.uk/news/science-environment-22364761

So again probably largely theoretical at this point but the techniques I would look to are well established and have operated at the levels necessary. I agree it is unproven, and hideously expensive/impractical, however I reckon with the above stuff in place it is a far cry from physics says no which was what I took issue with.
 

weatMod

An efuse would be on the order of a hundred nanometers in size (a few hundred atoms). That's 0.000001 inches. For comparison, a human red blood cell is 6,000-8,000 nm and a human hair is approximately 80,000-100,000 nm.
But if these things are so small and presumably work like a normal fuse, from the pic posted it almost looks like a glob of solder on there.
Then wouldn't they be unset or set by heat? Like if you have a reflow done then would they just all melt open? Or melt and flow and be closed?
If they are so small then wouldn't heat affect them? If not, then why?
 

planetarian

But if these things are so small and presumably work like a normal fuse, from the pic posted it almost looks like a glob of solder on there.
If they are so small then wouldn't heat affect them? If not, then why?
I'm not an expert, but I think that's backwards; remember, you're looking at something extraordinarily tiny -- it seems like the dark areas are the actual conductive part, and the process of 'burning' the efuse actually removes the conductive material from the signal path (exposing the non-conductive silvery substrate).

see: http://www.google.com/patents/US6624499
 

cybrian

I'm not an expert, but I think that's backwards; remember, you're looking at something extraordinarily tiny -- it seems like the dark areas are the actual conductive part, and the process of 'burning' the efuse actually removes the conductive material from the signal path (exposing the non-conductive silvery substrate).

see: http://www.google.com/patents/US6624499

Yes, and these are not made of alloys meant to flow at low temperatures, like solder, either. Solder is designed to have an extremely low melting point.

Not to mention that heat isn’t what actually blows the fuse. It’s electromigration, which is affected by, but not related to, heat. Or at least that’s how I understand it — I don’t know much about semiconductor physics, and you need to in order to truly understand the mechanics of these things.

Also, sure, if someone was willing to invest tens of millions of dollars just to bypass the eFuses in the Switch, it might be possible. You’d need semiconductor fabrication firms, which is just not remotely feasible. Not to mention a minor update to the chip would send you on the wrong path or at least disrupt your work heavily.

It’d be cheaper to buy every commercially released Switch game and an entire indie developer to have them write software for you.
 
