Hacking: Could it be possible to downgrade the Switch someday?

Status: Not open for further replies.

evandixon

You will never run out of eFuses, or the system would never work in the end. That's the reason why upgrading and downgrading zaps them. You would end up with a physically broken unit.
If there is some way to downgrade, it will be with an external device to hook and bypass the checks.
Blowing efuses won't harm your device; in this context, they're like regular memory that can only ever be written to once. If too many fuses are blown, the software will assume that means a downgrade happened, and the software will refuse to boot.
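As an added illustration of the fuse logic described in this post (example code, not from the thread, Nintendo or any real bootloader), a toy model in which a write-once fuse bank is compared against a version table that lives in updatable boot code; the bank size and the version-to-count table are constructed values:

```python
# Toy model of the eFuse anti-rollback check described above. The bank size
# and the version table are constructed for illustration, not real values.

FUSE_COUNT = 8  # constructed: number of write-once bits in the bank

# Constructed table: firmware version -> fuses that must be blown before it
# may boot. It lives in the updatable bootloader, so a new firmware can
# raise the count; nothing here is fixed in ROM.
EXPECTED_BURNT = {"1.0.0": 1, "2.0.0": 1, "3.0.0": 2, "4.0.0": 3}


class DowngradeDetected(Exception):
    """More fuses are blown than this firmware version expects."""


class FuseBank:
    """Write-once memory: a bit may go 0 -> 1 and can never be cleared."""

    def __init__(self, count=FUSE_COUNT):
        self.bits = [0] * count

    def blown(self):
        return sum(self.bits)

    def blow_next(self):
        # index() raises ValueError once every fuse has been used up
        self.bits[self.bits.index(0)] = 1


def downgrade_attempted(bank, version):
    """True if more fuses are blown than `version` expects, i.e. a newer
    firmware has already booted on this unit."""
    return bank.blown() > EXPECTED_BURNT[version]


def boot(bank, version):
    """Refuse on rollback; otherwise blow fuses up to the expected count
    (a legitimate upgrade) and return how many are now blown."""
    if downgrade_attempted(bank, version):
        raise DowngradeDetected(
            f"{bank.blown()} blown, {version} expects {EXPECTED_BURNT[version]}")
    while bank.blown() < EXPECTED_BURNT[version]:
        bank.blow_next()
    return bank.blown()
```

Booting 1.0.0 and then 3.0.0 on a fresh bank blows two fuses; trying to boot 2.0.0 afterwards raises DowngradeDetected, while the fuses themselves are untouched and unharmed.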
 

mikey420

The Switch bootrom is unlikely to control the efuse verification, as this changes with each update. In short, if the bootrom can be exploited we could negate the efuses and install whatever software version we wish, but at that point a downgrade would be useless, as we already have hardware control at boot time and can patch the latest software version. Basically, downgrading the Switch would require hacks that would make downgrading it absolutely pointless. So no, we will not see a software downgrade for the Switch, and if we do it's not going to be useful for anyone besides a developer who for whatever reason wants to revert to an older build of the software.
 

Noctosphere (OP)
Maybe in the future at some time you won't need to be on firmware 3.0.0 to get homebrew, but only time can tell.
If you want 3.0.0 homebrew, buy one Switch on firmware <=3.0.0 now and don't cry in some months because you did not, or live with the new nice games like Mario Odyssey or BotW + DLC2 and others.
Why would I cry? Did I say I wanted homebrew?

--------------------- MERGED ---------------------------

So... from what I understand, it will be possible someday, but by the time we get it, it won't be needed anymore.

The Switch bootrom is unlikely to control the efuse verification, as this changes with each update. In short, if the bootrom can be exploited we could negate the efuses and install whatever software version we wish, but at that point a downgrade would be useless, as we already have hardware control at boot time and can patch the latest software version. Basically, downgrading the Switch would require hacks that would make downgrading it absolutely pointless. So no, we will not see a software downgrade for the Switch, and if we do it's not going to be useful for anyone besides a developer who for whatever reason wants to revert to an older build of the software.
 

Ryccardo

It doesn't work that way. The console is hardcoded to read the bootrom from a specific location.
That's an interesting point actually - some processors are designed to coldboot from a choice of more than one memory address, usually selected by specific pin connections - not that said pins have to be externally available, of course!

The bootrom or early further-stage loaders themselves could have similar logic, as seen in multiple nerd-friendly tech products (mainly ebook readers and Raspberry Pi competitors) - which the Switch most likely isn't, or if it is will enforce some checks anyway (see 3DS and Wii U) - but with it having allegedly been dumped by the known few, it would be relatively simple to [dis]prove...
 

Risingdawn

If you could exploit the bootrom you would be able to find the keys to decrypt and sign your own FW, which we refer to as Custom Firmware. This would be the point you could basically do anything you wanted from lv0.

Unless a lot has changed since I last messed about with this stuff, you can't change anything of the bootrom; it's read-only and flashed on in the factory, and once it's there, that's it. You can exploit flaws in the code but you can't rewrite or patch it.

You really have no need to either, of course, because the fuse check should come after the bootrom at lv0. I could be wrong though; it's been a very long time and much has changed/advanced over the years.
 

TheCyberQuake

SIGH...
YOU CAN'T EDIT BOOTROM. PERIOD.
In fact, after Bootrom Lockout, you can't even Read Bootrom.
Sighax takes advantage of problems in the Bootrom code, specifically in the Signature parser, hence the name Sighax.
Read this for information about how Sighax works.
Actually, the bootrom on the Switch is updateable, IIRC. It's why ReSwitched has said the console could deal with a sighax-like exploit without it being a permanent problem like on the 3DS.
 

SirNapkin1334

If you could exploit the bootrom you would be able to find the keys to decrypt and sign your own FW, which we refer to as Custom Firmware. This would be the point you could basically do anything you wanted from lv0.

Unless a lot has changed since I last messed about with this stuff, you can't change anything of the bootrom; it's read-only and flashed on in the factory, and once it's there, that's it. You can exploit flaws in the code but you can't rewrite or patch it.

You really have no need to either, of course, because the fuse check should come after the bootrom at lv0. I could be wrong though; it's been a very long time and much has changed/advanced over the years.
Yes. But you would have to exploit the bootrom before lockout, because after lockout not only can you not write to it, but you can't even read it.

--------------------- MERGED ---------------------------

Actually, the bootrom on the Switch is updateable, IIRC. It's why ReSwitched has said the console could deal with a sighax-like exploit without it being a permanent problem like on the 3DS.
Well, that would likely be something appended to the bootrom, which is loaded afterwards. This is a bad idea, though. If we could trick the Switch into installing a non-legit update crafted by a hacker, we could do anything to it.
 

mikey420

If the bootrom is updateable, it's not a bootrom. There would have to be a lower-level control scheme in place to verify this software... in short, by definition a bootrom is read-only.
 

SirNapkin1334

If the bootrom is updateable, it's not a bootrom. There would have to be a lower-level control scheme in place to verify this software... in short, by definition a bootrom is read-only.
Yes. That's what I said: the bootrom is not being updated; it's likely something else that the bootrom leads into. A sort of post-boot, pre-OS program.
 

Risingdawn

Yes. That's what I said: the bootrom is not being updated; it's likely something else that the bootrom leads into. A sort of post-boot, pre-OS program.
It would be the bootloader that is next in the chain, I guess; in theory the bootrom should be absolute, but potentially the bootloader would be patchable.

If you could update the bootrom, that's very brave: on the one hand, yes, you could fix a vulnerability, but if someone already had the master keys they could sign their own!
 

SirNapkin1334

It would be the bootloader that is next in the chain, I guess; in theory the bootrom should be absolute, but potentially the bootloader would be patchable.

If you could update the bootrom, that's very brave: on the one hand, yes, you could fix a vulnerability, but if someone already had the master keys they could sign their own!
If you could update the bootrom, it would by definition not be a bootrom.
 

magico29

I know this is a total noob question that has already been answered: No, you can't downgrade the Switch because of eFuses.
Well, I just need to know: will it be possible someday to hack the Switch deep enough to be able to skip the verification of eFuses when booting up the console?
Please don't call me a noob, I know I am.
I don't think so, baby. My advice: do not ever update your Switch and be patient; sooner or later we're gonna take over, baby!!
 

RedBlueGreen

I'm sure it can be downgraded eventually. But you'd have to have complete control over the console to be able to do that. You'd have to be able to bypass the eFuse checks (which would likely require some sort of CFW), or be able to force the console to boot even if it fails the check (which would still likely require CFW).

It'll probably be years before somebody manages to reverse engineer the Switch to the point that's possible.
 

SirNapkin1334

I'm sure it can be downgraded eventually. But you'd have to have complete control over the console to be able to do that. You'd have to be able to bypass the eFuse checks (which would likely require some sort of CFW), or be able to force the console to boot even if it fails the check (which would still likely require CFW).

It'll probably be years before somebody manages to reverse engineer the Switch to the point that's possible.
Nah, I think that the eFuse requirement is hardcoded into the bootrom. Even with full control, we still couldn't modify it. YOU CAN NEVER CHANGE OR PATCH A BOOTROM. THAT IS THE DEFINITION OF A BOOTROM. READ-ONLY—NO CHANGING!!
 

mikey420

I'm sure it can be downgraded eventually. But you'd have to have complete control over the console to be able to do that. You'd have to be able to bypass the eFuse checks (which would likely require some sort of CFW), or be able to force the console to boot even if it fails the check (which would still likely require CFW).

It'll probably be years before somebody manages to reverse engineer the Switch to the point that's possible.

Chances are the efuse check is part of the early boot chain, so we would likely need a bootrom hack to be able to do this. We would not need a bootrom hack to patch out security functions... in short, downgrading is not useful.

--------------------- MERGED ---------------------------

Nah, I think that the eFuse requirement is hardcoded into the bootrom. Even with full control, we still couldn't modify it. YOU CAN NEVER CHANGE OR PATCH A BOOTROM. THAT IS THE DEFINITION OF A BOOTROM. READ-ONLY—NO CHANGING!!
Unlikely, as the efuse values change with each update, meaning whatever verifies this needs to be updateable.
 

TheCyberQuake

Nah, I think that the eFuse requirement is hardcoded into the bootrom. Even with full control, we still couldn't modify it. YOU CAN NEVER CHANGE OR PATCH A BOOTROM. THAT IS THE DEFINITION OF A BOOTROM. READ-ONLY—NO CHANGING!!
Bypassing eFuses in software is likely impossible, but there could be hardware methods to bypass them. Hardware glitching and trickery could get it done, but I don't think it could feasibly fit in the Switch shell anyway.
 

TheCyberQuake

Chances are the efuse check is part of the early boot chain, so we would likely need a bootrom hack to be able to do this. We would not need a bootrom hack to patch out security functions... in short, downgrading is not useful.

--------------------- MERGED ---------------------------


Unlikely, as the efuse values change with each update, meaning whatever verifies this needs to be updateable.
I'm fairly certain there is already documentation on where in the boot process the efuse check is done and panics if it fails.
 

RedBlueGreen

Nah, I think that the eFuse requirement is hardcoded into the bootrom. Even with full control, we still couldn't modify it. YOU CAN NEVER CHANGE OR PATCH A BOOTROM. THAT IS THE DEFINITION OF A BOOTROM. READ-ONLY—NO CHANGING!!
We don't necessarily know that, though, until the Switch has had a lot of reverse engineering done on it. All we know is that the check seems to happen early on.
I'm fairly certain there is already documentation on where in the boot process the efuse check is done and panics if it fails.
Do you have the source? I'm not familiar with the Switch homebrew scene. The last thing I heard was that the bootrom was dumped.
 

mikey420

I'm fairly certain there is already documentation on where in the boot process the efuse check is done and panics if it fails.
I should check, as I think you may well be right. I recall reading something in this regard recently.

--------------------- MERGED ---------------------------

For those wondering, here is a fairly complete article in this regard.

http://wololo.net/2017/08/24/nintendo

--------------------- MERGED ---------------------------

From what I'm reading, the bootloader will panic, which would mean the check is defeatable but it would be pointless. Downgrading would require more than a kernel or root exploit, which is all one would need to be able to temp-jailbreak a device anyway.
 