Hacking Discussion Bricking your Switch on purpose or: How AutoRCM works

nic_rf

Member
Newcomer
Joined
May 17, 2018
Messages
9
Trophies
0
Age
33
XP
970
Country
Canada
Does it a way to modify the boot rom on horizon? If it possible, some asm can made a goto an specific address?
 

CapitanSburro

Well-Known Member
Member
Joined
May 17, 2018
Messages
107
Trophies
0
Age
33
Location
Matrix
XP
603
Country
United States
not really, a very exact "break" to trigger rcm at boot isn't really "dangerous" and should be easily reversible if/when you don't want it any more

sure if people are concerned about not having a way to boot the system while out assuming devs fix sleep mode and stuff then it would be a really neat solution, its just a matter of personal choice, and I'm sure it wont be long for someone to make a TX style standalone dongle for use when out and about
I'm not sure anybody would want to beta test this feature though ;)
 
  • Like
Reactions: Sammy_Lee

mnemonicpunk

Well-Known Member
OP
Newcomer
Joined
May 10, 2018
Messages
78
Trophies
0
Age
38
XP
318
Country
Germany
Does it a way to modify the boot rom on horizon? If it possible, some asm can made a goto an specific address?
No, the bootrom can not be modified. If it could. Nintendo would simply patch out Fusee Gelee. That is in fact what they are doing with the new Mariko revision of the Switch, which features a new board that is very likely immune against the FG exploit.
 

Hyokai

Member
Newcomer
Joined
May 19, 2018
Messages
12
Trophies
0
Age
33
XP
98
Country
Germany
  • Q: How does the tool (jig) and dongle operate? Are they needed everytime you turn on the console?
    A:
    If you don't want to make any (software) modifications to your Switch Console, both the Tool (jig) and dongle are needed every boot.
    SX OS has an optional "AutoRCM" feature that can be installed to your Switch Console such that the jig tool is not needed anymore on boot.

WoW sometimes i am just blind... then i wont install the AutoRCM feature. It is so easy with some tinefoil and a smartphone to get into rcm mode. First attempt yesterday and success. i never failed with it lol. Thanks for help :).
But maybe we will hear something from atmosphere in 2weeks because i always liked emunand (looking back at the good old 3ds)
 

gamesquest1

Nabnut
Former Staff
Joined
Sep 23, 2013
Messages
15,153
Trophies
2
XP
12,247
I'm not sure anybody would want to beta test this feature though ;)
I'm sure someone could rig up their emmc to allow direct nand restores to cover all eventualities, but afaik nand restores can be done from within rcm mode so I don't see why it would be any more dangerous than booting into rcm mode normally as long as people have a valid nand backup
 

Maximilious

Whistles a familiar tune
Member
Joined
Nov 21, 2014
Messages
2,571
Trophies
1
XP
1,865
Country
United States
As long as the AutoRCM is installed on your system you can not switch back to the original firmware. It will simply refuse to boot.

Xecuter said the AutoRCM (system modification to boot0 - also speculation at this point but strongly suggested by your post) is reversible.
 

TheSynthax

Well-Known Member
Member
Joined
Apr 29, 2018
Messages
223
Trophies
0
XP
540
Country
United States
As long as the AutoRCM is installed on your system you can not switch back to the original firmware. It will simply refuse to boot.

The people over at ReSwitched have considered the possibility of doing this weeks ago and discarded it so far because they were worried they would fuck up someones Switch permanently. And those are the people writing AMS, the fusee gelee launcher, TegraRCMSmah, libnx and so on.

The main question is this: Did Team Xecuter implement it in an entirely safe and removable way? The honest answer is: I don't know.
Flipping one bit anywhere in the bootchain will result in failed checks and a "corrupted" state. This will not render stock FW unbootable, but you will need to use an internal modchip, an external dongle, a phone, or a PC to boot the console. Stock, CFW, or Linux doesn't matter.
 

cpasjuste

Well-Known Member
Member
Joined
Aug 27, 2015
Messages
1,108
Trophies
1
Age
44
XP
4,584
Country
France
As long as the AutoRCM is installed on your system you can not switch back to the original firmware. It will simply refuse to boot.

The people over at ReSwitched have considered the possibility of doing this weeks ago and discarded it so far because they were worried they would fuck up someones Switch permanently. And those are the people writing AMS, the fusee gelee launcher, TegraRCMSmah, libnx and so on.

The main question is this: Did Team Xecuter implement it in an entirely safe and removable way? The honest answer is: I don't know.
Sorry to break your dream but there is some high level devs/hackers in TX, I mean more talented than reswitched members an such.
 
Last edited by cpasjuste,

The Real Jdbye

*is birb*
Member
Joined
Mar 17, 2010
Messages
23,702
Trophies
5
Location
Space
XP
14,588
Country
Norway
This is actually not a terrible idea. Technically A9LH also worked by corrupting the boot partition (firm) although corrupting it in a very specific way. And that was still insanely popular with few bricks reported, fewer as time went on and the process was perfected.
The simplicity of this method (you literally only need to change a single byte) means there's also less that could go wrong and restoring the system to OFW is easier. So easy that you wouldn't even need a backup. Even if you don't know what the original byte was, worst case you would have to try editing the corrupted byte 256 times to find it. Which is kind of a pain but it could be automated by a RCM payload.

Of course you'd still need a dongle or a PC/phone and a cable/OTG adapter every time you wanted to boot, so it's a bit of a hassle and not true coldboot. But it does make the process slightly easier and you don't have to worry about misplacing/losing your jig since you won't be needing it more than once (and those things are tiny and easy to lose)

RCM is kind of our saving grace here, you can't brick RCM and as long as you have it it's very hard to permanently brick a Switch. Even if you lose your NAND backup or never made one in the first place, if you dump the keys, it should still be possible to recreate the NAND with future tools, or simply replace what's broken if the NAND is still somewhat intact. Earlier Nintendo consoles didn't have anything like this (well there was Bootmii but that was unofficial, and still possible to overwrite) except ntrboot which was only discovered recently.
 
Last edited by The Real Jdbye,

gamesquest1

Nabnut
Former Staff
Joined
Sep 23, 2013
Messages
15,153
Trophies
2
XP
12,247
The real question is, once you've booted into Horizon with this "corruption" are you likely to be easily detectable for a ban?
well the CFW could just automatically patch the byte change to correct it in the eyes of the system, assuming everyone gets their ducks in a row and agree on a unified brick process (assuming a few different CFWs/loaders end up being released
 
Last edited by gamesquest1,

mnemonicpunk

Well-Known Member
OP
Newcomer
Joined
May 10, 2018
Messages
78
Trophies
0
Age
38
XP
318
Country
Germany
This is actually not a terrible idea. Technically A9LH also worked by corrupting the boot partition (firm) although corrupting it in a very specific way. And that was still insanely popular with few bricks reported, fewer as time went on and the process was perfected.
The simplicity of this method (you literally only need to change a single byte) means there's also less that could go wrong and restoring the system to OFW is easier. So easy that you wouldn't even need a backup. Even if you don't know what the original byte was, worst case you would have to try editing the corrupted byte 256 times to find it. Which is kind of a pain but it could be automated by a RCM payload.

Of course you'd still need a dongle or a PC/phone and a cable/OTG adapter every time you wanted to boot, so it's a bit of a hassle and not true coldboot. But it does make the process slightly easier and you don't have to worry about misplacing/losing your jig since you won't be needing it more than once (and those things are tiny and easy to lose)
That is how I hope they plan to do it. We'll see how transparent they are about their process going forward.
 

gamesquest1

Nabnut
Former Staff
Joined
Sep 23, 2013
Messages
15,153
Trophies
2
XP
12,247
It could but how likely is TX to actually do it and how would we even find out with it being closed source :/
well you dump the nand after their patch is done and compare it, but from the TX description it sounds like they have a totally automatic solution that would be effectively dongle free......idk how they done it (assuming they aren't being a little deceptive and that's only on certain firmwares)

I'm just wondering if the anti downgrade stuff only applies to the OS and maybe you can downgrade the part that deals with a autoRMC boot method, then patch out the downgrade checks before booting into the OS.....but again that just mindless guessing, I guess we will find out soon enough
 
Last edited by gamesquest1,

mnemonicpunk

Well-Known Member
OP
Newcomer
Joined
May 10, 2018
Messages
78
Trophies
0
Age
38
XP
318
Country
Germany
well you dump the nand after their patch is done and compare it, but from the TX description it sounds like they have a totally automatic solution that would be effectively dongle free......idk how they done it (assuming they aren't being a little deceptive and that's only on certain firmwares)
TX specifically states that you will still need the dongle. What you don't need is the jig and to hold Vol+ while booting.
 

gamesquest1

Nabnut
Former Staff
Joined
Sep 23, 2013
Messages
15,153
Trophies
2
XP
12,247
TX specifically states that you will still need the dongle. What you don't need is the jig and to hold Vol+ while booting.
ahhhhhh ok, that was what I was thinking initially but then misread the quote before, that makes much more sense :D

I'm guessing it wont be too long for someone to make a tiny RCM boot tool similar to TX's
 

ANTONIOPS

Well-Known Member
Member
Joined
Jan 15, 2016
Messages
126
Trophies
0
Age
32
XP
862
Country
Spain
Since the console enters in rcm when the nand module is unplugged, couldn't we use a custom chip connected to the usb internally and to the nand module keeping the nand pins open for a couple of seconds so the console has time to enter in rcm mode and then inject the payload via the usb connection?
 

mnemonicpunk

Well-Known Member
OP
Newcomer
Joined
May 10, 2018
Messages
78
Trophies
0
Age
38
XP
318
Country
Germany
Since the console enters in rcm when the nand module is unplugged, couldn't we use a custom chip connected to the usb internally and to the nand module keeping the nand pins open for a couple of seconds so the console has time to enter in rcm mode and then inject the payload via the usb connection?
Yes, disconnecting the eMMC is another way of entering RCM.

I think something similar was discussed on RS already. Don't know where the discussion went though. From my own personal knowledge of the hardware I'd say it is possible but not as easy as you make it sound.
 

Site & Scene News

Popular threads in this forum

General chit-chat
Help Users
    Psionic Roshambo @ Psionic Roshambo: https://thedirect.com/culture/marvel-dc-hollywood-stars-endorsing-donald-trump