Question Can someone post a photo of Efuses?

Discussion in 'Switch - Hacking & Homebrew' started by Enryx25, Aug 31, 2017.

  1. Enryx25
    OP

    Enryx25 GBAtemp Regular

    Member
    223
    123
    Jan 25, 2016
    Italy
    I want to see how big they are :)
     


  2. B4rtj4h

    B4rtj4h Gaming addict #2 and some

    Member
    406
    43
    Apr 16, 2007
    Netherlands
    Bikini Bottom
    Quick google search for Efuse would do the trick.
     


  3. linuxares

    linuxares GBAtemp Psycho!

    Member
    3,092
    1,243
    Aug 5, 2007
    They are microscopic and are inside the chips.
     
    Enryx25 likes this.
  4. MatMaf

    MatMaf Member

    Newcomer
    49
    64
    Jun 5, 2016
    United States
    That's a really good picture
     
    -pm-, Tomato Hentai, julialy and 3 others like this.
  5. Xyphoseos

    Xyphoseos Hack or no games

    Member
    828
    71
    Jun 29, 2016
    France
    What is it ?
     
  6. Alkéryn

    Alkéryn Master of cookies ~

    Member
    1,517
    1,884
    Mar 15, 2015
    France
    Albategnius, Moon
    Efuses
     
  7. Xyphoseos

    Xyphoseos Hack or no games

    Member
    828
    71
    Jun 29, 2016
    France
    Yes I know but is it what ?
     
  8. Urbanshadow

    Urbanshadow GBAtemp Maniac

    Member
    1,293
    471
    Oct 16, 2015
    It's a fuse you can "program" (burn) at will (via software). Avoids certain electronic signals reaching certain electronic components, and they have a meaning (both signal and no signal).

    Once an efuse is "programmed" it can't be unset again.
    Majorly used to notify device builders if the hardware or software had been manipulated in some unwanted way.
     
    Xyphoseos likes this.
  9. cybrian

    cybrian Advanced Member

    Newcomer
    76
    36
    Sep 14, 2009
    United States
    http://switchbrew.org/index.php?title=Fuses

    Basically the way it works is this: certain firmware updates burn (set) fuses in a region of the efuse memory. If the firmware version on the Switch’s internal memory is x then you’ll need y fuses set for it to boot. You can always set more fuses, but can never unset them. Therefore, as firmware version x increases, fuse count y may increase as well, and will never decrease.

    This allows the console to check whether its memory has been tampered with to attempt a downgrade: if a firmware is on the system that requires 4 fuses burnt (3.0.1 does), and through an eMMC backup or otherwise the console’s firmware is manually downgraded back to 3.0.0, which requires 3 fuses burnt, the Switch will check the fuse count while booting and see it’s 4 and not 3, and it will not boot, and will likely blow another fuse in order to allow Nintendo to detect why it’s not booting. That way if you send it in for service, they can send it right back to you saying you voided your warranty by tampering with the firmware.

    There is no known way to bypass fuse checks without having full control of the boot procedure. The Xbox 360 uses eFuses the same way to prevent downgrades, and it has definitely done its job there — as far as I know it’s not possible to downgrade Xbox 360 firmware, and the later its kernel version is the more difficult it is to hack the system. The “reset glitch hack” on the Xbox 360 involves programmatically triggering a reset repeatedly on the processor while sending bad data to the data lines on it (very specific data, very precise timing, and so on) eventually “glitching” it out causing it to load the hacked data that bypasses protection. It’s possible an exploit like this can be found for the Tegra X1 that would be able to be used on the Switch, but I oversimplified it and glossed over how precise it is — we’d need to know a lot more about the inner workings of the Switch and its Tegra X1 bootloader and so on for it to even be worth investigating.

    In short, you’re not going to find a way to unset these fuses without violating laws of physics, but with very, very extensive knowledge of critical internals it MAY be possible to skip them from being checked in the first place, or to prevent them from mattering.
     
    Asdolo, MeAndHax, WadsRUs and 9 others like this.
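
    The anti-downgrade check cybrian describes above, modelled in C as an added example that is not part of the original thread and is not Nintendo's or NVIDIA's code. The fuse counts 3 and 4 come from the post; the type and function names are hypothetical, and the simulation refuses to boot on any count mismatch, following the post's "you'll need y fuses set for it to boot".

```c
#include <stdint.h>
#include <stdio.h>

/* Fuse counts taken from the post: 3.0.0 expects 3 burnt fuses, 3.0.1 expects 4. */
enum { FUSES_FW_3_0_0 = 3, FUSES_FW_3_0_1 = 4 };

typedef enum { BOOT_OK, BOOT_REFUSED_DOWNGRADE, BOOT_REFUSED_TOO_FEW } boot_result;

/* Simulated one-time-programmable bank (hypothetical layout): a bit can go
   0 -> 1, never back. */
typedef struct { uint32_t bits; } fuse_bank;

static unsigned fuse_count(const fuse_bank *f) {
    unsigned n = 0;
    for (uint32_t v = f->bits; v; v &= v - 1) n++;   /* clear lowest set bit */
    return n;
}

/* Burn fuses until `target` are set. Writes are OR-only, so asking for a
   lower target than the current count changes nothing. */
static void fuse_burn_to(fuse_bank *f, unsigned target) {
    uint32_t mask = target >= 32 ? UINT32_MAX : (1u << target) - 1u;
    f->bits |= mask;
}

/* Boot-time check: the installed firmware states how many fuses it expects. */
static boot_result boot_check(const fuse_bank *f, unsigned expected) {
    unsigned burnt = fuse_count(f);
    if (burnt > expected) return BOOT_REFUSED_DOWNGRADE; /* older firmware restored */
    if (burnt < expected) return BOOT_REFUSED_TOO_FEW;
    return BOOT_OK;
}

/* Update to 3.0.1, then restore a 3.0.0 image from backup and try to boot it. */
static boot_result boot_after_restore_of_3_0_0(void) {
    fuse_bank bank = { 0 };
    fuse_burn_to(&bank, FUSES_FW_3_0_0);
    fuse_burn_to(&bank, FUSES_FW_3_0_1);   /* the update burns the fourth fuse */
    fuse_burn_to(&bank, FUSES_FW_3_0_0);   /* restoring storage cannot unburn it */
    return boot_check(&bank, FUSES_FW_3_0_0);
}

int main(void) {
    printf("boot result after restore: %d\n", boot_after_restore_of_3_0_0());
    return 0;
}
```

    The restored image fails the check because the fuse bank lives in the chip, not in the storage that the backup rewrites.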
  10. Supercool330

    Supercool330 GBAtemp Advanced Fan

    Member
    685
    139
    Sep 28, 2008
    United States
    An efuse would be on the order of a hundred nanometers in size (a few hundred atoms). That's 0.000001 inches. For comparison, a human red blood cell is 6,000-8,000 nm and a human hair is approximately 80,000-100,000 nm.
     
    Last edited by Supercool330, Sep 4, 2017
    MeAndHax, WadsRUs and godreborn like this.
  11. FAST6191

    FAST6191 Techromancer

    pip Reporter
    23,341
    9,120
    Nov 21, 2005
    I don't know if I would go that far. Atomic force microscopes, some of the decapping/trace reconstruction stuff and a whole lot of effort could see either a bridge/bypass wire built or the thing redone.

    It is some incredibly rare and hard to come by tech, and the people to operate it are similarly rare but I would say it is well within current tech, never mind presently understood laws of physics. I doubt we will see it hit even "doctoral student has some fun" level* within the next few decades, and prior to then it will probably be cheaper to spin off a run of compatible chips (if a future FPGA equivalent can't outright replicate it, ignoring entirely the option to maybe find private keys somehow), but again I don't think I would look at the laws of physics as the barrier.

    *a source of a few choice hacks over the years.
     
  12. LightOffPro

    LightOffPro Member

    Newcomer
    24
    41
    Jun 10, 2016
    Portugal
  13. migles

    migles Mei the sexiest bae

    Member
    6,795
    4,556
    Sep 19, 2013
    Saint Kitts and Nevis
    my dad works for nintendo.
    with the info posted above, who needs google?

    @cybrian the lurkers are awesome, only come out of the shadows to say something really good. really loved that explanation
    and @FAST6191 not a lurker, but always awesome.
     
    TotalInsanity4 likes this.
  14. cybrian

    cybrian Advanced Member

    Newcomer
    76
    36
    Sep 14, 2009
    United States
    No, you actually are wrong. These things are measured in nanometers. You can’t make a jumper wire nanometers in size and install it. Not to mention decapping a chip is insanely expensive and doesn’t even always yield much of anything useful.
     
  15. zoogie

    zoogie simple pimp tool

    Member
    6,237
    7,908
    Nov 30, 2014
    United States
  16. FAST6191

    FAST6191 Techromancer

    pip Reporter
    23,341
    9,120
    Nov 21, 2005
    I know they are usefully measured in nm - there is a nice SEM shot up above which says as much.
    Decapping is not that bad and is done by for fun these days

    You would probably want to do a bunch of them to narrow down the dimensions needed but that is cheap enough.
    Depending upon how many layers you might be in for a fun time recreating whatever you drilled through to get down to the fuse level but again it is not impossible (I can't recall if it was the video above or another on the subject which detailed how the security measures where a single layer is dedicated to being a massive single trace and breaking it anywhere should break the circuit, so they connected a wire across the start and end point).
    Back to the efuses wires is perhaps the wrong term but one that is understandable, manipulation of conductors on that level is doable (one need not necessarily recreate the fuse as much as just bypass it after all)
    http://www.bbc.co.uk/news/science-environment-22364761

    So again probably largely theoretical at this point but the techniques I would look to are well established and have operated at the levels necessary. I agree it is unproven, and hideously expensive/impractical, however I reckon with the above stuff in place it is a far cry from physics says no which was what I took issue with.
     
  17. Pippin666

    Pippin666 SSF43DE Master

    Member
    1,812
    247
    Mar 30, 2009
    Canada
    Montreal, Qc
    I just can't wait for when people will start thread about Switch bricking because of eFuses ... I'm gonna fap reading ya'll crying.

    Pip'
     
    MeowMeowMeow and Enryx25 like this.
  18. weatMod

    weatMod GBAtemp Advanced Maniac

    Member
    1,914
    600
    Aug 24, 2013
    United States
    but if these things are so small and presumably work like normal fuse, from the pic posted it almost looks like a glob of solder on there
    then wouldn't they be unset or set by heat? like if you have a reflow done then would they just all melt open? or melt and flow and be closed?
    if they are so small then wouldn't heat affect them, if not then why?
     
  19. planetarian

    planetarian GBAtemp Regular

    Member
    132
    145
    Aug 5, 2014
    United States
    I'm not an expert, but I think that's backwards; remember, you're looking at something extraordinarily tiny -- it seems like the dark areas are the actual conductive part, and the process of 'burning' the efuse actually removes the conductive material from the signal path (exposing the non-conductive silvery substrate).

    see: http://www.google.com/patents/US6624499
     
  20. cybrian

    cybrian Advanced Member

    Newcomer
    76
    36
    Sep 14, 2009
    United States
    Yes, and these are not made of alloys meant to flow at low temperatures, like solder, either. Solder is designed to have an extremely low melting point.

    Not to mention that heat isn’t what actually blows the fuse. It’s electromigration, which is affected by, but not related to, heat. Or at least that’s how I understand it — I don’t know much about semiconductor physics, and you need to in order to truly understand the mechanics of these things.

    Also, sure, if someone was willing to invest tens of millions of dollars just to bypass the eFuses in the Switch, it might be possible. You’d need semiconductor fabrication firms, which is just not remotely feasible. Not to mention a minor update to the chip would send you on the wrong path or at least disrupt your work heavily.

    It’d be cheaper to buy every commercially released Switch game and an entire indie developer to have them write software for you.