Discussion in 'Switch - Hacking & Homebrew' started by Enryx25, Aug 31, 2017.
I want to see how big they are
Quick google search for Efuse would do the trick.
They are microscopic and are inside the chips.
That's a really good picture
What is it?
Yes, I know, but what is it?
It's a fuse you can "program" (burn) at will (via software). Avoids certain electronic signals reaching certain electronic components, and they have a meaning (both signal and no signal).
Once an eFuse is "programmed" it can't be unset again.
Majorly used to notify device builders if the hardware or software had been manipulated in some unwanted way.
Basically the way it works is this: certain firmware updates burn (set) fuses in a region of the efuse memory. If the firmware version on the Switch’s internal memory is x then you’ll need y fuses set for it to boot. You can always set more fuses, but can never unset them. Therefore, as firmware version x increases, fuse count y may increase as well, and will never decrease.
This allows the console to check whether its memory has been tampered with to attempt a downgrade: if a firmware is on the system that requires 4 fuses burnt (3.0.1 does), and through an eMMC backup or otherwise the console’s firmware is manually downgraded back to 3.0.0, which requires 3 fuses burnt, the Switch will check the fuse count while booting and see it’s 4 and not 3, and it will not boot, and will likely blow another fuse in order to allow Nintendo to detect why it’s not booting. That way, if you send it in for service, they can send it right back to you saying you voided your warranty by tampering with the firmware.
There is no known way to bypass fuse checks without having full control of the boot procedure. The Xbox 360 uses eFuses the same way to prevent downgrades, and it has definitely done its job there — as far as I know it’s not possible to downgrade Xbox 360 firmware, and the later its kernel version is the more difficult it is to hack the system. The “reset glitch hack” on the Xbox 360 involves programmatically triggering a reset repeatedly on the processor while sending bad data to the data lines on it (very specific data, very precise timing, and so on) eventually “glitching” it out causing it to load the hacked data that bypasses protection. It’s possible an exploit like this can be found for the Tegra X1 that would be able to be used on the Switch, but I oversimplified it and glossed over how precise it is — we’d need to know a lot more about the inner workings of the Switch and its Tegra X1 bootloader and so on for it to even be worth investigating.
In short, you’re not going to find a way to unset these fuses without violating laws of physics, but with very, very extensive knowledge of critical internals it MAY be possible to skip them from being checked in the first place, or to prevent them from mattering.
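The fuse-count rule described in the post above (more fuses can always be burnt, none can be unset, and the bootloader refuses to run a firmware that needs fewer fuses than are already burnt) modelled as a small Python simulation. This is an added example, not Switch firmware or anything from the thread's authors; the only figures taken from the post are 3.0.0 needing 3 fuses and 3.0.1 needing 4. The other table entries, the array size, and the "blow one more fuse on refusal" step are assumptions made to illustrate the mechanism, the last one because the post itself only says it is likely.

```python
"""Toy model of a monotonic eFuse anti-rollback check.

Added example, not Switch firmware.  Only 3.0.0 -> 3 fuses and 3.0.1 -> 4
fuses come from the thread; the remaining table entries, the array size and
the tamper-marker behaviour are constructed assumptions.
"""

# Constructed table: installed firmware version -> fuses the boot code expects burnt.
REQUIRED_FUSES = {"1.0.0": 1, "2.0.0": 2, "3.0.0": 3, "3.0.1": 4}


class EFuseArray:
    """One-time-programmable bits: a 0 can become a 1, never the reverse."""

    def __init__(self, size=16):
        self._bits = [0] * size

    def burn(self, index):
        # Burning is irreversible; there is deliberately no clear()/reset path.
        self._bits[index] = 1

    def count(self):
        return sum(self._bits)

    def unburn(self, index):
        # Modelled as impossible: a burnt fuse is destroyed, not toggled.
        raise PermissionError("burnt eFuses cannot be unset")


def burn_up_to(fuses, target):
    """Burn fuses until at least `target` are set.  The count only ever rises."""
    while fuses.count() < target:
        fuses.burn(fuses.count())


def boot_check(fuses, installed_version):
    """Emulate the boot-time comparison of burnt fuses against the firmware's need.

    Returns one of:
      'boot'             burnt count matches what this firmware requires
      'burn_then_boot'   firmware is newer than the fuse state (normal update path)
      'refuse_rollback'  more fuses burnt than this firmware requires, i.e. an
                         older firmware than the last one that ran on this unit
    """
    required = REQUIRED_FUSES[installed_version]
    burnt = fuses.count()
    if burnt == required:
        return "boot"
    if burnt < required:
        burn_up_to(fuses, required)  # the update burns its fuses, then boots
        return "burn_then_boot"
    # Downgrade detected.  Blowing one more fuse as a service marker is the
    # post's speculation and is included here as an assumption.
    burn_up_to(fuses, burnt + 1)
    return "refuse_rollback"


def simulate_downgrade():
    """Walk the scenario from the thread; returns (outcomes, final fuse count)."""
    fuses = EFuseArray()
    outcomes = [
        boot_check(fuses, "3.0.0"),  # fresh unit on 3.0.0: burns 3 fuses, boots
        boot_check(fuses, "3.0.0"),  # reboot: 3 == 3, boots
        boot_check(fuses, "3.0.1"),  # update: burns a 4th fuse, boots
        boot_check(fuses, "3.0.0"),  # eMMC restored to 3.0.0: 4 > 3, refused
        boot_check(fuses, "3.0.0"),  # retrying does not help: still refused
    ]
    return outcomes, fuses.count()


if __name__ == "__main__":
    results, final = simulate_downgrade()
    for version, outcome in zip(["3.0.0", "3.0.0", "3.0.1", "3.0.0", "3.0.0"], results):
        print(f"boot {version}: {outcome}")
    print("fuses burnt:", final)
```

Restoring the eMMC image changes only what the storage says; the fuse array still records the highest firmware that has run, so the restored 3.0.0 is refused every time, and each refusal in this model leaves one more fuse burnt for service to find.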
An efuse would be on the order of a hundred nanometers in size (a few hundred atoms). That's 0.000001 inches. For comparison, a human red blood cell is 6,000-8,000 nm and a human hair is approximately 80,000-100,000 nm.
I don't know if I would go that far. Atomic force microscopes, some of the decapping/trace reconstruction stuff and a whole lot of effort could see either a bridge/bypass wire built or the thing redone.
It is some incredibly rare and hard to come by tech, and the people to operate it are similarly rare but I would say it is well within current tech, never mind presently understood laws of physics. I doubt we will see it hit even "doctoral student has some fun" level* within the next few decades, and prior to then it will probably be cheaper to spin off a run of compatible chips (if a future FPGA equivalent can't outright replicate it, ignoring entirely the option to maybe find private keys somehow), but again I don't think I would look at the laws of physics as the barrier.
*a source of a few choice hacks over the years.
With the info posted above, who needs Google?
@cybrian the lurkers are awesome, only come out of the shadows to say something really good. Really loved that explanation.
And @FAST6191, not a lurker, but always awesome.
No, you actually are wrong. These things are measured in nanometers. You can’t make a jumper wire nanometers in size and install it. Not to mention decapping a chip is insanely expensive and doesn’t even always yield much of anything useful.
Heh, the Wikipedia article on eFuses even mentions the Switch.
I know they are usefully measured in nm - there is a nice SEM shot up above which says as much.
Decapping is not that bad and is done for fun these days.
You would probably want to do a bunch of them to narrow down the dimensions needed but that is cheap enough.
Depending upon how many layers you might be in for a fun time recreating whatever you drilled through to get down to the fuse level but again it is not impossible (I can't recall if it was the video above or another on the subject which detailed how the security measures where a single layer is dedicated to being a massive single trace and breaking it anywhere should break the circuit, so they connected a wire across the start and end point).
Back to the eFuses: wires is perhaps the wrong term, but one that is understandable. Manipulation of conductors on that level is doable (one need not necessarily recreate the fuse so much as just bypass it, after all).
So again, probably largely theoretical at this point, but the techniques I would look to are well established and have operated at the levels necessary. I agree it is unproven, and hideously expensive/impractical; however, I reckon with the above stuff in place it is a far cry from "physics says no", which was what I took issue with.
I just can't wait for when people will start threads about Switch bricking because of eFuses ... I'm gonna fap reading y'all crying.
But if these things are so small and presumably work like a normal fuse (from the pic posted it almost looks like a glob of solder on there),
then wouldn't they be unset or set by heat? Like if you have a reflow done, would they all just melt open? Or melt and flow and be closed?
If they are so small, then wouldn't heat affect them? If not, then why?
I'm not an expert, but I think that's backwards; remember, you're looking at something extraordinarily tiny -- it seems like the dark areas are the actual conductive part, and the process of 'burning' the efuse actually removes the conductive material from the signal path (exposing the non-conductive silvery substrate).
Yes, and these are not made of alloys meant to flow at low temperatures, like solder, either. Solder is designed to have an extremely low melting point.
Not to mention that heat isn’t what actually blows the fuse. It’s electromigration, which is affected by, but not related to, heat. Or at least that’s how I understand it — I don’t know much about semiconductor physics, and you need to in order to truly understand the mechanics of these things.
Also, sure, if someone was willing to invest tens of millions of dollars just to bypass the eFuses in the Switch, it might be possible. You’d need semiconductor fabrication firms, which is just not remotely feasible. Not to mention a minor update to the chip would send you on the wrong path or at least disrupt your work heavily.
It’d be cheaper to buy every commercially released Switch game and an entire indie developer to have them write software for you.