Could it be possible to downgrade the Switch someday?

Discussion in 'Switch - Hacking & Homebrew' started by Noctosphere, Dec 3, 2017.

Thread Status:
Not open for further replies.
  1. evandixon

    Blowing efuses won't harm your device; in this context, they're like regular memory that can only ever be written to once. If too many fuses are blown, the software will assume that means a downgrade happened, and the software will refuse to boot.
     
  2. mikey420

    The Switch bootrom is unlikely to control the efuse verification, as this changes with each update. In short, if the bootrom can be exploited we could negate the efuses and install whatever software version we wish, but at that point a downgrade would be useless, as we already have hardware control at boot time and can patch the latest software version. Basically, downgrading the Switch would require hacks that would make downgrading it absolutely pointless. So no, we will not see a software downgrade for the Switch, and if we do it's not going to be useful for anyone besides a developer who for whatever reason wants to revert to an older build of the software.
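As an added illustration of the mechanism the two posts above describe (not part of either post, and not the Switch's actual code): a model of write-once fuses used as an anti-downgrade counter, where the firmware-side table of expected fuse counts is a constructed, hypothetical example.

```python
# Added example (not from the thread): a model of the fuse-based anti-downgrade
# check described in the posts above. Version numbers and the table are constructed.
from dataclasses import dataclass, field
from typing import List


class FuseError(Exception):
    """Raised on an operation the one-time-programmable hardware cannot perform."""


@dataclass
class FuseBank:
    """Write-once fuses: a bit can go 0 -> 1 when burnt, but never back to 0."""
    size: int = 8
    bits: List[int] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.bits = [0] * self.size

    def burnt(self) -> int:
        return sum(self.bits)

    def burn_up_to(self, count: int) -> None:
        if count > self.size:
            raise FuseError("fuse bank exhausted: no fuses left to burn")
        for i in range(count):  # setting an already-burnt bit is a no-op
            self.bits[i] = 1

    def clear(self) -> None:
        raise FuseError("fuses are write-once; they cannot be reset")


# Constructed mapping: firmware version -> fuses that version expects burnt. The table
# grows with every release, so the code that consults it ships with the firmware
# rather than living in fixed ROM (the point the second post makes).
EXPECTED_FUSES = {1: 1, 2: 2, 3: 3, 4: 4}


def boot_check(fuses: FuseBank, fw_version: int) -> str:
    """Early-boot anti-rollback check: refuse firmware older than the fuse count implies."""
    expected = EXPECTED_FUSES[fw_version]
    if fuses.burnt() > expected:
        return "panic: downgrade detected"  # more fuses burnt than this firmware knows of
    if fuses.burnt() < expected:
        fuses.burn_up_to(expected)  # first boot of newer firmware burns the difference
    return "boot ok"


def simulate(boot_sequence: List[int], size: int = 8) -> List[str]:
    """Boot a fresh device through a sequence of firmware versions, recording outcomes."""
    fuses = FuseBank(size=size)
    return [boot_check(fuses, v) for v in boot_sequence]
```

Running `simulate([1, 2, 1])` shows the sequence the first post describes: two successful boots that burn fuses, then a refusal once an older version sees more fuses burnt than it expects.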
     
  3. Noctosphere (OP)

    Why would I cry? Did I say I wanted homebrew?

     
  4. Ryccardo

    Ryccardo WiiUaboo

    Member
    3,558
    1,697
    Feb 13, 2015
    Italy
    Imola
    That's an interesting point actually - some processors are designed to coldboot from a choice of more than one memory address, usually selected by specific pin connections - not that said pins have to be externally available, of course!

    The bootrom or early further-stage loaders themselves could have similar logic, as seen in multiple nerd-friendly tech products (mainly ebook readers and Raspberry Pi competitors) - which the Switch most likely isn't, or if it is will enforce some checks anyway (see 3DS and Wii U) - but with it having allegedly been dumped by the known few, it would be relatively simple to [dis]prove...
     
  5. Risingdawn

    Risingdawn Tempallica

    Member
    693
    501
    May 22, 2010
    United Kingdom
    If you could exploit the bootrom you would be able to find the keys to decrypt and sign your own FW, which we refer to as Custom Firmware. This would be the point you could basically do anything you wanted from lv0.

    Unless a lot has changed since I last messed about with this stuff, you can't change anything of the bootrom; it's read-only and flashed on in the factory. Once it's there, that's it. You can exploit flaws in the code, but you can't rewrite or patch it.

    You really have no need to either, ofc, because the fuse check should come after the bootrom at lv0. I could be wrong though; it's been a very long time and much has changed/advanced over the years.
     
  6. TheCyberQuake

    TheCyberQuake Certified Geek

    Member
    3,439
    2,290
    Dec 2, 2014
    United States
    Las Vegas, Nevada
    Actually, the bootrom on the Switch is updateable, iirc. It's why ReSwitched has said the console could deal with a sighax-like exploit without it being a permanent problem like on the 3DS.
     
  7. SirNapkin1334

    SirNapkin1334 Renound Aritst

    Member
    471
    89
    Aug 20, 2017
    United States
    Land of Magical Elves (and indie programmers)
    Yes. But you would have to exploit the bootrom before lockout, because after lockout not only can you not write to it, but you can't even read it.

    Well, that would likely be something appended to the bootrom, which is loaded afterwards. This is a bad idea, though. If we could trick the Switch into installing a non-legit update crafted by a hacker, we could do anything to it.
     
  8. mikey420

    mikey420 GBAtemp Advanced Fan

    Member
    551
    173
    Dec 11, 2015
    United States
    If the bootrom is updateable, it's not a bootrom. There would have to be a lower-level control scheme in place to verify this software... in short, by definition a bootrom is read-only.
     
  9. SirNapkin1334

    SirNapkin1334 Renound Aritst

    Member
    471
    89
    Aug 20, 2017
    United States
    Land of Magical Elves (and indie programmers)
    Yes. That's what I said: the bootrom is not being updated; it's likely something else that the bootrom leads into, a sort of post-boot, pre-OS program.
     
  10. Risingdawn

    Risingdawn Tempallica

    Member
    693
    501
    May 22, 2010
    United Kingdom
    It would be the bootloader that is next in the chain, I guess; in theory the bootrom should be absolute, but potentially the bootloader would be patchable.

    If you could update the bootrom, that's very brave: on the one hand, yes, you could fix a vulnerability, but if someone already had the master keys they could sign their own!
     
  11. SirNapkin1334

    SirNapkin1334 Renound Aritst

    Member
    471
    89
    Aug 20, 2017
    United States
    Land of Magical Elves (and indie programmers)
    If you could update the bootrom, it would be by definition not a bootrom.
     
  12. magico29

    magico29 GBAtemp Regular

    Member
    GBAtemp Patron
    magico29 is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    259
    50
    Aug 2, 2017
    United States
    I don't think so, baby. My advice: do not ever update your Switch and be patient; sooner or later we're gonna take over, baby!!
     
  13. Risingdawn

    Risingdawn Tempallica

    Member
    693
    501
    May 22, 2010
    United Kingdom
    It would be a boot function! lol
     
  14. RedBlueGreen

    RedBlueGreen GBAtemp Maniac

    Member
    1,150
    364
    Aug 10, 2015
    Canada
    I'm sure it can be downgraded eventually. But you'd have to have complete control over the console to be able to do that. You'd have to be able to bypass the eFuse checks (which would likely require some sort of CFW), or be able to force the console to boot even if it fails the check (which would still likely require CFW).

    It'll probably be years before somebody manages to reverse engineer the Switch to the point where that's possible.
     
  15. SirNapkin1334

    SirNapkin1334 Renound Aritst

    Member
    471
    89
    Aug 20, 2017
    United States
    Land of Magical Elves (and indie programmers)
    Nah, I think that the eFuse requirement is hardcoded into the bootrom. Even with full control, we still couldn't modify it. YOU CAN NEVER CHANGE OR PATCH A BOOTROM. THAT IS THE DEFINITION OF A BOOTROM. READ-ONLY—NO CHANGING!!
     
  16. mikey420

    mikey420 GBAtemp Advanced Fan

    Member
    551
    173
    Dec 11, 2015
    United States
    Chances are the efuse check is part of the early boot chain, so we would likely need a bootrom hack to be able to do this. We would not need a bootrom hack to patch out security functions... in short, downgrading is not useful.

    Unlikely, as the efuse values change with each update, meaning whatever verifies this needs to be updateable.
     
  17. TheCyberQuake

    TheCyberQuake Certified Geek

    Member
    3,439
    2,290
    Dec 2, 2014
    United States
    Las Vegas, Nevada
    Bypassing efuses in software is likely impossible, but there could be hardware methods to bypass efuses. Hardware glitching and trickery could get it done, but I don't think it could feasibly fit in the Switch shell anyway.
     
  18. TheCyberQuake

    TheCyberQuake Certified Geek

    Member
    3,439
    2,290
    Dec 2, 2014
    United States
    Las Vegas, Nevada
    I'm fairly certain there is already documentation on where in the boot process the efuse check is done and panics if failed.
     
  19. RedBlueGreen

    RedBlueGreen GBAtemp Maniac

    Member
    1,150
    364
    Aug 10, 2015
    Canada
    We don't necessarily know that though, not until the Switch has had a lot of reverse engineering done on it. All we know is that the check seems to happen early on.
    Do you have the source? I'm not familiar with the Switch homebrew scene. The last thing I heard was that the bootrom was dumped.
     
  20. mikey420

    mikey420 GBAtemp Advanced Fan

    Member
    551
    173
    Dec 11, 2015
    United States
    I should check, as I think you may well be right. I recall reading something in this regard recently.

    For those wondering, here is a fairly complete article in this regard.

    http://wololo.net/2017/08/24/nintendo

    From what I'm reading, the bootloader will panic, which would mean the check is defeatable, but it would be pointless. Downgrading would require more than a kernel or root exploit, which is all one would need to temp jailbreak a device anyway.
     