Switch boot procedure is now documented in switchbrew, and it has downgrade protection with fuses.

Discussion in 'Switch - Hacking & Homebrew' started by gabru, Jul 26, 2017.

  1. GerbilSoft

    GerbilSoft GBAtemp Addict

    Member
    2,061
    2,268
    Mar 8, 2012
    United States
    On 3DS, there's three different types of boot signatures:
    • Standard eMMC boot
    • NTR cartridge boot
    • Wi-Fi SPI flash boot
    You can't take a FIRM binary signed for NTR cartridge boot and install it on the eMMC FIRM partition because the signature won't validate. I would assume the same is true for Switch; something signed for cartridge boot wouldn't work for eMMC boot and vice-versa.

    (Note that even with sighax, the required signature is different for the three boot methods, so you can't directly take a sighaxed FIRM for eMMC and run it from an NTR cartridge.)
     
    Tomato Hentai and TotalInsanity4 like this.


  2. Yami Anubis ZX

    Yami Anubis ZX Advanced Member

    Newcomer
    82
    26
    Mar 20, 2016
    United States
    That is inevitable. Plus replacing a motherboard would be a waste considering it costs them money and also the fact that there having trouble manufacturing the parts because of the ongoing Foxconn debacle. It would also be very stupid on Nintendo to not have a back up plan for fixing there devices.
     
    Last edited by Yami Anubis ZX, Aug 5, 2017
    Tomato Hentai and TotalInsanity4 like this.
  3. TimX24968B

    TimX24968B "That guy"

    Member
    1,354
    274
    Oct 28, 2015
    United States
    Nowhere
    Isn't this how samsung uses knox on their devices to check for warranty?
     
    TotalInsanity4 likes this.
  4. TheMCNerd2017

    TheMCNerd2017 Member

    Newcomer
    35
    12
    Jun 21, 2017
    United States
    I believe so.
     
    Roomsaver likes this.
  5. Platinum Lucario

    Platinum Lucario GBAtemp Fan

    Member
    494
    221
    May 17, 2014
    Australia
    Warrnambool, Victoria, Australia
    This is actually more advanced than what Sony did with their PS3 console (which the PS3 had factory firmware value hardcoded onto the CPU, so it couldn't be downgraded past that version). The Nintendo Switch System-on-Chip (Nvidia Tegra X1) uses eFuses, which the Bootloader checks the amount of times the fuses on the CPU has been burnt. If there was some CFW or something that could act as a Anti-Fuse in which could block the fuses from being burnt, or something that could change the value in the Bootloader and the Userland, then something could be achieved from it.

    But yeah, downgrades will not be possible unless the downgrades can somehow be patched with those number of eFuses of the newest firmware on it. But that in itself would be pointless. The best course of action, would be to just not update the system, and have some other Nintendo Switch for normal gaming.
     
  6. Noctosphere

    Noctosphere Moon furries | Official follower of Skiddon't-ism

    Member
    2,032
    1,894
    Dec 30, 2013
    Canada
    Between three furries women
    Id like to know too because it means they have a limit of how many update they can launch, right?
     
  7. Roomsaver

    Roomsaver GBAtemp Advanced Fan

    Member
    951
    243
    Sep 7, 2015
    United States
    garfield kart grand prix
    I don't believe so. The fuses are for downgrade protection so Nintendo will know if you've tampered with the software.
     
  8. Noctosphere

    Noctosphere Moon furries | Official follower of Skiddon't-ism

    Member
    2,032
    1,894
    Dec 30, 2013
    Canada
    Between three furries women
    From what ive read, if 3 fuses are burnt, then youre supposed to be on 3,0
    So that mean they cant burn more fuses than there is in the switch, but i guess they wont burn a fuse at every update, maybe once every x,0,0 update
     
  9. aut0mat3d

    aut0mat3d GBAtemp Regular

    Member
    115
    60
    Mar 15, 2017
    Australia
    As on the latest 3.01 release all Keys were changed and (due the change of the keys) all Sysmodules, etc. are changed/recompiled with new Keys i am pretty sure also additional fuses were used.
    So: If we get homebrew on consoles <= 3.00 in the Future we are stuck on playing Games <=3.00 until Bootloader is hacked IMHO
     
  10. WiiFoundLove

    WiiFoundLove GBAtemp Regular

    Member
    197
    62
    Jan 18, 2015
    Afghanistan
    Yes, they do.
     
  11. Eddypikachu

    Eddypikachu GBAtemp Fan

    Member
    386
    147
    Mar 25, 2015
    United States
    nvm :P
     
    Last edited by Eddypikachu, Aug 7, 2017
  12. Selver

    Selver 13,5,1,14,9,14,7,12,5,19,19

    Member
    203
    276
    Dec 22, 2015
    There are at least two distinct sets of eFuses that have an associated count. One set is confirmed to be used for downgrade protection.
    Other eFuses also exist. It is not unreasonable to imagine that an eFuse would be set aside as a method to "blacklist" a console from online play, for example.

    It's simpler than that. Remember that a repair will always update the system to the latest released firmware.
    Therefore, if Nintendo has a repair cartridge, that repair cartridge is likely also programmed to only work on systems with EXACTLY that number of fuses burnt. (if fewer are burnt, then it could burn them and reboot; if more are burnt then it would likely panic).
    Then, Nintendo would simply provide an updated image for the repair cartridge to authorized repair centers.

    This would result in any repair cartridge image, even if ever escaped into the wild, being usable only until the next firmware update.
     
    Tomato Hentai likes this.
  13. Futurdreamz

    Futurdreamz GBAtemp Advanced Maniac

    Member
    1,655
    917
    Jun 15, 2014
    Canada
    Does it only count the fuses burnt or does it keep track of exactly which fuses are burnt? So if the right number of fuses are burnt but fuses 1 and 9 are burnt instead of 1 and 2, wouldn't it panic?
     
  14. Noctosphere

    Noctosphere Moon furries | Official follower of Skiddon't-ism

    Member
    2,032
    1,894
    Dec 30, 2013
    Canada
    Between three furries women
    fuses that blow to prevent downgrade
    possibility of a fuse that blow to ban your console
    and maybe more hardware protection

    With all the knowledge we have so far on the switch, would you think it is risky to hack the console?
    I'm asking developper, please no nooby answer thanks
     
    TimX24968B likes this.
  15. Selver

    Selver 13,5,1,14,9,14,7,12,5,19,19

    Member
    203
    276
    Dec 22, 2015
    See http://switchbrew.org/index.php?title=Fuses#eFuses for more info on the fuses.
    See http://switchbrew.org/index.php?title=Package1#Main for more info on at least one of the anti-downgrade checks.

    Yes.
     
  16. SquidGuy

    SquidGuy Member

    Newcomer
    49
    1
    Jan 1, 2017
    Poland
    You may never know...
    well would it be possible to spoof?
     
  17. StarGazerTom

    StarGazerTom GBAtemp Advanced Fan

    Member
    815
    528
    Feb 2, 2015
    To my knowledge, unless something was discovered super early in the boot process, I highly doubt it. Even the 360 doesn't have an efuse spoofer yet. Simply a reader program, which is, again, super early.
    I'd say it's nigh-impossible.
     
  18. SquidGuy

    SquidGuy Member

    Newcomer
    49
    1
    Jan 1, 2017
    Poland
    You may never know...
    wait so, if you buy a switch with FW 2.0 does that mean the will be no burnt eFuses?
     
  19. StarGazerTom

    StarGazerTom GBAtemp Advanced Fan

    Member
    815
    528
    Feb 2, 2015
    There is likely 1 burnt fuse. Each update that's coded to burn a fuse will increase the increment by 1.
     
  20. TimX24968B

    TimX24968B "That guy"

    Member
    1,354
    274
    Oct 28, 2015
    United States
    Nowhere
    what happens once all the fuses are burnt? or is there such a large number of fuses that its not the case? wondering if that kind of protection would fail if they ran out of fuses to burn.