Hacking Nintendo Switch Secure Boot

[adam235]

I you want to know something more about how the boot process for the switch works just check

http://www.androidroot.mobi/pages/the-inner-workings-of-secure-boot-key-and-nvflash/

You will get the APX device when you remove the NAND from the motherboard and reboot the device with an attached USB 3.0 cable.

Then you can use:
https://github.com/NVIDIA/tegrarcm

or you can use my fork with the needed changes:
https://github.com/pgarba/tegrarcm
(I'm not sure if i'm using the right RCM version but I guess time will show ...)

to communicate with the device. Don't miss to add the right IDs to the usb.h file and make the needed changes to main.c and usb.c

So what's missing now is a the AES key or some workaround as suggested by the androidroot people.

Does anyone have the firmware 2.0 files from the online update ?

Btw:
One possible way to flash a new firmware on older Tegra devices:
https://forum.xda-developers.com/wiki/Wheelie

 

[jimmyleen]

Some one comes along and posts this kind of information and no one has anything to say?



Edit: if this topic was about the 3ds on release day people would be jumping up and down with excitement .

 

[linuxares]

Some one comes along and posts this kind of information and no one has anything to say?



Edit: if this topic was about the 3ds people would be jumping up and down with excitement .

Unknown person, 3 posts only, lot's of what sounds like speculations and not actual proof of anything. The person itself can do it and show it.

 

[Kioku]

Unknown person, 3 posts only, lot's of what sounds like speculations and not actual proof of anything. The person itself can do it and show it.

Nah, too thought out to be some random e troll. Then again, who knows?

 

[linuxares]

Nah, too thought out to be some random e troll. Then again, who knows?

I agree. I think a lot of people though Bushing came out of the blue trying to fix brick Wii's. And he was successful.

 

[dubbz82]

Big problem is a missing AES key. That might not be trivial to retrieve for a while. The idea SEEMS sound on the surface though (then again, I'm far from an expert in this regard).

 

[TesseractStorm]

Sounds like what I recall from devices on Tegra chipsets in the past.

 

[adam235]

Maybe I should do some video and post it on twitter and then point to it

But it was allready shown by someone else that when you remove the NAND it will come up the the NVIDA APX (DFU) device
(https://twitter.com/maximus64_/status/838242952199688192)

lsusb ouput:

Bus 003 Device 036: ID 0955:7321 NVidia Corp.
Couldn't open device, some information will be missing
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x0955 NVidia Corp.
idProduct 0x7321
bcdDevice 1.02
iManufacturer 1
iProduct 2
iSerial 0
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 32
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0xc0
Self Powered
MaxPower 32mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 255 Vendor Specific Subclass
bInterfaceProtocol 255 Vendor Specific Protocol
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0

 

[Dungeonseeker]

Unknown person, 3 posts only, lot's of what sounds like speculations and not actual proof of anything. The person itself can do it and show it.

Unknown person who has his own fork of the hacking tool to tailor his specific needs. I mean he obviously knows something about what he's attempting if he's forked the tool and made switch specific changes to it.

 

[jt_1258]

Unknown person, 3 posts only, lot's of what sounds like speculations and not actual proof of anything. The person itself can do it and show it.

Nah, too thought out to be some random e troll. Then again, who knows?

well he could have been someone who has just been lurking for some time now and finally made an account, so he might know some things already

 

[DoJo_Master]

What ever the case is this information looks to be ground breaking as of now

 

[linuxares]

What ever the case is this information looks to be ground breaking as of now

Not ground breaking, it's standard Nvidia shield parts at the moment. But I commend OP to continue. I like new people coming in but after seen both the Wii U and 3DS scene in the early start. I'm extremely sceptic to new accounts claming success instantly.

I don't discredit OP here at all, but people have trolled before and we don't want people (newbies? People that don't know what they do?) coming up with broken Switches because they want to try the same thing.

 

[2Hack]

Not ground breaking, it's standard Nvidia shield parts at the moment. But I commend OP to continue. I like new people coming in but after seen both the Wii U and 3DS scene in the early start. I'm extremely skeptic to new accounts claiming success instantly.

I don't discredit OP here at all, but people have trolled before and we don't want people (newbies? People that don't know what they do?) coming up with broken Switches because they want to try the same thing.

well, this exploit may not lead to instant full access but they do deserve the credit. The browser has been the source for exploits in both the 3DS and the Wii U so it's not unreasonable. The previous fake exploits we've seen are those that claim to have full access for only "1337$". The group that released this aren't some randos, so we can have faith in them.

also, for those that brick their consoles, that's the tax for doing something without understanding the gravity of what they are messing with. They will always be there.

 

[adam235]

If you want to better understand the Nintendo Switch bootflow.

https://twitter.com/Blips_and_Chitz/status/841646177703608324

 

[uyjulian]

http://http.download.nvidia.com/tegra-public-appnotes/tegra-boot-flow.html

 

[ImAStalker]

Proof?

 

[Ranomez]

I'd be careful with playing around with APX mode cause if Nintendo made any mistake just putting the console in APX mode could mean a permanent brick/permanent read-only NAND as in the case of the HTC One X...

 

[Deleted User]

Because Switch is a damn phone. You can't flash any firmware unless you modify OS itself to allow that. [or make redirect request to boot OS from SDCard]

 

[GerbilSoft]

Because Switch is a damn phone. You can't flash any firmware unless you modify OS itself to allow that. [or make redirect request to boot OS from SDCard]

What makes it a "phone"? It definitely doesn't have a modem for any sort of cellular reception.

 

[Deleted User]

What makes it a "phone"? It definitely doesn't have a modem for any sort of cellular reception.

I only referenced it as a argument. Most people flash their firmwares on phones. [Uncommonly firmwares are made for tablets although that's not really common in Android scene especially if your tablet is chinese one]