Hacking Switch boot procedure is now documented in switchbrew, and it has downgrade protection with fuses.


gabru

More info at: http://switchbrew.org/index.php?title=Package1

Downgrade check

The bootloader will check whether someone attempted to downgrade it. A fuse array is checked; if too many fuses are burnt, the bootloader detects a downgrade attempt. The fuse array and the expected number of burnt fuses are different on unit type 0 (non-retail) and unit type 1 (retail).

Panic
The panic function does the following things:
  • It clears the stack
  • It disables(?) and clears the security engine
  • It sets a fuse (so that Nintendo knows that you attempted to mess with the bootloader)
  • It clears the key area
  • It clears the data for stage 2
  • It signals over the debug interface that a panic occurred until the Switch is reset.
 
They certainly took a pretty hardball stance on this system. Even if it does get hacked, it may be very possible that it will always be a difficult procedure, that kills online.


That reminds me... I wonder if Voice Chat is actually coming to the Switch, but only as a mandatory update that kills all exploits.
 

Switchbrew said:
  • Registers are setup
  • A device (?) is powered on
  • Flags are set on the clock-reset registers
  • [3.0.0+] The security engine address is setup
  • [3.0.0+] Bit30 of offset 0x800 of the security engine is checked: if set, panic.
  • The SKU info is checked. If it doesn't match 0x83, panic.
  • Fuse coherency is checked, potentially panicking.
  • The copy of the BCT left by the bootROM is checked. If the version field doesn't match the expected version field, panic.
  • Anti-downgrade fuses are checked, potentially panicking.
  • [1.0.0-2.3.0] Fuse programming is disabled until next reboot.
  • The memory controller is powered on and setup to allow GPU DMA to the IRAM. This will be needed to interact with the Falcon and with the security engine.
  • [1.0.0-2.3.0] The security engine address is setup
  • [1.0.0-2.3.0] Bit30 of offset 0x800 of the security engine is checked: if set, panic.
So apparently 3.0.0 made a few changes to the order in which the security engine setup happens. Maybe they became aware of a possible exploit on older versions?
 
Does this mean that if someone attempts to downgrade the Switch, the fuses will be blown and you have to send it to Nintendo for repair?
Or are they the type of self-resetting fuses?
 
Ask the people over at the 360 Scene what Efuses can do lol

Many people will blow up the Switches soon...
 
meh this is what xbox 360 had, still got raped.
Did the 360 have a tamper flag? I don't recall mention of this (mostly just: if you flashed the wrong NAND, flash the right one and try again; that, or hope you did not burn a few more fuses by flashing a current update or something).
While I am fully prepared for it to be rendered moot by something it would on the face of it seem to be a fairly fundamental change, at least as far as ease of exploration and care needed for end users of the hacks.
 
meh this is what xbox 360 had, still got raped.

Xbox 360 had 2 security flaws which allowed this to happen: it had a separate power supply pin for the fuses, and the early versions of the firmware didn't check for the presence of voltage on the fuse supply pin. None of the modern CPUs have a separate supply for security fuses anymore; the lesson has been learned. Not saying the Switch is immune to hacking, but it will probably be more difficult than just desoldering the power resistor to disable the fuses.
 
The switch doesn't have an "OTP dump"...I don't think you understand what those words mean...
What exactly do you mean by this?
Do you mean the Switch doesn't have the OTP keys, or that there is no exploit available to get them?

The OTPs are used for signing/encrypting the payloads to be legit on our consoles?
Does only the 3DS have the OTPs? (I am sure that I heard Derrek talking about Wii U OTP dumping at 33c3)

-> For a loaderhax on the Switch the OTPs are required
-> Hopefully, in 3 years, dumping them will not require a version below 3.0.0, so I don't have to downgrade...

Please excuse that I am talking in questions :(
 
Some are not understanding what the fuses do. In the process of updating the console, it burns a certain number of fuses. Let's say that for 3.0 the CPU has exactly 3 fuses burnt (the update process burns them). Then you successfully downgrade to 1.0. Since having version 1.0 means you should have ONLY a single burnt fuse, the bootrom will detect that you have 3 fuses burnt (because you updated to 3.0 at some point), so it will panic. And no, there is no way to un-burn the fuses.
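To make the mechanism described in the quoted switchbrew "Downgrade check" section and in the post above concrete, here is an added example that models it in C. This is not Nintendo's, switchbrew's, or any poster's code; the fuse array is modelled as a 32-bit word, and the version-to-expected-fuse-count tables for retail (unit type 1) and non-retail (unit type 0) units are constructed placeholders, not the real values. It also goes slightly beyond the thread by modelling the update path, which can only OR bits into one-time-programmable fuses, so that the "no way to un-burn" point falls out of the code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed policy tables: firmware version -> number of fuses a unit
   on that version is expected to have burnt. NOT the real Switch values. */
typedef struct {
    const char *version;
    unsigned    expected_burnt;
} fuse_policy_t;

#define POLICY_LEN 3
static const fuse_policy_t RETAIL_POLICY[POLICY_LEN] = {     /* unit type 1 */
    { "1.0.0", 1 }, { "2.0.0", 2 }, { "3.0.0", 3 },
};
static const fuse_policy_t NONRETAIL_POLICY[POLICY_LEN] = {  /* unit type 0 */
    { "1.0.0", 0 }, { "2.0.0", 1 }, { "3.0.0", 2 },
};

/* The fuse array is modelled as one 32-bit word; a burnt fuse reads as 1. */
unsigned count_burnt_fuses(uint32_t fuse_word) {
    unsigned n = 0;
    for (; fuse_word; fuse_word >>= 1) n += fuse_word & 1u;
    return n;
}

static const fuse_policy_t *policy_for(unsigned unit_type) {
    return unit_type == 1 ? RETAIL_POLICY : NONRETAIL_POLICY;
}

/* Expected burnt-fuse count for a version, or -1 if the version is unknown. */
static int lookup_expected(const fuse_policy_t *pol, const char *version) {
    for (unsigned i = 0; i < POLICY_LEN; i++)
        if (strcmp(pol[i].version, version) == 0) return (int)pol[i].expected_burnt;
    return -1;
}

/* Anti-downgrade check: true = boot may continue, false = panic.
   More burnt fuses than the booting version expects means the unit was
   once on a newer firmware, i.e. a downgrade. Unknown versions panic too. */
bool downgrade_check(unsigned unit_type, const char *version, uint32_t fuse_word) {
    int expected = lookup_expected(policy_for(unit_type), version);
    if (expected < 0) return false;
    return count_burnt_fuses(fuse_word) <= (unsigned)expected;
}

/* Update path: fuses are one-time programmable, so this only ever sets
   bits. It burns the next unburnt fuses until the target version's count
   is reached; a "downgrade" target simply leaves the word unchanged. */
uint32_t update_burn_fuses(unsigned unit_type, const char *target, uint32_t fuse_word) {
    int expected = lookup_expected(policy_for(unit_type), target);
    if (expected < 0) return fuse_word;
    for (unsigned bit = 0; bit < 32 && count_burnt_fuses(fuse_word) < (unsigned)expected; bit++)
        fuse_word |= 1u << bit;  /* burn one more fuse; bits are never cleared */
    return fuse_word;
}

int main(void) {
    uint32_t fuses = 0;                               /* fresh retail unit */
    fuses = update_burn_fuses(1, "1.0.0", fuses);     /* first boot on 1.0.0 */
    printf("on 1.0.0: %u burnt, boot 1.0.0 allowed=%d\n",
           count_burnt_fuses(fuses), (int)downgrade_check(1, "1.0.0", fuses));

    fuses = update_burn_fuses(1, "3.0.0", fuses);     /* update burns two more */
    printf("on 3.0.0: %u burnt, boot 3.0.0 allowed=%d, boot 1.0.0 allowed=%d\n",
           count_burnt_fuses(fuses),
           (int)downgrade_check(1, "3.0.0", fuses),
           (int)downgrade_check(1, "1.0.0", fuses));

    fuses = update_burn_fuses(1, "1.0.0", fuses);     /* cannot un-burn */
    printf("after attempted downgrade: still %u burnt\n", count_burnt_fuses(fuses));
    return 0;
}
```

The point the walkthrough in main() makes is the one the post above makes in words: once the update to 3.0.0 has burnt three fuses, a 1.0.0 bootloader that expects one sees three and refuses to continue, and nothing on the software side can bring the count back down.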
 
Just use exploits for current firmware's, fuck the efuses.

--------------------- MERGED ---------------------------

Just to add, this is an effective method, but come on people, this is Nintendo we are talking about... and exploits are going to be found throughout the Switch's whole firmware life.
 