Hacking Switch bootrom warmboot exploit

[Deleted User]

In case anyone wants to go looking for the bootrom exploit that caused this ktempkin drama, it's related to SDRAM warmboot.
Apparently there is a flaw in the bootrom that lets you takeover the bootrom itself when the bootrom is executing code during a warmboot reset.

How it fits together is you set up some special values in memory and trigger a warmboot reset. If you did it correctly it will trigger the vulnerability and will jump to your code, thus taking over the bootrom.
If you have a 4.1 exploit to trigger warm boot reset, you can have a softmod that does this.


Obviously I left out a few details, but someone more skilled knows where to look now...

 

[Draxzelex]

Inb4 the exploit is leaked

 

[Kioku]

Inb4 the exploit is leaked

"Leaked"..

Get the tape!

 

[V-Temp]

Inb4 the exploit is leaked

Seems like it was, along with Deja Vu.

Blowing everything up for any hopes of 5.x/Mariko.

 

[the_randomizer]

In before a Nintendo defender sells it to Nintendo

 

[V-Temp]

In before a Nintendo defender sells it to Nintendo

This is seemingly already in Nintendo's hands. The issue is this outs Deja Vu completely.

 

[the_randomizer]

This is seemingly already in Nintendo's hands. The issue is this outs Deja Vu completely.

Not that it would benefit people on 5.x.x anyway There was never gonna be a softmod for that firmware AFAIK.

 

[Draxzelex]

"Leaked"..

Get the tape!

I hope this brand is good enough

Spoiler

 

[Kioku]

I hope this brand is good enough

Spoiler

Y'know? Apparently it's a really good product. Maybe it'll work here. Lord knows we've got some bad leaks in the scene.

 

[V-Temp]

Not that it would benefit people on 5.x.x anyway There was never gonna be a softmod for that firmware AFAIK.

5.x still had parts of Deja Vu in it.

 

[the_randomizer]

5.x still had parts of Deja Vu in it.

Doesn't mean anything if it doesn't come to fruition or the end result is never released publicly *shrug*. I didn't see that being released in all honest.

 

[V-Temp]

Doesn't mean anything if it doesn't come to fruition or the end result is never released publicly *shrug*. I didn't see that being released in all honest.

Well now it will never come to fruition, though. This completely torpedoes a closely kept secret.

 

[Kioku]

Doesn't mean anything if it doesn't come to fruition or the end result is never released publicly *shrug*. I didn't see that being released in all honest.

It might be. There's a chance they're sitting on it until they know for sure it'll work or not on Mariko units. Time will tell. Even if not current devs, someone might.

 

[V-Temp]

It might be. There's a chance they're sitting on it until they know for sure it'll work or not on Mariko units. Time will tell. Even if not current devs, someone might.

Not sure any one was sitting on it, not any more.

This more or less IS Deja Vu, betweeen the warmboot exploit and coldboot enabling which was what DJ promised. Now everyone knows how its done, so whether or not its released, its already pretty much lost.

Kate was right in what she said on twitter, this was know about already. 5.x fixed this because Nintendo knew about the ability to coldboot on <4.1, which means they knew this exact thing was possible.

 

[Garrincho]

Where does this info even come from...?

 

[Kioku]

Not sure any one was sitting on it, not any more.

This more or less IS Deja Vu, betweeen the warmboot exploit and coldboot enabling which was what DJ promised. Now everyone knows how its done, so whether or not its released, its already pretty much lost.

Kate was right in what she said on twitter, this was know about already. 5.x fixed this because Nintendo knew about the ability to coldboot on <4.1, which means they knew this exact thing was possible.

Well, I misworded that. I meant waiting to try and make it work on 5.x. :x

Apparently there's some traces of it in tact, just no known way to execute it.

 

[guily6669]

I hope this brand is good enough

Spoiler

OMG, that's exactly what I needed, THANK YOU SO MUCH.

Need to fix a 1000L tank of water .

Now tape really fixes every god damn thing

 

[V-Temp]

Well, I misworded that. I meant waiting to try and make it work on 5.x. :x

Apparently there's some traces of it in tact, just no known way to execute it.

Yup you're right, that's been the status of it.

But now that we know how this works I don't know if this would have worked on Mariko any way, its not a Tegra X1.

 

[Wednesday101]

Would this exploit essentially allow 4.1 users to boot directly into homebrew without a tether?

 

[Draxzelex]

Would this exploit essentially allow 4.1 users to boot directly into homebrew without a tether?

Essentially yes since we have userland based exploits