Hacking Discussion PSA: Do not update to a new firmware immediately (e.g. 6.0)

mariogamer · Aug 29, 2018

8BitWonder said:
Deja Vu is a trustzone exploit (that only works up to 4.1.0 currently), not an rcm exploit. Similar to Jamais Vu:
https://www.reddit.com/r/SwitchHack...is_vu_a_100_trustzone_code_execution_exploit/

Yes i know. But in what is it related since those units come on 4.1.0? I was talking about the xecuter "solution".

8BitWonder · Aug 29, 2018

mariogamer said:
Yes i know. But in what is it related? I was talking about the xecuter "solution".

If it were Deja Vu, then it wouldn't work above 4.1.0. TX made it clear that their coming solution(s) will work on all firmwares, and would technically be from a coldboot state. Heavily implying it's another rcm exploit.

aln1k0 · Aug 29, 2018

I noticed some people are so afraid of losing the ability to play online. No one knows but it is very likely that updating games and firmware will be possible while being completely offline. My question for all of you who wants to play online using xci, nsps - will you be interested in playing with people who can potentially hack their games and cheat (look at PC gaming)? I would personally prefer to not play against cheaters online.

Clydefrosch · Aug 29, 2018

I haven't even played a backup yet, cause I had so much fun just clicking away at the Update Firmware button all week

mariogamer · Aug 29, 2018

8BitWonder said:
If it were Deja Vu, then it wouldn't work above 4.1.0. TX made it clear that their coming solution(s) will work on all firmwares, and would technically be from a coldboot state. Heavily implying it's another rcm exploit.

Ah I don't remember that one from their message.
Other bootrom flaws are already known by dev anyways. But it would be stupid, even for their business, to burn it now.

Rune · Aug 29, 2018

What TX said (or at least implied) was that they have a work around to get the RCM exploit working again, BUT they had to use another exploit (possibly deja vu) to figure out how to get there.

Wolfy · Aug 29, 2018

Erol said:
yup, me too. Nintendo just shot themselves in the foot....

Honestly yeah, if they waited for the banned to inevitably start updating to 6.0.0 and then superbanned it would've made more sense since as soon as they do their pretty much stuck with broken games at that point.

Maybe they WANTED to let us keep the games that bad XD just saying we understand our mistake now Stay! Stayyyyyyyyyyy. Please?

Deleted User · Aug 29, 2018

Thanks a LOT. Saved me from the Update Devil.

8BitWonder · Aug 29, 2018

mariogamer said:
Ah I don't remember that one from their message.
Other bootrom flaws are already known by dev anyways. But it would be stupid, even for their business, to burn it now.

Oh yeah definitely. I'm hoping at least one flaw makes it through Mariko. But it'd be even better if something was held close to EOL, but I get the feeling that won't be the case.

Rune said:
What TX said (or at least implied) was that they have a work around to get the RCM exploit working again, BUT they had to use another exploit (possibly deja vu) to figure out how to get there.

They said that the unit they looked at for the ipatch was 5.1.0 (though of course, that may be fabricated).
Quoted in this thread: https://gbatemp.net/threads/tx-announces-support-coming-soon-for-unhackable-switch-units.513050/

If it were actually from 5.1.0, then they'd have to either have something different than Deja Vu (possibly a workaround for rcm), or some slightly better implementation that allows for trustzone takeover on higher firms.

ZachyCatGames · Aug 29, 2018

Ashura66 said:
They can and they have. The payload loading is a SOFTWARE issue, not a HARDWARE issue. The HARDWARE issue is just enabling you to enter RCM, nothing more. Loading payloads is done via SOFTWARE that can be patched. In fact, current units(As in the most, MOST recent ones) are patched against running payloads. You can still enter RCM obviously but it throws an error and blocks any payloads from being ran

RCM is a hardware feature, not a hardware flaw.

leon8179 · Aug 29, 2018

8BitWonder said:
If it were Deja Vu, then it wouldn't work above 4.1.0. TX made it clear that their coming solution(s) will work on all firmwares, and would technically be from a coldboot state. Heavily implying it's another rcm exploit.

Well, Deja Vu may work above 4.1 though since if 5.0 already fixes the issue, the exploit would have been released already.

mariogamer · Aug 29, 2018

leon8179 said:
Well, Deja Vu may work above 4.1 though since if 5.0 already fixes the issue, the exploit would have been released already.

Parts of it remain unpatched in the bootrom.

Sonic Angel Knight · Aug 29, 2018

Is there any news on new features for this supposed update?

Draxzelex · Aug 29, 2018

Sonic Angel Knight said:
Is there any news on new features for this supposed update?

Supposedly, according to the screenshot from the Discord server, it will come with a system for you to share messages with friends.

Sonic Angel Knight · Aug 29, 2018

Draxzelex said:
Supposedly, according to the screenshot from the Discord server, it will come with a system for you to share messages with friends.

YES, FINALLY! one step closer to being more like steam Lol

No seriously there should be away to send game invites from the game you play regardless if it's friends or not. Jeez

sprockits · Aug 29, 2018

Ashura66 said:
No i'm talking about new SOFTWARE, not HARDWARE. The Switch models i'm referring to aren't the Mariko ones with the new boards, those aren't out yet. The ones i'm referring to have a SOFTWARE PATCH that blocks payloads from loading. Check out the pinned thread called "Switch information by Serial number" all the info is there

Long time GBATemp listener, first time caller.

Having read the Fusee Gelee Disclosure PDF, it seemed pretty adamant the payload exploits read-only code on the chip itself (burned at the factory) and there was no remediation for existing units. So it makes sense that we're going on serial numbers, i.e. hardware serial numbers, to determine which units are patched at the factory and which ones aren't. Otherwise there'd already be firmware updates that block the exploit. This is a seperate issue to putting it into recovery mode with a shorted pin.

One of the reasons this is such an astonishing vulnerability is that it can't be resolved via software updates.

Or have it read it completely wrong?

Ashura66 · Aug 29, 2018

sprockits said:
Long time GBATemp listener, first time caller.

Having read the Fusee Gelee Disclosure PDF, it seemed pretty adamant the payload exploits read-only code on the chip itself (burned at the factory) and there was no remediation for existing units. So it makes sense that we're going on serial numbers, i.e. hardware serial numbers, to determine which units are patched at the factory and which ones aren't. Otherwise there'd already be firmware updates that block the exploit. This is a seperate issue to putting it into recovery mode with a shorted pin.

One of the reasons this is such an astonishing vulnerability is that it can't be resolved via software updates.

Or have it read it completely wrong?

There is a thread here, a pinned one, that specifies which serial numbers are safe and which aren't. But you are correct, the vulnerability that allows unsigned code to run is a hardware one with the TEGRA chipset that the Switch uses. Which is why the new upcoming Mariko units will have a completely different chipset, one that, SUPPOSEDLY, doesn't have this flaw

mariogamer · Aug 29, 2018

sprockits said:
Long time GBATemp listener, first time caller.

Having read the Fusee Gelee Disclosure PDF, it seemed pretty adamant the payload exploits read-only code on the chip itself (burned at the factory) and there was no remediation for existing units. So it makes sense that we're going on serial numbers, i.e. hardware serial numbers, to determine which units are patched at the factory and which ones aren't. Otherwise there'd already be firmware updates that block the exploit. This is a seperate issue to putting it into recovery mode with a shorted pin.

One of the reasons this is such an astonishing vulnerability is that it can't be resolved via software updates.

Or have it read it completely wrong?

Yes you are right.
However they patched it via Ipatches, which can be argued as both software/hardware (written at the factory, but still more simple to install than a new bootrom).
You cannot really consider thosepatched units as new tho.

sprockits · Aug 29, 2018

Ashura66 said:
There is a thread here, a pinned one, that specifies which serial numbers are safe and which aren't. But you are correct, the vulnerability that allows unsigned code to run is a hardware one with the TEGRA chipset that the Switch uses. Which is why the new upcoming Mariko units will have a completely different chipset, one that, SUPPOSEDLY, doesn't have this flaw

I see. The way you said "a software patch to block payloads" made it sound like they're able to remotely block the payload via software updates, which we agree isn't the case.

Ashura66 · Aug 29, 2018

sprockits said:
I see. The way you said "a software patch to block payloads" made it sound like they're able to remotely block the payload via software updates, which we agree isn't the case.

No no, no not what i mean and i apologize for the confusion. While technically it IS a software patch, it's done at the factory for new systems and not something they just roll out for pre existing systems

Hacking Discussion PSA: Do not update to a new firmware immediately (e.g. 6.0)

Well-Known Member

Small Homebrew Dev

Member

Well-Known Member

Well-Known Member

Well-Known Member

Person That Never Was

Deleted User

Guest

Small Homebrew Dev

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

New Member

Well-Known Member

Well-Known Member

New Member

Well-Known Member

Similar threads

Popular threads in this forum