Do you think that hackers will ever take full control of the switch?

Poll: Do you think that hackers will ever take full control of the switch (172 voters)

smf (Well-Known Member, Member; joined Feb 23, 2009; 6,643 messages; 2 trophies; 5,863 XP; United Kingdom)
> How is Boot2 more powerful than FuseeGelee?

Because it's permanent, not tethered.

> I don't know much about Wii stuff. Does that exploit get run before execution is handed over to the OS?

Yes, boot2 is what loads the OS.

> If I remember right, it executes in the last part of the booting process (Boot2) before NAND or any IOS is touched.
> (I'm a bit hazy on Wii too though, so someone correct me if I'm wrong).

Well it's loaded from NAND, as is boot1 (boot0 is loaded from mask ROM).

> An untethered coldboot exploit would be worse than our current tethered coldboot exploit because it would require you to be on a certain firmware version.

If we're talking about a hypothetical made-up untethered coldboot exploit, then why can't we make one up that runs on all firmwares?
 

Draxzelex (Well-Known Member, Member; joined Aug 6, 2017; 19,011 messages; 2 trophies; age 29; New York City; 13,379 XP; United States)
> If we're talking about a hypothetical made-up untethered coldboot exploit, then why can't we make one up that runs on all firmwares?

Because we would need something that we can hijack that is executed before the fuse check, which does not seem like a very extensive list of avenues.
 

smf (Well-Known Member, Member; joined Feb 23, 2009; 6,643 messages; 2 trophies; 5,863 XP; United Kingdom)
> Because we would need something that we can hijack that is executed before the fuse check, which does not seem like a very extensive list of avenues.

It's not an extensive list; currently there are zero entries. So until there are some workable methods, you can't really say anything about them.
 

Draxzelex (Well-Known Member, Member; joined Aug 6, 2017; 19,011 messages; 2 trophies; age 29; New York City; 13,379 XP; United States)
> It's not an extensive list; currently there are zero entries. So until there are some workable methods, you can't really say anything about them.

I don't get it, you initially responded with "let's make an untethered coldboot exploit" and now you're saying there is none. Pick one.
 

Silent_Gunner (Crazy Cool Cyclops, Banned; joined Feb 16, 2017; 2,696 messages; 0 trophies; age 29; 4,727 XP; United States)
> They can modify all system files just fine. The problem is that the firmware will see that the changes haven't been signed by Nintendo, and refuse to boot.
>
> So unless Nintendo's private key gets leaked, or some other bootloader-stage exploit is found, both of which are very unlikely to ever happen, this is as close as we'll get.
>
> And that's fine. If you want a CFW without a jig or payload dongle, go find a switch running 4.1.0. Otherwise, be happy with what we have. Because based on information SciresM has posted, I highly doubt we'll see anything better anytime soon, if at all. But I'd say we have about as much "full control" as we could ever hope for. You can run Linux, you can run Android, you've got 3 good CFWs to pick from (4 if you count Kosmos - I just consider that to be "pre-packaged" Atmosphere though.) In Horizon, we have custom themes, even animated ones. We have all sorts of homebrew, including emulators and ports of PC games. We have system modules that give added functionality like background music and FTP services. We even have cheats and game mods. I'm not sure what more you could hope for, other than booting without RCM payloads.

Would it be possible, theoretically speaking, to downgrade to that OFW via ChoiDujourNX and use the method you described for booting into CFW?
 

RHOPKINS13 (Geek, Member; joined Jan 31, 2009; 1,354 messages; 2 trophies; 2,623 XP; United States)
> Would it be possible, theoretically speaking, to downgrade to that OFW via ChoiDujourNX and use the method you described for booting into CFW?

No, but only because the Switch uses eFuses. 4.1.0 expects the Switch to have 5 burned eFuses. If it sees that there are more than that, it will refuse to boot. 8.1.0 expects 10, and 9.x expects 11.

You can downgrade to 4.1.0 and use Hekate to bypass the fuse check, but in order to do that you'll need to push a payload, which defeats the purpose of downgrading to 4.1.0.
 
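The fuse check RHOPKINS13 describes above is an anti-rollback mechanism: one-time-programmable fuses record the newest firmware the console has ever run, and an older firmware that finds more fuses burned than it expects refuses to boot. The simulation below is an added example and is not code from the thread, from Nintendo's firmware, or from any CFW. The expected fuse counts (5 for 4.1.0, 10 for 8.1.0, 11 for 9.x) are the ones quoted in the post; the `FuseBank`/`boot` names and the behaviour of burning fuses up to the expected count on a successful boot are simplifying assumptions of the model, as is the sample 4.1.0 -> 9.0.0 -> 4.1.0 sequence.

```python
"""Toy model of eFuse-based anti-rollback (constructed example, not real boot code)."""
from dataclasses import dataclass

# Firmware version -> number of burned fuses that version expects (counts quoted in the thread).
# "9.0.0" stands in for the thread's "9.x"; the mapping is an assumption of this model.
EXPECTED_FUSES = {"4.1.0": 5, "8.1.0": 10, "9.0.0": 11}


class FuseBank:
    """One-time-programmable fuses: bits can be set, never cleared."""

    def __init__(self, size: int = 32):
        self._bits = [False] * size

    @property
    def burned(self) -> int:
        return sum(self._bits)

    def burn_up_to(self, count: int) -> None:
        # Burning is monotonic: this only ever sets additional bits.
        if count > len(self._bits):
            raise ValueError("fuse bank exhausted")
        for i in range(count):
            self._bits[i] = True

    def clear(self) -> None:
        # There is no hardware path back: this is what makes the check a rollback barrier.
        raise PermissionError("eFuses are one-time programmable and cannot be unburned")


@dataclass
class BootResult:
    booted: bool
    reason: str
    burned_after: int


def boot(fuses: FuseBank, firmware: str) -> BootResult:
    """Model of the boot-time fuse check for one firmware version."""
    expected = EXPECTED_FUSES[firmware]
    if fuses.burned > expected:
        # More fuses than this version expects: a newer firmware has run before.
        # This is the downgrade case, and the firmware refuses to boot.
        return BootResult(
            False,
            f"{firmware} expects {expected} fuses, found {fuses.burned}: refusing to boot",
            fuses.burned,
        )
    # Fewer (or equal) fuses: a fresh install or an update. Burn up to the expected
    # count (assumption of the model) so every older firmware is locked out from now on.
    fuses.burn_up_to(expected)
    return BootResult(True, f"{firmware} booted with {fuses.burned} fuses", fuses.burned)


def downgrade_scenario() -> list:
    """Console on 4.1.0 updates to 9.0.0, then tries to go back to 4.1.0 and 8.1.0."""
    fuses = FuseBank()
    return [
        boot(fuses, "4.1.0"),   # fresh console: burns 5, boots
        boot(fuses, "9.0.0"),   # update: burns up to 11, boots
        boot(fuses, "4.1.0"),   # downgrade attempt: 11 > 5, refused
        boot(fuses, "8.1.0"),   # another downgrade attempt: 11 > 10, refused
    ]


if __name__ == "__main__":
    for result in downgrade_scenario():
        print(result.reason)
```

The third step is the situation Silent_Gunner describes later in the thread: once a 9.x firmware has burned its fuses, a 4.1.0 image written back to the console finds 11 fuses instead of 5 and never gets past the check, so the console appears dead until it is updated again.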

Silent_Gunner (Crazy Cool Cyclops, Banned; joined Feb 16, 2017; 2,696 messages; 0 trophies; age 29; 4,727 XP; United States)
> No, but only because the Switch uses eFuses. 4.1.0 expects the Switch to have 5 burned eFuses. If it sees that there are more than that, it will refuse to boot. 8.1.0 expects 10, and 9.x expects 11.
>
> You can downgrade to 4.1.0 and use Hekate to bypass the fuse check, but in order to do that you'll need to push a payload, which defeats the purpose of downgrading to 4.1.0.

So that's why my Switch would never turn on until I accidentally updated to 9.0 on my hacked Switch...
 

Dax_Fame (Annoying Member, Member; joined Jan 16, 2015; 495 messages; 0 trophies; age 33; Mom's house; 1,275 XP; United States)
I feel like I'm not explaining myself properly or not properly understanding people's responses lol...
  • I'm NOT comparing Android running on whatever to Horizon running on the Switch
  • I'm comparing Android running on the Switch to Horizon running on the Switch
  • I'm comparing the performance of the same software (Retroarch) running on the same hardware but on a different OS
I'm wondering why it is that there are more cores and better performance on the exact same hardware. What is the reason for this beyond full access to the hardware, if it's supposedly not the reason?
 

smf (Well-Known Member, Member; joined Feb 23, 2009; 6,643 messages; 2 trophies; 5,863 XP; United Kingdom)
> Fusee is more powerful than :P.

Fusee loses points for being tethered.

--------------------- MERGED ---------------------------

> I don't get it, you initially responded with "let's make an untethered coldboot exploit" and now you're saying there is none. Pick one.

No, I said "make one up" as in pretend there is one.

You're pretending there is one with specific limitations. You said that was a problem, so I suggested we could just pretend there was one without those limitations instead.

Problem solved.
 

ZachyCatGames (Well-Known Member, Member; joined Jun 19, 2018; 3,398 messages; 1 trophy; Hell; 4,209 XP; United States)
> Ok, then it seems it's equal with Wii, PS3, Xbox, DSi then.

There are actually very few exploits less powerful than fusee.
It's not equal to the Wii's exploit, dunno about the other systems. Fusee is an exploit in the bootrom, which is the first code that's run on the BPMP when booting the system; it would be equivalent to a boot0 exploit on Wii if one existed.
 

DaniPoo (Well-Known Member, Member; joined Jan 2, 2013; 925 messages; 1 trophy; age 35; 2,288 XP)
> That's my understanding, but said key would be highly illegal to distribute even if it did get cracked. And these keys are practically uncrackable - it's more likely that it would be leaked by someone working for Nintendo. And I think it's safe to say Nintendo has probably limited access to all but a very few select employees for this key.

I thought private keys were unique for each system, thus being called private? :) No point in "leaking" private keys as no one is going to be able to use them.
Also I thought we were able to dump pretty much everything already. I'm also curious what's left.. My guess is the bootloader perhaps?

--------------------- MERGED ---------------------------

> That's wrong, having exploitless code is possible and has been done.

Not really sure what you are talking about with the exploitless code stuff.. But how is azoreseuropa wrong in his statement?
 

FAST6191 (Techromancer, Editorial Team; joined Nov 21, 2005; 36,798 messages; 3 trophies; 28,321 XP; United Kingdom)
> I thought private keys were unique for each system, thus being called private? :) No point in "leaking" private keys as no one is going to be able to use them.
> Also I thought we were able to dump pretty much everything already. I'm also curious what's left.. My guess is the bootloader perhaps?

Private keys in this case refer to the idea of public-private key cryptography, aka asymmetric cryptography. There are things that can be done with system-level/user/device-level keys.

https://www.khanacademy.org/computi...tro/v/the-internet-encryption-and-public-keys

If you have the private key then you can essentially make whatever code you like appear as though Nintendo gave it their blessing. This is what was generated for the PS3 back when ( https://media.ccc.de/v/27c3-4087-en-console_hacking_2010 ), though not so many things use elliptic-curve based stuff as much as prime numbers (or probable primes, as the case may be).
 
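FAST6191's point above, and Silent_Gunner's earlier one that modified system files are refused because the changes are not signed by Nintendo, both come down to the same check: the boot chain carries the vendor's public key and only accepts an image whose signature verifies under it, so whoever holds the matching private key can sign anything and nobody else can. The following is an added illustration and is not code from the thread, from Nintendo, or from any CFW. It uses textbook RSA with fixed Mersenne primes and no padding (an assumption made so it runs offline with the standard library; real schemes use padding and far larger keys), a constructed sample image, and made-up `VENDOR`/`OTHER` key names.

```python
"""Toy model of signed-firmware verification (constructed example, not a real scheme)."""
import hashlib

E = 65537  # common RSA public exponent


def make_keypair(p: int, q: int):
    """Textbook RSA key generation from two primes. Returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse; Python 3.8+
    return (n, E), (n, d)


def _digest(image: bytes) -> int:
    # 128-bit truncated SHA-256 so the value is always below the toy modulus.
    # (Unpadded hash-as-integer signing is for illustration only.)
    return int.from_bytes(hashlib.sha256(image).digest()[:16], "big")


def sign(image: bytes, private_key) -> int:
    n, d = private_key
    return pow(_digest(image), d, n)


def verify(image: bytes, signature: int, public_key) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest(image)


# Vendor key: the private half never leaves the vendor; the public half is what the
# boot chain trusts. Primes are Mersenne primes picked so the example needs no keygen code.
VENDOR_PUB, VENDOR_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
# A different keypair, standing in for anyone who does not hold the vendor's private key.
OTHER_PUB, OTHER_PRIV = make_keypair(2**107 - 1, 2**127 - 1)


def boot_check(image: bytes, signature: int) -> str:
    """What the boot code does: accept only images that verify under the trusted key."""
    return "boot" if verify(image, signature, VENDOR_PUB) else "refuse: bad signature"


def scenarios() -> dict:
    """Four attempts at booting a (constructed) system image."""
    original = b"package1 v9.0 (constructed sample image)"
    sig = sign(original, VENDOR_PRIV)
    modified = original.replace(b"v9.0", b"v9.0+patched")
    return {
        "untouched": boot_check(original, sig),
        "modified, original signature": boot_check(modified, sig),
        "modified, re-signed with untrusted key": boot_check(modified, sign(modified, OTHER_PRIV)),
        "modified, re-signed with leaked vendor key": boot_check(modified, sign(modified, VENDOR_PRIV)),
    }


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{label:45s} -> {outcome}")
```

The second and third cases are what the thread calls "the firmware will see that the changes haven't been signed by Nintendo": editing the image changes its digest, and a signature produced under any key other than the trusted one simply does not verify. Only the last case boots, which is why the discussion treats a private-key leak as the one non-exploit route to accepted modifications.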

ZachyCatGames (Well-Known Member, Member; joined Jun 19, 2018; 3,398 messages; 1 trophy; Hell; 4,209 XP; United States)
> I'm also curious what's left.. My guess is the bootloader perhaps?

bootrom, pk1ldr and package1 have been dumped. Everything except some TSEC and Lotus shit has been publicly dumped/dumpable.

--------------------- MERGED ---------------------------

> Not really sure what you are talking about with the exploitless code stuff.. But how is azoreseuropa wrong in his statement?

They're saying that everything is exploitable/hackable, which is straight up untrue.
 
