Switch TrustZoneHax on 4.x


The ReSwitched Hacking Team have done it again. motezazer, ktemkin and SciresM have achieved code execution on 4.1.0, the latest version at the time of writing, via deja vu at TrustZone level. This means devices on 4.1.0 and below will be able to gain access to the whole system. SciresM strongly advises not updating in the future.

After less than a year, the Switch hacking team has moved extremely fast and now has full access on the latest version. The progress being made is incredible; in comparison, the 3DS took around 2 years to get ARM9 access. The scene is looking very promising so far and we are very lucky to have such talented people working on the Switch.


ZachyCatGames
I remember someone said we can boot any CFW without caring about fuse count because of the ignore-count feature of hekate or something similar. So can we downgrade to 4.0 and take advantage of the TrustZone vulnerability without caring about burning fuses?
No, fuse checks are done by pk1ldr, which is the first code run on the system after the bootrom.

The only way to bypass them is by using a payload that runs before pk1ldr, but at that point Deja Vu is pointless.
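The fuse check described in the posts above is a standard anti-rollback design: the first code to run compares the number of blown fuses with the count the firmware image expects, and refuses anything that expects fewer fuses than are already burnt. The C below is an added, constructed model of that check to show why a lower firmware can't simply be booted once newer fuses have been burnt; it is not pk1ldr or any Switch code, and the bank size, counts and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a one-time-programmable fuse bank. Bit i set means
 * fuse i has been blown; blowing is irreversible, so the count only grows.
 * The bank size and all counts below are hypothetical, not Switch values. */
#define FUSE_BITS 32

typedef struct {
    uint32_t burnt;
} fuse_bank_t;

typedef enum {
    BOOT_OK = 0,               /* fuse state consistent with this firmware */
    BOOT_REJECT_DOWNGRADE = 1, /* more fuses burnt than the image expects */
    BOOT_REJECT_BAD_IMAGE = 2  /* image claims an impossible fuse count */
} boot_result_t;

/* Number of blown fuses (population count of the bank). */
int fuse_count(const fuse_bank_t *bank) {
    int n = 0;
    for (uint32_t v = bank->burnt; v != 0; v >>= 1)
        n += (int)(v & 1u);
    return n;
}

/* Blow fuses, lowest index first, until `target` fuses are burnt.
 * Never clears a bit: a fuse bank has no "un-burn" operation. */
void fuse_burn_to(fuse_bank_t *bank, int target) {
    for (int i = fuse_count(bank); i < target && i < FUSE_BITS; i++)
        bank->burnt |= (1u << i);
}

/* Anti-rollback check as an early loader would run it before anything
 * else: each firmware image carries the fuse count it expects.
 *  - burnt > expected: the image is older than what already ran here;
 *    refuse to boot it (this is what stops a downgrade).
 *  - burnt < expected: first boot of a newer image; burn up to its count
 *    so the device can't later boot anything older.
 *  - burnt == expected: normal boot. */
boot_result_t antirollback_check(fuse_bank_t *bank, int expected_fuses) {
    if (expected_fuses < 0 || expected_fuses > FUSE_BITS)
        return BOOT_REJECT_BAD_IMAGE;
    int burnt = fuse_count(bank);
    if (burnt > expected_fuses)
        return BOOT_REJECT_DOWNGRADE;
    if (burnt < expected_fuses)
        fuse_burn_to(bank, expected_fuses);
    return BOOT_OK;
}

/* Worked scenario: boot an image expecting 4 fuses on a fresh bank, update
 * to one expecting 6, then try to go back to the 4-fuse image.
 * Returns 1 if the downgrade is refused and the bank still has 6 fuses. */
int scenario_downgrade_refused(void) {
    fuse_bank_t bank = { .burnt = 0 };
    if (antirollback_check(&bank, 4) != BOOT_OK || fuse_count(&bank) != 4)
        return 0;
    if (antirollback_check(&bank, 6) != BOOT_OK || fuse_count(&bank) != 6)
        return 0;
    if (antirollback_check(&bank, 4) != BOOT_REJECT_DOWNGRADE)
        return 0;
    return fuse_count(&bank) == 6;
}

/* Second scenario: an image claiming more fuses than the bank holds is
 * rejected without touching the bank. Returns 1 on expected behaviour. */
int scenario_bad_image_rejected(void) {
    fuse_bank_t bank = { .burnt = 0 };
    if (antirollback_check(&bank, FUSE_BITS + 1) != BOOT_REJECT_BAD_IMAGE)
        return 0;
    return fuse_count(&bank) == 0;
}

int main(void) {
    printf("downgrade refused: %s\n",
           scenario_downgrade_refused() ? "yes" : "no");
    printf("bad image rejected: %s\n",
           scenario_bad_image_rejected() ? "yes" : "no");
    return 0;
}
```

The point of the model is the ordering: because the check runs before any later-stage code, the only thing that can influence it is whatever runs before it, which is exactly what the replies above say. Any "ignore fuse count" option in a later-stage tool never sees this comparison at all.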

8BitWonder
I remember someone said we can boot any CFW without caring about fuse count because of the ignore-count feature of hekate or something similar. So can we downgrade to 4.0 and take advantage of the TrustZone vulnerability without caring about burning fuses?
You cannot use hekate if your switch is ipatched, so downgrading to a firmware with a lower fuse count (on an ipatched switch) would give you a fancy new paper-weight.

However those whose switches are vulnerable to fusee-gelee could downgrade to 4.X or lower for TZ hacks. But there wouldn't be much point since they can already push payloads.

smf
However those whose switches are vulnerable to fusee-gelee could downgrade to 4.X or lower for TZ hacks. But there wouldn't be much point since they can already push payloads.

You can only downgrade to 4.x if you haven't already burnt 5.x+ fuses. If you have then you can only boot your switch if you use RCM payloads, so deja vu is pointless.

If you saved your fuses then you can downgrade and use deja vu, which is still pointless until emunand lets you run newer games. Once emunand is out, it will come down to whether you think not carrying a dongle is better than going through all the hassle of deja vu (which I haven't seen an untethered version of yet).

smf
Where can I find it and what does it allow you to do at the moment? I was under the impression it's still a work in progress.

I haven't seen an exploit chain for 4.x or later, I assume he means deja vu is public. But deja vu is not an exploit chain, it's only one single part.
aos10
There's currently public implementations of every single exploit in Deja Vu for firmwares <=4.1.0 ;). You can stop hating now :)
Only from 1.0.0 to 3.0.0.
3.0.1 and 3.0.2 aren't working, I guess.

=====

I have a question about this: so every time I need to boot Deja Vu, I need to use a local server hosting a file and use the News applet on the Switch to boot into CFW?
ZachyCatGames
I haven't seen an exploit chain for 4.x or later, I assume he means deja vu is public. But deja vu is not an exploit chain, it's only one single part.
Nope. I mean all the exploits in the chain used for 4.x are public and also have public implementations.
ZachyCatGames
Can you link to them?
browserhax and nspwn are already in PegaSwitch. Scires posted nvhax shit on Discord (check pins in #switch-hacking-meta). And there's a few Deja Vu implementations (specifically for 1.0 and 3.0).

Somebody still needs to put everything together for it to actually be useful, though.
RobinMeade
I happen to have a patched Switch on 4.1.0. Is there any sort of step-by-step guide on how to install the exploit?
What does it allow for? Both homebrew and backups, or just one of those?
Apologies if I'm asking in the wrong thread; I was linked here from another thread as the solution. TIA
kylum
@RobinMeade follow this guide here; it has everything you will need to know to get started. You will be using caffeine. Hopefully you haven't connected to the internet for some time, or you could have what is called supernag, which blocks everything. I personally have no experience with patched units, but this will help you through the process.

If you can exploit your switch then I strongly suggest setting up emummc. It's a must in your situation to play newer games, legit or otherwise.

Good luck

RobinMeade
@RobinMeade follow this guide here; it has everything you will need to know to get started. You will be using caffeine. Hopefully you haven't connected to the internet for some time, or you could have what is called supernag, which blocks everything. I personally have no experience with patched units, but this will help you through the process.

If you can exploit your switch then I strongly suggest setting up emummc. It's a must in your situation to play newer games, legit or otherwise.

Good luck
On the website you provided at the end it says this:

The guide will soon be updated with instructions on using emuMMC, which redirects all read and write operations on the internal memory to the SD card. With this, even if you accidentally brick within CFW, your Switch will still function properly. If any of the above scares you, strongly consider waiting for the guide to be updated with emuMMC information.

Curious if anyone has any ETA as to when that's supposed to happen?
RobinMeade
Ok, so I am not sure what this means. I'm doing the DNS settings step and 3 times it told me it connected to the internet; however, ONCE it told me that the network requires registration. I pressed NEXT and... nothing happened. I pressed connect again and this time it claimed to have connected to the internet (the 3 little icons); however, when I run the test it always claims it failed. I'm not sure if it is indeed connecting to the internet or not, but it's connecting through the DNS specified. I'd rather not get the supernag.

EDIT: Is the PegaScape page supposed to load on its own, just kick in, or am I supposed to turn on the browser? The guide makes it look like the page just launches on its own.
EDIT2: You can see I was able to get the registration screen again, and when I selected NEXT, it immediately performed the connection a 2nd time and it just passed. Is it overwriting the DNS settings the second time? I know I set a fake DNS on my PS4 and I never had the issue of it being redirected wrong. It always gets to the hack screen.
EDIT3: It went as far as:

Tap the Album icon. This should load hbmenu.

And it froze there! Is it possible that it's connecting to the wrong DNS in the background on its own in the meantime?
EDIT4: Nope, it gets stuck on the Album issue. I see OK, I can even press the home button (takes me back to the PegaScape screen) and it freezes. Any ideas, anyone?
EDIT5: WTF?? I pulled the SD card out and...... I can still perform the hack (it still goes only as far as the white screen after I press Album).

kylum
You have to have your SD card formatted to FAT32 and have it set up for the number of partitions you are going to use. You also need all the correct files set up on the SD card for everything to work (atmosphere, hekate, sigpatches...). Then when PegaScape works you load caffeine, not homebrew. Tap the box, then power. The Switch will reboot into hekate, where you set up emuMMC.

edit- just saw your reply to the other post. There is a guide and video tutorial above your post. If you watch the video it shows 4.0.0 detected and he is on 4.1.0, so it's probably just the way it was written.

RobinMeade
You have to have your SD card formatted to FAT32 and have it set up for the number of partitions you are going to use. You also need all the correct files set up on the SD card for everything to work (atmosphere, hekate, sigpatches...). Then when PegaScape works you load caffeine, not homebrew. Tap the box, then power. The Switch will reboot into hekate, where you set up emuMMC.
Thank you. I am just following the guide and that's what it says: to click the HBloader. Although I'm talking in another thread now, and indeed I see that people are formatting their cards in a certain way and hitting caffeine.
I assumed the guide you linked to is an A to Z guide; perhaps it's just supplemental to an overall larger guide and I started in the middle somewhere?
kylum
Thank you. I am just following the guide and that's what it says: to click the HBloader. Although I'm talking in another thread now, and indeed I see that people are formatting their cards in a certain way and hitting caffeine.
I assumed the guide you linked to is an A to Z guide; perhaps it's just supplemental to an overall larger guide and I started in the middle somewhere?
Saw your other post after I posted. I edited the above post. But yes, the guide is an A to Z guide; everything is there if you use the navigation tab at the top. You should have started at the beginning. My apologies, as I figured you had everything ready to go but were unsure how to do the emuMMC part, which is why I linked to just that part in my second link. Just read everything in the guide from the other thread and you will be fine.

RobinMeade
Ah, I see. As I said, I thought that was a guide ONLY for patched units; I didn't realize it's a supplement. I'll have to read it from the beginning. I'm not sure if I'll be able to separate the information for unpatched vs patched and not put something on my NS that shouldn't be there!

EDIT: So I'm looking through it all and I have to say the guide unfortunately is not foolproof at all. I still don't see at what point it says how to format the SD card, only what to put on it (which I did), or I simply don't see it. And I see in other guides it mentions formatting and partitioning it in a specific way.
