Hardware Why doesn't Nvidia fix the RCM bug?

samincqu · May 7, 2021

Hi,
As we know all of the HACK on Switch is based on the RCM bug in Tegra bootrom. For years this bug is still there, while Nitendo has sold out 80+ million products and even new chipset was used instead of the old one. Based on my experience in the field of embedded devices, fix the bug and upgrade the bootrom is a very easy job, at least for the newest products. But, do anyone knows why Nvidia does never fix this bug?

ZachyCatGames · May 7, 2021

Nintendo started shipping devices with an ipatch to fix the bug back in 2018, and the bug is completely eliminated on Mariko.

thesjaakspoiler · May 7, 2021

RCM is not a bug but a normal feature on modern microprocessors.
RCM is present on most devices as way to recover the device in case the main (flash) storage fails.
Just like with computers being able to boot from an usb stick.
Technically Nintendo could have disallowed users to use the RCM mode.
But they allowed it, most likely for repairing Switched themselves.
The exploit isn't the RCM mode itself, it's a bug in the USB driver.
As mentioned in the post above, Nintendo fixed that in newer Switches.
The RCM mode itself is still active although it can't execute the exploit anymore.

samincqu · May 7, 2021

thesjaakspoiler said:
RCM is not a bug but a normal feature on modern microprocessors.
RCM is present on most devices as way to recover the device in case the main (flash) storage fails.
Just like with computers being able to boot from an usb stick.
Technically Nintendo could have disallowed users to use the RCM mode.
But they allowed it, most likely for repairing Switched themselves.
The exploit isn't the RCM mode itself, it's a bug in the USB driver.
As mentioned in the post above, Nintendo fixed that in newer Switches.
The RCM mode itself is still active although it can't execute the exploit anymore.

I refered to the bug in RCM mode in Tegra. What I heard is the bootrom copies the payload in the packet to the memory without any limitation. Thus the stack is overwritten by the un-limited payload. This is definitely a bug implemented in the bootrom. And this is what I said "very easy job" to fix -- just limit the payload size and deliver a new bootrom firmware to Nitendo. But till now we still can hack it (include the newest model Marico) by SX_core suite.
I have this question is because I see there is a new hack suite named "HW Fly" is delivered online. In order to hack the Mariko Switch through RCM bug. If Nvidia/Nitendo have fixed the bug I mentioned why the Mariko still can be hacked?

ZachyCatGames · May 7, 2021

samincqu said:
I refered to the bug in RCM mode in Tegra. What I heard is the bootrom copies the payload in the packet to the memory without any limitation. Thus the stack is overwritten by the un-limited payload. This is definitely a bug implemented in the bootrom. And this is what I said "very easy job" to fix -- just limit the payload size and deliver a new bootrom firmware to Nitendo. But till now we still can hack it (include the newest model Marico) by SX_core suite.
I have this question is because I see there is a new hack suite named "HW Fly" is delivered online. In order to hack the Mariko Switch through RCM bug. If Nvidia/Nitendo have fixed the bug I mentioned why the Mariko still can be hacked?

On Erista Nintendo did fix it using an ipatch that limits the size, on mariko it didn't ever exist as mariko doesn't support using the USB2 controller for RCM.
The SX Core/HWFly don't use the RCM bug, they glitch the bpmp during BCT validation to make it think a fake BCT is valid.

linuxares · May 7, 2021

ZachyCatGames said:
On Erista Nintendo did fix it using an ipatch that limits the size, on mariko it didn't ever exist as mariko doesn't support using the USB2 controller for RCM.
The SX Core/HWFly don't use the RCM bug, they glitch the bpmp during BCT validation to make it think a fake BCT is valid.

Sadly this will just become a ton of e-waste since they can't flash new firmware to it. If there isn't a super secret way for them to do it.

Purple_Heart · May 7, 2021

i know its the wrong place but can someone recommend me a person here who does switch repairs? i replaced my sd slot cause my switch didnt read sd cards......but i see that the pins on my mobo are faulty and i cant do it myself.

The Real Jdbye · May 7, 2021

samincqu said:
Hi,
As we know all of the HACK on Switch is based on the RCM bug in Tegra bootrom. For years this bug is still there, while Nitendo has sold out 80+ million products and even new chipset was used instead of the old one. Based on my experience in the field of embedded devices, fix the bug and upgrade the bootrom is a very easy job, at least for the newest products. But, do anyone knows why Nvidia does never fix this bug?

They did. It's been fixed in new Switches since before Mariko. They can't patch existing devices that already have the bug because there is limited room in the SoC for firmware updates and it was already full from the factory.

samincqu · May 8, 2021

ZachyCatGames said:
On Erista Nintendo did fix it using an ipatch that limits the size, on mariko it didn't ever exist as mariko doesn't support using the USB2 controller for RCM.
The SX Core/HWFly don't use the RCM bug, they glitch the bpmp during BCT validation to make it think a fake BCT is valid.

Thanks for your answer. It turns out that sx_core hacks Switch in another way! It makes sense why we can still hack the Switch till now.
Let me search and get to know about the new hack method

Hardware Why doesn't Nvidia fix the RCM bug?

New Member

Well-Known Member

Well-Known Member

New Member

Well-Known Member

The inadequate, autocratic beast!

GBATemp´s weirdest Individual

*is birb*

New Member

Similar threads

Popular threads in this forum

is birb