Hacking Apparently the X1 bootrom was leaked

[Geezerdorf]

As it seems the Tegra X1 bootrom was leaked a couple of hours ago on pastebin.

Now everybody can find the exploit without the hassle of dumping the bootrom themselves.

Let the games begin...

This will make those with the bootrom exploits move, but maybe not that much. The fact that now it's in the public and someone outside of the hacking scene can also contribute with it though, makes this interesting...and dangerous. There'll be a storm brewing on the horizon.

Isn't this massively illegal making the whole bootrom public?

Well, you're using an exploit for unautorized code execution. Depending on your final use for it....it is

 

[Lacius]

Right now sure, but SciresM has said every switch with this tegra has the same vuln and it can only be fixed with a hardware revision. Your switch will eventually be hackable too.

The hardmod he's referring to is for Fusée Gelée. When Fusée Gelée is released this summer, systems on 3.0.1 and higher will require an "easy" hardmod. Systems on 3.0.1-4.1.0 might get access to the private software exploits sometime in the future.

 

[aerios169]

ahh i dont know anithing of soldering i am medic hahaha, =/ thats why i feel fucked haha

 

[Dominator211]

As it seems the Tegra X1 bootrom was leaked a couple of hours ago on pastebin.

Now everybody can find the exploit without the hassle of dumping the bootrom themselves.

Let the games begin...

hallelujah!! hallelujah!! This is Exciting i cannot wait for homebrew to unlock the switches full potential

 

[the_randomizer]

He also didn't release anything and was pretty much driven off the scene so in Sony's eyes. Job done. Sent the message loud and clear.

So then don't reveal your name and keep things under lock and key and then release it anonymously.

 

[Lacius]

ahh i dont know anithing of soldering i am medic hahaha, =/ thats why i feel fucked haha

The "easy" hardmod will likely have a solderless option.

 

[Ryccardo]

Literally typed "Tegra X1 Boot ROM (Nintendo Switch) pastebin" and got a file. So what can we even do with this without some instructions?

You can explore it in a disassembler (which may or may not exist for that specific SOC/subarchitecture) and try finding something interesting,
or you can use it in a low-level emulator (which may or may not exist yet, but the MAME team will certainly like the news),
or you can fully reverse engineer it to understand what it does so that a future emulator may have a freely licensed replacement instead of requiring this rom...

("You" for obvious reasons refers to a generic person, in fact it probably doesn't include "you" )

Isn't this massively illegal making the whole bootrom public?

It's just "regularly illegal", not differently than uploading the newest 80 GB PC game or the install disks of MS-DOS 6.22

Alternative interpretation: nothing is illegal until you are caught AND proven guilty (see kongsnutz)

 

[souler92]

ahh i dont know anithing of soldering i am medic hahaha, =/ thats why i feel fucked haha

its nothing with soldering, you have to open the switch, you have to make a short circuit for a small amount of time on 2 pins everytime you restart the switch tho

 

[Deleted member 399513]

I'm out of the loop here, what can it be used for?

 

[Sephirosu]

You can explore it in a disassembler (which may or may not exist for that specific SOC/subarchitecture) and try finding something interesting,
or you can use it in a low-level emulator (which may or may not exist yet, but the MAME team will certainly like the news),
or you can fully reverse engineer it to understand what it does so that a future emulator may have a freely licensed replacement instead of requiring this rom...

("You" for obvious reasons refers to a generic person, in fact it probably doesn't include "you" )


It's just "regularly illegal", not differently than uploading the newest 80 GB PC game or the install disks of MS-DOS 6.22

Alternative interpretation: nothing is illegal until you are caught AND proven guilty (see kongsnutz)

Ohh interesting. So basically this in the hands of someone that's knowledgeable can actually get the ball rolling. Cooooool. Time to wait then. At least something is out in the wild now without the need to wait for summer.

 

[aerios169]

its nothing with soldering, you have to open the switch, you have to make a short circuit for a small amount of time on 2 pins everytime you restart the switch tho

well it sounds nice, i will wait for tutorals and everything , i hope that this dosent affect nintendo =S

 

[Rune]

Literally typed "Tegra X1 Boot ROM (Nintendo Switch) pastebin" and got a file. So what can we even do with this without some instructions?

Try opening it with RetroArch.

 

[subcon959]

Ohh interesting. So basically this in the hands of someone that's knowledgeable can actually get the ball rolling. Cooooool. Time to wait then. At least something is out in the wild now without the need to wait for summer.

This was probably already in the hands of people who could do anything with it. But of course GBAtemp will hype the hell out of it regardless.

 

[andijames]

You'll still need CFW though so whilst this may accelerate the x1 exploits visibility there's literally nothing that can be done without having something to run on it right?

 

[DeslotlCL]

It's the 3ds drama all over again

Keep the leaks coming boys

 

[Lacius]

its nothing with soldering, you have to open the switch, you have to make a short circuit for a small amount of time on 2 pins everytime you restart the switch tho

We don't know everything about Fusée Gelée and its variants, but Kate has said that users should only have to open up their Switch systems one time.

You'll still need CFW though so whilst this may accelerate the x1 exploits visibility there's literally nothing that can be done without having something to run on it right?

That's correct. We still need Atmosphère to be completed.

 

[Ryccardo]

Ohh interesting. So basically this in the hands of someone that's knowledgeable can actually get the ball rolling. Cooooool. Time to wait then. At least something is out in the wild now without the need to wait for summer.

By the way, "something interesting" is not necessarily an exploitable vulnerability: if you think about the 3DS, while we got lucky and its bootrom ALSO contained the basis for sighax, we also got a truckload of keys out of it - resulting in the ability to encrypt/decrypt the OS and games directly on a PC (which is likely appreciated by high level emulator users), to decrypt the nand with only adding the OTP instead of xorpads to be generated on an already hacked console, ...

 

[smilodon]

Yay, more nothing for the end user!

 

[Gnarmagon]

lmao it's actually legit and decrypted XD

 

[zoogie]

I'm out of the loop here, what can it be used for?

Don't really know. I don't think it's as useful as the 3ds bootrom - it's missing ipatches so some info is missing. There was a concerted effort to dump it so I'm sure there's some use to it.

Summoning an expert
@SciresM