Discussion Bricking your Switch on purpose or: How AutoRCM works

Discussion in 'Switch - Exploits, Custom Firmwares & Soft Mods' started by mnemonicpunk, May 19, 2018.

  1. mnemonicpunk
    OP

    mnemonicpunk Advanced Member

    Newcomer
    3
    May 10, 2018
    Germany
    Bricking your Switch on purpose or: How AutoRCM works

    Since the Fusée Gelée and ShofEL2 exploits have been made public, people have used their jig, paperclip, piece of bent wire or - for those among us who are extraterrestrial androids - extraordinarily thin metal thumbs to trigger RCM mode on the Switch. And it works reasonably well.

    But of course people have been thinking about whether there may be a better way to get into RCM.

    One such proposed way is bricking your Switch. No really, hear me out, that is a valid way of achieving it that has been discussed several times over the last few weeks on the ReSwitched discord.

    It goes like this: Normally the Switch starts up, checks the integrity of various of its software contents, then boots into Horizon (the OS of the Switch, the part that actually runs games). BUT: If the check of boot0 fails, the Switch thinks something is wrong and panics. Instead of booting Horizon it switches into RCM, probably because Nintendo were expecting you to send it in and have some technician repair it by flashing a fresh image onto the NAND.

    But as we all know by now, RCM has other uses. So if you really wanted to, you could intentionally corrupt part of your boot0 so the Switch thinks it is fucked beyond recovery and boots into RCM every time you power it up.

    It should go without saying but I’ll say it anyway: This method is very dangerous. It could brick your Switch even beyond recovery and RCM if something goes wrong.

    Depending on how you corrupt your boot0, it is possible to reverse this process. You could call it “install and uninstall” if you were so inclined but it is really bricking and unbricking.

    With that explanation out of the way, I want to quote an FAQ that has been making the rounds:

    • Q: How does the AutoRCM feature work?
    • A: The AutoRCM feature makes a tiny modification to your system's on-board storage via software, and from there on you will ONLY need the dongle (and won't have to press the volume key) when booting your console.
    • Please note: With the AutoRCM feature installed, your Switch will only boot up with the SX Pro Dongle inserted or by any other USB-C launching method currently available. Once booted, you can always uninstall AutoRCM through SX OS.

    With what we know from the above explanation, we can now parse this feature and understand what it does:

    AutoRCM corrupts your boot0 via software. From then on it will ONLY ever boot to RCM. By attaching a dongle like the one TX sells, or using a smartphone or PC with a USB-C cable, you can (and must) load a payload to boot your console, but you will not need to insert a jig or hold the Volume+ key because it ALWAYS boots to RCM.

    So if you want to use this method be aware of how dangerous it is. Team Xecuter may call it AutoRCM, I call it “bricking your Switch on purpose”. Because that’s what it is.


    Additional information:

    About the term "brick": There are two kinds of brick, a semi-brick and a full brick.

    A full brick is what we get when something goes wrong with the procedure, like if the PRODINFO partition or hardware of the console was damaged during the process. A brick of this variety cannot be restored and will, depending on the severity of the damage, not even function as a homebrew device. This is the worse kind of brick. The kind of brick that AutoRCM turns your console into when it works as intended is usually recoverable and can, if the info that was disrupted during the procedure has been backed up or is generally known, be restored to its previous working condition. That is what we would call a semi-brick. In this state, or if the corrupted information were to be lost, you would also still be able to use your Switch for homebrew, just not for commercial games.


    Any further questions? Let me know. :)
     
    Last edited by mnemonicpunk, May 20, 2018
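    To make the boot decision described in this post concrete, here is an added Python model (not code from the post, from SX OS or from any Switch tool) in which a first-stage check hashes a constructed boot0 image and falls back to RCM when the check fails; enabling AutoRCM is modelled as flipping one byte, and the semi-brick versus full-brick distinction comes down to whether a backup of the original bytes exists and whether PRODINFO is intact. The hash check, the byte flip and the sample partition contents are assumptions of the model, not the console's actual verification logic.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample partition contents (assumption: the real partitions are
# far larger and laid out as documented on switchbrew, not like this).
GOOD_BOOT0 = b"BCT+keyblob (constructed sample)"
GOOD_PRODINFO = b"calibration data (constructed sample)"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Reference values a first-stage check would compare against (model only).
EXPECTED_BOOT0_HASH = sha256(GOOD_BOOT0)
EXPECTED_PRODINFO_HASH = sha256(GOOD_PRODINFO)


@dataclass
class Console:
    boot0: bytes = GOOD_BOOT0
    prodinfo: bytes = GOOD_PRODINFO
    backups: dict = field(default_factory=dict)


def boot(c: Console) -> str:
    """Model of the first stage: verify boot0, otherwise fall back to RCM."""
    if sha256(c.boot0) != EXPECTED_BOOT0_HASH:
        return "RCM"  # check failed: recovery mode instead of Horizon
    return "Horizon"


def enable_autorcm(c: Console, keep_backup: bool = True) -> None:
    """Deliberately invalidate boot0 so every boot fails the check (model: flip one byte)."""
    if keep_backup:
        c.backups["boot0"] = c.boot0
    c.boot0 = bytes([c.boot0[0] ^ 0xFF]) + c.boot0[1:]


def disable_autorcm(c: Console) -> None:
    """Undo the corruption; only possible while the original bytes are still known."""
    if "boot0" not in c.backups:
        raise RuntimeError("no boot0 backup: normal boot cannot be restored")
    c.boot0 = c.backups.pop("boot0")


def classify(c: Console) -> str:
    """Map a console state onto the thread's terms: full brick, semi-brick or healthy."""
    if sha256(c.prodinfo) != EXPECTED_PRODINFO_HASH:
        return "full brick"  # console-unique data damaged: not restorable
    if boot(c) == "RCM":
        return "semi-brick"  # payloads still load; restorable only if boot0 is known
    return "healthy"
```

Running `enable_autorcm` without a backup leaves the model in a semi-brick that `disable_autorcm` cannot undo, which is the recoverability caveat the post is making.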
  2. notimp

    notimp GBAtemp Advanced Maniac

    Member
    8
    Sep 18, 2007
    TX's big innovation on the switch hacking scene was bricking their users' Switches on purpose. That's novel.

    Brings a whole new meaning to "we have our first brick".
     
    Alex119098, ac2pic, fedehda and 14 others like this.
  3. Viri

    Viri GBAtemp Addict

    Member
    11
    Sep 13, 2009
    United States
    So, bricking your Switch leads to piracy? It's not a bug, it's a feature?
     
  4. TR_mahmutpek

    TR_mahmutpek medic

    Member
    6
    Jul 28, 2015
    Turkey
    Holy sh!t, that's the explanation!
     
    TheLemonLord likes this.
  5. naddel81

    naddel81 GBAtemp Addict

    Member
    6
    Dec 14, 2009
    United States
    I knew they were behind Brickway (TM)!
     
    fedehda, retrofan_k and TheLemonLord like this.
  6. mnemonicpunk
    OP

    mnemonicpunk Advanced Member

    Newcomer
    3
    May 10, 2018
    Germany
    I know this is supposed to be a joke but technically RCM is in no way related to piracy. ^^
     
  7. msaraiva

    msaraiva Advanced Member

    Newcomer
    4
    Oct 28, 2007
    Brazil
    I don’t think that’s how it works. It’s probably setting a system flag to trigger RCM:

    http://switchbrew.org/index.php?title=Recovery_Mode

     
    Last edited by msaraiva, May 19, 2018
  8. mnemonicpunk
    OP

    mnemonicpunk Advanced Member

    Newcomer
    3
    May 10, 2018
    Germany
    RCM is NOT recovery mode. One (Recovery) is part of the Switch while the other (RCM) is part of the Tegra X1 in the Switch itself. Apart from that it *used* to be possible to trigger RCM in software but was secured by Nintendo in 2.1 and is no longer possible unless you run a 1.0.0 firmware.
     
    awtgrduzwt5r9, jakibaki, Rai and 3 others like this.
  9. msaraiva

    msaraiva Advanced Member

    Newcomer
    4
    Oct 28, 2007
    Brazil
    I stand corrected. But AFAIK, there’s no such thing as a “boot0” on the Switch. The Tegra BootROM is the first-stage loader. You might be thinking of boot2...
     
  10. mnemonicpunk
    OP

    mnemonicpunk Advanced Member

    Newcomer
    3
    May 10, 2018
    Germany
    Boot partition 0 (commonly called boot0 over at ReSwitched) contains, among other things, the partition table and the keyblob which is used to set up all the crypto stuff the Switch uses. You can learn more at

    http://switchbrew.org/index.php?title=Flash_Filesystem

    It is not executable software but rather a partition that contains boot-critical information.
     
  11. msaraiva

    msaraiva Advanced Member

    Newcomer
    4
    Oct 28, 2007
    Brazil
    The way you put it in the first post sounded like you were referring to it as if it was similar to the Wii / Wii U boot0, not a boot partition on the NAND. :)
     
  12. CapitanSburro

    CapitanSburro GBAtemp Regular

    Member
    4
    May 17, 2018
    United States
    Matrix
    AutoRCM is for people with suicidal tendencies :D
     
  13. CatmanFan

    CatmanFan I actually prefer being an artist more now.

    Member
    7
    Aug 14, 2016
    Morocco
    Oh, wow. That puts a WHOLE NEW definition to what Team Xecuter were doing... :unsure:
     
    ry755, SCOTT0852 and Centergaming like this.
  14. Hyokai

    Hyokai Member

    Newcomer
    1
    May 19, 2018
    Germany
    so my question is: is it harmful to use the Xecuter OS because of the AutoRCM? I mean we can always switch back to Original FW and I always have a USB-C cable and phone in my bag when I am traveling with my Nintendo Switch if it crashes or the battery dies :P.

    I am just curious because in your first post it sounds like a bad idea to use it kinda... thanks for answering :)
     
  15. mnemonicpunk
    OP

    mnemonicpunk Advanced Member

    Newcomer
    3
    May 10, 2018
    Germany
    As long as the AutoRCM is installed on your system you can not switch back to the original firmware. It will simply refuse to boot.

    The people over at ReSwitched considered the possibility of doing this weeks ago and discarded it so far because they were worried they would fuck up someone's Switch permanently. And those are the people writing AMS, the fusee gelee launcher, TegraRcmSmash, libnx and so on.

    The main question is this: Did Team Xecuter implement it in an entirely safe and removable way? The honest answer is: I don't know.
     
  16. CapitanSburro

    CapitanSburro GBAtemp Regular

    Member
    4
    May 17, 2018
    United States
    Matrix
    Enabling AutoRCM is your choice; SX OS will have it disabled by default.
     
    The9thBit likes this.
  17. Hyokai

    Hyokai Member

    Newcomer
    1
    May 19, 2018
    Germany
    ok then we need to wait for more information at this point. thanks for the answer

    How do you know this?
     
  18. CapitanSburro

    CapitanSburro GBAtemp Regular

    Member
    4
    May 17, 2018
    United States
    Matrix
    • Q: How does the tool (jig) and dongle operate? Are they needed every time you turn on the console?
      A:
      If you don't want to make any (software) modifications to your Switch Console, both the Tool (jig) and dongle are needed every boot.
      SX OS has an optional "AutoRCM" feature that can be installed to your Switch Console such that the jig tool is not needed anymore on boot.
     
  19. gamesquest1

    gamesquest1 Nabnut

    Moderator
    21
    Sep 23, 2013
    not really, a very exact "break" to trigger rcm at boot isn't really "dangerous" and should be easily reversible if/when you don't want it any more

    sure, if people are concerned about not having a way to boot the system while out (assuming devs fix sleep mode and stuff) then it would be a really neat solution, it's just a matter of personal choice, and I'm sure it won't be long before someone makes a TX style standalone dongle for use when out and about


    hmm I guess that's an interesting point, if it's a one-time install and no dongle required I guess they have some additional exploit at play, I guess when it's out it will probably be copied by open source devs, there is only so much TX can do to protect that kind of exploit
     
    Last edited by gamesquest1, May 19, 2018
  20. mnemonicpunk
    OP

    mnemonicpunk Advanced Member

    Newcomer
    3
    May 10, 2018
    Germany
    Yup. Appears to be completely optional. I'm drawing attention to it because I noticed many people consider this an important selling point and I want them to know what they are buying.
     
    TheLemonLord and The9thBit like this.