Nintendo Switch Secure Boot

Discussion in 'Switch - Hacking & Homebrew' started by adam235, Mar 9, 2017.

  1. adam235
    OP

    adam235 Newbie
    If you want to know something more about how the boot process for the Switch works, just check

    http://www.androidroot.mobi/pages/the-inner-workings-of-secure-boot-key-and-nvflash/

    You will get the APX device when you remove the NAND from the motherboard and reboot the device with an attached USB 3.0 cable.

    Then you can use:
    https://github.com/NVIDIA/tegrarcm

    or you can use my fork with the needed changes:
    https://github.com/pgarba/tegrarcm
    (I'm not sure if I'm using the right RCM version, but I guess time will show ...)

    to communicate with the device. Don't forget to add the right IDs to the usb.h file and make the needed changes to main.c and usb.c

    So what's missing now is the AES key or some workaround as suggested by the androidroot people.

    Does anyone have the firmware 2.0 files from the online update?

    Btw:
    One possible way to flash a new firmware on older Tegra devices:
    https://forum.xda-developers.com/wiki/Wheelie
     
    Last edited by adam235, Mar 9, 2017


  2. jimmyleen

    jimmyleen GBAtemp Maniac

    Someone comes along and posts this kind of information and no one has anything to say?



    Edit: if this topic was about the 3ds on release day people would be jumping up and down with excitement :rolleyes:.
     
    Last edited by jimmyleen, Mar 11, 2017
  3. linuxares

    linuxares GBAtemp Addict

    Unknown person, 3 posts only, lots of what sounds like speculation and not actual proof of anything. The person itself can do it and show it.
     
  4. Memoir

    Memoir A Hero to Zero

    Nah, too thought out to be some random e troll. Then again, who knows?
     
  5. linuxares

    linuxares GBAtemp Addict

    I agree. I think a lot of people thought Bushing came out of the blue trying to fix bricked Wiis. And he was successful.
     
  6. dubbz82

    dubbz82 GBAtemp Maniac

    Big problem is a missing AES key. That might not be trivial to retrieve for a while. The idea SEEMS sound on the surface though (then again, I'm far from an expert in this regard).
     
  7. TesseractStorm

    TesseractStorm Advanced Member

    Sounds like what I recall from devices on Tegra chipsets in the past.
     
  8. adam235
    OP

    adam235 Newbie
    Maybe I should do some video and post it on twitter and then point to it ;)

    But it was already shown by someone else that when you remove the NAND it will come up as the NVIDIA APX (DFU) device
    (https://twitter.com/maximus64_/status/838242952199688192)

    lsusb output:

    Bus 003 Device 036: ID 0955:7321 NVidia Corp.
    Couldn't open device, some information will be missing
    Device Descriptor:
      bLength 18
      bDescriptorType 1
      bcdUSB 2.00
      bDeviceClass 0
      bDeviceSubClass 0
      bDeviceProtocol 0
      bMaxPacketSize0 64
      idVendor 0x0955 NVidia Corp.
      idProduct 0x7321
      bcdDevice 1.02
      iManufacturer 1
      iProduct 2
      iSerial 0
      bNumConfigurations 1
      Configuration Descriptor:
        bLength 9
        bDescriptorType 2
        wTotalLength 32
        bNumInterfaces 1
        bConfigurationValue 1
        iConfiguration 0
        bmAttributes 0xc0
          Self Powered
        MaxPower 32mA
        Interface Descriptor:
          bLength 9
          bDescriptorType 4
          bInterfaceNumber 0
          bAlternateSetting 0
          bNumEndpoints 2
          bInterfaceClass 255 Vendor Specific Class
          bInterfaceSubClass 255 Vendor Specific Subclass
          bInterfaceProtocol 255 Vendor Specific Protocol
          iInterface 0
          Endpoint Descriptor:
            bLength 7
            bDescriptorType 5
            bEndpointAddress 0x81 EP 1 IN
            bmAttributes 2
              Transfer Type Bulk
              Synch Type None
              Usage Type Data
            wMaxPacketSize 0x0200 1x 512 bytes
            bInterval 0
          Endpoint Descriptor:
            bLength 7
            bDescriptorType 5
            bEndpointAddress 0x01 EP 1 OUT
            bmAttributes 2
              Transfer Type Bulk
              Synch Type None
              Usage Type Data
            wMaxPacketSize 0x0200 1x 512 bytes
            bInterval 0
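    A small host-side check that recognises the enumeration state described in the first post and shown in the lsusb output above: it parses `lsusb -v` text and reports whether a device matches the NVIDIA APX/RCM descriptor (VID 0x0955, PID 0x7321, vendor-specific interface, one bulk IN and one bulk OUT endpoint). This is an added example for the thread, not the OP's code and not part of tegrarcm; the sample input is a trimmed copy of the output posted above.

```python
"""Flag a Tegra APX/RCM device from `lsusb -v` text (added example; not the
OP's code and not part of tegrarcm). The VID/PID and descriptor fields are
taken from the lsusb output quoted in the post above."""
import re

NVIDIA_VID = 0x0955   # idVendor in the quoted output
APX_PID = 0x7321      # idProduct in the quoted output

# Trimmed copy of the lsusb output posted above (only the fields used here).
SAMPLE_LSUSB = """\
Bus 003 Device 036: ID 0955:7321 NVidia Corp.
Device Descriptor:
  idVendor 0x0955 NVidia Corp.
  idProduct 0x7321
  Interface Descriptor:
    bInterfaceClass 255 Vendor Specific Class
    bNumEndpoints 2
    Endpoint Descriptor:
      bEndpointAddress 0x81 EP 1 IN
      Transfer Type Bulk
    Endpoint Descriptor:
      bEndpointAddress 0x01 EP 1 OUT
      Transfer Type Bulk
"""

def parse_lsusb(text):
    """Collect the descriptor fields we need; endpoints become a list of dicts."""
    dev = {"endpoints": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Transfer Type") and dev["endpoints"]:
            dev["endpoints"][-1]["type"] = line.split()[-1]   # e.g. "Bulk"
            continue
        m = re.match(r"(\w+)\s+(0x[0-9a-fA-F]+|\d+)\b", line)
        if not m:
            continue
        key, num = m.group(1), m.group(2)
        val = int(num, 16) if num.startswith("0x") else int(num)
        if key == "bEndpointAddress":
            dev["endpoints"].append({"addr": val, "type": None})
        elif key in ("idVendor", "idProduct", "bInterfaceClass", "bNumEndpoints"):
            dev[key] = val
    return dev

def is_tegra_apx(dev):
    """NVIDIA VID, the APX PID, a vendor-specific interface, and one bulk IN
    plus one bulk OUT endpoint, as in the descriptor the OP posted."""
    bulk = [e for e in dev["endpoints"] if e["type"] == "Bulk"]
    has_in = any(e["addr"] & 0x80 for e in bulk)
    has_out = any(not e["addr"] & 0x80 for e in bulk)
    return (dev.get("idVendor") == NVIDIA_VID and dev.get("idProduct") == APX_PID
            and dev.get("bInterfaceClass") == 255 and has_in and has_out)

def classify(text):
    """Return 'tegra-apx' for a device in APX mode, 'other' otherwise."""
    return "tegra-apx" if is_tegra_apx(parse_lsusb(text)) else "other"
```

    Feed it the full `lsusb -v` output of a single device; a result of `tegra-apx` means the console is sitting in the USB recovery mode the thread is talking about rather than booting normally.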
     
  9. Dungeonseeker

    Dungeonseeker GBAtemp Regular

    Unknown person who has his own fork of the hacking tool to tailor his specific needs. I mean he obviously knows something about what he's attempting if he's forked the tool and made switch specific changes to it.
     
  10. jt_1258

    jt_1258 GBAtemp Maniac

    Well, he could have been someone who has just been lurking for some time now and finally made an account, so he might know some things already.
     
  11. DoJo_Master

    DoJo_Master GBAtemp Advanced Fan

    Whatever the case is, this information looks to be groundbreaking as of now.
     
  12. linuxares

    linuxares GBAtemp Addict

    Not groundbreaking, it's standard Nvidia Shield parts at the moment. But I commend OP to continue. I like new people coming in, but after seeing both the Wii U and 3DS scene in the early start, I'm extremely sceptical of new accounts claiming success instantly.

    I don't discredit OP here at all, but people have trolled before and we don't want people (newbies? People that don't know what they do?) coming up with broken Switches because they want to try the same thing.
     
  13. 2Hack

    2Hack HYPiavelli

    Well, this exploit may not lead to instant full access, but they do deserve the credit. The browser has been the source for exploits in both the 3DS and the Wii U, so it's not unreasonable. The previous fake exploits we've seen are those that claim to have full access for only "1337$". The group that released this aren't some randos, so we can have faith in them.

    Also, for those that brick their consoles, that's the tax for doing something without understanding the gravity of what they are messing with. They will always be there.
     
  14. adam235
    OP

    adam235 Newbie
  15. julialy

    julialy Homebrewer

  16. ImAStalker

    ImAStalker Member

    Proof?
     
  17. Ranomez

    Ranomez Advanced Member

    I'd be careful with playing around with APX mode, because if Nintendo made any mistake, just putting the console in APX mode could mean a permanent brick/permanent read-only NAND, as in the case of the HTC One X...
     
  18. Felek666

    Felek666 Archdemon | #AMDForever

    Because Switch is a damn phone. You can't flash any firmware unless you modify OS itself to allow that. [or make redirect request to boot OS from SDCard]
     
  19. GerbilSoft

    GerbilSoft GBAtemp Addict

    What makes it a "phone"? It definitely doesn't have a modem for any sort of cellular reception.
     
  20. Felek666

    Felek666 Archdemon | #AMDForever

    I only referenced it as an argument. Most people flash their firmwares on phones. [Uncommonly, firmwares are made for tablets, although that's not really common in the Android scene, especially if your tablet is a Chinese one]