Switch boot procedure is now documented in switchbrew, and it has downgrade protection with fuses.

Discussion in 'Switch - Hacking & Homebrew' started by gabru, Jul 26, 2017.

  1. gabru
    OP

    gabru Member

    Newcomer
    14
    25
    Aug 22, 2016
    More info in: http://switchbrew.org/index.php?title=Package1

    Downgrade check

    The bootloader will check if someone attempted to downgrade it. A fuse array will be checked; if too many fuses are burnt, the bootloader will detect a downgrade attempt. The fuse array and the expected number of burnt fuses are different on unit type 0 (non-retail) and unit type 1 (retail).

    Panic
    The panic function does the following things:
    • It clears the stack
    • It disables(?) and clears the security engine
    • It sets a fuse (so that Nintendo knows that you attempted to mess with the bootloader)
    • It clears the key area
    • It clears the data for stage 2
    • It signals over the debug interface that a panic occurred until the Switch is reset.
     
    Last edited by gabru, Jul 26, 2017
    matpower, dAVID_, Zacchi4k and 19 others like this.
  2. Gnarmagon

    Gnarmagon Noob <3

    Member
    498
    77
    Dec 12, 2016
    Germany
    As long as the OTP Dump isn't below the newest Version... everything is fine ^^
     
  3. SciresM

    SciresM GBAtemp Advanced Fan

    Member
    596
    1,861
    Mar 21, 2014
    United States
    The Switch doesn't have an "OTP dump"... I don't think you understand what those words mean...
     
    matpower, EdTheNerd, Ra1d and 43 others like this.
  4. Futurdreamz

    Futurdreamz GBAtemp Advanced Maniac

    Member
    1,760
    1,004
    Jun 15, 2014
    Canada
    They certainly took a pretty hardball stance on this system. Even if it does get hacked, it may be very possible that it will always be a difficult procedure, that kills online.


    That reminds me... I wonder if Voice Chat is actually coming to the Switch, but only as a mandatory update that kills all exploits.
     

    Last edited by Futurdreamz, Jul 26, 2017
    StarTrekVoyager likes this.
  5. mech

    mech ♥️♥️♥️♥️♥️♥️♥️♥️

    Member
    4,912
    3,169
    Oct 26, 2014
    Vanuatu
    meh this is what xbox 360 had, still got *****
     
    Last edited by BORTZ, Jul 27, 2017 - Reason: I do not condone the use of that word
    iAqua, VinLark, EpicLPer and 8 others like this.
  6. Cyan

    Cyan GBATemp's lurking knight

    Global Moderator
    18,572
    8,917
    Oct 27, 2002
    France
    Engine room, learning
    I fixed your thread's title.
     
    EpicLPer, gamecaptor and gabru like this.
  7. TheZander

    TheZander member

    Member
    1,092
    775
    Feb 1, 2008
    United States
    how did you change it? I would assume replace not with now?
     
  8. delta nite

    delta nite Member

    Newcomer
    36
    28
    Sep 18, 2010
    United States
    So apparently 3.0.0 made a few changes to the order in which security engine setup happens. Maybe they became aware of a possible exploit happening on older versions?
     
  9. migles

    migles Mei the sexiest bae

    Member
    6,994
    4,704
    Sep 19, 2013
    Saint Kitts and Nevis
    my dad works for Nintendo.
    does this mean if someone does attempt to downgrade the Switch the fuses will be blown and you have to send it to Nintendo to repair?
    or is it that type of self-resetting fuse?
     
    DaMan and DarthDub like this.
  10. asper

    asper GBAtemp Advanced Fan

    Member
    651
    330
    May 14, 2010
    United States
    Efuses
     
    EpicLPer, rom1stel, DaMan and 3 others like this.
  11. yardie

    yardie GBAtemp Fan

    Member
    429
    361
    Mar 27, 2016
    United States
    Lol clueless
     
    Ra1d, EpicLPer, xKDCx and 2 others like this.
  12. Natehaxx

    Natehaxx Advanced Member

    Newcomer
    74
    54
    Jul 26, 2017
    Eritrea
    Ask the people over at the 360 Scene what Efuses can do lol

    Many people will blow up the Switches soon...
     
    Last edited by Natehaxx, Jul 27, 2017
    Subtle Demise likes this.
  13. FAST6191

    FAST6191 Techromancer

    pip Reporter
    23,716
    9,588
    Nov 21, 2005
    United Kingdom
    Did the 360 have a tamper flag? I don't recall mention of this (mostly just if you flashed the wrong NAND, flash the right one and try again, that or hope you did not burn a few more fuses by flashing a current update or something).
    While I am fully prepared for it to be rendered moot by something it would on the face of it seem to be a fairly fundamental change, at least as far as ease of exploration and care needed for end users of the hacks.
     
  14. XDee

    XDee Member

    Newcomer
    12
    8
    Jun 13, 2016
    Xbox360 had 2 security flaws which allowed for this to happen: it had separate power supply pin for the fuses, and the early versions of firmware didn't check for the presence of voltage on the fuse supply pin. None of the modern CPUs have separate supply for security fuses anymore, the lesson has been learned. Not saying the Switch is immune to hacking, but probably it will be more difficult than just desoldering the power resistor to disable the fuses.
     
  15. Cyan

    Cyan GBATemp's lurking knight

    Global Moderator
    18,572
    8,917
    Oct 27, 2002
    France
    Engine room, learning
    oh, you are right, it was "switch blog procedure is nos"
    I replaced blog, but I guess I mis-replaced "nos", I didn't check switchbrew.
    ok, I fixed it again, sorry :P
     
    Subtle Demise likes this.
  16. Gnarmagon

    Gnarmagon Noob <3

    Member
    498
    77
    Dec 12, 2016
    Germany
    What exactly do you mean by this?
    Do you mean the Switch doesn't have the OTP Keys or that there is no exploit available to get them?

    The OTPs are used for signing/encrypting the Payloads to be legit on our Consoles?
    Does only the 3DS have the OTPs? (I am sure that I heard Derrek talking about Wii U OTP Dumping at 33c3)

    -> For a Loaderhax on the Switch, are the OTPs required?
    -> Hopefully the Dump of them in 3 Years does not require a Version below 3.0.0, so I don't have to downgrade...

    Please apologize that I am talking in Questions :(
     
    Last edited by Gnarmagon, Jul 27, 2017
  17. TheDarkGreninja

    TheDarkGreninja How could you hate that face?

    Member
    2,284
    970
    Aug 25, 2014
    On his bed
    Nintendo actually thought ahead?!

    Mind-blowing stuff.

    — Posts automatically merged - Please don't double post! —

    God damn, wikipedia updates fast.
     
    Zacchi4k and NekoMichi like this.
  18. Natehaxx

    Natehaxx Advanced Member

    Newcomer
    74
    54
    Jul 26, 2017
    Eritrea
    It's quite funny that derrek didn't talk about the Efuses

    But Fuses yes or no, if you have the Trust Zone and the Root Key you can bypass the protection
     
    adrifcastr and Subtle Demise like this.
  19. PabloMK7

    PabloMK7 Red Yoshi! ^ω^

    Member
    1,807
    1,113
    Feb 21, 2014
    Spain
    Yoshi's Island
    Some are not understanding what the fuses do. In the process of updating the console, it burns a certain number of fuses. Let's say that for 3.0 the CPU has exactly 3 fuses burnt. (The update process burns them). Then you successfully downgrade to 1.0. Since having version 1.0 means you should have ONLY a single burnt fuse, the bootrom will detect that you have 3 fuses burnt (because you updated to 3.0 at some point), so it will panic. And no, there is no way to un-burn the fuses.
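
The fuse-count downgrade check described in the first post and in the post above, modelled in C as an added example; it is not part of any post in this thread and is not switchbrew's or Nintendo's code. The struct layout, function names and the fuse counts (3 for "3.0", 1 for "1.0", taken from the illustration above) are assumptions made for the model.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model: names, sizes and counts are assumptions,
 * not values from switchbrew or from a real bootloader. */
enum { BOOT_OK = 0, BOOT_PANIC = 1 };

struct device {
    uint32_t rollback_fuses[2]; /* one array per unit type: 0 non-retail, 1 retail */
    uint32_t tamper_fuse;       /* set by panic, never cleared */
    uint8_t  key_area[16];
    uint8_t  stage2[32];
};

/* Fuses are one-way: a write can only set bits, never clear them. */
static void fuse_burn(uint32_t *word, uint32_t mask) { *word |= mask; }

static unsigned fuse_count(uint32_t word) {
    unsigned n = 0;
    for (; word; word &= word - 1) n++;   /* drop the lowest set bit each pass */
    return n;
}

/* Update path: burn fuses until the count matches the new version.
 * Asking for a lower count than is already burnt changes nothing. */
void update_burn(struct device *d, int unit_type, unsigned target) {
    if (unit_type != 0 && unit_type != 1) return;
    uint32_t *w = &d->rollback_fuses[unit_type];
    for (unsigned bit = 0; bit < 32 && fuse_count(*w) < target; bit++)
        fuse_burn(w, 1u << bit);
}

/* The panic steps from the first post that this model can represent. */
static int boot_panic(struct device *d) {
    fuse_burn(&d->tamper_fuse, 1u);              /* record the tamper attempt */
    memset(d->key_area, 0, sizeof d->key_area);  /* clear the key area */
    memset(d->stage2, 0, sizeof d->stage2);      /* clear the data for stage 2 */
    return BOOT_PANIC;
}

/* Downgrade check: more burnt fuses than this bootloader build expects
 * means the unit has already run a newer version. */
int boot_check(struct device *d, int unit_type, unsigned expected) {
    if (unit_type != 0 && unit_type != 1) return boot_panic(d);
    if (fuse_count(d->rollback_fuses[unit_type]) > expected) return boot_panic(d);
    return BOOT_OK;
}
```

Because the comparison is "more than expected", a bootloader paired with a unit that has fewer burnt fuses still passes; only an older bootloader on a unit that has burnt more fuses trips the panic path.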
     
  20. mech

    mech ♥️♥️♥️♥️♥️♥️♥️♥️

    Member
    4,912
    3,169
    Oct 26, 2014
    Vanuatu
    Just use exploits for current firmwares, fuck the efuses.

    — Posts automatically merged - Please don't double post! —

    Just to add, this is an effective method but come on people, this is Nintendo we are talking about... and exploits are going to be found throughout the Switch's whole firmware life.
     
    Subtle Demise likes this.