Hacking Switch boot procedure is now documented in switchbrew, and it has downgrade protection with fuses.

DeadlyFoez

If I understand, it does have key data, but not like the 3DS/Wii U
Whether it is in the same fashion as the Wii/Wii U/3DS or not does not really matter. If the keys and other data are programmed into any area of memory that can no longer be altered through reasonable means, then it would be considered one-time programmable. The only other way that I can see for data for individual consoles to be made would be if the data of a certain chip was individually made on the wafer... but that would be hella expensive to do and not practical. So, as it always goes, the hardware is all put together, and then, while still in the factory, there is an initial program run on the hardware that assigns a per-console key to a memory bank. In most scenarios there is an efuse that gets blown afterwards that prevents that memory bank from ever being written to again. Hence it is called One Time Programmable.

Selim873

Some are not understanding what the fuses do. In the process of updating the console, it burns a certain number of fuses. Let's say that for 3.0 the CPU has exactly 3 fuses burnt. (The update process burns them.) Then you successfully downgrade to 1.0. Since having version 1.0 means you should have ONLY a single burnt fuse, the bootrom will detect that you have 3 fuses burnt (because you updated to 3.0 at some point), so it will panic. And no, there is no way to un-burn the fuses.

That's really interesting, actually.
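As an added example (not code from the thread, from switchbrew, or from Nintendo), here is a C model of the two mechanisms described in the posts above: a per-console key bank that is provisioned once at the factory and then locked by a fuse, and a version fuse word whose blown-fuse count the bootloader compares against what the firmware being booted expects. The 32-bit word, the bit polarity, the policy table (only the "1.0 expects 1 fuse, 3.0 expects 3" rows follow the post; the other rows, including two versions that share a count, are made up) and the "burn the missing fuses at boot" behaviour are all assumptions for illustration. The model also goes one step beyond the post: it shows that two firmwares expecting the same count pass each other's check, because the check is on a count, not on a version string.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model, not Nintendo's code.  One 32-bit OTP word stands in for the
 * version fuse array: a 0 bit is an intact fuse, a 1 bit a blown one.  The
 * polarity is assumed; only the one-way nature of the change matters. */
typedef struct { uint32_t word; } fuse_bank_t;

/* Burning can only add 1 bits.  Whatever value software "writes", the
 * hardware result is old | value: an "un-burn" is simply not expressible. */
static uint32_t fuse_write(fuse_bank_t *f, uint32_t value)
{
    f->word |= value;
    return f->word;
}

static unsigned fuse_count(const fuse_bank_t *f)
{
    unsigned n = 0;
    for (uint32_t w = f->word; w; w &= w - 1)   /* Kernighan popcount */
        n++;
    return n;
}

/* Burn the lowest intact fuses until exactly `target` are blown. */
static bool fuse_burn_up_to(fuse_bank_t *f, unsigned target)
{
    if (target > 32) return false;
    for (uint32_t bit = 0; bit < 32 && fuse_count(f) < target; bit++)
        fuse_write(f, 1u << bit);
    return fuse_count(f) == target;
}

/* Factory provisioning of a per-console secret into its own OTP bank, then
 * blowing the lock fuse so the bank can never be written again (the OTP
 * description from the thread).  Key size and layout are assumed. */
typedef struct { uint32_t key[4]; bool locked; } key_bank_t;

static bool key_bank_provision(key_bank_t *kb, const uint32_t key[4])
{
    if (kb->locked) return false;              /* lock fuse already blown */
    memcpy(kb->key, key, sizeof kb->key);
    kb->locked = true;                         /* one-way, like the fuses */
    return true;
}

/* Assumed policy table: how many blown fuses each firmware expects.  The
 * 1.0.0 -> 1 and 3.0.0 -> 3 rows follow the post; 2.0.0 and 2.3.0 are made
 * up and deliberately share a count. */
typedef struct { const char *version; unsigned expected; } fuse_policy_t;
static const fuse_policy_t policy[] = {
    { "1.0.0", 1 }, { "2.0.0", 2 }, { "2.3.0", 2 }, { "3.0.0", 3 },
};

static int expected_fuses(const char *version)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (strcmp(policy[i].version, version) == 0)
            return (int)policy[i].expected;
    return -1;                                  /* unknown firmware */
}

typedef enum { BOOT_OK, BOOT_OK_BURNED, BOOT_PANIC } boot_result_t;

/* The check described in the post: more fuses blown than the firmware being
 * booted expects means the console was downgraded, so the boot panics.
 * Fewer than expected means a fresh update; this model burns the missing
 * ones here (assumption; the thread only says the update process burns them). */
static boot_result_t bootloader_check(fuse_bank_t *f, const char *version)
{
    int expected = expected_fuses(version);
    unsigned burnt = fuse_count(f);
    if (expected < 0 || burnt > (unsigned)expected)
        return BOOT_PANIC;
    if (burnt < (unsigned)expected) {
        fuse_burn_up_to(f, (unsigned)expected);
        return BOOT_OK_BURNED;
    }
    return BOOT_OK;
}

/* The scenario from the post: fresh 1.0.0 console, update to 3.0.0, then a
 * downgrade to 1.0.0 after an attempted "un-burn" by writing zeros. */
static boot_result_t scenario_update_then_downgrade(void)
{
    fuse_bank_t f = { 0 };
    bootloader_check(&f, "1.0.0");
    bootloader_check(&f, "3.0.0");
    fuse_write(&f, 0);                          /* no effect on blown fuses */
    return bootloader_check(&f, "1.0.0");
}

/* Two firmwares expecting the same count are interchangeable under this check. */
static boot_result_t scenario_same_count(void)
{
    fuse_bank_t f = { 0 };
    bootloader_check(&f, "2.3.0");
    return bootloader_check(&f, "2.0.0");
}

int main(void)
{
    key_bank_t kb = { { 0 }, false };
    const uint32_t factory_key[4] = { 0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u }; /* constructed */
    const uint32_t later_key[4]   = { 0 };
    bool first = key_bank_provision(&kb, factory_key);
    bool again = key_bank_provision(&kb, later_key);
    printf("key provisioning: first=%d, after lock=%d\n", first, again);
    printf("update 1.0.0 -> 3.0.0 -> downgrade 1.0.0: %s\n",
           scenario_update_then_downgrade() == BOOT_PANIC ? "panic" : "boots");
    printf("2.3.0 -> 2.0.0 (same fuse count): %s\n",
           scenario_same_count() == BOOT_OK ? "boots" : "panic");
    return 0;
}
```

Compile with any C99 compiler; main() walks the update-then-downgrade scenario and prints each result. The reason fuse_write() returns old | value is that there is no representable un-burn operation at all, which is why the post's "no way to un-burn the fuses" holds no matter what software does.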

Selver

So apparently 3.0.0 made a few changes to the order in which security engine setup happens. Maybe they became aware of a possible exploit happening on older versions?

Highlighting this change in a slightly different light:
[3.0.0+] does the following BEFORE allowing the GPU to DMA to the IRAM:
  • The security engine address is setup
  • Bit30 of offset 0x800 of the security engine is checked: if set, panic.
Therefore, on v1.0.0 through v2.3.0, the GPU is given permission to DMA to the IRAM ... before the security engine is setup.

If DMA to the IRAM could alter the control flow of the security engine, then this would be a significant security fix.

Note that this fix does not mean an exploit using these permissions existed. It's also possible that this was identified and fixed prior to an exploit existing.
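To make the ordering point concrete, the following C model is an added example (not the bootloader code documented on switchbrew, and not a known exploit). Only the two orderings and the "bit 30 of offset 0x800 must not be set, else panic" check come from the post; the IRAM-resident SE base pointer, the attacker-controlled fake register block and the rogue transfer that redirects the pointer are invented purely to show why it matters to finish a security check before handing another bus master write access to the memory that check depends on. As the post says, none of this means such a transfer was ever possible on real hardware.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, added here.  Only the step order and the bit-30 check
 * follow the thread; everything about what lives in IRAM is made up. */
#define SE_STATUS_OFF   0x800u
#define SE_STATUS_BIT30 (1u << 30)

/* Memory-mapped security engine register block (index = byte offset / 4). */
static uint32_t se_regs[0x1000 / 4];
/* A fake register block under attacker control, with bit 30 clear. */
static uint32_t fake_regs[0x1000 / 4];

/* Bootloader state assumed to live in IRAM, i.e. within reach of a GPU DMA. */
typedef struct {
    volatile uint32_t *se_base;   /* assumed: pointer to the SE block */
    bool gpu_dma_allowed;
} iram_state_t;

/* Stands in for a transfer landing at the worst possible moment. */
typedef void (*dma_hook_t)(iram_state_t *s);

static bool se_bit30_set(const iram_state_t *s)
{
    return (s->se_base[SE_STATUS_OFF / 4] & SE_STATUS_BIT30) != 0;
}

typedef enum { BOOT_CONTINUE, BOOT_PANIC } boot_result_t;

/* A DMA master can only write IRAM once it has been granted access. */
static void maybe_dma(iram_state_t *s, dma_hook_t hook)
{
    if (s->gpu_dma_allowed && hook) hook(s);
}

/* Order described for 1.0.0 - 2.3.0: DMA granted first, SE set up after. */
static boot_result_t boot_old_order(iram_state_t *s, dma_hook_t hook)
{
    s->gpu_dma_allowed = true;
    maybe_dma(s, hook);
    s->se_base = se_regs;          /* SE address set up */
    maybe_dma(s, hook);            /* a transfer can still land before the check */
    return se_bit30_set(s) ? BOOT_PANIC : BOOT_CONTINUE;
}

/* Order described for 3.0.0+: SE set up and checked, then DMA granted. */
static boot_result_t boot_new_order(iram_state_t *s, dma_hook_t hook)
{
    s->se_base = se_regs;
    if (se_bit30_set(s)) return BOOT_PANIC;
    s->gpu_dma_allowed = true;
    maybe_dma(s, hook);            /* too late to influence the decision */
    return BOOT_CONTINUE;
}

/* Invented rogue transfer: point the bootloader at the fake block. */
static void rogue_dma(iram_state_t *s) { s->se_base = fake_regs; }

/* Run one ordering against a device whose real SE has bit 30 set, i.e. a
 * device that must panic. */
static boot_result_t run(boot_result_t (*boot)(iram_state_t *, dma_hook_t),
                         dma_hook_t hook)
{
    se_regs[SE_STATUS_OFF / 4] = SE_STATUS_BIT30;
    fake_regs[SE_STATUS_OFF / 4] = 0;
    iram_state_t s = { se_regs, false };
    return boot(&s, hook);
}

static const char *name(boot_result_t r) { return r == BOOT_PANIC ? "panic" : "continue"; }

int main(void)
{
    printf("old order, no DMA:    %s\n", name(run(boot_old_order, NULL)));
    printf("old order, rogue DMA: %s\n", name(run(boot_old_order, rogue_dma)));
    printf("new order, no DMA:    %s\n", name(run(boot_new_order, NULL)));
    printf("new order, rogue DMA: %s\n", name(run(boot_new_order, rogue_dma)));
    return 0;
}
```

With no rogue transfer both orderings panic as they should; with one, only the old ordering can be talked out of the panic, because the value the check reads is reachable by the DMA master before the check runs. That is the general shape of a check-before-grant fix, independent of what the real bootloader keeps in IRAM.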

SciresM

Highlighting this change in a slightly different light:
[3.0.0+] does the following BEFORE allowing the GPU to DMA to the IRAM:
  • The security engine address is setup
  • Bit30 of offset 0x800 of the security engine is checked: if set, panic.
Therefore, on v1.0.0 through v2.3.0, the GPU is given permission to DMA to the IRAM ... before the security engine is setup.

If DMA to the IRAM could alter the control flow of the security engine, then this would be a significant security fix.

Note that this fix does not mean an exploit using these permissions existed. It's also possible that this was identified and fixed prior to an exploit existing.

I went ahead and documented the flaw the security engine move was meant to fix, because it actually was a real bug fix.

Not really abusable for anything though.

Trumpasaurus

I found this article in Korean about the efuse. I’m posting it in its entirety rather than a link because some browsers don’t translate. Thought you might find it interesting.
I guess its concept isn’t just anti-piracy? Or is it all PR spin?

One of the most common components that fail in electronic systems is the input fuse. TVs often use mechanical fuses (or "melting fuses"). Manufacturers often rely on mechanical fuses for system protection instead of the more expensive alternative options for lower prices. Unfortunately, the mechanical fuse has to be physically replaced every time it breaks down and it does not work if it melts. In addition, each fuse provides current ratings and trip points and must be carefully stored and maintained.

The mechanical fuse's operating characteristics are clearly contrasted with the electronic fuse, which is called the eFuse. Semiconductor devices such as the TI TPS25921A have a 'self-healing' characteristic that allows the circuit to be reconfigured automatically when the fuse is 'blown'. In addition to limiting current and clamping the output voltage, the eFuse senses the occurrence of overload and protects the downstream circuit by blocking the power supplied to the output of the eFuse, if necessary. Each eFuse provides a variable current limit setting with external resistors, which simplifies inventory management by reducing the unique part number the manufacturer must reserve compared to a mechanical fuse.

Some eFuses can also protect against reverse current by adding an external blocking FET (TPS25924) or incorporating a back-to-back FET (TPS25940). Simply put, eFuse's role is to ensure that the downstream circuit is fully protected against any overcurrent or overvoltage transients.

Compared to mechanical fuses, eFuses more effectively prevent damage to downstream components. During the 'melting' time of the mechanical fuse, the eFuse already protects the circuit. This time difference means that the system designed with eFuse will not be damaged by transient overcurrent or overvoltage, and will return to normal operation once the problem is resolved. On the other hand, the same system designed as a mechanical fuse must be returned to the manufacturer for replacement if the fuse is blown.

Using the eFuse in place of the mechanical fuse on the TV I mentioned earlier can reduce the risk of product failure. If you bought a TV designed with an eFuse, the chance of failure would have been much lower, so you would have enjoyed watching your favorite shows on your new TV, and the manufacturer would have been able to maintain its brand reputation.

GerbilSoft

I found this article in Korean about the efuse. I’m posting it in its entirety rather than a link because some browsers don’t translate. Thought you might find it interesting.
I guess its concept isn’t just anti-piracy? Or is it all PR spin?
That has nothing to do with the CPU eFuses on Switch and other ARM devices. Switch eFuses are basically a one-time programmable ROM that's initially unprogrammed, then has individual bits zeroed as the bootloader is updated.

Sidenote: Those "eFuses" you quoted have actually been in use by Nintendo since at least the Wii. If the AC adapter encounters an overcurrent condition, the electronic fuse shuts off, and you have to unplug the AC adapter, wait around 30 minutes, then try it again. This is a good thing, since replacing a regular fuse is a pain.

Trumpasaurus

That has nothing to do with the CPU eFuses on Switch and other ARM devices. Switch eFuses are basically a one-time programmable ROM that's initially unprogrammed, then has individual bits zeroed as the bootloader is updated.

Sidenote: Those "eFuses" you quoted have actually been in use by Nintendo since at least the Wii. If the AC adapter encounters an overcurrent condition, the electronic fuse shuts off, and you have to unplug the AC adapter, wait around 30 minutes, then try it again. This is a good thing, since replacing a regular fuse is a pain.

Ahh cool. Thanks for clarifying. There's not a whole lot of info about them. It says it was developed by IBM and it's caused some consternation for some people who've wanted to jailbreak their Android phones, but other than that, not a whole lot of information out there.
So it sounds like there are several different eFuses. That's confusing and annoying haha.

Yami Anubis ZX

So basically the Switch will need a hard mod or mod chips to downgrade. I always found that safer than software mods because you can back up your NAND to your computer using the mod; with software you need to have it on, and with a hard mod you need it on as well, but it starts in a safe-mode type thing that the mod activates.

I probably don't know much about hard mods other than that they're dangerous because you might fry it, so pay someone to do it. With software mods, if you update the official firmware, you need a hard mod, but hard mods are there to stay; soft mods are easier, but once a hard mod is implemented you won't have problems downgrading and such, since it will be forced to do it.

Bah I'll just wait for a hard mod and pay someone to hard mod.

Deleted-355425

I smell grilled Switches

Take a look at TX mods for the Xbox 360: they had a board that slots around the BGA and has a spring-loaded pin that slips under the chip and presses on a particular ball on the BGA itself to make a contact.

MarioMasta64

Some are not understanding what the fuses do. In the process of updating the console, it burns a certain number of fuses. Let's say that for 3.0 the CPU has exactly 3 fuses burnt. (The update process burns them.) Then you successfully downgrade to 1.0. Since having version 1.0 means you should have ONLY a single burnt fuse, the bootrom will detect that you have 3 fuses burnt (because you updated to 3.0 at some point), so it will panic. And no, there is no way to un-burn the fuses.
how many fuses are there? does this mean that updates are limited? what about changing from 1.3.1 to 1.3.0 or something like that? are they numeric?

mariogamer

Take a look at TX mods for the Xbox 360: they had a board that slots around the BGA and has a spring-loaded pin that slips under the chip and presses on a particular ball on the BGA itself to make a contact.
I don't know a lot about Xbox things, but it's not the same thing; they were exploiting another flaw.

Deleted User

how many fuses are there? does this mean that updates are limited? what about changing from 1.3.1 to 1.3.0 or something like that? are they numeric?

If I understand it, the fuses are not limited whatsoever, but they get burned once the console updates,

even if you buy the console at FW 2.0

Deleted User

Well, I don't know about that... the only way would maybe be to tell the system that you didn't burn the fuse, to downgrade it, but that's impossible, I think. Just look at the Xbox 360. Maybe with the right access you can.

But who needs lower firmware anyway if there will be a new exploit?

Deleted-355425

I don't know a lot about Xbox things, but it's not the same thing; they were exploiting another flaw.

The point I was getting at is that the balls under the chip are very much accessible on a BGA. I quoted the wrong user.

See :P

postfix-v2_2.jpg

Yami Anubis ZX

Technically someone can create a modchip to downgrade a Switch; modchips help with the Xbox, Xbox 360, and PS3. When I said hard mod, I also meant a mod chip.

Mod chips on PS3 and Xbox 360 help force those systems to downgrade and put cfw on them, while ignoring the efuses, I believe.