Switch bootrom warmboot exploit

Discussion in 'Switch - Exploits, Custom Firmwares & Soft Mods' started by json, Jul 13, 2018.

  1. json
    OP

    json MUSCLEMAN

    Member
    8
    Aug 9, 2013
    Burkina Faso
    In case anyone wants to go looking for the bootrom exploit that caused this ktempkin drama, it's related to SDRAM warmboot.
    Apparently there is a flaw in the bootrom that lets you take over the bootrom itself when the bootrom is executing code during a warmboot reset.

    How it fits together is you set up some special values in memory and trigger a warmboot reset. If you did it correctly it will trigger the vulnerability and will jump to your code, thus taking over the bootrom.
    If you have a 4.1 exploit to trigger warm boot reset, you can have a softmod that does this.


    Obviously I left out a few details, but someone more skilled knows where to look now...
     
  2. Draxzelex

    Draxzelex GBAtemp Psycho!

    Member
    12
    Aug 6, 2017
    United States
    New York City
    Inb4 the exploit is leaked
     
  3. Memoir

    Memoir Just a Memory

    Member
    18
    Jun 24, 2007
    United States
    Somewhere, over there!
    "Leaked"..

    Get the tape!
     
  4. V-Temp

    V-Temp GBAtemp Advanced Fan

    Member
    6
    Jul 20, 2017
    United States
    Seems like it was, along with Deja Vu.

    Blowing everything up for any hopes of 5.x/Mariko.
     
  5. the_randomizer

    the_randomizer The Temp's official fox whisperer

    Member
    22
    Apr 29, 2011
    United States
    Dr. Wahwee's castle
    In before a Nintendo defender sells it to Nintendo :lol:
     
  6. V-Temp

    V-Temp GBAtemp Advanced Fan

    Member
    6
    Jul 20, 2017
    United States
    This is seemingly already in Nintendo's hands. The issue is this outs Deja Vu completely.
     
  7. the_randomizer

    the_randomizer The Temp's official fox whisperer

    Member
    22
    Apr 29, 2011
    United States
    Dr. Wahwee's castle
    Not that it would benefit people on 5.x.x anyway :P There was never gonna be a softmod for that firmware AFAIK.
     
  8. Draxzelex

    Draxzelex GBAtemp Psycho!

    Member
    12
    Aug 6, 2017
    United States
    New York City
    I hope this brand is good enough
     
  9. Memoir

    Memoir Just a Memory

    Member
    18
    Jun 24, 2007
    United States
    Somewhere, over there!
    Y'know? Apparently it's a really good product. Maybe it'll work here. Lord knows we've got some bad leaks in the scene.
     
  10. V-Temp

    V-Temp GBAtemp Advanced Fan

    Member
    6
    Jul 20, 2017
    United States
    5.x still had parts of Deja Vu in it.
     
  11. the_randomizer

    the_randomizer The Temp's official fox whisperer

    Member
    22
    Apr 29, 2011
    United States
    Dr. Wahwee's castle
    Doesn't mean anything if it doesn't come to fruition or the end result is never released publicly *shrug*. I didn't see that being released, in all honesty.
     
  12. V-Temp

    V-Temp GBAtemp Advanced Fan

    Member
    6
    Jul 20, 2017
    United States
    Well now it will never come to fruition, though. This completely torpedoes a closely kept secret.
     
  13. Memoir

    Memoir Just a Memory

    Member
    18
    Jun 24, 2007
    United States
    Somewhere, over there!
    It might be. There's a chance they're sitting on it until they know for sure it'll work or not on Mariko units. Time will tell. Even if not current devs, someone might.
     
  14. V-Temp

    V-Temp GBAtemp Advanced Fan

    Member
    6
    Jul 20, 2017
    United States
    Not sure anyone was sitting on it, not anymore.

    This more or less IS Deja Vu, between the warmboot exploit and coldboot enabling, which was what DJ promised. Now everyone knows how it's done, so whether or not it's released, it's already pretty much lost.

    Kate was right in what she said on Twitter, this was known about already. 5.x fixed this because Nintendo knew about the ability to coldboot on <4.1, which means they knew this exact thing was possible.
     
  15. Garrincho

    Garrincho GBAtemp Regular

    Member
    2
    Sep 16, 2015
    Uruguay
    Where does this info even come from...?
     
  16. Memoir

    Memoir Just a Memory

    Member
    18
    Jun 24, 2007
    United States
    Somewhere, over there!
    Well, I misworded that. I meant waiting to try and make it work on 5.x. :x

    Apparently there's some traces of it intact, just no known way to execute it.
     
  17. guily6669

    guily6669 GbaTemp is my Drug

    Member
    5
    Jun 3, 2013
    United States
    Doomed Island
    OMG, that's exactly what I needed, THANK YOU SO MUCH.

    Need to fix a 1000L tank of water :D.

    Now tape really fixes every god damn thing:bow:
     
  18. V-Temp

    V-Temp GBAtemp Advanced Fan

    Member
    6
    Jul 20, 2017
    United States
    Yup you're right, that's been the status of it.

    But now that we know how this works, I don't know if this would have worked on Mariko anyway; it's not a Tegra X1.
     
  19. Wednesday101

    Wednesday101 Member

    Newcomer
    1
    Jul 13, 2018
    United States
    Would this exploit essentially allow 4.1 users to boot directly into homebrew without a tether?
     
  20. Draxzelex

    Draxzelex GBAtemp Psycho!

    Member
    12
    Aug 6, 2017
    United States
    New York City
    Essentially yes, since we have userland-based exploits.
     