Hacking Switch bootrom warmboot exploit

Thread starter: Deleted User
Views: 49,313 | Replies: 161 | Likes: 19
> Make one.

My IQ is too low for that :D. I only learned basic C++ crap, and the biggest crap I did was an automotive-stand-like app ;).

I will simply keep waiting for Atmosphere. I bought the 3DS back then and waited like 2 years with it on the shelf until GW arrived, so I can totally wait for Atmosphere. I even have Zelda to play, and I only played it a bit and haven't even turned my Switch on for months...

But I still hope that after Atmosphere is fully finished some communities could start fully modding it. I would really want nightly builds to test, like in the original Xbox days...

Anyway, I would simply be happy with just Atmosphere and good backup loading added later. However, I would kill for clock/temperature telemetry, a good built-in file explorer and some basic media player functionality, like opening some movie codecs and picture formats. It's sad that Xbox 360 FSD never had that built-in, but it was still pretty damn good, though nothing compared to the holy grail of XBMC back in the original Xbox days :bow:.
 
Mine's still running with a Chameleon chip.
I used the hot-swapping software mod on mine, as it had the HDD with the rubber X that kinda works with hot-swapping.

But my friend's Xbox had a different HDD. I tested it and even made a permanent ground cable while hot-swapping, but just after connecting power, bang, it just died. I guess they were really right that the other HDDs wouldn't work :)

Had to solder a TX chip, don't even remember which ;)
 
Nintendo have the exploit. It hasn't been formally released; it might take a while if the ReSwitched people don't release what they know about the warmboot exploit. Is Team Xecuter going to pursue this exploit?
 
> Well, the people that were constantly asking to update and did so because they wanted to use SX OS are basically fucked now.

Or you could be smart and update without burning fuses. Best of both worlds :P. I enjoy SX OS on 5.1.0 till ReiNX comes out, then I restore my NAND and POOF! Now I'm on 3.0.0, and if I'm lucky, I have coldboot.

The only sad part is my cartridge slot won't work on the lower firmware (thanks TX :(). I hope they figure out how to downgrade the cartridge slot's firmware in the future.
 
> Or you could be smart and update without burning fuses. Best of both worlds :P. I enjoy SX OS on 5.1.0 till ReiNX comes out, then I restore my NAND and POOF! Now I'm on 3.0.0, and if I'm lucky, I have coldboot.
>
> The only sad part is my cartridge slot won't work on the lower firmware (thanks TX :(). I hope they figure out how to downgrade the cartridge slot's firmware in the future.

The cartridge part could actually become a HUGE problem if someone gets a full softmod that would require a certain game as an entry point. However, most likely they would support entering RCM and using something like LayeredFS, which could do the trick too, instead of needing to actually have the cartridge game.

But lucky you that you're on 3.0; I'm on 3.02, which is worse.
> Nintendo have the exploit. It hasn't been formally released; it might take a while if the ReSwitched people don't release what they know about the warmboot exploit. Is Team Xecuter going to pursue this exploit?

The problem is really that going from the exploit to having something fully working seems to be a lot harder, especially from FW 3.02 to 4.1, at least that's what SciresM said (both are very difficult to implement, and the higher the tier, the harder it is, and above 4.1 = good luck for now...).

If the exploit could be made to work, I'm totally sure TX will also add it.
 
> The cartridge part could actually become a HUGE problem if someone gets a full softmod that would require a certain game as an entry point. However, most likely they would support entering RCM and using something like LayeredFS, which could do the trick too, instead of needing to actually have the cartridge game.
>
> But lucky you that you're on 3.0; I'm on 3.02, which is worse.

Hopefully it won't require a game, but if it does, maybe (just maybe) I could use SX OS? Idk.
 
> The cartridge part could actually become a HUGE problem if someone gets a full softmod that would require a certain game as an entry point. However, most likely they would support entering RCM and using something like LayeredFS, which could do the trick too, instead of needing to actually have the cartridge game.
>
> But lucky you that you're on 3.0; I'm on 3.02, which is worse.

This is why I am still on 3.0.0. I've waited this long. Plus I was expecting it to take way longer than this anyway. Not jumping the gun until the kinks are worked out.

> The problem is really that going from the exploit to having something fully working seems to be a lot harder, especially from FW 3.02 to 4.1, at least that's what SciresM said.
>
> If the exploit could be made to work, I'm totally sure TX will also add it.

They said the same thing about trying to find an initial exploit like FG, but look what happened. You never know until you look.
 
> This is why I am still on 3.0.0. I've waited this long. Plus I was expecting it to take way longer than this anyway. Not jumping the gun until the kinks are worked out.
>
> They said the same thing about trying to find an initial exploit like FG, but look what happened. You never know until you look.

But for FG, after Kate discovered it, I think the work was going pretty well and yeah, it ended up looking easier than it seemed (for people like me).

But for the other exploits I also have no clue. The only thing I have seen was SciresM saying they were just too much of a hassle to implement right now, and the fact that his main project is Atmosphere surely won't help in regards to exploit development for now.

However, after all this rush and how everything got leaked so damn fast, I'm even thinking 3.01 could actually have the full untethered softmod, either warmboot or coldboot, still this year, or maybe I'm just crazy... All we know is 1.0 will have it in the very near future ;).
 
> But for FG, after Kate discovered it, I think the work was going pretty well and yeah, it ended up looking easier than it seemed (for people like me).
>
> But for the other exploits I also have no clue. The only thing I have seen was SciresM saying they were just too much of a hassle to implement right now, and the fact that his main project is Atmosphere surely won't help in regards to exploit development for now.
>
> However, after all this rush and how everything got leaked so damn fast, I'm even thinking 3.01 could actually have the full untethered softmod, either warmboot or coldboot, still this year, or maybe I'm just crazy... All we know is 1.0 will have it in the very near future ;).

Isn't it 1.0 - 3.0.0? And if it's based on FW, why can't we just downgrade to get it? We can already bypass fuse checks. That's what I did with my 3DS ages ago.
 
Only FW 1.0 is publicly known to have a major exploit that can give full access (SciresM said the Atmosphere full release would come first for 1.0; maybe that is not valid anymore after RCM+FG development).

Then up to FW 3.01 has a different exploit that I think can lead to coldboot too, if I remember well, and 3.02 to 4.1 can have a warmboot exploit, but they are hard to implement.

And the other FW which I can't even remember (maybe 2.3?) that has FakeNews; maybe someone later could find a way to warmboot to Atmosphere (though there's no publicly known way to do that there).

About downgrading: sadly, even though we can downgrade, after the e-fuses are burnt we still have to enter RCM and run through hekate to load the old FW, and we can't sign a custom FW without Nintendo's master key for firmware signing, which wouldn't require any exploit to hack the console...
 
> Only FW 1.0 is publicly known to have a major exploit that can give full access (SciresM said the Atmosphere full release would come first for 1.0; maybe that is not valid anymore after RCM+FG development).
>
> Then up to FW 3.01 has a different exploit that I think can lead to coldboot too, if I remember well, and 3.02 to 4.1 can have a warmboot exploit, but they are hard to implement.
>
> And the other FW which I can't even remember (maybe 2.3?) that has FakeNews; maybe someone later could find a way to warmboot to Atmosphere (though there's no publicly known way to do that there).
>
> About downgrading: sadly, even though we can downgrade, after the e-fuses are burnt we still have to enter RCM and run through hekate to load the old FW, and we can't sign a custom FW without Nintendo's master key for firmware signing, which wouldn't require any exploit to hack the console...

That's not what he said. Where does it say 1.0.0 is definite?

[image: 4.png]


And someone should change this then:

[image: firmware-status.png]


Source: https://gbatemp.net/threads/firmware-status.495078/
 
What do you mean by definitive?

FW 1.0 is the holy grail, and it's a different exploit than the other tiers...

The new exploits won't require jigs and sending payloads (only for 3.02-4.1, I think, is it needed once to install).

And the ones getting coldboot (theoretically speaking, later), like 1.0, will be definitive, as in permanent loading of CFW from power off; the others with warmboot will require something every boot to load into CFW, but at least won't need jigs and sending payloads.

But anyway, everything is subject to change with new discoveries/development; who knows if even that same exploit for 3.02 to 4.1, which is theoretically known to be able to do warmboot, could later lead to a similar, different exploit that could coldboot...
 
> What do you mean by definitive?
>
> FW 1.0 is the holy grail, and it's a different exploit than the other tiers...
>
> The new exploits won't require jigs and sending payloads (only for 3.02-4.1, I think, is it needed once to install).
>
> And the ones getting coldboot (theoretically speaking, later), like 1.0, will be definitive, as in permanent loading of CFW from power off; the others with warmboot will require something every boot to load into CFW, but at least won't need jigs and sending payloads.
>
> But anyway, everything is subject to change with new discoveries/development; who knows if even that same exploit for 3.02 to 4.1, which is theoretically known to be able to do warmboot, could later lead to a similar, different exploit that could coldboot...
I think I can speak for everyone here when I say, huh?

Can you post anything to back up whatever it is you are trying to say?
 
In case anyone wants to go looking for the bootrom exploit that caused this ktemkin drama, it's related to SDRAM warmboot.
Apparently there is a flaw in the bootrom that lets you take over the bootrom itself when the bootrom is executing code during a warmboot reset.

How it fits together is you set up some special values in memory and trigger a warmboot reset. If you did it correctly, it will trigger the vulnerability and jump to your code, thus taking over the bootrom.
If you have a 4.1 exploit to trigger a warmboot reset, you can have a softmod that does this.

Obviously I left out a few details, but someone more skilled knows where to look now...
 
Nice copy-paste from the other thread.
 
> I think I can speak for everyone here when I say, huh?
>
> Can you post anything to back up whatever it is you are trying to say?

You have there in the pic you posted <3.02 and higher than that... "coldboothax"... you're F* (this is all theoretically speaking, that coldboot can be achieved up to 3.01).

In that same thread you posted, Kate says 1.0 is the holy grail FW...

And the rest is from following them for a long time: there are different exploits for different tiers of FW, and basically the lower, the easier it is, and 1.0 is just a different beast that can have everything in theory.

And about the downgrade: there is no known way to downgrade officially other than having to enter RCM and send a payload every boot, which means even if 1.0 gets coldboot soon, you will still need to enter RCM + payload every time you turn the console off and run through hekate, defeating the purpose of the softmod (unless they find a new way of using that to achieve it later, but with the burned e-fuses I don't think it will ever load ;)).

PS: But someone who remembers everything reported better can maybe fix my post if I said something wrong, or just clear everything up for you.
 