Hacking Switch Firmware Layout Definitions

[Shadow LAG]

BCPKG2-1-Normal-Main
BCPKG2-2-Normal-Sub

Horizon OS Standard Boot Menu

BCPKG2-3-SafeMode-Main
BCPKG2-4-SafeMode-Sub

Safemode is an alternate boot mode for pulling updates and applying them in case of interruption. This mode can also be accessed via button combo.
(source: http://switchbrew.org/index.php?title=Safemode
)
My Picture of the mode in action (Don't worry I stopped the update)

BCPKG2-5-Repair-Main
BCPKG2-5-Repair-Sub

Maintenance mode:
http://en-americas-support.nintendo...ze-nintendo-switch-without-deleting-save-data

 

[Boot_8046]

Interesting assumption, but I think the recovery (not the RCM) mode is related to the OS while RCM mode is built into the chip itself from the factory.

 

[Shadow LAG]

Interesting assumption, but I think the recovery (not the RCM) mode is related to the OS while RCM mode is built into the chip itself from the factory.

Regarding the Tegra processor, I thought about the mode being stored outside of eMMC as well but I was hoping it would at least be an entry point or loader of sorts is why I'm asking. Could you be more specific when you say related to the OS? That much we know since the file is stored on the eMMC, but I'm going to need a little more specifics than that.

 

[TerraPhantm]

Nintendo's Recovery Mode has zero relation to the Tegra Recovery Mode (RCM). The Tetgra RCM is integral to the CPU. It'll enter RCM mode even if you remove the eMMC altogether.

 

[Kubas_inko]

Regarding the Tegra processor, I thought about the mode being stored outside of eMMC as well but I was hoping it would at least be an entry point or loader of sorts is why I'm asking. Could you be more specific when you say related to the OS? That much we know since the file is stored on the eMMC, but I'm going to need a little more specifics than that.

RCM is baked to SoC.
Related to OS = everything else.

 

[Boot_8046]

Regarding the Tegra processor, I thought about the mode being store outside of eMMC; however, could you be more specific when you say related to the OS? That much we know since the file is stored on the eMMC, but I'm going to need a little more specifics than that.

Unfortunately I don't know much as I'm not actually a hacker/a reverse engineer, I'm only assuming.
I mean, if the switch uses a stock X1 it means that it's the same chip used in everything (like nVidia shield etc.) is identical both hardware wise AND software wise, doesn't it? I'd be happy to learn from more expertises users.

 

[Shadow LAG]

Thank you for the clarification.
Looks like Recovery mode is maintenance mode unfortunately. http://switchbrew.org/index.php?title=Boot_Modes

I did see someone was able to get into RCM cold boot by corrupting a portion of the eMMC firmware intentionally. I am trying to find his post now. If this is the case, I'm wondering if this can be targeted for partition, or if it has to be the bootloader itself that fails to trigger this (useless for us)

EDIT: Updated the first post to document the Firmware block package definitions