BootROM Patched Switches Appear At Retail

Vena

Community Resettler
Member
Oct 25, 2017
1,942
#1
As many know, nVidia had an "oopise" with 10-years worth of SoCs which suffered from an unpatchable, critical bootloader flaw that allowed arbitrary code to be run in recovery mode (RCM) at boot, forfeiting any security on the system. This flaw affected the entire Tegra line and its predecessors going back 10 years. (As many have failed to properly delineate, RCM is not the actual flaw. It is just a standard recovery mode for fixing broken Switches.)

This flaw was found in the Switch by fail0veflow and reported last year. This flaw led to a boom in homebrew progress and development, but of course this allowed for malware piracy groups to create and market piracy mod-chips to load payloads at boot in RCM and hjack the system. And roughly 18million switches are vulnerable to that flaw. (This has resulted in large ban waves for pirates, some bricked switches from stupid people bridging the wrong pins and frying their motherboards, to DRMed piracy dongles with stolen community code and brickcode in them... because why not? To all sorts of other nonsense and bullshit, such as hacking. And of course, a lot of emulator work and good old-fashioned homebrew.)

To the surprise of no one, Nintendo (and nVidia) have rolled out an updated hardware that is fixed from this arbitrary write-flaw through a system known as iPatches. These are fuses with specific bits of code that fix flaws in the boot processes and other hardware level operations. These cannot be applied after leaving the factory (as the fuse allowing them to be written or edited is blown).



What does this mean?

Well it means that the bootflaw is no longer a viable path and so now it becomes a question of software exploits in the kernel/system and updating once again starts to close exploits. (So if you bought that dongle, its useless if you run out of old Switches.) Now you have to face Nintendo's rather secure kernel but because these units were actually made some time ago they still (some) come with 4.0.1 which still has a software flaw, known at Deja Vu in the community (again, thanks to nVidia… because why stop at a hardware flaw when your entire GPU driver stack can be compromised). This flaw was largely patched as of 5.0.0 and is being held for the eventual Mariko Switch (which isn't out yet, and this change isn't said revision). It is unlikely that this flaw will be released until Mariko or until a firmware patch completely closes it as it is our only path currently known into reaching TrustZone and bypassing Nintendo's rather tight security.

This iPatch fix likely occurred many months ago but we're only now seeing it at retail. Because it ships with 4.0.1 and not 5.x, you can date the time of manufacture to very early this year, so Nintendo was on top of the flaw after its submission by f0f.

Long Story Short: If you want a homebrew-able Switch, buy one now and do not update to 5.x.

If you send in for repair, you'll get a replaced SoC.
 
Last edited:
Oct 25, 2017
5,645
#5
It’s pretty gross that it got so far. Hopefully this stops the rampant piracy that could’ve resulted.
What a screw up from Nvidia hoping for Switch to be the start of a 20 year partnership
 
Oct 25, 2017
7,305
#8
10 years ago? Did they realise the mistake only some years ago?? Why not release the switch with the harware fixed?
The flaw itself wasn’t fully explored until it came into a consumer product that had the most user benefit from it. Which is probably how it slipped out of sight from nVidia until recently.
 
Oct 27, 2017
709
#9
It’s pretty gross that it got so far. Hopefully this stops the rampant piracy that could’ve resulted.
What a screw up from Nvidia hoping for Switch to be the start of a 20 year partnership
The blame cannot fall 100% to Nvidia. Nintendo bought a vanilla Tegra with a 10 year old flaw. Blame the willing buyer.
 
Oct 25, 2017
1,463
Argentina
#11
The flaw itself wasn’t fully explored until it came into a consumer product that had the most user benefit from it. Which is probably how it slipped out of sight from nVidia until recently.
Because the exploit wasnt discovered until after the switch came out, it just says the vulnerability affects all tegra chips 10 years back
That's logical. Thanks!
 
OP
OP
Vena

Vena

Community Resettler
Member
Oct 25, 2017
1,942
#14
The blame cannot fall 100% to Nvidia. Nintendo bought a vanilla Tegra with a 10 year old flaw. Blame the willing buyer.
It is 100% nVidia. Even a custom chip would have likely carried this flaw if based on Tegra.
 
Oct 27, 2017
358
#15
Wow. Glad I bought my Switch early. All nice and hacked, and running backups of my SNES and GBA collection.

Edit:

It is 100% nVidia. Even a custom chip would have likely carried this flaw if based on Tegra.
EVERY piece of hardware and software on the market has some sort of vulnerability SOMEWHERE, and if people are dedicated enough, they'll find it. There is no such thing as an unbreachable system, and this flaw went unexploited for 10 years. NVIDIA didn't do anything wrong, any more than Intel did with the Spectre bug.
 
Oct 25, 2017
5,098
#19
If you have an older model Switch, can this security flaw be fixed or are they pretty much all still exploitable?
 
Oct 25, 2017
7,305
#20
If you have an older model Switch, can this security flaw be fixed or are they pretty much all still exploitable?
Hardware based, all they can do is keep banning the people bold enough to go online with a hacked switch. And catch any of the ones dumb enough to update their firmware.
 
Jan 25, 2018
3,439
#22
If you have an older model Switch, can this security flaw be fixed or are they pretty much all still exploitable?
Nope. They need to fix it in the bootrom so your current device is exploitable.

Good to see Nintendo/Nvidea fixed this in newer Switches.
 
Nov 10, 2017
4,868
#25
It’s pretty gross that it got so far. Hopefully this stops the rampant piracy that could’ve resulted.
What a screw up from Nvidia hoping for Switch to be the start of a 20 year partnership
Its all about piracy bc home brew isn't a thing.

(I'm not @'ing you specifically, just the first post of its ilk that I wanted to single out)
 
Oct 27, 2017
267
#26
I'm particularly interested in the fact that this quiet revision to the current hardware is not the rumored Mariko model. This discovery alone already makes it more convincing that Mariko could be a worthwhile upgrade.
 
Oct 27, 2017
401
#29
My guess is they will wait to announce any upgrade until PY 2019. They won't want to kill the sales momentum going into the holidays. If they would announce an upgrade they would have to drop the current hardware price.
 

Jahranimo

Community Resettler
Member
Oct 25, 2017
2,920
#30
Furukawa's influence is already making waves at Nintendo.

This should be better with preventing less online shenanigans as we go on for now.
 
Jun 21, 2018
30
#31
I wish the modding scene the best of luck in getting through this hurdle. As somebody unfamiliar with how any of this works, how likely is it that that within a couple of years the Switch will be just as free as 3DS and Wii U are today?
 
Oct 28, 2017
735
#33
So can I just use my flawed day one Switch for now, keep updating the OS, and then one day have it be my hacked Switch after a Switch 2/Pro/XL comes out?

Or do you need both the hardware flaw and a 4.x OS to have a device worth hacking?
 
Oct 27, 2017
2,734
Costa Rica
#38
Seriously? Full homebrew, modding games, and piracy? Is online safe to use on these hacked Switches?
Yes. Homebrew. Game patches. Piracy is as easy as it was on 3DS (people can download games they don't own directly from Nintendo servers). Cheating.

However, Nintendo is banning people who play pirate games or use modded games. Using CFW only is safe for now.
 
Oct 25, 2017
3,215
#39
Shame, I do envision the switch as being the perfect homebrew handheld due to it's ability to play so many cutting edge titles in addition to the homebrew aspects and emulation aspects of so many prior gens. But then again the inevitable rampant piracy would be a pain in the ass for Nintendo so I understand their change.
 
OP
OP
Vena

Vena

Community Resettler
Member
Oct 25, 2017
1,942
#42
Yes. Homebrew. Game patches. Piracy is as easy as it was on 3DS (people can download games they don't own directly from Nintendo servers). Cheating.

Nintendo is banning people who play pirate games though or use modded games. Using CFW only is safe for now.
Downloading from the CDN results in a blacklist eventually, so no. It's not like the 3DS.
 

Kokonoe

Banned
Member
Oct 26, 2017
5,150
#45
Seriously? Full homebrew, modding games, and piracy? Is online safe to use on these hacked Switches?
It's still early, but yes. People have even been able to get Dolphin emulator to work on it with low FPS but playable. Near 30 FPS for a lot of games.
 
Oct 27, 2017
2,734
Costa Rica
#46
Downloading from the CDN results in a blacklist eventually, so no. It's not like the 3DS.
I'm not referring to using your own cert so no risks :)
It may change on the future but for now it's like the 3DS. In the future anything can change.

(apart from the normal ban for using games you don't own of course)
 
OP
OP
Vena

Vena

Community Resettler
Member
Oct 25, 2017
1,942
#47
I'm not referring to using your own cert so no risks :)

(apart from the normal ban for using games you don't own of course)
CDN downloading requires a cert, it doesn't matter who's it is. It gets blacklisted and eventually you run out of real certs to pass dauth.

Poking the CDN is stupid on this system.
 
Jun 21, 2018
30
#49















You need to reply to this in order to see this content.
It already is... The Switch has been fully hacked.
Yes. Homebrew. Game patches. Piracy is as easy as it was on 3DS (people can download games they don't own directly from Nintendo servers). Cheating.

However, Nintendo is banning people who play pirate games or use modded games. Using CFW only is safe for now.
Downloading from the CDN results in a blacklist eventually, so no. It's not like the 3DS.
It's still early, but yes. People have even been able to get Dolphin emulator to work on it with low FPS but playable. Near 30 FPS for a lot of games.
Seriously? Full homebrew, modding games, and piracy?
1. Yes

Is online safe to use on these hacked Switches?
2. No
I see. Thank you all for the clarifications.
 
Oct 27, 2017
2,734
Costa Rica
#50
CDN downloading requires a cert, it doesn't matter who's it is. It gets blacklisted and eventually you run out of real certs to bypass dauth.
For now all requests to the atum server are accepted. This is extremely poor design as both system modules/applets and eShop content share the Atum server.

Will it change on the future? Maybe. For now it's no diferrent than 3DS in the end.