Nintendo Switch Tegra X1 Boot Rom Leaked

An unknown group of hackers has posted a link to the Tegra X1 bootrom on pastebin. Various sources have confirmed the content of that link to be the “real deal”.

In the wake of the release, hacker @q3k has released .IDC files (script files to use with the popular debugger IDA) for people looking to investigate the bootrom, as reported by maxconsole. Other people have mentioned that the ROM is missing some of the Switch-specific patches, but others have been quick to point out that such patches are openly available on switchbrew.

The release of the Tegra bootrom is not useful for the typical “end user” of Nintendo Switch hacks. However, it is a very interesting piece of software for hackers: the bootrom has most likely been acquired through glitching, a family of hardware techniques that not many hackers are familiar with, let alone have the required hardware for. Because of that, getting the bootrom is in itself not an easy thing to do, and it is therefore likely that the Tegra bootrom had, until now, been circulating only in fairly private circles.

With access to this piece of software, multiple software hackers could start looking for flaws in the Tegra bootrom. We already know such vulnerabilities exist, since multiple groups have been mentioning them in their work, including Team Xecuter, Reswitched, and Fail0verflow.

Reswitched in particular are scheduled to release a full Custom Firmware along with the Tegra bootrom exploits sometime this summer. But it is possible that this leak could precipitate the release of the Atmosphere Custom Firmware. Hacker Ktemkin and other people in Reswitched have been holding off on releasing the exploit “too soon” until documentation for everything is ready. But if other groups start finding and revealing Tegra bootrom vulnerabilities, that point could quickly become moot.



Tegra X1 Bug (Nintendo Switch)
And because hacking is easy: the Tegra X1 Bug.

Tegra X1 RCM forgets to limit wLength field of 8 byte long Setup Packet in some USB control transfers. Standard Endpoint Request GET_STATUS (0x00) can be used to do arbitrary memcpy from malicious RCM command and smash the Boot ROM stack before signature checks and after Boot ROM sends UID. Need USB connection and way to enter RCM (Switch needs volume up press and JoyCon pin shorted).

To:
ReSwitched
fail0verflow
SwitchBrew
BBB
Team Xecuter
Team SALT

Reminder: Real hackers hack in silence. You all suck.


"Game Over."


F8001BE1190CAED74BBDDAD78667877C84D1A128
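The bounds problem the note above describes, as an added illustration that is not code from the page or from the Tegra ROM: a stripped-down GET_STATUS handler that takes its copy length straight from the host-supplied wLength, beside the version that clamps it. The buffer size, field names and function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sizes for the illustration, not values from the leaked ROM. */
#define STATUS_BUF_LEN       64   /* fixed stack buffer the handler stages its reply in */
#define GET_STATUS_REPLY_LEN 2    /* a standard GET_STATUS reply is two bytes */
#define USB_REQ_GET_STATUS   0x00

/* The 8-byte USB setup packet; multi-byte fields are little-endian on the wire. */
typedef struct {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
} setup_packet;

static uint16_t le16(const uint8_t *b) { return (uint16_t)(b[0] | (b[1] << 8)); }

void parse_setup(const uint8_t raw[8], setup_packet *p) {
    p->bmRequestType = raw[0];
    p->bRequest      = raw[1];
    p->wValue        = le16(raw + 2);
    p->wIndex        = le16(raw + 4);
    p->wLength       = le16(raw + 6);
}

/* Flawed pattern: the copy length is the host-controlled wLength as-is, so any
 * value above STATUS_BUF_LEN would run the copy past the staging buffer.
 * Only the length that would be used is returned here; nothing is copied. */
size_t reply_len_unchecked(const setup_packet *p) { return p->wLength; }

/* Hardened pattern: clamp to the real reply size and to the staging buffer,
 * so a hostile wLength can shorten the reply but never widen the copy. */
size_t reply_len_checked(const setup_packet *p) {
    size_t n = p->wLength;
    if (n > GET_STATUS_REPLY_LEN) n = GET_STATUS_REPLY_LEN;
    if (n > STATUS_BUF_LEN)       n = STATUS_BUF_LEN;
    return n;
}

/* Stage a GET_STATUS reply using the checked length. Returns bytes staged,
 * or 0 when the packet is not a GET_STATUS request. */
size_t stage_get_status(const setup_packet *p, uint8_t out[STATUS_BUF_LEN]) {
    static const uint8_t status[GET_STATUS_REPLY_LEN] = { 0x00, 0x00 }; /* bus-powered, no remote wakeup */
    if (p->bRequest != USB_REQ_GET_STATUS) return 0;
    size_t n = reply_len_checked(p);
    memset(out, 0, STATUS_BUF_LEN);
    memcpy(out, status, n);
    return n;
}
```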



Source: http://wololo.net/2018/04/23/nintendo-switch-tegra-x1-bootrom-leaked-precipitate-custom-firmware-release/

Comments


TOXIC posted:

Awesome to see this now happen, it was only a matter of time I guess.