How the Nintendo Switch prevents downgrades by irreparably blowing its own fuses


Downgrade prevention has been a cat-and-mouse game between consumers and companies since the inception of remote updates. The Nintendo Switch adopts a worrisome strategy of preventing firmware downgrades by permanently modifying your device every time it updates. While this isn’t a new concept (the Xbox 360 was doing it back in 2007), it is part of a greater effort to prevent end users from modifying their devices to their liking.

The Nintendo Switch was released on March 3, 2017, and is currently on version 5.0.2.

The Nintendo Switch uses an Nvidia Tegra X1 SoC, which comes with a fuse driver. This allows software to blow fuses programmatically, permanently modifying the device and making it impossible to revert to a previous state.

How It Works

The boot loader checks a specific fuse register, FUSE_RESERVED_ODM7, to prevent downgrading.[1] Each software version expects a certain number of fuses to be blown: if more are blown than expected, the boot loader refuses to boot; if fewer, it blows the missing fuses and then proceeds to boot. Blowing a fuse is irreversible; once it has been set it can never be undone. It is theoretically possible to physically modify the SoC and replace the fuses, but that is so prohibitively invasive and expensive that it is not a real option.

The ODM_RESERVED fuse block is 256 bits in total, spread across 8 ODM_RESERVED registers, so each register (including FUSE_RESERVED_ODM7) holds 32 bits. That gives 32 anti-downgrade fuses, or 32 future firmware versions (provided Nintendo burns a fuse on every major release).
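The check described above, as an added illustrative model (not Nintendo's boot loader code, nor anything from switchbrew): a 32-bit one-time-programmable register whose bits can only go from 0 to 1, and a boot check that refuses when more fuses are burnt than the firmware expects and burns the missing ones when fewer are. The burn-from-bit-0 order and the version-to-count table are assumptions for illustration only.

```python
ODM7_WIDTH = 32  # bits in one ODM_RESERVED register (256 bits / 8 registers)


class OdmFuseRegister:
    """Model of one 32-bit OTP fuse register: bits go 0 -> 1 and never back."""

    def __init__(self, value: int = 0) -> None:
        self.value = value & ((1 << ODM7_WIDTH) - 1)

    def burnt_count(self) -> int:
        # Number of fuses already blown = number of set bits.
        return bin(self.value).count("1")

    def burn(self, bit: int) -> None:
        if not 0 <= bit < ODM7_WIDTH:
            raise ValueError("no such fuse")
        # OR-only write: the hardware has no way to clear a blown fuse.
        self.value |= 1 << bit

    def burn_up_to(self, count: int) -> None:
        """Burn the lowest unburnt fuses until `count` bits are set (assumed order)."""
        bit = 0
        while self.burnt_count() < count and bit < ODM7_WIDTH:
            self.burn(bit)
            bit += 1


# Hypothetical version -> expected burnt fuse count table (illustrative values,
# not the real one).
EXPECTED_FUSES = {"1.0.0": 1, "2.0.0": 2, "3.0.0": 3, "4.0.0": 4, "5.0.0": 5}


def boot_check(fuses: OdmFuseRegister, firmware: str) -> str:
    """Return 'boot' or 'refuse', blowing fuses as a side effect when needed."""
    expected = EXPECTED_FUSES[firmware]
    burnt = fuses.burnt_count()
    if burnt > expected:
        # Device has already moved past this firmware: downgrade blocked.
        return "refuse"
    if burnt < expected:
        # First boot of a newer firmware: commit the device to it permanently.
        fuses.burn_up_to(expected)
    return "boot"


if __name__ == "__main__":
    device = OdmFuseRegister()
    print(boot_check(device, "5.0.0"), device.burnt_count())  # boot 5
    print(boot_check(device, "3.0.0"), device.burnt_count())  # refuse 5
```

Because the only operation on the register is a bitwise OR, running the older firmware's check again can never lower the count, which is exactly why the downgrade stays blocked.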

Workarounds

Just this week the first serious exploit of the Switch BootROM was released. This exploit cannot be patched remotely, which means that all ~15 million devices currently out are vulnerable and will continue to be vulnerable for their lifespans. fail0verflow also released a Linux sideloader, although as of this writing it is not yet ready for the public.

[1] http://switchbrew.org/index.php?title=Fuses#Anti-downgrade
