最後更新: 2019-06-25

目錄

 

• Hardware
•  
• SXOS 雙系統
•  

---

Hardware

 

Tegra X1 SoC

 - Cortex-A57 X 4
 - Cortex-A53 X 4
 - Maxwell 架構 GPU X 256

 

---

Switch 充電

 

主機 USB Type-C 輸出入的功率為 39W（15V/2.6A）

行動電源還須支援 USB Power Delivery 功能

 

---

Switch 支援的記憶卡

 

支援格式包括 microSD, microSDHC 及 microSDXC

選購記憶卡時, 讀寫速度建議至少每秒 60~90MB, 且支援 UHS-I 技術

 * 使用microSDXC記憶卡時連接網路進行主機更新 (因為要 exfat driver)

 * The Nintendo Switch only speaks UHS-I, so there's no advantage to buying a UHS-II or UHS-III card

讓 Switch 認可新內存卡

...

 

---

破解原理

 

fusee-gelee vulnerability

Recovery Modus (按住主機的音量+鍵, 再按電源鍵)

這個漏洞位於唯讀的Bootrom

 

---

Jigs

 

Jigs hold a wire in place so the correct pins (10 and a Ground) are shorted every time.

1,2,7 Ground

i.e.

1-short->10

 

---

注入軟件

 

PC

• TegraRcmSmash(CLI)
• TegraRcmGUI

Android

• Rekado (https://github.com/MenosGrante/Rekado/releases)
• nxloader (https://github.com/DavidBuchanan314/NXLoader/releases)

 

---

OS

 

NS-Atmosphere(http://www.ns-atmosphere.com/en/)

ReiNX (https://reinx.guide/)

SX OS (https://sx.xecuter.com/) # 收費

• RCM tool (dongle)
• Jig

 

---

Hardware Injector

 

NS-Atmosphere Injector

NS-Atmosphere.bin --- NS-Atmosphere Programmer ---> 注入器

 

---

payload

 

SX OS

ReiNX

NS-Atmosphere.bin

Hekate (https://github.com/CTCaer/hekate)

 

---

boot loader

 

Parses ini files from microsd

hekate - CTCaer (https://github.com/CTCaer/hekate/releases)

- Custom Nintendo Switch bootloader, firmware patcher, and more.

 

---

efuse

 

System version - Expected number of burnt fuses (retail)

1.0.0           1
2.0.0-2.3.0     2
3.0.0           3
3.0.1-3.0.2     4
4.0.0-4.1.0     5
5.0.0-5.1.0     6
6.0.0-6.1.0     7
6.2.0           8
7.0.0-8.0.1     9
8.1 =           10

Tools to check number osf efuse

• Briccmii

 

---

AutoRCM

 

Why should I enable AutoRCM?

It is recommended to enable AutoRCM before updating your system firmware with ChoiDujourNX.

Booting in the RCM will not burn fuses, but a normal system boot will burn fuses and disable the possibility downgrade in the future.

If you want to keep fuses unburned, you can do so with autoRCM, as the switch never gets the change to burn them after updating when using autoRCM

Disadvantages of autoRCM

When completely discharged, your switch will take a very long time to charge while in RCM.

AutoRCM 原理

AutoRCM is a controlled brick, bricking a part of the boot0/1 to make the console believe it's bricked and boot straight to RCM (recovery mode).

Note: Before you freak out if the switch's screen stays black when you power on your switch after activating autoRCM, it's not bricked. it's in RCM.

Remark

the system will power off like usual. But after 10-15 seconds,
it will automatically enter RCM and drain the battery as long as its left that way.
This applies to using the power options menu's "power off", and for holding the power button for 12 seconds.

There is no way to fully power off the system while Horizon is loaded
when you have AutoRCM without it entering RCM.

 

---

Stealth Mode

 

 

---

SXOS load an external payload via the Boot Menu

 

Steps to reproduce:

1.  Fire up the console via SX Pro Dongle & Jig
2.  Wait for Boot Menu to load
3. Choose "Options"
4. Choose "Payloads"

 

---

NS Tools

 

incognito (https://github.com/blawar/incognito)

Wipes personal information from your Nintendo Switch by removing it from prodinfo.

 

Checkpoint               # Manage your saves

EdiZon

Lockpick_RCM

ChoiDujouNX          # For upgrade/downgrade system

Goldleaf                   # Files manager

NX-Shell

Lithium                    # Games Installation Tool

Tinfoil                      # support xci and nsp games

hb App Store

tools set

https://github.com/switchbrew

 

---

Using sxos without dongle

 

Download the SX Loader from sx.xecuter.com ( payload.bin ),

then use NXLoader (Android) or TegraRCMSmash (Windows).

 

---

PC Tools

 

nxmtp

# Files transfer using Type-C cable

https://github.com/liuervehc/nxmtp/releases

 

---

ROM Tools

 

XCI-Explorer

 XCI、NSP 文件信息查詢工具

  - 能對XCI空白區域進行裁剪以減小XCI文件體積

  - 能提取XCI分區中的文

  - 提取或替換xci的證書

https://github.com/StudentBlake/XCI-Explorer/releases

.NET Framework 4.7.2 Runtime Required

4nxci

XCI --> NSP

 

---

nsp -> nsz

 

NSZ 與 NSPZ 分別

NSZ/XCZ:

• GitHub Project: https://github.com/nicoboss/nsz
• Uses solid compression by default.
• Block compression can be enabled using the -B option. Block compression will be the default for XCZ
• Decrypts all sections while keeping the first 0x4000 bytes encrypted. Puts informations needed to encrypt inside the header.
• Already widely used. Supported by Tinfoil, SX Installer v3.0.0 and probably a lot of other software in the future

NSPZ/XCIZ:

• GitHub Project: https://github.com/nicoboss/nsZip
• Block compression (allowing random read access to play compressed games)
• Decrypts the whole NCA

Install & Upgrade

# Python 3.6

[install]

pip install -r requirements.txt

[upgrade]

pip install nsz --upgrade

準備

keys.txt at the location of nsz.py/nsz.exe

Please dump your keys using https://github.com/shchmue/Lockpick_RCM/releases

Always keep your keys up to date as otherwise newer games can't be decrypted anymore.

Usage Example

# -l LEVEL          # Default: 18, Max: 22
# -C                  # Compress NSP/XCI

nsz --level 22 -C title1.nsp

-i, --info            Show info about title or file