NVIDIA Tegra (Anywhere)

This device type is still in the Wishlist Phase. All information on this page is subject to change.

Most of the team has a modern Tegra device, most commonly, the Nintendo Switch. There is interest in running Ultramarine on these devices, but we haven’t started work on a port yet.

We’re tracking the progress of the Switchroot project, which aims to bring Linux to the Nintendo Switch and other Tegra-based SoCs, such as the Jetson/Xavier/Orin series, the NVIDIA Shield and more.

The boot process for Tegra devices is similar to other ARM-based Android devices, but with slight differences, especially for the Nintendo Switch since it uses a completely custom firmware, due to Nintendo’s security measures. We’ll be mostly documenting the process for the Switch, but the same principles apply to other Tegra devices.

Nintendo Switch

The Switch loads from a 32GB (or 64GB on the OLED model) eMMC, which is a detachable module.

Older revisions of the Switch with the X1 SoC (the original 2017 launch model, AKA the “White Box” or “Erista” SoC) are the most compatible with Linux, since the hardware support for the X1 itself has been mainlined in the Linux kernel. This model is vulnerable to CVE-2018-6242 (Fusée Gelée) which allows for arbitrary code execution in the boot ROM.

Newer revisions of the Switch with the X1+ SoC (the 2019 revision, AKA “Red Box” or “Mariko” SoC) and later models like the Lite and OLED models (also codenamed “Aula”) are not vulnerable to Fusée Gelée, and require a different exploit which is a combination of eMMC interception and a reset glitch to load a custom bootloader. This requires hardware modifications and is not as straightforward as the original exploit.

”Mariko” SoCs are also not yet supported by the mainline Linux kernel, and require a custom kernel to boot.

The most common bootloader payload used to run arbitrary code on the Switch is hekate, a custom bootloader that provides a graphical boot menu and partition manager. It can also be used to dump the eMMC storage data and create an “emuMMC” (a virtualized eMMC partition that can be used to run a backup image of HorizonOS, the stock firmware without modifying the actual eMMC data.)

Implementation

The Switchroot boot process creates a boot menu entry in Hekate that loads U-Boot, which in turn reads a custom boot script that does the following:

  1. (If the user is on a Switch Lite) loads the calibration data for the embedded analog sticks

  2. Loads the device tree blobs (DTB) for the Switch from the SD card

  3. Sets up Linux kernel command line arguments (if configured to do so)

    • Disables the touch screen tuning parameters (optional)
    • Disables HDMI CEC auto-negotiation (optional)
    • Disables WiFi VHT80 bonding (if running the mainline kernel)
    • Force-enables NVENC/NVDEC support and sets the memory address for the framebuffer

  4. Finally, loads the Linux kernel and the initramfs from the SD card

If the boot process fails at any point, the script waits for 10 seconds and then reboots the device.

Ultramarine Notes

To properly support BLS (Boot Loader Specification) on the Switch, we want to slightly modify the U-Boot script to instead chainload another bootloader (such as GRUB, systemd-boot or Submarine) which can then read the BLS configurations and present the user with the boot menu options.