Every Nintendo Switch Now Hackable Thanks To An Unpatchable NVIDIA Tegra Exploit

ReSwitched

Nintendo has shipped around 15 million hybrid Switch consoles to date, and that number will continue to grow, especially as more AAA titles land on the system. That's good news for Nintendo. The bad news (for Nintendo), however,  is that each and every one of them is vulnerable to a hack that could allow the execution of arbitrary code, and there does not appear to be a way of fixing it.

Hardware hacker and modder Katherine Temkin and the hacking team at ReSwitched published an "exploit chain" for the Switch that goes into great detail on the security flaw. They're calling it the Fusée Gelée coldboot vulnerability, and in short, it leverages a vulnerability that exists in the NVIDIA Tegra X1's USB recovery mode. The exploit bypasses lock-out operations that normally would protect the chip's bootROM.

"As this vulnerability allows arbitrary code execution on the Boot and Power Management Processor (BPMP) before any lock-outs take effect, this vulnerability compromises the entire root-of-trust for each processor, and allows exfiltration of secrets e.g. burned into device fuses," Temkin explains.

The exploit works by forcing the Switch into USB recovery mode by shorting a pin on the right Joy-Con controller. There is a special plug-in device that makes this easy, and once in there, a payload is sent during the USB check that forces the system to "request up to 65,353 byes per control request," which is way more than the console can handle. That in turn causes a DMA buffer overflow in the bootROM, providing hackers access to what is supposed to be a protected area.

What makes this so tricky for Nintendo and NVIDIA is that neither company can just issue a software patch to fix the flaw. Once the chip leaves the factory, there is nothing that can be done, at least in terms of directly addressing the issue. What Nintendo could do instead, however, is push an update that checks whether a Switch has been hacked when accessing its servers, and then ban those systems.

Now that this vulnerability is made public, it's probably just a matter of time before a hacker or modder figures out how to leverage it to emulate games on the Switch. There are legitimate use case scenarios for hacking a Switch, though the concern for Nintendo is that users would be able to run pirated games. We'll just have to wait and see how this all plays out, and how Nintendo decides to handle the situation.

Thumbnail/Top Image Source: GitHub via Katherine Temkin

Via:  Arstechnica
Show comments blog comments powered by Disqus