The "unpatchable" exploit that makes every current Nintendo Switch hackable



A newly published "exploit chain" for Nvidia Tegra X1-based systems seems to describe an apparently unpatchable method for running arbitrary code on all currently available Nintendo Switch consoles. Hardware hacker Katherine Temkin and the hacking team at ReSwitched released an extensive outline of what they're calling the Fusée Gelée coldboot vulnerability earlier today, alongside a proof-of-concept payload that can be used on the Switch.

 

"Fusée Gelée isn't a perfect, 'holy grail' exploit—though in some cases it can be pretty damned close," Temkin writes in an accompanying FAQ.

 

The exploit, as outlined, makes use of a vulnerability inherent in the Tegra X1's USB recovery mode, circumventing the lock-out operations that would usually protect the chip's crucial bootROM. By sending a bad "length" argument to an improperly coded USB control procedure at the right point, the user can force the system to "request up to 65,535 bytes per control request." That data easily overflows a crucial direct memory access (DMA) buffer in the bootROM, in turn allowing data to be copied into the protected application stack and giving the attacker the ability to run arbitrary code.

 

On the Switch, the hardest part of the exploit seems to be forcing the system into USB recovery mode. To do this without opening the system requires shorting out a certain pin on the right Joy-Con connector (the bit on the side of the system where the Joy-Con clicks into place). The hacking team at Fail0verflow tweeted a picture of a small plug-in device that can apparently provide this short-out easily, and the team joked that a simple piece of wire from the hardware store can do so today. Temkin also tweeted a picture suggesting that simply exposing and bending the pin in question would also work.

 

 

 

 

 

Full article @ Ars Technica

Hopefully this doesn't kill software releases and sales à la NDS / PSP :/ Nintendo has been working on a new SoC for a few months now though, presumably because they were notified of the exploit, so if you want one of these exploit-capable Switches, buy one soon.
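The bug class the quoted article describes (a USB control handler that uses the host-supplied length as its copy size), shown here as an added example next to a bounded version. This is a simplified model, not code from the bootROM, the ReSwitched write-up or the article; the buffer sizes, `REPLY_SIZE` and all function names are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DMA_BUF_SIZE 0x1000u   /* constructed size, not the real bootROM layout */
#define MODEL_SIZE   0x10000u  /* DMA buffer plus modelled adjacent memory */
#define REPLY_SIZE   2u        /* hypothetical: bytes the reply really holds */

/* Standard USB SETUP packet fields; wLength is chosen by the host. */
struct setup_pkt {
    uint8_t  bmRequestType, bRequest;
    uint16_t wValue, wIndex, wLength;
};

/* bytes[0..DMA_BUF_SIZE) is the DMA buffer; the rest stands in for the
 * memory that follows it (the stack, in the article's description). */
struct model_mem { uint8_t bytes[MODEL_SIZE]; };
static struct model_mem mem;

/* Count marker bytes that landed beyond the end of the DMA buffer. */
static size_t bytes_past_buffer(const struct model_mem *m) {
    size_t n = 0;
    for (size_t i = DMA_BUF_SIZE; i < MODEL_SIZE; i++)
        n += (m->bytes[i] == 0xAA);
    return n;
}

/* Flawed: trusts wLength, so one request can move up to 65,535 bytes. */
size_t handle_unchecked(struct model_mem *m, const struct setup_pkt *s) {
    memset(m->bytes, 0, sizeof m->bytes);
    memset(m->bytes, 0xAA, s->wLength);   /* models the oversized copy */
    return bytes_past_buffer(m);
}

/* Bounded: never copy more than the reply holds or the buffer fits. */
size_t handle_checked(struct model_mem *m, const struct setup_pkt *s) {
    size_t len = s->wLength;
    if (len > REPLY_SIZE)   len = REPLY_SIZE;
    if (len > DMA_BUF_SIZE) len = DMA_BUF_SIZE;
    memset(m->bytes, 0, sizeof m->bytes);
    memset(m->bytes, 0xAA, len);
    return bytes_past_buffer(m);
}

int main(void) {
    struct setup_pkt bad = { 0x80, 0, 0, 0, 0xFFFF };  /* constructed request */
    printf("unchecked: %zu bytes past buffer\n", handle_unchecked(&mem, &bad));
    printf("checked:   %zu bytes past buffer\n", handle_checked(&mem, &bad));
    return 0;
}
```

Code in mask ROM cannot be reflashed after manufacture, which is why the article calls the flaw unpatchable on consoles already sold.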

  • 3 weeks later...

I assume this has been blown wide open now? I'm seeing entire Switch ROM library dumps happening on private torrent sites. Not that I've looked into what's happening as this progresses much at the moment.
