• Sign in to Neowin Faster!

    Create an account on Neowin to contribute and support the site.

Sign in to follow this  

The "unpatchable" exploit that makes every current Nintendo Switch hackable

Recommended Posts

branfont    212

A newly published "exploit chain" for Nvidia Tegra X1-based systems seems to describe an apparently unpatchable method for running arbitrary code on all currently available Nintendo Switch consoles.  Hardware hacker Katherine Temkin and the hacking team at ReSwitched released an extensive outline of what they're calling the Fusée Gelée coldboot vulnerability earlier today, alongside a proof-of-concept payload that can be used on the Switch.

 

"Fusée Gelée isn't a perfect, 'holy grail' exploit—though in some cases it can be pretty damned close," Temkin writes in an accompanying FAQ.

 

The exploit, as outlined, makes use of a vulnerability inherent in the Tegra X1's USB recovery mode, circumventing the lock-out operations that would usually protect the chip's crucial bootROM. By sending a bad "length" argument to an improperly coded USB control procedure at the right point, the user can force the system to "request up to 65,535 bytes per control request." That data easily overflows a crucial direct memory access (DMA) buffer in the bootROM, in turn allowing data to be copied into the protected application stack and giving the attacker the ability to run arbitrary code.

 

On the Switch, the hardest part of the exploit seems to be forcing the system into USB recovery mode. To do this without opening the system requires shorting out a certain pin on the right Joy-Con connector (the bit on the side of the system where the Joy-Con clicks into place). The hacking team at Fail0verflow tweeted a picture of a small plug-in device that can apparently provide this short-out easily, and the team joked that a simple piece of wire from the hardware store can do so today. Temkin also tweeted a picture suggesting that simply exposing and bending the pin in question would also work.

 

 

 

 

 

Full article@ Ars Technica

Share this post


Link to post
Share on other sites
Andrew    2,860

Hopefully this doesn't kill software releases and sales à la NDS / PSP :/ Nintendo has been working on a new SoC for a few months now though; presumably because they were notified of the exploit, so if you want one of these exploit capable Switches buy one soon.

Share this post


Link to post
Share on other sites
Vandalsquad    515

I assume this has been blown wide open now? I'm seeing entire switch rom library dumps happening on private torrent sites. Not that I've looked into what's happening as this progresses much at the moment.

Share this post


Link to post
Share on other sites
+warwagon    13,113

So you are saying now would be a great time to buy a switch.

  • Haha 1

Share this post


Link to post
Share on other sites
DKAngel    314

cant do much with it until home brew is actually written for it, but all current models are exploitable until they do a hardware revision 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.