Immutable Nvidia Tegra bootROM flaw opens door to Nintendo Switch exploits

The Nintendo Switch quickly became the company's fastest-selling console in its history after its release last year and has since become the subject of close examination. This has led to the discovery of easter eggs such as the hidden message tucked away inside the Pro Controller, as well as a concealed tribute to the late Satoru Iwata, former President and CEO of Nintendo, in the form of the NES Golf game inside the console's code. While these secrets were more fun than functional, a new finding could well crack open the Switch to running arbitrary code.

In a report published on GitHub, Katherine Temkin and the ReSwitched team have disclosed a vulnerability, dubbed "Fusée Gelée", found in Nvidia's Tegra embedded processor, specifically in its bootROM. At present, it is believed that the flaw exists in Tegra SoCs manufactured before the T186/X2 and could be used to "load arbitrary code onto the main CPU Complex (CCPLEX) 'application processors' at the highest possible level of privilege". However, this relies on being able to boot affected devices into USB recovery mode in conjunction with a Linux or macOS computer, which pushes an executable to the Switch using a Python script.

As luck would have it, the fail0verflow team had tweeted an image of a device designed to short a pin in the slot meant for the right Joy-Con on the console; presumably, holding the volume up button at boot with the pin shorted activates recovery mode. Otherwise, more adventurous Switch owners can open up the console and disconnect the eMMC storage, but, of course, this would void the product warranty. The group has since published its own bootROM exploit, called ShofEL2, over on GitHub along with the following disclaimer:

If your Switch catches fire or turns into an Ouya, it's not our fault. It's stupidly easy to blow up embedded platforms like this with bad software (e.g. all voltages are software-controlled). We already caused temporary damage to one LCD panel with bad power sequencing code. Seriously, do not complain if something goes wrong.

While this development may have people thinking that Nintendo will soon issue a patch, it seems that option is off the table according to ReSwitched, given that "the ODM_PRODUCTION fuse was burned, so no bootROM update is possible". Temkin also explained in an FAQ article that "any Switch currently affected will continue to be able to use Fusée Gelée throughout its life". As such, this would mean that new Switch hardware would have to ship with a bootROM that mitigates this issue or with another Tegra-based processor that is not affected by the problem.

Source: ReSwitched (GitHub) via Ars Technica
