Nintendo Switch consoles across the world have been rendered vulnerable by a new permanent exploit unearthed in Nvidia Tegra X1-based systems. The Nintendo Switch bootROM hack is currently unpatchable and opens up the hardware for customization.
The issue, dubbed the Fusée Gelée coldboot vulnerability, was released by hardware hacker Katherine Temkin and the hacking team at ReSwitched. The disclosure is backed by a proof-of-concept payload that can be used on the Switch. On the exploit's FAQ page, Temkin wrote that “Fusée Gelée isn’t a perfect, ‘holy grail’ exploit—though in some cases it can be pretty damned close.”
The vulnerability in the Tegra X1’s USB recovery mode lets an attacker get in ahead of the lock-out operations that would otherwise protect the chip’s bootROM. By sending a bad “length” argument to an improperly coded USB control procedure at the right time, the attacker can request up to 65,535 bytes per control request. That much data overflows the direct memory access (DMA) buffer in the bootROM and is copied onto the protected application stack, allowing the attacker to run arbitrary code.
“By carefully constructing a USB control request, an attacker can leverage this vulnerability to copy the contents of an attacker-controlled buffer over the active execution stack, gaining control of the Boot and Power Management processor (BPMP) before any lock-outs or privilege reductions occur,” Temkin wrote of the Nintendo Switch bootROM hack.
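The class of bug described above is a copy length taken directly from the host-supplied `wLength` field. The following is an added example, not code from the bootROM or from Temkin's report: it models the flawed length calculation next to a bounded one. The 4096-byte buffer size, the function names and the sample request are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DMA_BUF_SIZE 4096u   /* assumed size for this model, not a bootROM value */

/* Standard 8-byte USB SETUP packet; wLength is chosen by the host. */
struct usb_setup {
    uint8_t  bmRequestType, bRequest;
    uint16_t wValue, wIndex, wLength;
};

/* Flawed pattern: the copy length is whatever the host asked for. */
static size_t copy_len_unchecked(const struct usb_setup *s, size_t reply_len)
{
    (void)reply_len;         /* the real reply size is never consulted */
    return s->wLength;       /* up to 65,535 bytes */
}

/* Bounded: never more than the reply holds or the destination can take. */
static size_t copy_len_checked(const struct usb_setup *s, size_t reply_len,
                               size_t dst_size)
{
    size_t n = s->wLength;
    if (n > reply_len) n = reply_len;
    if (n > dst_size)  n = dst_size;
    return n;
}

/* Bytes that would be written past the end of the destination buffer. */
static size_t overrun(size_t copy_len, size_t dst_size)
{
    return copy_len > dst_size ? copy_len - dst_size : 0;
}

/* Hardened handler: copies the reply into the DMA buffer, returns bytes sent. */
static size_t send_reply(const struct usb_setup *s, const uint8_t *reply,
                         size_t reply_len, uint8_t dma[DMA_BUF_SIZE])
{
    size_t n = copy_len_checked(s, reply_len, DMA_BUF_SIZE);
    memcpy(dma, reply, n);
    return n;
}

int main(void)
{
    struct usb_setup s = {0x80, 0x00, 0, 0, 0xFFFF};  /* constructed sample request */
    uint8_t reply[2] = {0}, dma[DMA_BUF_SIZE];
    printf("unchecked overrun: %zu\n", overrun(copy_len_unchecked(&s, sizeof reply), DMA_BUF_SIZE));
    printf("checked copy: %zu\n", send_reply(&s, reply, sizeof reply, dma));
    return 0;
}
```

The unchecked path reports how far past the buffer the copy would reach without performing it; only the bounded path touches memory.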
Since the problem lies at the heart of the Tegra X1 bootROM, it cannot be patched once a console has shipped to retailers. That means there are currently around 14.8 million devices around the globe vulnerable to this hack. The problem does not end there: someone with the right knowledge would be able to run local software, customized apps and games (including pirated ones).
Temkin mentioned in the FAQ that the Nintendo Switch bootROM hack is notable for the number and variety of devices affected, the seriousness of the issue, and the ‘immutability’ of the code on devices already in end users' hands. The vulnerability report was released with the aim of assisting remediation efforts and to “guide communication and minimize impact to users,” she said.
She also talks about Team Xecuter, which according to her is working on a consumer version of the exploit and would sell it in the form of a mod chip or other peripheral device. Team Xecuter believes that its version will work on any Nintendo Switch console irrespective of the firmware installed and would be completely future proof.
For Switch owners, the Nintendo Switch bootROM hack as of now would be helpful in displaying the protected information from the Switch’s boot instruction ROM. Temkin says that more details about the exploit will be out on June 15. It is likely that guides and information aimed at the general public will be published then.
In the FAQ, she also noted that NVIDIA and Nintendo were informed about the exploit beforehand. Temkin says that she is publicizing the Nintendo Switch vulnerability in part because greater harm could be done if someone with malicious intent cracked it first. She also believed that other groups were looking for an opportunity to publish a similar exploit ahead of ReSwitched’s planned summer rollout, which forced the “early” disclosure from her team.
By all accounts, this is the first public disclosure of a low-level method for hacking the Switch. There have been instances in the past where hackers devised their own methods, like unlocking the copy of NES Golf hidden in every Switch console. However, those were mainly software vulnerabilities that were taken care of.
The issue is different this time as it concerns the hardware, and therefore a simple over-the-air patch would not work. The Japanese game maker will, however, not go down without a fight or leave Nintendo Switch owners at the mercy of hackers.
It is likely that Nintendo already has, or is working on, a few fixes to stop device owners from accessing its servers while running a hacked game or software that has not been officially authorized for use on the Switch. On the other hand, several Switch owners might want their consoles to be hacked so that they can save game data to an SD card, a feature that is still not available officially.