A newly disclosed Nintendo Switch exploit allows an attacker to run arbitrary code on the console's processor.
Console hacking is not considered easy, so when hacks are discovered and released, many in the gaming and hacking communities take notice. That has certainly been the case with a recently disclosed hack for the Nintendo Switch, and it may live on forever because it is unpatchable.
Nvidia Tegra X1
The Tegra X1 is a system on a chip (SoC) designed by Nvidia for mobile devices. Though Nvidia has since shipped newer chips (the Tegra X2 among them), it is the Tegra X1 that is the target of a USB recovery mode exploit.
The Tegra X1's USB recovery mode contains a vulnerability that allows an attacker to circumvent the lock-out mechanisms that would normally protect the chip's bootROM.
The Exploit Publication
The vulnerability disclosure, published under the name Fusée Gelée by its discoverer Kate Temkin, is an interesting read: according to Temkin it is not a "holy grail" exploit in every configuration, but in some it can be.
By sending an incorrect length argument to an improperly coded USB control procedure, an attacker can force the bootROM to "request", or copy, up to 65,535 bytes per control request, the maximum a 16-bit USB wLength field can express. That much data easily overflows a crucial direct memory access (DMA) buffer in the bootROM, allowing attacker-supplied data to be copied into the protected application stack, from which the attacker gains arbitrary code execution.
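To make the bug class concrete, here is an added, self-contained model written for this article. It is not Nvidia's bootROM code and not Temkin's proof of concept: the buffer sizes, the position of the "saved return address", the GET_STATUS request layout and the copy direction (out of a host-filled DMA buffer into a small stack buffer) are assumptions chosen to show, safely in userland, why a trusted 16-bit wLength is enough to smash a stack frame, and what the one missing check looks like.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of the Fusée Gelée bug class (NOT Nvidia's bootROM code).
 * All sizes, offsets and the request layout are assumptions for the demo. */
#define RESP_BUF_SIZE  0x40u                      /* small reply buffer on the stack */
#define MAX_WLENGTH    0xFFFFu                    /* wLength is a 16-bit USB field */
#define STACK_MODEL    (RESP_BUF_SIZE + 4u + MAX_WLENGTH) /* keeps the demo in bounds */
#define SAVED_LR_OFF   RESP_BUF_SIZE              /* "saved return address" follows it */
#define SAVED_LR_MAGIC 0x5AA5A55Au

struct usb_setup {
    uint8_t  bmRequestType, bRequest;
    uint16_t wValue, wIndex, wLength;
};

/* A USB setup packet is 8 bytes with little-endian 16-bit fields. */
void parse_setup(const uint8_t pkt[8], struct usb_setup *s) {
    s->bmRequestType = pkt[0];
    s->bRequest      = pkt[1];
    s->wValue  = (uint16_t)(pkt[2] | (pkt[3] << 8));
    s->wIndex  = (uint16_t)(pkt[4] | (pkt[5] << 8));
    s->wLength = (uint16_t)(pkt[6] | (pkt[7] << 8));
}

/* Modelled bootROM state: a DMA buffer that earlier transfers filled with
 * host-controlled bytes, and a fake stack frame whose reply buffer sits
 * directly below a saved return address. */
struct bootrom_model {
    uint8_t dma_buf[MAX_WLENGTH];
    uint8_t stack[STACK_MODEL];
};

void model_init(struct bootrom_model *m, uint8_t fill) {
    uint32_t lr = SAVED_LR_MAGIC;
    memset(m->dma_buf, fill, sizeof m->dma_buf);  /* attacker-chosen payload */
    memset(m->stack, 0, sizeof m->stack);
    memcpy(m->stack + SAVED_LR_OFF, &lr, sizeof lr);
}

/* Vulnerable handler: trusts the host-supplied wLength when copying the
 * reply out of the DMA buffer into the stack buffer. */
size_t handle_status_vulnerable(struct bootrom_model *m, const uint8_t pkt[8]) {
    struct usb_setup s;
    parse_setup(pkt, &s);
    memcpy(m->stack, m->dma_buf, s.wLength);      /* no bound: up to 65,535 bytes */
    return s.wLength;
}

/* Hardened handler: the copy can never exceed the destination buffer; an
 * oversized request is rejected (a real USB stack would STALL it). */
size_t handle_status_hardened(struct bootrom_model *m, const uint8_t pkt[8]) {
    struct usb_setup s;
    parse_setup(pkt, &s);
    if (s.wLength > RESP_BUF_SIZE)
        return 0;
    memcpy(m->stack, m->dma_buf, s.wLength);
    return s.wLength;
}

/* Device-to-host standard request (GET_STATUS) with a chosen wLength. */
void make_status_request(uint8_t pkt[8], uint16_t wLength) {
    memset(pkt, 0, 8);
    pkt[0] = 0x80;                                /* bmRequestType: IN, standard */
    pkt[6] = (uint8_t)(wLength & 0xFFu);
    pkt[7] = (uint8_t)(wLength >> 8);
}

typedef size_t (*ctrl_handler)(struct bootrom_model *, const uint8_t *);

/* True if a request with this wLength clobbers the saved return address. */
bool overwrites_return_address(ctrl_handler handler, uint16_t wLength) {
    static struct bootrom_model m;                /* ~128 KiB: keep it off the real stack */
    uint8_t pkt[8];
    uint32_t lr;
    model_init(&m, 0x41);
    make_status_request(pkt, wLength);
    handler(&m, pkt);
    memcpy(&lr, m.stack + SAVED_LR_OFF, sizeof lr);
    return lr != SAVED_LR_MAGIC;
}

int main(void) {
    const uint16_t lengths[] = { 2, RESP_BUF_SIZE, 0x7000, MAX_WLENGTH };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("wLength=0x%04x  vulnerable:%s  hardened:%s\n", (unsigned)lengths[i],
               overwrites_return_address(handle_status_vulnerable, lengths[i]) ? "smashed" : "intact",
               overwrites_return_address(handle_status_hardened, lengths[i]) ? "smashed" : "intact");
    return 0;
}
```

The point the model makes is that the host, not the device, chooses wLength; a legitimate GET_STATUS reply is 2 bytes, so any handler that copies wLength bytes without comparing it to its own buffer size hands the attacker a write of up to 64 KiB past the end. The hardened variant is the whole fix, which is exactly why it hurts that the vulnerable code lives in mask ROM.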
Executing the Vulnerability
According to the disclosure, Tegra processors include a USB Recovery Mode, also known as RCM, that can be entered under a few circumstances:
- If the processor fails to find a valid Boot Control Table (BCT) + bootloader on its boot media;
- If processor straps are pulled to a particular value e.g. by holding a button combination; or
- If the processor is rebooted after a particular value is written into a power management controller scratch register.
Simply put, you may use a small device (a "jig") of the kind tweeted by @fail0verflow, pictured below.
The idea is that this device, or one of various other methods, bridges a pin on the right Joy-Con rail connector (the connector on the side of the system where the Joy-Con attaches) to ground. That pulls the processor strap mentioned above and forces the chip into recovery mode.
Getting into recovery mode seems to be the most delicate part of this hack, since a slip can damage the device. Once in RCM, the team was able to inject code.
If you are interested, follow the link provided earlier in the article to see the code and the proof of concept. Note, however, that executing this hack carries serious risk and should not be undertaken by anyone who is not trained or experienced. As it stands, there have not been any major developments regarding what can be done with this particular hack, though we are sure it has opened Pandora's box for Nintendo and Nvidia.
Patching the Exploit
This exploit is concerning to users and vendor alike because it is not a software error that can be patched by a software update. The flaw is baked into the bootROM, which is fixed at manufacture, so a Tegra chip, like any other chip, cannot be fixed once it has left the factory; only a revised chip can close the hole.
This is terrible news for Nintendo: with over 14 million units sold, there is no easy way, if any, to address it. Even if Nintendo finds one, this will be one of the most costly exploits in Nintendo's history.
Should you try it?
We strongly advise against attempting this hack. Unless you have $200-400 to burn, we suggest you wait for something less costly.
For those who decide to move forward and play around with this hack, let us know what you have accomplished. Since this hack is fairly new, the community is young and you have a chance to contribute to this development in game console hacking.
For the rest of you who would rather play around with other, potentially less costly hacks, try some iOS jailbreaking here.