Exploit found in Nintendo Switch is impossible to patch, turns it into a hackable platform

By Greg S · 16 replies
Apr 24, 2018
  1. Following a recently published exploit for Nvidia's Tegra X1, developers and hardware hackers at ReSwitched and Fail0verflow have demonstrated arbitrary code execution on the Nintendo Switch. The Fusée Gelée ("Frozen Rocket") coldboot vulnerability gives nearly full control over the device by injecting data into the protected application stack.

    The issue stems from how the Tegra X1 handles USB recovery mode. By shorting a pin on the Joy-Con connector, a payload can be delivered during a USB check, forcing up to 65,535 bytes to be copied. This causes a direct memory access (DMA) buffer overflow in the bootROM, which allows arbitrary code to execute in the application stack.

    Since the problem lies in the read-only bootROM of the Tegra, it cannot be fixed by a software update. Nvidia can only correct the flaw in future chip revisions and ship patched chips from this point forward.

    The ReSwitched team reports that both Nvidia and Nintendo were notified of the vulnerabilities before any information was released. It was also brought to light that many devices beyond the Switch are affected by the bugs; Nvidia's Shield set-top box uses the same Tegra X1 chip.

    Following the release of the exploit chain, it will be possible for pirates and hackers to run modified and emulated games on the Switch, and it is only a matter of time before developers rush to crack DRM on games. Even though Nintendo cannot fix the root of the issue, it is possible to detect that a Switch has been modified so that affected players can be blocked from online play.

    Anyone curious to try tinkering for themselves should exercise extreme caution, since voltages on the Switch are software controlled. A failed boot attempt could brick the device or damage a number of components.

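    To illustrate the bug class the article describes (a 16-bit USB length field driving a DMA copy into a fixed bootROM buffer), here is an added example of the unchecked pattern beside its bounded counterpart. This is hypothetical model code written for this page, not Tegra X1 bootROM source; the buffer size, structure names and function names are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed buffer size for the demo; the real bootROM buffer differs. */
#define RECOVERY_BUF_SIZE 4096u

struct usb_setup {                /* standard 8-byte USB SETUP packet */
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;             /* host-controlled, 0..65535 */
};

/* What gets handed to the (simulated) DMA engine. */
struct dma_xfer { uint8_t *dst; size_t len; };

static uint8_t recovery_buf[RECOVERY_BUF_SIZE];

/* Unchecked pattern: the DMA length is taken straight from wLength, so any
 * request larger than RECOVERY_BUF_SIZE plans a write past recovery_buf. */
struct dma_xfer plan_dma_unchecked(const struct usb_setup *req) {
    struct dma_xfer x = { recovery_buf, req->wLength };
    return x;
}

/* Bounded pattern: validate the length against the destination before the
 * engine is programmed, and refuse (not silently truncate) oversized requests. */
int plan_dma_checked(const struct usb_setup *req, struct dma_xfer *out) {
    if (req->wLength > sizeof(recovery_buf))
        return -1;
    out->dst = recovery_buf;
    out->len = req->wLength;
    return 0;
}

/* Bytes a planned transfer would write beyond the buffer (0 when safe). */
size_t dma_overrun(const struct dma_xfer *x) {
    return x->len > RECOVERY_BUF_SIZE ? x->len - RECOVERY_BUF_SIZE : 0;
}
```

A bootROM cannot be patched after manufacture, which is why a missing check like this one has to be caught in review or testing before the silicon ships.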

     
  2. andy06shake

    andy06shake TS Evangelist Posts: 472   +151

    Cracking news!

    Hopefully, this means we might be getting similar products for the Switch like we did with the R4 cards on the NDS console?

    Might even bring along or help with the development of the likes of the Yuzu and Ryujinx emulators.
     
  3. Slappy McPhee

    Slappy McPhee TS Enthusiast Posts: 86   +32

    A bit late to the party, eh boys? This dropped yesterday interwebz wide. This will most likely accelerate the big N's move to the new chip that was discovered to be supported in FW 5.0 to replace the current Tegra, sooner rather than later.
     
  4. davislane1

    davislane1 TS Grand Inquisitor Posts: 4,983   +3,989

    Following the release of the exploit chain, it will be possible for pirates and hackers to run modified and emulated games on the Switch. It is now only a matter of time before developers rush to crack DRM on games. Even though Nintendo cannot fix the root of the issue, it is possible to detect that a Switch has been modified so that players can be blocked from accessing online game play.

    This makes me want a Switch. It's like the N64 and Playstation but modern.
     
  5. andy06shake

    andy06shake TS Evangelist Posts: 472   +151

    They're great wee devices, my kids have both got one each, keeps them quiet but the games are rather costly.

    Bring on the Pirate, eh I mean homebrew software I say!
     
    Last edited: Apr 24, 2018
    davislane1 likes this.
  6. ForgottenLegion

    ForgottenLegion TS Maniac Posts: 178   +171

    WOOOHOO!

    This will certainly make me crack out the Switch more often.
     
  7. Kotters

    Kotters TS Maniac Posts: 310   +210

    The point of this is that it's a soft exploit (barring the shorting of two exposed pins that your Joycons use). A hardware-based exploit of some kind requiring money like a flashcart is a downgrade from what we have here.
     
  8. Mighty Duck

    Mighty Duck TS Booster Posts: 94   +45

    Is there peace at your home? Don't your children fight and insult each other saying that their console is the better one? Or is that something only adults do?

    Edit: After reading your comment properly, I realize that you bought your children Switches, not an N64 and a Playstation LOL.
     
  9. andy06shake

    andy06shake TS Evangelist Posts: 472   +151

    Not that I can remember, peace that is.
     
  10. andy06shake

    andy06shake TS Evangelist Posts: 472   +151

    Either way it's good news, not everyone's going to want to be shorting out pins though, or will know how/be willing to try.
     
  11. Kotters

    Kotters TS Maniac Posts: 310   +210

    Why wouldn't you be willing? It's two contacts that your joycons use to charge, right on the rail, exposed. Who isn't willing to bend a paperclip?
     
  12. fktech

    fktech TS Addict Posts: 249   +70

    I want my money back and can I start a Class Action to recover millions? $$$
     
  13. andy06shake

    andy06shake TS Evangelist Posts: 472   +151

    Not me personally, I won't have a problem, but plenty of unqualified peeps won't want to be shorting out pins/contacts whether the rail is exposed or otherwise.
     
  14. Kotters

    Kotters TS Maniac Posts: 310   +210

    Those same people won't want to do software bullshit either. In the population of people willing and able to hack a console or portable, everyone will be able and willing to put a bendy boi on two contacts.
     
  15. andy06shake

    andy06shake TS Evangelist Posts: 472   +151

    The procedure will probably require a few more steps than just shorting a couple of pins.

    This pin shorting takes me back to the C64, if memory serves, you used to be able to reset/edit the hex/memory via shorting out a couple of pins on the back serial port before the Action Replay carts became available, which is kind of why those flourished way back in the day. ;)
     
  16. Kotters

    Kotters TS Maniac Posts: 310   +210

    Shorting the pins and holding Vol Up puts the Switch into a service mode required for the exploit. That's the full extent of the hardware mod.
     
    merikafyeah and andy06shake like this.
  17. woofer

    woofer TS Rookie Posts: 21

    Yeah - we inherit insanity from our kids ;-}
     
