A newly published “exploit chain” for the popular Nvidia Tegra X1 family of systems creates an “unpatchable” method for running arbitrary code on every Nintendo Switch currently available around the globe.
The hardware hacking team at Reswitched, led by Katherine Temkin, has now released a full write-up of how to implement the “Fusée Gelée coldboot vulnerability,” accompanied by a proof-of-concept payload for use on the Nintendo Switch console.
The exploit itself makes use of a vulnerability in the Tegra X1's USB recovery mode, which circumvents the chip's built-in bootROM lockout. It works by sending a bad “length” argument to an improperly coded USB control procedure at exactly the right moment, which can then force the system into "requesting up to 65,535 bytes per control request."
This allows data to be copied into a protected application stack by overflowing a crucial direct memory access (DMA) buffer in the bootROM, which lets the attacker run arbitrary code.
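The bug class described above is a handler that trusts the host-supplied length field of a USB control request and uses it as the size of a copy into a fixed-size buffer. The following is an added illustration written for this article, not code from the Tegra bootROM or from the Reswitched report: it parses the standard 8-byte USB setup packet, shows the unchecked pattern side by side with a clamped one, and models the overflow by flagging it rather than corrupting memory. The buffer size and the sample packet are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Standard USB setup packet fields (little-endian on the wire). */
typedef struct {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;   /* host-supplied transfer length, up to 65535 */
} usb_setup_packet_t;

/* Hypothetical fixed-size buffer used by the model; not a real bootROM value. */
#define DMA_BUF_SIZE 0x1000

/* Outcome of handling one request in the model. */
typedef struct {
    size_t bytes_requested;  /* wLength as sent by the host */
    size_t bytes_to_copy;    /* what the handler would actually transfer */
    bool   overflow;         /* true if the transfer would run past the buffer */
} handle_result_t;

/* Decode the 8-byte setup packet; multi-byte fields are little-endian. */
usb_setup_packet_t parse_setup_packet(const uint8_t raw[8]) {
    usb_setup_packet_t p;
    p.bmRequestType = raw[0];
    p.bRequest      = raw[1];
    p.wValue        = (uint16_t)(raw[2] | (raw[3] << 8));
    p.wIndex        = (uint16_t)(raw[4] | (raw[5] << 8));
    p.wLength       = (uint16_t)(raw[6] | (raw[7] << 8));
    return p;
}

/* Unchecked pattern: the host's wLength becomes the copy size.
   The model only records that the copy would exceed buf_size. */
handle_result_t handle_request_unchecked(const usb_setup_packet_t *req, size_t buf_size) {
    handle_result_t r = { req->wLength, req->wLength, false };
    if (r.bytes_to_copy > buf_size)
        r.overflow = true;
    return r;
}

/* Clamped pattern: never move more than the device has to send (avail)
   and never more than the buffer can hold (buf_size). */
handle_result_t handle_request_clamped(const usb_setup_packet_t *req, size_t buf_size, size_t avail) {
    size_t n = req->wLength;
    if (n > avail)    n = avail;
    if (n > buf_size) n = buf_size;
    handle_result_t r = { req->wLength, n, false };
    return r;
}

/* Constructed sample: a GET_DESCRIPTOR (device) request with wLength = 0xFFFF. */
static const uint8_t SAMPLE_SETUP_MAX_LEN[8] = { 0x80, 0x06, 0x00, 0x01, 0x00, 0x00, 0xFF, 0xFF };

int main(void) {
    usb_setup_packet_t p = parse_setup_packet(SAMPLE_SETUP_MAX_LEN);
    handle_result_t u = handle_request_unchecked(&p, DMA_BUF_SIZE);
    handle_result_t c = handle_request_clamped(&p, DMA_BUF_SIZE, 18 /* device descriptor length */);
    printf("wLength=%u unchecked: copy=%zu overflow=%d | clamped: copy=%zu overflow=%d\n",
           p.wLength, u.bytes_to_copy, u.overflow, c.bytes_to_copy, c.overflow);
    return 0;
}
```

The point for a code reviewer is that the clamp must bound the transfer by both the destination buffer and the length of the data actually being served; checking only one of the two still leaves a mismatch the host can steer.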
The only difficulty is forcing the Nintendo Switch into USB recovery mode, but it can be done by shorting out a certain pin on the right Joy-Con connector (the bit on the side of the system where the Joy-Con clicks into place).
Thankfully, Fail0verflow has a solution to this.
<blockquote class="twitter-tweet" data-lang="en"><p lang="en" dir="ltr">Introducing our new, revolutionary technology for Nintendo Switch modification. Welcome to SwitchX PRO. Coming soon. <a href="https://t.co/d3xGawrW1u">pic.twitter.com/d3xGawrW1u</a></p>— fail0verflow (@fail0verflow) <a href="https://twitter.com/fail0verflow/status/988445232445378561?ref_src=twsrc%5Etfw">April 23, 2018</a></blockquote>
<blockquote class="twitter-tweet" data-conversation="none" data-lang="en"><p lang="en" dir="ltr">And for those who don't want to wait or want a more cost-effective solution, we're also introducing a lite version of SwitchX. Available at your local hardware store TODAY. <a href="https://t.co/BlPMmqLGlw">pic.twitter.com/BlPMmqLGlw</a></p>— fail0verflow (@fail0verflow) <a href="https://twitter.com/fail0verflow/status/988445419498696706?ref_src=twsrc%5Etfw">April 23, 2018</a></blockquote>
Both Nintendo and Nvidia were aware of this exploit, and it cannot be fixed by way of a downloadable patch, which makes it unique in this regard: once the Tegra chip leaves the factory, it can't be fixed. Neither Nintendo nor Nvidia has commented on the issue as of yet.
"Unfortunately, access to the fuses needed to configure the device's patches was blocked when the ODM_PRODUCTION fuse was burned, so no bootROM update is possible. It is suggested that consumers be made aware of the situation so they can move to other devices, where possible,” Temkin says.
Nintendo has already shipped a whopping 14.8 million units that are vulnerable to the exploit, but Nintendo still has options.
Nintendo can still detect hacked systems when a user signs in to Nintendo's servers, and could potentially ban those systems from its online services as a result.
Temkin argues that publicizing the exploit is crucial because of "the potential for a lot of bad to be done by any parties who independently discover these vulnerabilities."
She's also suggested that other groups were threatening to publish if Reswitched failed to do so.
For more information visit the Reswitched Github at:
https://github.com/reswitched/fusee-launcher/blob/master/report/fusee_gelee.md
<b><i>Follow Me On Twitter!</i></b>
<a href="https://www.twitter.com/IWillRedPillU">@IWillRedPillU</a>
<span style="margin-top:15px;rgba(42,51,6,0.7);font-size:12px;"><b>The Goldwater</b></span>