Slashdot Mirror


The 'Unpatchable' Exploit That Makes Every Current Nintendo Switch Hackable (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: A newly published "exploit chain" for Nvidia Tegra X1-based systems seems to describe an apparently unpatchable method for running arbitrary code on all currently available Nintendo Switch consoles. Hardware hacker Katherine Temkin and the hacking team at ReSwitched released an extensive outline of what they're calling the Fusee Gelee coldboot vulnerability earlier today, alongside a proof-of-concept payload that can be used on the Switch. "Fusee Gelee isn't a perfect, 'holy grail' exploit -- though in some cases it can be pretty damned close," Temkin writes in an accompanying FAQ. The exploit, as outlined, makes use of a vulnerability inherent in the Tegra X1's USB recovery mode, circumventing the lock-out operations that would usually protect the chip's crucial bootROM. By sending a bad "length" argument to an improperly coded USB control procedure at the right point, the user can force the system to "request up to 65,535 bytes per control request." That data easily overflows a crucial direct memory access (DMA) buffer in the bootROM, in turn allowing data to be copied into the protected application stack and giving the attacker the ability to run arbitrary code. The exploit can't be fixed via a downloadable patch because the flawed bootROM can't be modified once the Tegra chip leaves the factory. As Temkin writes, "unfortunately, access to the fuses needed to configure the device's ipatches was blocked when the ODM_PRODUCTION fuse was burned, so no bootROM update is possible. It is suggested that consumers be made aware of the situation so they can move to other devices, where possible." Ars notes that Nintendo may however be able to detect "hacked" systems when they sign on to Nintendo's servers. "The company could then ban those systems from using the Switch's online functions."
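To make the bug class in the summary concrete, here is an added example in C. It is my own constructed model, not code from Temkin, ReSwitched, or the Tegra X1 bootROM: a recovery-mode USB control-request handler that takes its copy length straight from the 16-bit wLength field of the SETUP packet, beside a version that clamps the length to the destination buffer. The buffer sizes, the adjacent "stack" region, the request code and all function names are assumptions chosen for the illustration; the page says nothing about the real bootROM's layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a bootROM USB recovery-mode control-request handler.
 * Not Tegra X1 code: sizes and names are assumptions that make the overflow
 * visible in a few lines. */

#define DMA_BUF_SIZE 4096u   /* assumed DMA buffer size, not the real one */
#define STACK_SIZE   1024u   /* assumed size of the region that follows it */

/* USB SETUP packet (8 bytes on the wire). wLength is 16 bits wide, which is
 * why a host can ask for up to 65,535 bytes in one control transfer. */
typedef struct {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
} usb_setup_t;

/* Memory model: the DMA buffer is directly followed by a region standing in
 * for the "protected application stack" named in the write-up. */
typedef struct {
    uint8_t dma_buf[DMA_BUF_SIZE];
    uint8_t stack[STACK_SIZE];
} bootrom_mem_t;

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Vulnerable handler: the copy length is whatever the host put in wLength
 * and is never compared with the size of the destination buffer. */
size_t control_copy_vulnerable(bootrom_mem_t *mem, const usb_setup_t *setup,
                               const uint8_t *host_data, size_t host_len)
{
    size_t n = min_sz(setup->wLength, host_len);  /* bytes the host supplied */
    /* Simulation guard only, so the write stays inside the model object.
     * The actual flaw modelled here is the missing DMA_BUF_SIZE comparison. */
    n = min_sz(n, sizeof *mem);
    memcpy((uint8_t *)mem, host_data, n);   /* runs past dma_buf into stack */
    return n;
}

/* Hardened handler: bound the copy by the destination size and return a
 * short transfer instead of writing past the buffer. */
size_t control_copy_hardened(bootrom_mem_t *mem, const usb_setup_t *setup,
                             const uint8_t *host_data, size_t host_len)
{
    size_t n = min_sz(setup->wLength, host_len);
    if (n > DMA_BUF_SIZE)
        n = DMA_BUF_SIZE;                    /* never trust wLength for the bound */
    memcpy(mem->dma_buf, host_data, n);
    return n;
}

/* Count bytes of the stack region that no longer hold their original 0x00. */
size_t stack_bytes_clobbered(const bootrom_mem_t *mem)
{
    size_t count = 0;
    for (size_t i = 0; i < STACK_SIZE; i++)
        if (mem->stack[i] != 0)
            count++;
    return count;
}

/* Push one oversized control request through either handler and return how
 * many bytes of the stack region it overwrote. The request and payload are a
 * constructed sample: 4608 bytes of 0x41 with wLength = 0xFFFF. */
size_t simulate_oversized_request(int hardened)
{
    static bootrom_mem_t mem;
    static uint8_t payload[DMA_BUF_SIZE + 512];
    memset(&mem, 0, sizeof mem);             /* clean, all-zero stack region */
    memset(payload, 0x41, sizeof payload);

    usb_setup_t setup = {
        .bmRequestType = 0x00,               /* not used by this model */
        .bRequest      = 0x00,               /* assumed request code */
        .wValue        = 0,
        .wIndex        = 0,
        .wLength       = 0xFFFF,             /* "up to 65,535 bytes per request" */
    };

    if (hardened)
        control_copy_hardened(&mem, &setup, payload, sizeof payload);
    else
        control_copy_vulnerable(&mem, &setup, payload, sizeof payload);

    return stack_bytes_clobbered(&mem);
}

int main(void)
{
    printf("vulnerable handler: %zu stack bytes overwritten\n",
           simulate_oversized_request(0));
    printf("hardened handler:   %zu stack bytes overwritten\n",
           simulate_oversized_request(1));
    return 0;
}
```

Build with a C99 compiler (`cc -std=c99 -Wall example.c`). The vulnerable path reports 512 stack bytes overwritten with attacker-chosen data, the hardened path reports 0. The one-line clamp is the whole fix; the reason it does not help the consoles already sold is the point the summary makes, that the handler lives in mask ROM whose ipatch fuses are no longer writable once ODM_PRODUCTION is burned.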

19 of 96 comments

  1. Sounds promising by Anonymous Coward · · Score: 2, Insightful

    So if I'm understanding TFS correctly users might be able to take control of their devices and use them for something other than their intended purpose?

    Sounds good to me!

    1. Re:Sounds promising by Darinbob · · Score: 4, Insightful

      I wouldn't call this an exploit. I find it bizarre that the world takes these extreme measures to lock down a purchased product as a matter of fact, instead of treating it as a violation of consumer rights. Now there are devices where such paranoia is reasonable, but I don't think this is reasonable in a consumer game market.

  2. Local only? by Enigma2175 · · Score: 3, Insightful

    So it's a bug that can only be exploited locally, is this really a big deal? I'm not worried that people can now run arbitrary code on hardware they own.

    --

    Enigma

    1. Re:Local only? by Darinbob · · Score: 4, Interesting

      Is that bad?

    2. Re:Local only? by Darinbob · · Score: 3, Interesting

      I had mentioned this to a coworker who is a console game user, and he was surprised and taken aback that people who weren't sleazeballs were modding their games on PCs. He thought we were being very risky to change the UI in Skyrim. I think there's been a lot of astroturfing to convince players that only cheaters would modify games.

  3. Glad by AndyKron · · Score: 2

    I'm sure glad I don't know what this is.

  4. In other words by Opportunist · · Score: 3, Funny

    It's finally time to get one now that you may actually own one?

    Nintendo, again leaving the competition in the dust when it comes to building what the users really want!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Why "move to other devices"? by K. S. Kyosuke · · Score: 5, Insightful

    It is suggested that consumers be made aware of the situation so they can move to other devices, where possible

    Why the hell would they do that? Because the device's general utility has suddenly improved?

    --
    Ezekiel 23:20
    1. Re:Why "move to other devices"? by Gavagai80 · · Score: 5, Insightful

      It's like the guards at the prison all quit and removed the gates on their way out... and so the prisoners are being urged to pool their own money to hire new guards and rebuild the gates ASAP for their safety.

      --
      This space intentionally left blank
    2. Re:Why "move to other devices"? by Xenx · · Score: 3, Insightful

      I don't know why your average person using a Switch would be overly concerned about the security of it. But, somehow, in the off chance that you're in a position where you do, technically this would be a risk. It's better to suggest not using it, and then letting the user make the choice on their own.

    3. Re:Why "move to other devices"? by AmiMoJo · · Score: 2

      I think she was referring to Nintendo and other users of the Nvidia chip that has this flaw. The only way they can fix it in future devices is to move to a different system-on-chip.

      Nintendo will probably have to hope that Nvidia creates a new version of this part, because moving to a different SoC isn't really a good option because it would create fragmentation.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Why "move to other devices"? by AmiMoJo · · Score: 2

      All they have to do is fix the boot ROM.

      That's easier said than done.

      This is an industrial system-on-chip. They can't just update the software whenever they feel like pushing out a new version. Their customers require it to be stable and unchanging because they have to certify each version and want to buy exactly the same part for the lifetime of the product, which for things like cars and industrial machinery can be 10+ years.

      A change will require a new part number, and they will either have to convince big customers to adopt the new version and certify all their software on both new and old, or they will have to keep supplying them with the old one and come up with some mitigations such as removing test points to make the hack harder.

      Nintendo is probably one of the more flexible customers in that they probably can adopt a new version, but for people like car manufacturers using Tegra parts for safety critical systems like driver aids / self driving it's a huge pain. They may opt to ignore the problem because modifying your car is less of an issue for them than modifying your console is for Nintendo.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  6. 2 choices by TheDarkener · · Score: 2

    1) Hack your switch and be able to turn it into an awesome, open device able to emulate and do all sorts of things it wasn't designed to do, or

    2) Keep it unhacked and be able to play new games that come out that require the latest Nintendo updates (of which I'm sure you would be blocked from when they detect that your system has been hacked).

    This was the same deal with the Wii.

    --
    It is pitch black. You are likely to be eaten by a grue.
  7. Re: Correction by Bing Tsher E · · Score: 3, Funny

    Finally we can play Tux Racer on the Switch!

  8. The "attacker" you say? by chispito · · Score: 2

    Is "attacker" what you call an owner unlocking his or her device? Do you call people who root their Android devices, or people who jailbreak their iOS devices "attackers?"

    --
    The Daddy casts sleep on the Baby. The Baby resists!
  9. Re: Correction by jimtheowl · · Score: 2

    " .. funny that FOSSies .."

    MS is trying hard to portray themselves as the new friends of 'FOSSies'. You are not helping them.

    ".. several proprietary games have been hand-hacked using hex editors with great results"

    If you think that the purpose of FOSS is to hack games, you are missing the big picture. Even in the context of a gaming console, it is mostly about the journey, not the destination. Hacked consoles have never made a dent in the game console market. Perhaps worth noting is that the vendor has an incentive to keep the console locked so they can sell it under cost and expect to recover the profits.

    It can be especially problematic to the vendor if consoles are bought in massive quantities to act in a cluster as opposed to a game platform.

    ".. the real threat to user freedom came from a GPL kernel locked ..."

    Open source software and open hardware are connected but distinct and not mutually exclusive issues. Open systems vs proprietary hardware is not a new thing.

    ".. phone of mine crapped its own /system partition and I cannot reinstall the OS.. (like I can with evil non-free Windows .."

    So.. you are the guy who bought that last Windows phone?

  10. Re:Banned from online? by Anonymous Coward · · Score: 2, Insightful

    This is a shitty development for Nintendo and game developers.

    Apart from their sales-drones going into panic-mode I doubt they will see much impact.

    There have been exploits for many platforms before this. When they show up people have already bought most of the games they were going to buy anyway and it is not like a large part of the consumer base will use the exploit.
    The users of the exploit will mainly be gamers that couldn't afford getting the games they wanted before or those who want to play games they weren't willing to pay for.
    Apart from that it will be a handful of homebrew developers or speedrunners that want in-game timestamping that will use it.

    Essentially a bunch of people will have fun with it and Nintendo and game developers won't lose much because of it.
    The thing that could harm their bottom line is if someone sets up shop and sells hacked consoles to the less technology-savvy, but if anyone does that they become a pretty convenient target for Nintendo.

  11. Real-world implication of the hack by DrYak · · Score: 2

    I find it funny that FOSSies were super worried about access to the source code (never mind that several proprietary games have been hand-hacked using hex editors with great results, without the need for a line of source code)

    The problem is that all the hand-hacks that you mention, even if successfully done in practice, are theoretically against copyright and other DMCA-like laws (though in some jurisdictions they are expressly covered by local "fair use"-like exceptions. I think you *could* be allowed to bypass security to access your own device that you own in several European countries).

    So even if it was done, it's something that in theory we would not be allowed to do. The whole idea behind copyleft licenses (like the GPL family) is to expressly allow end-users to modify the code running on devices they own in this way.

    and the real threat to user freedom came from a GPL kernel locked behind locked bootloaders and locked root access. Nice foresight there Mr Stallman!

    Yeah, and if you were paying attention, Stallman did not only foresee it, he was even the one to come up with a name for that: he suggested "tivoization", named after the first device with widespread public knowledge to have such signed firmware locking the access.

    The whole reason to release a new "version 3" of the GPL was exactly to complain against companies who abuse GPL code by locking it behind signature checks in the bootloader.
    It's for companies that pretend to follow the letter of GPLv2 (by publishing the code) while at the same time violating its spirit (finding a loophole so the user is free to study and modify the code, just not the peculiar install that is running on the company's hardware that the user has bought. You could modify the code published by Tivo, but you could only install it on a self-built PVR/PCTV, you cannot upload your mods to your own Tivo).

    But hey, you were probably among the first to complain about the "restrictiveness" of GPLv3, how it's even more an evil virus than the previous GPLs, etc.

    (NOTE: Linus refused to switch Linux to GPLv3.
    - for a practical reason, because currently the Linux license says "GPL version 2" without adding the optional "or any future". So switching to GPLv3 would have required combing through the git log to find every single last developer/patch submitter/etc. that is still responsible for lines of code that are still present in modern Linux (survived later patching and code removal), and then asking every single one of them to confirm accepting the license change.
    - for theoretical reasons: Linus considers himself a pragmatist. Current GPLv2 already allows users to at least see the code, and play around with it and learn from what the publishers have modified. The maker of the device gets to decide what goes with their device (barring user access using signatures). The user gets to vote with their wallet and decide which maker they want to support).

    (Also, I suspect that the forking that did happen back in recent history around controversial re-licensing (see XFree86 vs Xorg).
    Also, GPLv3 was seen as controversial by some companies. See Apple : even if the newer GPLv3-ed GCC are popular elsewhere, Apple did decide to stick with pre-GPLv3 older GCC 4.2, and has been progressively replacing everything with LLVM as their default supported compiler.
    Given that, Linus might have been right to be afraid of losing marketshare / mindshare by switching to GPLv3)

    Cue in eternal debates of corporate developers finding that BSD is more free because more permissive, and end users finding that GPL is more free because it enforces the end-users' freedoms being kept.

    Now excuse me, an Android phone of mine crapped its own /system partition and I cannot reinstall the OS (like I can with evil non-free Windows) because of a locked bootloader. No, honestly.

    Yup, so why don't you go and hand hexedit it wi

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  12. Re: Correction by jimtheowl · · Score: 2

    I'm not sure if you are trying to provoke some kind of reaction by talking about Stallman blessing stuff and the Linux kernel, but Stallman's predictions or lack thereof are of no interest to me. I'm a BSD user myself and prefer using products with that license (less hassle to redeploy) but favor the GPL when it is important that new code remains open (for example: paid for by the public).

    As far as what 'most people' want, you can base market decisions on that, not freedom.

    I sure care about having access to source code, even when I don't know if I'll ever have time to look at it. You don't have to, but perhaps should stop trying to push others into that hole.