Thanks to an exploit at the core of the Nintendo Switch's hardware, hackers are now running GameCube games and more.
The Nintendo Switch has been hacked. That's right, you can now – with a bit of technical knowledge – blow Nintendo's baby wide open, and it appears to be purely down to an exploit found in Nvidia's Tegra X1 processor that powers the Switch and Shield TV.
The “exploit chain” comes from hardware hacker Katherine Temkin and the ReSwitched hacking team. In an extensive write-up of what they've dubbed the Fusée Gelée coldboot vulnerability, they developed and demonstrated a proof-of-concept payload for the Switch.
One reason this hack is so troublesome for both Nintendo and Nvidia is that it appears to be unfixable. Because the hack relies on a flaw in the Tegra X1's bootROM, which cannot be modified once the chip leaves manufacturing, there is no way to patch it on existing units. This means there are 14.8 million Switches out there that are vulnerable to the exploit and could be hacked to run a whole manner of different games and programmes.
Previously, Nintendo has mitigated exploits of its systems by patching them out, since they have always been software-level flaws. Anyone who wants to connect to Nintendo's servers has to update the device firmware, and that update blocks the known software-level exploits. This approach is no use against a hardware-level flaw.
We've asked Nintendo for comment on the matter, but there is a chance it can still find a way to stop hacked consoles from going online. Just as it detected and blocked early pirated copies of Pokémon Sun & Moon on the Nintendo 3DS, it could detect hacked games and block those devices from connecting to its servers.
However, as Ars Technica points out, many Nintendo Switch owners who have been trying to hack their consoles aren't doing it to pirate games. Instead, these players are hacking their Switches so they can back up internal save data to an SD card – a feature the Switch currently doesn't offer – so they don't lose everything if their system breaks.
How does the Nintendo Switch hack work?
Without getting too complex, Fusée Gelée makes use of a vulnerability in the Tegra X1's USB recovery mode, circumventing the lock-out operations that would usually protect its crucial bootROM. The user sends a bad “length” argument that forces the system to “request up to 65,535 bytes per control request”, which overflows a crucial direct memory access (DMA) buffer in the bootROM and lets data be copied straight into a protected storage area. The result is that arbitrary code can be run on the Switch.
However, the hack isn't so easy to trigger that thousands of people will stumble into it by accident. To kick the Nintendo Switch into USB recovery mode you need to short out a very specific pin on the right Joy-Con connector on the side of the Switch's main body. Hacking team fail0verflow created its own 3D-printed plug that can do just that, but a piece of wire or a paperclip can be used to short the connection too.
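The length-check failure this paragraph describes, on a deliberately simplified model, as an added example that is not the Tegra X1 bootROM code and not anything from the ReSwitched or fail0verflow releases: a USB control request carries a 16-bit wLength field, so a host can claim up to 65,535 bytes, and a handler that trusts that value and copies it into a fixed-size DMA buffer writes past the buffer into whatever memory follows. The hardened handler beside it refuses any request larger than the buffer it actually has. All names, sizes and the memory layout here are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: a deliberately simplified model of a USB control-request
 * handler. It is NOT the Tegra X1 bootROM and NOT code from the ReSwitched
 * or fail0verflow releases; all names, sizes and the memory layout below
 * are assumptions chosen for illustration. */

#define DMA_BUF_SIZE   64u                           /* bytes reserved for one request (assumed) */
#define PROTECTED_SIZE 64u                           /* bytes that happen to follow the buffer (assumed) */
#define SIM_MEM_SIZE   (DMA_BUF_SIZE + PROTECTED_SIZE)
#define SENTINEL       0xAAu                         /* marks untouched protected memory */

/* Simulated memory: bytes[0 .. DMA_BUF_SIZE) is the DMA buffer and
 * bytes[DMA_BUF_SIZE .. SIM_MEM_SIZE) stands in for data the firmware
 * never meant USB input to reach. */
typedef struct { uint8_t bytes[SIM_MEM_SIZE]; } sim_memory_t;

/* A USB control request carries a 16-bit wLength, so the host can claim
 * anything up to 65,535 bytes regardless of how big the buffer really is. */
typedef struct { uint16_t wLength; const uint8_t *data; } control_request_t;

void sim_memory_init(sim_memory_t *mem)
{
    memset(mem->bytes, 0, DMA_BUF_SIZE);
    memset(mem->bytes + DMA_BUF_SIZE, SENTINEL, PROTECTED_SIZE);
}

/* 1 if no byte of the protected region has been overwritten, else 0. */
int protected_intact(const sim_memory_t *mem)
{
    for (size_t i = DMA_BUF_SIZE; i < SIM_MEM_SIZE; i++)
        if (mem->bytes[i] != SENTINEL) return 0;
    return 1;
}

/* Vulnerable pattern: trusts wLength and copies that many bytes into the
 * fixed-size buffer. The copy is clipped to the simulated memory only so
 * the model itself stays well-defined; within the model it still runs
 * straight past the buffer into the protected region. Returns bytes copied. */
size_t handle_request_vulnerable(sim_memory_t *mem, const control_request_t *req)
{
    size_t n = req->wLength;
    if (n > SIM_MEM_SIZE) n = SIM_MEM_SIZE;          /* model bound, not a real check */
    memcpy(mem->bytes, req->data, n);                /* overflows when n > DMA_BUF_SIZE */
    return n;
}

/* Hardened pattern: validates wLength against the buffer the firmware
 * actually has before any copy or DMA transfer is set up. Refusing, rather
 * than silently clamping, also makes a malformed host visible to the caller.
 * Returns bytes copied, or -1 if the request was refused. */
int handle_request_hardened(sim_memory_t *mem, const control_request_t *req)
{
    if (req->wLength > DMA_BUF_SIZE) return -1;      /* length exceeds buffer: refuse */
    memcpy(mem->bytes, req->data, req->wLength);
    return (int)req->wLength;
}

/* Runs one constructed host request (all 0x41 bytes) against fresh memory
 * and reports whether the protected region survived: 1 = intact, 0 = hit. */
int protected_survives(uint16_t wLength, int use_hardened)
{
    static uint8_t payload[65535];                   /* constructed host-controlled data */
    memset(payload, 0x41, sizeof payload);
    sim_memory_t mem;
    sim_memory_init(&mem);
    control_request_t req = { wLength, payload };
    if (use_hardened) handle_request_hardened(&mem, &req);
    else              handle_request_vulnerable(&mem, &req);
    return protected_intact(&mem);
}

int main(void)
{
    uint16_t lengths[] = { 64, 65, 65535 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("wLength=%5u  vulnerable: protected %s   hardened: protected %s\n",
               (unsigned)lengths[i],
               protected_survives(lengths[i], 0) ? "intact" : "OVERWRITTEN",
               protected_survives(lengths[i], 1) ? "intact" : "OVERWRITTEN");
    return 0;
}
```

The point for a reviewer of firmware like this is the single comparison in the hardened handler: the check has to be against the size the firmware reserved, not against the largest value the field can hold, and it has to run before any transfer is programmed. The model is the general shape of the bug, not a reproduction of the Tegra X1 behaviour.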
Introducing our new, revolutionary technology for Nintendo Switch modification. Welcome to SwitchX PRO. Coming soon. pic.twitter.com/d3xGawrW1u
— fail0verflow (@fail0verflow) April 23, 2018
The initial release from Temkin is intended only as a proof of concept: a payload that shows it's possible to break into the Switch and get it to display information that's usually protected. In time, however, custom bootloaders will come – such as Atmosphère from console hacking enthusiast SciresM.
What happens now?
Temkin says she notified Nvidia, Nintendo and other companies that buy and use Tegra chips, to give them time to address the problem as best they could before she went public with her findings. However, other hacking groups discovered the exploit too, forcing her hand and making her reveal the information sooner than she had planned.
fail0verflow later posted a photo of a hacked Switch running the Dolphin emulator, which was in turn running a Japanese version of the GameCube game Wind Waker – indicating that the Tegra X1 in the Switch is capable of GameCube emulation.
In utterly, completely unrelated news, here's a sneak peek at a totally brand new Zelda game coming soon to Nintendo Switch. pic.twitter.com/5FwyBX7L1y
— fail0verflow (@fail0verflow) April 23, 2018
The hacking team went one step further by releasing its own Tegra X1 bootROM exploit alongside a Linux Launcher for Nintendo Switch.
We've asked both Nintendo and Nvidia for comment on this exploit and will update this article if and when they respond. Piracy is certainly a major concern for Nintendo, but Nvidia also uses its Tegra chips for edge computing in its smart city products, such as smart cameras. If those devices are vulnerable to the same exploit, far more nefarious things could be done with them than playing some unauthorised classics on the go.