If you have a Nintendo Switch gaming console, you’re going to want to listen up. As initially reported by Ars Technica, it would appear that a new “exploit chain” for Nvidia Tegra X1-based systems outlines an unpatchable process to run arbitrary code on all — that’s right, all — Nintendo Switches. Hacker Katherine Temkin and her team at ReSwitched published an outline of the Fusée Gelée coldboot vulnerability, as well as a proof-of-concept payload that works on the Switch.
The exploit takes advantage of a vulnerability in the Tegra X1’s USB recovery mode and bypasses the lockout operations that normally guard the chip’s bootROM. By supplying an oversized “length” argument, a hacker can force the system to “request up to 65,535 bytes per control request.” That much data overflows the direct memory access buffer in the bootROM, which lets the attacker overwrite memory beyond the buffer and run arbitrary code.
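To make the bug class concrete, here is an added illustration written for this article (it is not the Tegra X1 bootROM’s code and not from ReSwitched): a USB setup packet carries a 16-bit length field, and a handler that trusts that field as the DMA transfer size can be driven past a fixed buffer, whereas a bounds check rejects the request. The 4096-byte buffer size, the function names and the sample packet are assumptions.

```c
/* Illustrative model of the bug class, not the Tegra X1 bootROM's code.
 * A USB control request carries a 16-bit wLength; a handler that uses it
 * unchecked as the DMA size can be asked to receive more than the buffer
 * holds. Buffer size and helper names are assumptions for this example. */
#include <stddef.h>
#include <stdint.h>

#define DMA_BUF_SIZE 4096u   /* assumed size of the recovery-mode DMA buffer */

/* Standard 8-byte USB setup packet (USB 2.0 spec, section 9.3). */
struct usb_setup {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;   /* bytes requested for the data stage, max 65535 */
};

/* Decode the little-endian wire form into the struct. */
struct usb_setup parse_setup(const uint8_t raw[8]) {
    struct usb_setup s;
    s.bmRequestType = raw[0];
    s.bRequest      = raw[1];
    s.wValue  = (uint16_t)(raw[2] | (raw[3] << 8));
    s.wIndex  = (uint16_t)(raw[4] | (raw[5] << 8));
    s.wLength = (uint16_t)(raw[6] | (raw[7] << 8));
    return s;
}

/* Vulnerable pattern: the transfer length comes straight from the request,
 * so a 4096-byte buffer can be told to receive up to 65535 bytes. */
size_t dma_len_unchecked(const struct usb_setup *s) {
    return s->wLength;
}

/* Hardened pattern: reject any request larger than the buffer (the caller
 * STALLs the endpoint) instead of programming the DMA engine with it. */
size_t dma_len_checked(const struct usb_setup *s) {
    return s->wLength > DMA_BUF_SIZE ? 0 : s->wLength;
}

/* Parse raw setup bytes and return the DMA length each handler would use;
 * a non-zero result above DMA_BUF_SIZE is exactly the overrun condition. */
size_t planned_dma_len(const uint8_t raw[8], int hardened) {
    struct usb_setup s = parse_setup(raw);
    return hardened ? dma_len_checked(&s) : dma_len_unchecked(&s);
}
```

Feeding a constructed packet with wLength set to 0xFFFF into both paths shows the unchecked handler planning a 65,535-byte transfer into a 4,096-byte buffer while the checked one returns 0 and stalls.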
“By carefully constructing a USB control request, an attacker can leverage this vulnerability to copy the contents of an attacker-controlled buffer over the active execution stack, gaining control of the Boot and Power Management processor (BPMP) before any lock-outs or privilege reductions occur,” Temkin wrote of her discovery. And of course, the worst part of all of this seems to be that it cannot be fixed.
“Since this bug is in the Boot ROM, it cannot be patched without a hardware revision, meaning all Switch units in existence today are vulnerable, forever,” wrote fail0verflow. “Nintendo can only patch Boot ROM bugs during the manufacturing process.”
While actually executing the exploit would take quite a bit of skill, the steps to do so have now been fully outlined, which means that theoretically, anyone who wanted to take advantage of the serious bug could do so. So why are white-hat hackers posting all of this information online? As Temkin noted, the exploit is “notable due to the significant number and variety of devices affected, the severity of the issue, and the immutability of the relevant code on devices already delivered to end users. This vulnerability report is provided as a courtesy to help aid remediation efforts, guide communication, and minimize impact to users.”
There could be one nugget of good news to come from this, however — it appears the exploit has opened up the possibility of running emulators on Switch, including the famous “Dolphin” for GameCube and Wii games. The games aren’t running all that well with the emulator, but as every GameCube game ever made now works with Dolphin, it’s an exciting prospect to play them on Switch. Of course, the legality of doing so has been called into question, with Nintendo taking a stand against it.
As it stands, there are about 15 million Nintendo Switch consoles out and about in the world, so it is, in fact, a serious problem. We will keep you updated as the situation continues to develop.
Updated on April 26: Included information on the exploit’s relationship to the Dolphin emulator.