A security researcher has released a proof-of-concept exploit affecting the Nvidia Tegra line of embedded processors that come with Nintendo Switch devices.
Codenamed « Fusée Gelée, » the PoC is a cold-boot hack that lets a device owner to bypass device-lockdown and run custom code on the Switch.
This exploit opens the door for device owners to run custom games or export data saved on the device, currently forbidden on standard Nintendo Switch handsets.
Fusée Gelée is unpatchable
At the technical level, Fusée Gelée is nothing more than a trivial buffer overflow vulnerability. The problem is its location in the Switch’s bootROM component —found inside the Nvidia Tegra chipset— that controls the device’s boot-up routine.
This component is locked down at the hardware level after leaving the Nintendo factories, meaning they can’t be updated via a firmware patch.
This makes Fusée Gelée unpatchable, and it’s hard to believe Nintendo will recall millions of gaming consoles just to fix a jailbreak.
Exploitation requires forcing Switch in USB recovery mode
Exploiting Fusée Gelée isn’t that complicated either, albeit dangerous. Users need to force the Switch to reboot in USB recovery mode and then use the USB connection to launch a Python script via a console.
Probably the hardest part of the entire hack is forcing the Switch into USB recovery mode, which can be achieved by pressing and shorting two pins on the right Joy-Con connector.
Katherine Temkin, the hacker who discovered the exploit, has published a FAQ page about Fusée Gelée, how users could short the two pins, and the PoC code.
The current PoC code only prints device specific data on the Switch’s
screen, but Temkin promised to publish more scripts and information about exploiting Fusée Gelée on June 15, 2018, when the original disclosure of this vulnerability was planned to take place.
A race for fame
Temkin said she disclosed Fusée Gelée earlier than expected because another team of hardware hackers —Team Xecuter— suggested they are readying to release a similar Switch chip exploit in the coming weeks.
There is a fierce competition between hardware hacking squads, and Temkin wanted to have the first exploit published online. Temkin is a member of team ReSwitched.
But Temkin and Team Xecuter were not the only ones working on a Switch jailbreaking exploit. Just after Temkin’s release of her Fusée Gelée exploit, team Fail0verflow published its own Nvidia Tegra exploit.
Temkin is currently working on improving the Fusée Gelée exploit chain and integrating it into a final modchip jailbreaking toolkit named Atmosphère, which is planned for release in June.
Team Fail0verflow also announced they’d be releasing a custom tool that makes shorting the two Switch USB recovery mode pins a lot more easier.
To read the original article:
https://www.bleepingcomputer.com/news/hardware/researcher-discloses-unpatchable-nintendo-switch-exploit/