The Nintendo Switch has been blown wide open by an unfixable hack

Vaughn Highfield April 24, 2018

The Nintendo Switch has been hacked. That’s right, you can now – with a bit of technical knowledge – blow Nintendo’s baby wide open, and it appears to be purely down to an exploit found in Nvidia’s Tegra X1 processor that powers the Switch and Shield TV.

The Nintendo Switch has been blown wide open by an unfixable hack

The “exploit chain” comes from hardware hacker Katherine Temkin and the ReSwitched hacking team. In an extensive outline of what they’ve dubbed the Fusée Gelée coldboot vulnerability they developed and demonstrated a proof-of-concept payload to be used on the Switch.

One reason why this is such a troublesome hack for both Nintendo and Nvidia is how it’s seemingly unfixable. Because the hack makes use of an exploit in the Tegra X1 bootROM, it can’t be modified once it leaves manufacturing. This means there are 14.8 million Switches out there that are vulnerable to the exploit and could be hacked to run a whole manner of different games and programmes.

Previously, Nintendo has mitigated against any exploits of its systems by patching them out as they’ve always been developed at a software level. Anyone who wants to connect to Nintendo’s servers would find themselves needing to update the device firmware which would then update to block known software-level exploits. This method isn’t useful when it’s a hardware-level workaround.

nintendo_switch_hack_2

READ NEXT: The best Nintendo Switch games

We’ve asked Nintendo for comment on the matter, but there is a chance it can still find a way to stop hacked consoles from jumping online. Just like it did with detecting and blocking early pirated copies of Pokémon Sun & Moon on Nintendo 3DS, it could do the same with hacked games and block those devices from connecting to Nintendo’s servers.

However, as Ars Technica points out, many Nintendo Switch owners who have been attempting to hack their consoles aren’t doing it to pirate games. Instead, these players are breaking their Switches so they can back up internal save data to SD card – a feature the Switch currently doesn’t offer – so they don’t lose everything if their system breaks.

How does the Nintendo Switch hack work?

Without getting too complex, Fusée Gelée makes use of a vulnerability inherent in the Tegra X1’s USB recovery mode, circumventing lock-out operations that would usually be in place to protect its crucial bootROM. Users then send a bad “length” argument to force the system to “request up to 65,535 bytes per control request” which overflows a crucial direct memory access (DMA) buffer in the bootROM, thus busting the doors open for information to be copied right into the protected storage area. This means you can now run arbitrary code on your Switch with no problem.

However, it’s not so simple to achieve that thousands of people will inadvertently access and exploit it. To kick the Nintendo Switch into USB recovery mode you’ll need to actually short out a very specific pin on the right Joy-Con connector on the side of the Switch’s main body. Hacking team Fail0verflow created their own 3D-printed plug that an do just that, but you can also just use a piece of wire or paperclip to short circuit it too.

The initial release from Temkin is simply intended to be a proof-of-concept, a payload to simply show you that it’s possible to jump into the Switch and get it to display information that’s usually protected. However, in time, custom bootloaders will come – such as Atmosphère from console hacking enthusiast SciresM.

What happens now?

Temkin states that she’s notified Nvidia and Nintendo, and others who buy and use Tegra chips, to give them time to resolve the problem as best as possible before she went live with her findings. However, other hacking groups have discovered the exploit too, forcing her hand in revealing information sooner than she had planned.

Fail0verflow later uploaded a photo of a hacked Switch running Dolphin emulator running a Japanese version of Gamecube game Wind Waker – indicating that the Tegra X1 in the Switch is capable of Gamecube emulation.

The hacking team went one step further by releasing its own Tegra X1 bootROM exploit alongside a Linux Launcher for Nintendo Switch.

Piracy is certainly a major concern for Nintendo, but Nvidia also uses its Tegra chips for edge computing purposes with its smart city products like smart cameras. If these devices are capable of the same exploit, far more nefarious things could be done than playing some unauthorised classics on the go.

UPDATE: Nvidia responded to our request for comment with a spokesperson for the enterprise side of the business explaining that they are “aware of a security issue involving Nvidia Tegra Recovery Mode (RCM) on some older Tegra-based devices. A person with physical access to these Tegra-based processors could connect to the device’s USB port, bypass the secure boot and execute unverified code.”

Interestingly, Nvidia states that “the issue cannot be exploited remotely, even if the device is connected to the internet. Nvidia GPUs are not affected.” Surely a sigh of relief for any of you wondering if just anyone can rock up and hack into your Nintendo Switch.

In regards to Nvidia’s edge computing products and smart city devices, Nvidia explained that “Jetson TK1 and Jetson TX1-based products incorporate affected Tegra processors. The ability of a person to bypass secure boot depends on a number of factors, including whether the end product has implemented secure boot and has a physically accessible USB port.”

Nvidia also clarified that the “Nvidia Tegra X2, which was launched in 2016, and later Tegra SOCs such as Xavier, are not affected.”