Researcher finds ‘unpatchable’ vulnerability in Nintendo Switch consoles

24 Apr 2018

Nintendo Switch. Image: leungchopan/Shutterstock

A Nintendo Switch vulnerability dubbed ‘Fusée Gelée’ has been discovered.

The Nintendo Switch is a major success story for the Japanese games company, with high demand continuing since its launch in March 2017.

ReSwitched is a collective that documents the console’s hardware, software and general development, and a major hardware vulnerability has been found in the machine’s Nvidia Tegra X1-based system, with potential for running arbitrary code on all currently available Nintendo Switch consoles. Hacker and member Kate Temkin is behind the discovery.

The exploit is what is known as a ‘cold boot hack’, which means physical access to the console hardware during power-up is required to perform ‘Fusée Gelée’. The vulnerability could pave the way for homebrew games or custom firmware.

How does Fusée Gelée work?

The exploit is in Tegra X1’s USB recovery mode, which can allow circumvention of lock-out operations that would usually act as protectors of the chip’s bootROM. Users can essentially send what Ars Technica describes as a bad ‘length’ argument to an incorrectly coded USB control procedure.

This then allows the user to request huge amounts of data per control request. The volume of data then overflows a direct memory access buffer within the bootROM. Data can then be copied into the protected application stack, providing the opportunity to run arbitrary code.

Other gadgets also use the same Tegra chips and Temkin posited that the issue is present in all current Nintendo Switches. It would theoretically need a hardware revision in order to be remedied, but the bootROM only accepts minor factory patches and cannot be updated afterwards, she said. A chip-level issue such as this one presents some difficulties for Nintendo, as a simple online downloadable update is not a possibility.

Temkin added that this is not entirely a bad thing. “This immutability is actually a good thing in terms of security. If it were possible to apply patches to the bootROM after a unit had been shipped, anyone with a sufficiently powerful exploit would be able to make their own patches, bypassing boot security. It also means that any Switch currently affected will continue to be able to use Fusée Gelée throughout its life.”

Nintendo and Nvidia are aware

Temkin created a ‘proof of concept’ Python program and payload, which can be used to display usually protected information from the bootROM, and more details of the exploit will be published on 15 June.

Nvidia and Nintendo were notified about the vulnerability and Temkin said she was publicising it now as there is “potential for a lot of bad to be done by any parties who independently discover these vulnerabilities”.

She claimed: “Fusée Gelée isn’t a perfect, ‘holy grail’ exploit, though in some cases it can be pretty damned close.”

Another group known as Failoverflow also released its own Tegra X1 bootROM exploit, but warned it could possibly inflict some damage on hardware.

Nintendo Switch. Image: leungchopan/Shutterstock

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects