An unpatchable flaw was found in Nvidia Tegra X1 chip

Apr 23, 2018 23:02 GMT  ·  By

Hardware hacker Kate Temkin of ReSwitched team publicly disclosed a vulnerability in the Nvidia Tegra X1 chip that could let anyone hack a Nintendo Switch gaming console with just a simple trick.

Kate Temkin dubbed the vulnerability Fusée Gelée. It affects the Tegra Recovery Mode of Nvidia's Tegra line of embedded processors, including the Tegra X1 chip that powers all current Nintendo Switch consoles. The flaw is described as an "unpatchable" method for running arbitrary code on the Nintendo Switch.

"Unfortunately, this bug affects a significant number of Tegra devices beyond the Switch, and beyond even the X1 included in the Switch. I can tell you, it wasn't fun to find a bug with such a broad impact; it significantly complicated the ethics involved," writes Kate Temkin in an extensive FAQ.

While it isn't perfect, the Fusée Gelée coldboot/bootROM vulnerability will apparently let anyone hack a Nintendo Switch console to run arbitrary code without even opening the device, by using a simple piece of wire to short out a specific pin on the right Joy-Con connector, as suggested by the fail0verflow team on Twitter.

The vulnerability affects Nvidia's Tegra SoCs (systems on chip) regardless of the software stack running on the device. It is believed to affect all of Nvidia's Tegra SoCs released before the T186 / X2, allowing early bootROM code execution and full compromise of on-device secrets.

It isn't the first time the Nintendo Switch has been hacked

Of course, this isn't the first time the Nintendo Switch has been hacked: earlier this year the fail0verflow hacking group managed to run the Debian GNU/Linux operating system on the gaming console using a similar hardware exploit called ShofEL2, which Nintendo apparently can't patch through firmware updates.

In fact, it looks to us like this is the same vulnerability, and fail0verflow tweeted earlier that, "we have a 90-day responsible disclosure window for ShofEL2 ending on April 25th. Since another person published the bug so close to our declared deadline, we're going to wait things out. Stay tuned."

fail0verflow also managed to turn the Nintendo Switch into a Linux-powered tablet using the KDE Plasma desktop environment, and they installed the Dolphin emulator to play the famous action-adventure game The Legend of Zelda: Twilight Princess, which is only available on the Wii, Wii U, and GameCube gaming consoles.

To demonstrate bootROM execution, Kate Temkin published a proof of concept for Fusée Gelée that includes an example payload exposing information from the Nintendo Switch's protected IROM and fuses. Temkin is also working on a custom bootloader for the Nintendo Switch called Atmosphère.