A newly revealed “exploit chain” for Nvidia Tegra X1-based systems appears to describe an apparently unpatchable method for running arbitrary code on all currently available Nintendo Switch consoles. Hardware hacker Katherine Temkin and a hacking team released an extensive outline of what they are calling the Fusée Gelée coldboot vulnerability earlier today, alongside a proof-of-concept payload that can be used on the Switch. In an accompanying FAQ, Temkin wrote, “Fusée Gelée isn’t a perfect, ‘holy grail’ exploit—though in some cases it can be pretty damned close.”
As outlined, the exploit makes use of a vulnerability inherent in the Tegra X1’s USB recovery mode, circumventing the lock-out operations that would usually protect the chip’s important bootROM. By sending a bad “length” argument to an improperly coded USB control procedure at the right point, a user can force the system to “request up to 65,535 bytes per control request.” That data easily overflows an important direct memory access (DMA) buffer in the bootROM, in turn allowing data to be copied into the protected application stack and giving the attacker the ability to run arbitrary code.
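The class of bug described above, a copy sized by a host-supplied length with no bounds check, is shown next to its hardened form in the following added example, which is not code from the Fusée Gelée report or from the bootROM. Every name and the 4,096-byte buffer size are assumptions; only the 65,535-byte ceiling comes from the article, and `wLength` is the standard 16-bit USB length field.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model, not bootROM code: every name and size here is an assumption.
   Only the 65,535-byte ceiling (the width of wLength) comes from the article. */
#define DMA_BUF_SIZE 4096u                 /* assumed DMA buffer size */
#define RAM_SIZE     (DMA_BUF_SIZE + 65535u)
static uint8_t ram[RAM_SIZE];   /* [0, DMA_BUF_SIZE) = DMA buffer, rest = "stack" */
static uint8_t payload[65535];  /* constructed host data */

/* Flawed pattern: the host-supplied length alone sizes the copy. */
static size_t copy_unchecked(const uint8_t *src, uint16_t wLength) {
    memcpy(ram, src, wLength);
    return wLength;
}

/* Hardened pattern: clamp to the data available and to the buffer size. */
static size_t copy_checked(const uint8_t *src, size_t avail, uint16_t wLength) {
    size_t n = wLength;
    if (n > avail) n = avail;
    if (n > DMA_BUF_SIZE) n = DMA_BUF_SIZE;
    memcpy(ram, src, n);
    return n;
}

/* Count bytes beyond the DMA buffer that were overwritten (non-zero). */
static size_t clobbered_outside_buffer(void) {
    size_t count = 0;
    for (size_t i = DMA_BUF_SIZE; i < RAM_SIZE; i++)
        if (ram[i] != 0) count++;
    return count;
}

/* Run one constructed request (payload bytes all 0xAA) through either path. */
static size_t simulate(int hardened, uint16_t wLength) {
    memset(ram, 0, sizeof ram);
    memset(payload, 0xAA, sizeof payload);
    if (hardened) copy_checked(payload, sizeof payload, wLength);
    else          copy_unchecked(payload, wLength);
    return clobbered_outside_buffer();
}

int main(void) {
    printf("unchecked: %zu bytes past the buffer\n", simulate(0, 65535));
    printf("checked:   %zu bytes past the buffer\n", simulate(1, 65535));
    return 0;
}
```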
The toughest part of the exploit on the Switch appears to be forcing the system into USB recovery mode. Doing this without opening the system requires shorting out a particular pin on the right Joy-Con connector (the bit on the side of the system where the Joy-Con clicks into place). The hacking team fail0verflow tweeted an image of a small plug-in device that can apparently provide this short-out easily, and the team joked that a simple piece of wire from the hardware store could do so today. Temkin also tweeted an image suggesting that simply exposing and bending the pin in question would work too.
What makes this exploit particularly worrisome for Nintendo and other Tegra vendors is that it apparently cannot be fixed through a simple downloadable patch; the flawed bootROM in question cannot be modified once the Tegra chip leaves the factory. That is a crucial security measure if the bootROM itself is secure, but a huge problem if the bootROM is exploited, as appears to be the case here.
Temkin wrote, “Unfortunately, access to the fuses required to configure the device’s ipatches was blocked when the ODM_PRODUCTION fuse was burned, so no bootROM update is possible. It is suggested that consumers be made aware of the situation so they can move to other devices, where possible.”
That suggestion is unlikely to be of much use to Nintendo, which has already shipped over 14.8 million apparently vulnerable Switch systems to the public. Earlier software-level exploits of Nintendo systems could be mitigated through downloadable system updates, which Nintendo attempts to force on users by making them a requirement for new software and for access to Nintendo’s online servers.
That would not be useful for a chip-level bootROM exploit like the one in this case. But Nintendo is not completely powerless in the situation. Even if and when the exploit is widely spread, Nintendo might still be able to detect “hacked” systems when they sign on to Nintendo’s servers. The company could then ban those systems from using the Switch’s online functions.