According to Forbes – Games
This escalated quickly. First a permanent boot exploit was found in the Nintendo Switch allowing hackers to run unsigned code, alongside confident claims that Nintendo is unable to patch the exploit with software or firmware updates. Weeks later, fail0verflow transformed the Switch into a fully-featured Linux tablet. Now the homebrew — and likely piracy — scenes are about to be cracked wide open as the tools, tips and tricks to execute the Switch hack have gone public.
The multi-step methods to actually bypassing Switch boot security and running your own code are complex, and well above my skill level. As such I’m not going to dive too deeply into them as I’m sure interested parties can simply visit fail0verflow’s detailed blog post containing instructions.
Additionally, Ars Technica spotted an entry on GitHub written by hacker Katherine Temkin of ReSwitched, who discloses details of the vulnerability. Guess what? It’s not just limited to the Nintendo Switch. Temkin has discovered that the exploit extends across Nvidia’s entire line of Tegra X1 processors.
“By carefully constructing a USB control request, an attacker can leverage this vulnerability to copy the contents of an attacker-controlled buffer over the active execution stack, gaining control of the Boot and Power Management processor (BPMP) before any lock-outs or privilege reductions occur,” Temkin writes.
In plain terms, a user can overflow a Direct Memory Access (DMA) buffer within the bootROM and use that overflow to gain high-level access before the security part of the boot process runs. Because the vulnerable code lives in read-only memory, the bug cannot be patched on units already shipped.
“Since this bug is in the Boot ROM, it cannot be patched without a hardware revision, meaning all Switch units in existence today are vulnerable, forever,” writes fail0verflow. “Nintendo can only patch Boot ROM bugs during the manufacturing process.”
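As an added illustration of the bug class Temkin describes, and not the Tegra X1 bootROM's actual code (the handler, frame and field names are hypothetical, and the stack frame is modelled as a struct so the overwrite can be observed safely), here is a USB control-request handler that trusts the request's length field when copying into a fixed-size buffer, beside the hardened form that validates it:

```c
#include <stdint.h>
#include <string.h>
#define EP0_BUF_SIZE      64u
#define SAVED_LR_SENTINEL 0xC0DEF00Du

struct usb_setup {          /* the 8-byte USB SETUP packet */
    uint8_t  bmRequestType, bRequest;
    uint16_t wValue, wIndex;
    uint16_t wLength;       /* host-chosen, up to 0xFFFF */
};

/* Hypothetical model of the handler's stack frame: the local buffer sits
 * directly below the saved return address, as on a real call stack; the
 * slack member only keeps the model's writes inside one object. */
struct bpmp_frame {
    uint8_t  ep0_buf[EP0_BUF_SIZE];
    uint32_t saved_lr;
    uint8_t  slack[0x10000];
};
/* Vulnerable form: copies wLength bytes without checking the buffer size. */
int handle_ctrl_vuln(struct bpmp_frame *f, const struct usb_setup *s,
                     const uint8_t *dma_buf)
{
    f->saved_lr = SAVED_LR_SENTINEL;
    memcpy(f->ep0_buf, dma_buf, s->wLength);   /* length never validated */
    return 0;
}
/* Hardened form: rejects a request longer than the buffer before copying. */
int handle_ctrl_fixed(struct bpmp_frame *f, const struct usb_setup *s,
                      const uint8_t *dma_buf)
{
    f->saved_lr = SAVED_LR_SENTINEL;
    if (s->wLength > EP0_BUF_SIZE)
        return -1;                              /* stall: request too long */
    memcpy(f->ep0_buf, dma_buf, s->wLength);
    return 0;
}
/* Feeds one request carrying a constructed all-0x41 payload through the
 * chosen handler; returns 1 if the saved return address survived. */
int request_preserves_frame(int hardened, uint16_t wLength)
{
    static uint8_t dma_buf[0x10000];
    static struct bpmp_frame f;
    struct usb_setup s = { 0x80, 0x00, 0, 0, wLength };
    memset(dma_buf, 0x41, sizeof dma_buf);
    if (hardened) handle_ctrl_fixed(&f, &s, dma_buf);
    else          handle_ctrl_vuln(&f, &s, dma_buf);
    return f.saved_lr == SAVED_LR_SENTINEL;
}
```

The single bounds check is the whole fix; it is exactly the kind of change that can only be applied at manufacturing time once the handler is burned into ROM.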
But how do you actually get to this point? First, a user would need to engage the USB recovery mode present in all Tegra-based devices. It’s a lot like the days of tethered jailbreaks on the iPhone, but now we live in a world with 3D printing. And wires…
Hilariously, fail0verflow points out that you can use a simple piece of wire to bridge Pin 10 and Pin 7 on the console’s right Joy-Con connector. They’ve also linked to a 3D-printable accessory that can be created in tandem with a micro-USB connector. It’s only a few short steps, and acts as a “permanent” solution since the exploit needs to be executed at every boot. For now.
After USB recovery mode is active, the exploit needs to be put into play, which can be done with any vanilla Linux distribution on PC, and theoretically most Android phones. The solution for doing the latter has not yet been created. And again, the rest of the process makes my eyes glaze over, but it’s probably catnip for coders who want to get their hands dirty turning the Switch into a homebrew machine.
The Two Sides of the Switch Exploit
With any vulnerability like this, there are always two schools of thought. One is security and public disclosure, and the other is profit and piracy. In her extensive FAQ on the vulnerability itself, Temkin writes that it is “notable due to the significant number and variety of devices affected, the severity of the issue, and the immutability of the relevant code on devices already delivered to end users. This vulnerability report is provided as a courtesy to help aid remediation efforts, guide communication, and minimize impact to users.”
Later she calls out Team Xecutor, who she believes are preparing to sell an easier consumer version of the exploit, likely in the form of a mod chip or other peripheral device. Team Xecutor themselves are boasting that their solution “will work on ANY Nintendo Switch console regardless of the currently installed firmware, and will be completely future proof.”
Wow. At this point Nintendo has shipped roughly 15 million Switch consoles globally, so the implications here are significant. Although it’s a ripe opportunity for homebrew developers to reach a sizable audience on the Switch, you can’t escape the piracy conversation. How Nintendo will combat this is unknown, but you can bet it’s an inevitable battle at this point.
Me? I just want to back up my game saves. If a simple solution surfaces for that as result of this exploit, I’ll be all over it.
As always I’ll keep you updated on these developments. They certainly aren’t slowing down any time soon!