Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Nintendo Operating Systems Security Software

The 'Unpatchable' Exploit That Makes Every Current Nintendo Switch Hackable (arstechnica.com) 96

An anonymous reader quotes a report from Ars Technica: A newly published "exploit chain" for Nvidia Tegra X1-based systems seems to describe an apparently unpatchable method for running arbitrary code on all currently available Nintendo Switch consoles. Hardware hacker Katherine Temkin and the hacking team at ReSwitched released an extensive outline of what they're calling the Fusee Gelee coldboot vulnerability earlier today, alongside a proof-of-concept payload that can be used on the Switch. "Fusee Gelee isn't a perfect, 'holy grail' exploit -- though in some cases it can be pretty damned close," Temkin writes in an accompanying FAQ. The exploit, as outlined, makes use of a vulnerability inherent in the Tegra X1's USB recovery mode, circumventing the lock-out operations that would usually protect the chip's crucial bootROM. By sending a bad "length" argument to an improperly coded USB control procedure at the right point, the user can force the system to "request up to 65,535 bytes per control request." That data easily overflows a crucial direct memory access (DMA) buffer in the bootROM, in turn allowing data to be copied into the protected application stack and giving the attacker the ability to run arbitrary code. The exploit can't be fixed via a downloadable patch because the flawed bootROM can't be modified once the Tegra chip leaves the factory. As Temkin writes, "unfortunately, access to the fuses needed to configure the device's ipatches was blocked when the ODM_PRODUCTION fuse was burned, so no bootROM update is possible. It is suggested that consumers be made aware of the situation so they can move to other devices, where possible." Ars notes that Nintendo may however be able to detect "hacked" systems when they sign on to Nintendo's servers. "The company could then ban those systems from using the Switch's online functions."
This discussion has been archived. No new comments can be posted.

The 'Unpatchable' Exploit That Makes Every Current Nintendo Switch Hackable

Comments Filter:
  • by Anonymous Coward

    Nintendo begins charging for online service in September so I wasn't going to be playing online after that anyway. Losing access to the eShop doesn't matter so much if you're pirating all the games. This is a shitty development for Nintendo and game developers.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      This is a shitty development for Nintendo and game developers.

      Apart from their sales-drones going into panic-mode I doubt they will see much impact.

      There have been exploits for many platforms before this. When they show up people have already bought most of the games they were going to buy anyway and it is not like a large part of the consumer base will use the exploit.
      The users of the exploit will mainly be gamers that couldn't afford getting the games they wanted before or those who wants to play games they weren't willing to pay for.
      Apart from that it will be a han

  • Sounds promising (Score:2, Insightful)

    by Anonymous Coward

    So if I'm understanding TFS correctly users might be able to take control of their devices and use them for something other than their intended purpose?

    Sounds good to me!

    • by Darinbob ( 1142669 ) on Monday April 23, 2018 @06:29PM (#56491557)

      I wouldn't call this an exploit. I find it bizarre that the world takes these extreme measures to lock down a purchased product as a matter of fact, instead of treating it as a violation of consumer rights. Now there are devices where such paranoia is reasonable, but I don't think this is reasonable in a consumer game market.

      • by Anonymous Coward

        Not when considering that a few years ago all my friends' pre-teen kids had a Nintendo DS/DS2/3DS and none of them had any original games. They all had gotten a Supercard or something similar together with a microSD-card filled with hundreds of ROMs. Using exploits it became too easy to run copied games on the older Nintendo handhelds. You don't need to have any technical how-to, just go to the store and buy a small cartridge, get game ROMs from a friend and pop the microSD-card into the cartridge.

        A console

  • by Anonymous Coward

    The 'Unpatchable' Exploit That Makes Every Current Nintendo Switch ownable by the person in possesion of it, which can be a good thing.

    • Re: Correction (Score:2, Flamebait)

      by kurkosdr ( 2378710 )
      I find it funny that FOSSies were super worried about access to the source code (never mind that several proprietary games have been hand-hacked using hex editors with great results, without the need for a line of source code) and the real threat to user freedom came from a GPL kernel locked behind locked bootloaders and locked root access. Nice foresight there Mr Stallman! Now excuse me, an Android phone of mine crapped its own /system partition and I cannot reinstall the OS (like I can with evil non-free
      • " .. funny that FOSSies .."

        MS is trying hard to portray themselves as the new friends of 'FOSSies'. You are not helping them.

        ".. several proprietary games have been hand-hacked using hex editors with great results"

        If you think that the purpose of FOSS is to hack games, you are missing the big picture. Even in the context of a gaming console, it is mostly about the journey, not the destination. Hacked consoles have never made a dent in the game console market. Perhaps worth noting is that the v
        • The GPLv2 is a free software license, blessed by Stallman himself, and the Linux kernel that uses it has evolved into the worst threat to user freedom (and security), because of locked bootloaders and locked root. You can say that this is not free software, but truth is Stallman failed to predict the real threat to user freedom when he crafted the GPLv2 (the GPLv3 is a classic case of shutting the doors after the wolves have been inside). Living in the ivory tower known as the MIT, he failed to see most peo
          • I'm not sure if you are trying to provoke some kind of reaction by talking about Stallman blessing suff and the Linux kernel, but Stallman's predictions or lack thereof are of no interest to me. I'm a BSD user myself and prefer using products with that license (less hassle to redeploy) but favor the GPL when it is important that new code remains open (for example: paid by the public).

            As far as what 'most people' want, you can base market decisions on that, not freedom.

            I sure care about having access
      • I find it funny that FOSSies were super worried about access to the source code (never mind that several proprietary games have been hand-hacked using hex editors with great results, without the need for a line of source code)

        The problem is that all the hand-hacks that you mention, even if successfully done in practice, are theoretically against copyright and other DCMA-alike laws (though in some jurisdictions they are expressly covered by local "fair use"-alike exception. I think you *could* be allow to bypass security to access your own device that you own in several European countries).

        So even if it was done, it's something that in theory we would not be allowed to. The whole idea behind copyleft licenses (like the GPL family

  • Local only? (Score:4, Insightful)

    by Enigma2175 ( 179646 ) on Monday April 23, 2018 @05:31PM (#56491327) Homepage Journal

    So it's an bug that can only be exploited locally, is this really a big deal? I'm not worried that people can now run arbitrary code on hardware they own.

    • by Anonymous Coward

      You are not but Nintendo is.

    • by ELCouz ( 1338259 )
      This is bad for Nintendo and game developers. At least somebody will come with a custom firmware to export save games so people can back them up.
    • by Arab ( 466938 )
      That's not the point, if you can execute arbitrary code, you can load software onto the system, and that leads to things like the homebrew channel the Wii and Wii U had.
    • Re:Local only? (Score:4, Interesting)

      by Darinbob ( 1142669 ) on Monday April 23, 2018 @06:40PM (#56491593)

      I had mentioned to a coworker who is a console game user, and he was surprised and taken aback that people who weren't sleazeballs were modding their games on PCs. He thought we were being very risky to change the UI in Skyrim. I think there's been a lot of astroturfing to convince players that only cheaters would modify games.

      • I had mentioned to a coworker who is a console game user, and he was surprised and taken aback that people who weren't sleazeballs were modding their games on PCs. He thought we were being very risky to change the UI in Skyrim. I think there's been a lot of astroturfing to convince players that only cheaters would modify games.

        Is it a surprise that console gamers don't know jack? The whole point of consoles is to make games accessible to people who find computers confusing.

  • by AndyKron ( 937105 ) on Monday April 23, 2018 @05:37PM (#56491357)
    I'm sure glad I don't know what this is.
  • by Anonymous Coward

    "The company could then ban those systems from using the Switch's online functions."

    Here's hoping.
    If you want to hack your Switch to run whatever you like when you're offline then you should be free to do so.
    If you're hacking your Switch for aimbots and wallhacks in online games then you can FOAD.

  • by Opportunist ( 166417 ) on Monday April 23, 2018 @05:46PM (#56491391)

    It's finally time to get one now that you may actually own one?

    Nintendo, again leaving the competition in the dust when it comes to building what the users really want!

    • by Anonymous Coward
      No, because all new consoles will likely have this patched. If you wanted a Switch for the purpose of loading custom software once it became possible to do so, you should have bought one as early as you could.
      • All new games released from this point will probably patch your Switch for you.

        • They cannot: that would require burning a new game ROM.

          I think we can safely assume that new devices will have an updated ROM, without the bug,

        • by Khyber ( 864651 )

          "All new games released from this point will probably patch your Switch for you."

          I mean, even reading the fucking summary states that this is purely hardware and no software can fix it, because it's locked down and can't be modified due to burnt-out e-fuses.

  • by K. S. Kyosuke ( 729550 ) on Monday April 23, 2018 @05:48PM (#56491407)

    It is suggested that consumers be made aware of the situation so they can move to other devices, where possible

    Why the hell would they do that? Because the device's general utility has suddenly improved?

    • by Gavagai80 ( 1275204 ) on Monday April 23, 2018 @06:00PM (#56491453) Homepage

      It's like the guards at the prison all quit and removed the gates on their way out... and so the prisoners are being urged to pool their own money to hire new guards and rebuild the gates ASAP for their safety.

    • by Xenx ( 2211586 ) on Monday April 23, 2018 @06:17PM (#56491517)
      I don't know why your average person using a Switch would be overly concerned about the security of it. But, somehow in the off chance that you're in a position where you do.. technically this would be a risk. It's better to suggest not using it, and then letting the user make the choice on their own.
    • by AmiMoJo ( 196126 )

      I think she was referring to Nintendo and other users of the Nvidia chip that has this flaw. The only way they can fix it in future devices is to move to a different system-on-chip.

      Nintendo will probably have to hope that Nvidia creates a new version of this part, because moving to a different SoC isn't really a good option because it would create fragmentation.

      • by tlhIngan ( 30335 )

        I think she was referring to Nintendo and other users of the Nvidia chip that has this flaw. The only way they can fix it in future devices is to move to a different system-on-chip.

        Nintendo will probably have to hope that Nvidia creates a new version of this part, because moving to a different SoC isn't really a good option because it would create fragmentation.

        Not really. The flaw is a bug in the boot ROM. All they have to do is fix the boot ROM. Existing Switches out there are vulnerable to the hack, but

        • by AmiMoJo ( 196126 )

          All they have to do is fix the boot ROM.

          That's easier said than done.

          This is an industrial system-on-chip. They can't just update the software whenever they feel like pushing out a new version. Their customers require it to be stable and unchanging because they have to certify each version and want to buy exactly the same part for the lifetime of the product, which for things like cars and industrial machinery can be 10+ years.

          A change will require a new part number, and they will either have to convince big customers to adopt the new version and

  • by TheDarkener ( 198348 ) on Monday April 23, 2018 @05:52PM (#56491425) Homepage

    1) Hack your switch and be able to turn it into an awesome, open device able to emulate and do all sorts of things it wasn't designed to do, or

    2) Keep it unhacked and be able to play new games that come out that require the latest Nintendo updates (of which I'm sure you would be blocked from when they detect that your system has been hacked).

    This was the same deal with the Wii.

    • by Khyber ( 864651 )

      " Keep it unhacked and be able to play new games that come out that require the latest Nintendo updates"

      Uh, no, because Nintendo can't update the hardware because of burnt fuses in the firmware chip.

    • 3) Buy *two* systems, one to hack and one to play new games. Double the sales! Nintendo is just looking at this wrong.
      • by Shados ( 741919 )

        Assuming they are making a profit on hardware (though I think NIntendo usually is). Makes attach rate on games look bad though.

  • by chispito ( 1870390 ) on Monday April 23, 2018 @08:47PM (#56492045)
    Is "attacker" what you call an owner unlocking his or her device? Do you call people who root their Android devices, or people who jailbreak their iOS devices "attackers?"
    • by AmiMoJo ( 196126 )

      Reading the FAQ she points out that it's not just the Switch that is vulnerable here, it's other devices that use the same SoC and potentially all Tegra X1 parts. They are used in things like in-car nav/entertainment systems, self-driving AI systems, smart TVs and set top boxes, all kinds of stuff.

      The potential for malicious use exists. Reminds me of those smart fridges in Silicon Valley.

      • Reading the FAQ she points out that it's not just the Switch that is vulnerable here, it's other devices that use the same SoC and potentially all Tegra X1 parts. They are used in things like in-car nav/entertainment systems, self-driving AI systems, smart TVs and set top boxes, all kinds of stuff.

        The potential for malicious use exists. Reminds me of those smart fridges in Silicon Valley.

        Did you see anything that suggests this is possible without physical access? In my skim over TFA, nothing jumped out at me as being possible via web/wifi.

  • by Anonymous Coward

    As I scanned the story, I thought, 'Wow, a female doing low-level, really tough,hardware hacking! Waaaaiit, it's gotta be a dude...'
    >Checks youtube video from hack author
    >hacker is clearly, openly a dude in makeup, using the cringe-iest-ever falsetto voice.

    -__-

  • Today I learned that someone running their own code on a machine they bought is considered an "attacker".
  • This is great news, I hope the community comes up with great new ways of using the Switch that Nintendo isn't willing to do.
    Dual booting Android, being able to backup *gasp, such a novel notion* your saves, among several other things that the Switch has the hardware to do, but it doesn't because Nintendo fears it might create a pathway for a hack or something.
    Nintendo might hate it, but this could potentially make the Switch a thousand times more enticing for costumers.
    And yes, pirates will make use of the

"Being against torture ought to be sort of a multipartisan thing." -- Karl Lehenbauer, as amended by Jeff Daiell, a Libertarian

Working...