Hackers Unlocked Nintendo Switch Bootrom To Run Custom Apps And Games

A nightmare scenario for the Nintendo Switch has been disclosed. An exploit has been found in Nvidia’s Tegra X1 processor that appears to leave the Nintendo Switch hardware wide open to customization. Before this hack, the Switch was hacked to run Linux in February, and now it’s clear that hackers could eventually go further and run homebrew apps and games on the gaming console.

Two exploits were detailed this week that allow hackers to abuse a hardware flaw in the Switch’s processing unit and gain access to the Switch’s operating system. In fact, it is impossible for Nintendo to patch the hardware flaw without releasing a new version of the Switch, meaning that at least 14 million devices are vulnerable.

Hacker Katherine Temkin, working in conjunction with the ReSwitched team, has put together an “exploit chain” which allows a custom payload to be injected into the Switch hardware. The technique very briefly deprives the processor of power in order to make it misbehave. The team behind this dubbed their vulnerability the Fusée Gelée coldboot vulnerability and have included an extensive write-up and proof-of-concept here on how a custom payload could be used on Nintendo’s Switch hardware.

Under normal circumstances, a vulnerability would only affect a smaller number of devices running specific firmware and wouldn’t be a huge concern for a manufacturer like Nintendo. However, where the Fusée Gelée coldboot vulnerability is concerned, it seems entirely unpatchable and affects all Nintendo Switch hardware, regardless of the age of the firmware it’s running. In other words, the hack means the console is jailbroken for life.

The issue lies directly in the heart of the Tegra X1 bootrom, which cannot be modified or fixed after it leaves the factory. It’s a jailbreak similar to a “tethered” iPhone jailbreak: it needs to be performed on every boot via USB. The hack doesn’t require a modchip, although it’s likely that third parties will now create Switch hardware mods to assist with the jailbreak.

Those with the know-how would be able to run homebrew software and customized apps and games (including pirated ones), which can then be installed and executed on Nintendo’s hardware. Once the exploit is used, it’s undetectable to existing software and allows Switch users to run custom homebrew apps or a fully touch-enabled version of Linux with 3D acceleration support.

Previously, Nintendo has been able to patch hacks through software updates, but because of the hardware nature of this vulnerability that simply will not be possible in this instance.

Nintendo will likely be the primary target for software hackers who want to customize their Switch, as well as for those who will seek to run pirated software and games on the device. Nintendo will also be forced to update its Switch hardware to fully protect against the exploits, since they’re undetectable to existing software and all current models are vulnerable.

Nintendo isn’t likely to simply accept this vulnerability and allow Nintendo Switch owners to do whatever they want with their devices should some homebrew be released that lets them take advantage of it. Still, it’s early days for the exploits right now, as there’s no custom firmware or homebrew tooling available yet to make the inevitable widespread piracy and homebrew app support a reality.

Unfortunately, a game of cat and mouse has now begun, as Nintendo will likely try to implement software fixes that hackers will bypass thanks to their low-level access to the system via the hardware exploit. The Japanese company will likely have a trick or two up its sleeve, potentially including trying to stop device owners from accessing its servers when running a hacked game or software that hasn’t been officially sanctioned for use on the Switch.

That said, a lot of Switch owners will likely actually want their devices hacked in order to save game data to an SD card, which, bizarrely, is something Nintendo doesn’t offer directly at an official level. So far, Nintendo hasn’t made any official comment on the situation, but it’s likely that a slight modification to a future hardware model will have this vulnerability patched sooner rather than later. For the current models in customers’ hands, though, this vulnerability means they are essentially pwned for life.

