The Nintendo Switch hardware has been hacked and cannot be patched by the manufacturer.
Hackers fail0verflow and Kate Temkin have delivered exploits, with the Fusee Gelee hack fully documented online.
The system is now open to homebrew software, with a fully-supported touch version of Linux available.
A report by Digital Foundry reckons the exploit “cannot be patched”. Nintendo’s only option, it says, is to “revise the Nvidia Tegra X1 processor itself, patching out the boot ROM bug.”
Here’s a video of Linux on Switch with some horrible music:
“Choosing whether to release an exploit or not is a difficult choice,” said fail0verflow in a blog post.
“Given our experiences with past consoles, we’ve been wary of releasing vulnerability details or exploits for fear of them being used primarily for piracy rather than homebrew.”
“90 days ago, we began the responsible disclosure process with Google, as Tegra chips are often used in Android devices. The disclosure deadline has now lapsed. The bug will be made public sooner or later, likely sooner, so we might as well release now along with our Linux boot chain and kernel tree, to make it very clear that we do this for fun and homebrew, and nothing else,” said fail0verflow, before admitting it had gone early with the release following the publishing of the Fusee Gelee hack.
It detailed the exploit in full: “The Tegra X1 (also known as Tegra210) SoC inside the Nintendo Switch contains an exploitable bug that allows taking control over early execution, bypassing all signature checks. This bug is in the RCM mode, which is a USB-based rescue mode intended for initial flashing of Tegra devices and recovery of bricked devices. Normally, RCM mode only allows signed images to be loaded, but thanks to the bug, arbitrary code execution is possible.”
“Since this bug is in the Boot ROM, it cannot be patched without a hardware revision, meaning all Switch units in existence today are vulnerable, forever.
“Nintendo can only patch Boot ROM bugs during the manufacturing process. Since the vulnerability occurs very early in the boot process, it allows extraction of all device data and secrets, including the Boot ROM itself and all cryptographic keys. It can also be used to unbrick any Tegra device as long as it has not suffered hardware damage or had irreversible changes (e.g. fuses blown). And since this is a boot-time bug that does not require touching the onboard eMMC storage, its use is completely undetectable to existing software. You can dual-boot Linux (via the USB exploit) and the Switch OS (via normal boot) with impunity, forever, as long as you do not try to make changes to the on-board memory (e.g. you can store the Linux filesystem on a second SD card partition or another SD card).”
Now it’s only a matter of time before pirate software appears on the Switch, while hackers and Nintendo try to outfox each other with back and forth updates to the operating system.