For end users, Monday’s public disclosure of the Fusée Gelée exploit will make it relatively simple to run arbitrary code on the Nintendo Switch and other Nvidia Tegra X1-based hardware. For Kate Temkin and the hackers at Team ReSwitched, though, discovering and publicizing the exploit was full of technical and ethical difficulties.
ReSwitched’s work on the Switch began last year, Temkin tells Ars, with an engineer going by the handle Hedgeberg working on “voltage glitching, a technique where we very, very briefly momentarily deprived the processor of power in order to make it misbehave. On Tegra X1 processors, if you precisely time that power ‘glitch,’ you can actually bypass the point where the system ‘locks’ the bootROM—effectively bypassing the mechanism that keeps the bootROM code secret.”
By October, the team had used this method to extract a copy of that secretive bootROM, and by January, Temkin says she was spending weeks reverse-engineering and documenting that code. That process “involves comparing views of machine code we’d extracted to Nvidia’s technical documentation and gradually inferring what the code was intended to do,” Temkin said.
Other hackers at December’s 34C3 conference also cited Nvidia’s own documentation as key to their own efforts to unlock the Nintendo Switch, saying that “Nvidia backdoored themselves” with a published bypass method.
Hiding in plain sight?
As part of her “day job” as a security contractor and teacher, Temkin says she already maintains a collection of USB hacking tools that helped in reverse-engineering the Tegra’s flawed USB controller code. Once that was done, it was relatively simple to spot the “length request” vulnerability that lets an attacker overflow a DMA buffer and insert code into the application stack, she said. “[It’s] not particularly difficult to find if you had a bit of USB expertise.”
“Interestingly, if I had been less interested in reverse engineering and more in security auditing, I would almost definitely have been able to find this bug without having gained access to the bootROM,” she added. “Some of the standard auditing techniques I teach my students would have easily found the vulnerability.”
Along those same lines, Temkin says Nvidia may have hurt its own hardware security by attempting to hide its bootROM code from the public. “I imagine if their bootROMs were open source, this would have been found almost immediately, and even a binary distribution of the bootROM would have made it so researchers could easily identify the vulnerability, leading to a more immediate fix,” she said.
Temkin says the same basic USB vulnerability has existed in Tegra chips “for the better part of a decade” and only remained hidden for this long because not many people cared much about previous Tegra-powered devices. “I’ve joked before that the best way to get a chip security audited is to put it in a game console,” she said. “If it had been discovered in any of the earlier processors, it could easily have been fixed before Nvidia began implementing the X1.”
In response to a request for comment from Ars Technica, an Nvidia spokesperson pointed us to a security notice posted Tuesday, which notes that “this issue cannot be exploited remotely, even if the device is connected to the Internet. Rather, a person must have physical access to an affected processor’s USB connection to bypass the secure boot and run unverified code.” Nvidia also notes that subsequent Tegra systems (like the X2) and Nvidia GPUs are not affected by the same issue.
Nintendo of America told Ars “we have nothing to announce on this topic.”
Revealing an unpatchable method to unlock every single current X1 chip is not something Team ReSwitched takes lightly, Temkin said. The team disclosed its full report to Nvidia and vendors like Nintendo in March, she said, and signed an agreement with Nvidia to withhold public disclosure until June 15. That agreement became moot, though, when another anonymous group started leaking some of the same vulnerability details publicly early Monday morning. At that point, “we no longer felt there was a benefit to the public to keeping our work private,” Temkin said.
Even before that, though, previous tweets from Team fail0verflow showed that group had already found its own arbitrary code exploit for the Switch (which would, coincidentally, turn out to be the same one Team ReSwitched found, Temkin says). Just knowing that such a vulnerability was out there was “incredibly motivating,” Temkin said. “It’s easier to find yourself motivated to spend weeks on end reverse-engineering when you know that other hackers have found things.”
(Shortly after Temkin released details of Fusée Gelée, fail0verflow published details of its own SofEL2 exploit, including a method for installing Linux on the Nintendo Switch. This came before the end of what fail0verflow says was its own 90-day “responsible disclosure” window, which was set to expire April 25).
With fail0verflow publicizing the existence of an exploit, ReSwitched didn’t see any point in keeping the existence of its own exploit secret from the public, Temkin said. Discussing the vulnerability publicly, she said, can “help to further raise awareness of the flaws in Tegra processors,” while demonstrating “responsible disclosure” and sharing discoveries with the chipmaker first can encourage future cooperation between vendors and security auditors.
Where do we go from here?
That said, Temkin says Team ReSwitched had frequent conversations about the ethical implications of the exploit’s wider disclosure, including the potential that it could lead to users pirating copyrighted games. “It’s difficult to balance the goals of ‘opening up’ closed hardware and preventing things like piracy,” she said. “Unfortunately, enabling people to have full access to their systems inevitably means that some people are going to use that access in ways we don’t agree with.”
“I do strongly disagree with the idea of hiding software exploits and then releasing modchips that use (potentially obfuscated) versions of them,” Temkin continued, referencing Team Xecutor’s parallel effort to develop and sell a Nintendo Switch mod chip using a similar exploit. “I think it’s both unethical—as it gives malicious actors a chance to pick up and use the vulnerabilities before they can be addressed or public knowledge can spread—and against the spirit of knowledge-exchange we want to see in the console-hacking community.”
Going forward, Temkin said Team ReSwitched will continue work on Atmosphère, a customized firmware that could be installed with the Fusée Gelée exploit. The open source project will “enable things like having homebrew applications that you can launch right from the Switch’s home menu,” she said.
As for Nintendo, Temkin said she expects the company will soon release an unadvertised, “silent” update to the Switch hardware. The Switch’s internal code already contains references to a more secure “T214” version of the X1 chip, she says, which could replace the vulnerable “T210” revision that’s in current Switch systems.
As Temkin notes in her Fusée Gelée FAQ, though, all 15-million-plus Switches currently in consumer hands “will continue to be able to use Fusée Gelée throughout its life.” In the cat-and-mouse battle between console hackers and console makers, that’s the kind of discovery that stands out.
- Nintendo Switches Hacked to Run Linux—Unpatchable Exploit Released
- Nintendo reportedly rolling out new, more hack-resistant Switch hardware
- Hackers Have Started Exploiting Drupal RCE Exploit Released Yesterday
- Kernel Exploit for Sony PS4 Firmware 4.05 Released, Jailbreak Coming Soon
- Inside Nintendo’s “perfect” method for detecting online Switch piracy