This week, two hacking groups have independently released methods that allow a user to jailbreak the Switch, and one group is already using its method to run a ported version of Linux on Nintendo's device. The worse news for Nintendo: the hackers say the exploit is due to a bug in the system's processor chip, meaning that Nintendo can't patch it out in a firmware update.
The flaw is in the USB Recovery Mode, or RCM, built into the Switch's Tegra processor. Hackers say that a computer tethered over USB can send the recovery code more data than its buffer can hold, overflowing it and letting the attacker run code of their choosing at the very start of the boot process, before the console's normal security takes hold. That effectively opens Pandora's box in terms of what can be installed and run on the machine, including turning the Switch into a handheld that runs Linux in addition to its standard "Horizon" operating system.
While hackers had hinted at this vulnerability back in January of this year, this is the first time several groups have discussed in detail how it works and what the consequences will be. The exploits were announced yesterday by the hacking group ReSwitched, which is calling its method Fusée Gelée, and today by Fail0verflow, which calls its method ShofEL2. While the two methods use different code, the steps are similar and rely on the same bug in Nvidia's Tegra X1 processor. Because the bug sits in the Boot ROM, code burned into the chip itself rather than firmware Nintendo can update, the groups say there is not much Nintendo can do at this point besides fixing it for the consoles it sells in the future.
"Since this bug is in the Boot ROM, it cannot be patched without a hardware revision, meaning all Switch units in existence today are vulnerable, forever," the group Fail0verflow wrote on its blog. It's unclear when Nintendo and Nvidia became aware of the problem and whether or not the companies have begun taking steps to address it, but since there are already 14.8 million Switches out in the wild, the vulnerability is already widespread, and it also affects any Android devices that use the Tegra X1.
While carrying out the exploit is complex, and not currently user-friendly enough for your average Switch owner to attempt, an important part of it relies on shorting pin 10 in the Switch's right-hand Joy-Con connector. This is what puts the Tegra chip into its recovery mode, at which point a tethered computer can feed the recovery code more data than it expects and take control of the chip while it is still running Boot ROM code. It's a devastating bug for the console's security as a whole, with consequences far beyond hackers simply being able to run custom operating systems. "Since the vulnerability occurs very early in the boot process, it allows extraction of all device data and secrets, including the Boot ROM itself and all cryptographic keys," the group wrote.
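The two paragraphs above describe the bug only in outline: a USB recovery handler that trusts a host-supplied length and copies more data than its buffer holds. The following C program is an added illustration of that bug class, written for this article; it is not code from ReSwitched, Fail0verflow or the Tegra X1 Boot ROM. It decodes a standard 8-byte USB SETUP packet, then processes the transfer two ways: a vulnerable path that copies the host-chosen wLength bytes into a fixed buffer, and a hardened path that clamps the copy to the buffer size. The 64-byte buffer, the saved-return-address slot sitting right after it, the sentinel address and the sample request are all assumptions chosen to make the effect observable.

```c
/*
 * Constructed model of a USB control-request handler that trusts the
 * host-supplied wLength field. Not the Tegra Boot ROM code: buffer size,
 * frame layout, sentinel values and the sample request are assumptions.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Standard 8-byte USB SETUP packet (USB 2.0 spec, little-endian fields). */
struct usb_setup {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;   /* chosen by the host: 0..65535 */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Decode a raw setup packet the way a device-side USB stack would. */
void parse_setup(const uint8_t raw[8], struct usb_setup *s)
{
    s->bmRequestType = raw[0];
    s->bRequest      = raw[1];
    s->wValue        = le16(raw + 2);
    s->wIndex        = le16(raw + 4);
    s->wLength       = le16(raw + 6);
}

/*
 * Assumed stack frame of the handler: a 64-byte response buffer followed
 * directly by the saved return address. The backing array is 64 KiB so that
 * any 16-bit wLength stays inside it and the model has no undefined
 * behaviour; on real hardware the copy would simply run off the end.
 */
#define RESP_BUF_SIZE    64
#define SAVED_LR_OFF     RESP_BUF_SIZE
#define STACK_MODEL_SIZE 0x10000
#define ORIGINAL_LR      0x40010000u   /* assumed sentinel return address */

static uint8_t stack_model[STACK_MODEL_SIZE];

static void reset_frame(void)
{
    uint32_t lr = ORIGINAL_LR;
    memset(stack_model, 0, sizeof stack_model);
    memcpy(stack_model + SAVED_LR_OFF, &lr, sizeof lr);
}

static uint32_t saved_lr(void)
{
    uint32_t lr;
    memcpy(&lr, stack_model + SAVED_LR_OFF, sizeof lr);
    return lr;
}

/*
 * Process one control transfer and return the saved return address afterwards.
 * `payload` is data the host already handed to the device. The vulnerable
 * path copies wLength bytes; the hardened path never exceeds the buffer.
 */
uint32_t handle_control(const uint8_t setup_raw[8],
                        const uint8_t *payload, size_t payload_len,
                        int hardened)
{
    struct usb_setup s;
    size_t n;

    parse_setup(setup_raw, &s);
    reset_frame();

    n = s.wLength;                      /* trusted straight from the host */
    if (hardened && n > RESP_BUF_SIZE)
        n = RESP_BUF_SIZE;              /* the missing bound: clamp to the buffer */
    if (n > payload_len)
        n = payload_len;                /* model only: never read past our sample */

    memcpy(stack_model, payload, n);    /* unhardened: n may exceed RESP_BUF_SIZE */
    return saved_lr();
}

/* Constructed sample: an IN request with wLength = 72 and a 72-byte 'A' payload. */
static const uint8_t demo_setup[8] = { 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x00 };

uint16_t demo_wlength(void)
{
    struct usb_setup s;
    parse_setup(demo_setup, &s);
    return s.wLength;
}

uint32_t demo_lr(int hardened)
{
    uint8_t payload[72];
    memset(payload, 0x41, sizeof payload);   /* bytes 64..67 land on the saved LR */
    return handle_control(demo_setup, payload, sizeof payload, hardened);
}

int main(void)
{
    printf("wLength requested: %u\n", demo_wlength());
    printf("vulnerable: saved LR = 0x%08x\n", demo_lr(0));
    printf("hardened:   saved LR = 0x%08x\n", demo_lr(1));
    return 0;
}
```

The 72-byte request is 8 bytes longer than the buffer, so in the vulnerable path the saved return address comes back as 0x41414141, the attacker's bytes, while the hardened path leaves it at the sentinel. The fix is a single comparison, which is exactly why a bug like this is trivial to correct in updatable firmware and impossible to correct in mask ROM.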
Both exploits are currently in their early stages. Fail0verflow says it has Dolphin, the GameCube and Wii emulator, running on the Switch, which foretells a future in which Switch owners can load up their devices with classic Nintendo games (or anything else) without paying a dime. But the method is not exactly user-friendly at this point, so it's unlikely the average Switch owner will want to go messing around with hardware-level tricks just to play Luigi's Mansion.
Fail0verflow, in its FAQ, writes that it's easy to break a platform like the Switch by running bad software on it. "We already caused temporary damage to one LCD panel with bad power sequencing code," it wrote. "If your Switch catches on fire or turns into an Ouya, it's not our fault."
These two exploits are how people have been able to upload the system's Boot ROM data to places like Pastebin, where it appeared over the weekend, leading others to begin sharing their own information about the security flaw as well. ReSwitched decided to share its breakdown of what it's calling the "Fusée Gelée coldboot vulnerability" this week, ahead of a more complete explanation of its findings on June 15.
“Fusée Gelée was responsibly disclosed to Nvidia earlier, and forwarded to several vendors (including Nintendo) as a courtesy,” wrote ReSwitched hacker Katherine Temkin in an FAQ about the exploit.
Fail0verflow, whose exploit utilizes the same bug in the Tegra chip, decided to likewise reveal its own findings alongside everyone else’s in an attempt, it says, to separate its work from the attempts at software piracy that will likely follow from it. “The bug will be made public sooner or later, likely sooner, so we might as well release now along with our Linux boot chain and kernel tree, to make it very clear that we do this for fun and homebrew, and nothing else,” the group wrote in its post.
These exploits aren't the only way hackers are trying to open up the Switch to run arbitrary software. As Ars Technica reports, another group called Team-Xecuter has been working on a modchip it plans to sell that would also allow custom code to be executed on the Switch. ReSwitched's announcement of the Fusée Gelée bug could be partially an attempt to get ahead of that group's release, whose methods Temkin disagrees with.
“Not just do they publicly endorse piracy, and seek to profit from keeping information to a few people, but they’re also willing to drop a 0-day that affects a broad swathe of devices on the public without any responsible disclosure,” she wrote in her FAQ. “All in all, I think that Team Xecuter seems to be without morals or scruples, and I am happy to do as much as I can to reduce their profitability and thus disincentivize these kinds of awful behaviors.”
While Nintendo's ability to address the flaw in the Switches currently on the market appears limited, it could still alter the hardware it sells in the future. Eurogamer's Digital Foundry speculates that the T214 Tegra processor referenced in a Switch 5.0.0 firmware update could signal that the company already has plans to move away from the compromised T210 model the exploits currently depend on. Nintendo did not immediately respond to a request by Kotaku for comment.