Researcher Discloses “Unpatchable” Nintendo Switch Exploit

Fusée Gelée exploit in action

A security researcher has released a proof-of-concept exploit affecting the Nvidia Tegra line of embedded processors that come with Nintendo Switch devices.

Codenamed “Fusée Gelée,” the PoC is a cold-boot hack that lets a device owner bypass the device lockdown and run custom code on the Switch.

This exploit opens the door for device owners to run custom games or export data saved on the device, currently forbidden on standard Nintendo Switch handsets.

Fusée Gelée is unpatchable

At the technical level, Fusée Gelée is nothing more than a trivial buffer overflow vulnerability. The problem is its location in the Switch’s bootROM component —found inside the Nvidia Tegra chipset— that controls the device’s boot-up routine.

This component is locked down at the hardware level after leaving the Nintendo factories, meaning it can’t be updated via a firmware patch.
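The article does not describe where the overflow sits or what input triggers it, so the following is an added, generic illustration of the bug class rather than the Tegra bootROM code: a fixed-size receive buffer is filled from a length field that an external peer controls, once with the length trusted as-is and once with it validated against the buffer’s real capacity. The buffer size, message layout and helper names are constructed for the example. The point the surrounding text makes is that in immutable boot code the checked form has to be right before the silicon ships, because there is no later patch.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical fixed-size receive buffer, a stand-in for the kind of
 * buffer early boot code fills from an external interface. The size is
 * an arbitrary constructed value, not a figure taken from any Tegra part. */
#define RX_BUF_SIZE 64

/* Constructed message shape: a peer-supplied length plus a payload pointer. */
struct message {
    uint16_t claimed_len;
    const uint8_t *payload;
};

/* Unchecked variant: trusts the length the peer supplies. If claimed_len
 * exceeds the destination's capacity, memcpy writes past 'dst'; that is
 * the class of defect the article calls a "trivial buffer overflow". */
size_t copy_unchecked(uint8_t *dst, const struct message *m) {
    memcpy(dst, m->payload, m->claimed_len);
    return m->claimed_len;
}

/* Hardened variant: validates the length against the real capacity before
 * touching memory, and rejects the message outright instead of truncating
 * silently, so a malformed message leaves 'dst' untouched. */
int copy_checked(uint8_t *dst, size_t dst_size, const struct message *m) {
    if (m->claimed_len > dst_size) {
        return -1; /* oversized message rejected, nothing written */
    }
    memcpy(dst, m->payload, m->claimed_len);
    return (int)m->claimed_len;
}

/* Drives copy_checked() with a constructed payload of repeated 0x41 bytes and
 * the given claimed length; returns the bytes copied or -1 on rejection. */
int checked_result_for_length(uint16_t claimed_len) {
    static uint8_t src[1024];
    memset(src, 0x41, sizeof src);
    struct message m = { claimed_len, src };
    uint8_t rx[RX_BUF_SIZE];
    return copy_checked(rx, sizeof rx, &m);
}

int main(void) {
    printf("claimed 32  -> %d\n", checked_result_for_length(32));  /* 32 */
    printf("claimed 64  -> %d\n", checked_result_for_length(64));  /* 64 */
    printf("claimed 200 -> %d\n", checked_result_for_length(200)); /* -1 */
    return 0;
}
```

The check compares against the destination’s actual size, not against the claimed length, and it runs before any write; an off-by-one here (using `>=` or `>` incorrectly, or checking a different buffer than the one written) is exactly the kind of slip that becomes permanent once the code is burned into ROM.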

This makes Fusée Gelée unpatchable, and it’s hard to believe Nintendo will recall millions of gaming consoles just to fix a jailbreak.

Exploitation requires forcing Switch in USB recovery mode

Exploiting Fusée Gelée isn’t that complicated either, albeit dangerous. Users need to force the Switch to reboot in USB recovery mode and then use the USB connection to launch a Python script via a console.

Probably the hardest part of the entire hack is forcing the Switch into USB recovery mode, which can be achieved by pressing and shorting two pins on the right Joy-Con connector.

Katherine Temkin, the hacker who discovered the exploit, has published a FAQ page about Fusée Gelée, how users could short the two pins, and the PoC code.

The current PoC code only prints device-specific data on the Switch’s screen, but Temkin promised to publish more scripts and information about exploiting Fusée Gelée on June 15, 2018, when the original disclosure of this vulnerability was planned to take place.

A race for fame

Temkin said she disclosed Fusée Gelée earlier than expected because another team of hardware hackers —Team Xecuter— suggested it was readying to release a similar Switch chip exploit in the coming weeks.

There is a fierce competition between hardware hacking squads, and Temkin wanted to have the first exploit published online. Temkin is a member of team ReSwitched.

But Temkin and Team Xecuter were not the only ones working on a Switch jailbreaking exploit. Just after Temkin’s release of her Fusée Gelée exploit, team Fail0verflow published its own Nvidia Tegra exploit.

Temkin is currently working on improving the Fusée Gelée exploit chain and integrating it into a final modchip jailbreaking toolkit named Atmosphère, which is planned for release in June.

Team Fail0verflow also announced it would be releasing a custom tool that makes shorting the two Switch USB recovery mode pins a lot easier.

… but joked that any wire bought from an electronics store should be enough to short the pins…

“Fusée Gelée isn’t a perfect, ‘holy grail’ exploit, though in some cases it can be pretty damned close,” Temkin said.

Nonetheless, Nintendo Switch owners should be very careful in using the Fusée Gelée exploit to mod their consoles, as this could lead to some hardware damage when carried out by inexperienced users, such as shorting other Switch hardware components by accident.

Fusée Gelée vulnerability affects other devices

“Fusée Gelée was responsibly disclosed to NVIDIA earlier, and forwarded to several vendors (including Nintendo) as a courtesy,” Temkin wrote yesterday.

“Unfortunately, this bug affects a significant number of Tegra devices beyond the Switch, and beyond even the X1 included in the Switch. I can tell you, it wasn’t fun to find a bug with such a broad impact; it significantly complicated the ethics involved.”

Once Temkin publishes the full details of the Fusée Gelée vulnerability in June, variations of the exploit chain for other Tegra-chipset-based devices are expected to pop up online.
