Ever since the Nintendo Switch launched last year, the homebrew community has been actively chipping away at the console to unlock the rest of its hybrid potential. And while some headway has been made, a recent exploit threatens to blow the gates open entirely.
The Fusée Gelée exploit on GitHub is a "coldboot vulnerability" in the entire line of NVIDIA Tegra embedded processors, the same technology the Nintendo Switch is built on.
Developed by one of the members behind ReSwitched, a community site designed to document the Switch's processes and enable the development of homebrew software, the exploit allows a user to execute code on the Tegra chip's boot and power management processor before a fuse kicks in. That 'fuse' basically prevents any further modification of the code once it has been written.
The exploit isn't specifically designed for the Switch, but for Tegra hardware in general. More in-depth instructions can be found on GitHub, although knowing a bit of Python might help with the translation.
The kicker for Nintendo, and the relevant bit for anyone who owns a Switch today, can be found at the bottom:
In this case, the recommended mitigation is to correct the USB control request handler such that it always correctly constrains the length to be transmitted. This has to be handled according to the type of device:
- For a device already in consumer hands, no solution is proposed. Unfortunately, access to the fuses needed to configure the device's ipatches was blocked when the ODM_PRODUCTION fuse was burned, so no bootROM update is possible. It is suggested that consumers be made aware of the situation so they can move to other devices, where possible.
- For new devices, the correct solution is likely to introduce a new ipatch or new ipatches that limit the size of control request responses.
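The length constraint named in the mitigation above, as an added example (not code from the report, NVIDIA or Nintendo): a generic device-side control request handler in C in which the host-supplied `wLength` can only shorten a reply, never lengthen it. The handler and helper names, the GET_STATUS-only request set and the sample reply bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SETUP packet fields, per USB 2.0 section 9.3. wLength is chosen by the host. */
struct usb_setup {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue, wIndex, wLength;
};

#define REQ_GET_STATUS     0x00u
#define DIR_DEVICE_TO_HOST 0x80u

/* Constructed sample data: a standard GET_STATUS reply is two bytes long. */
static const uint8_t status_reply[2] = { 0x01, 0x00 };

/* Hypothetical handler: writes the reply into out, returns bytes to send, -1 = stall. */
int control_response(const struct usb_setup *s, uint8_t *out, size_t out_cap)
{
    if (!(s->bmRequestType & DIR_DEVICE_TO_HOST) || s->bRequest != REQ_GET_STATUS)
        return -1;

    /* The constraint: the reply's real size and the buffer bound the length.
       The host's wLength may only shorten the transfer, never lengthen it. */
    size_t n = sizeof status_reply;
    if (n > s->wLength) n = s->wLength;
    if (n > out_cap)    n = out_cap;
    memcpy(out, status_reply, n);
    return (int)n;
}

/* Runs one request against a guarded buffer; returns -2 if the guard bytes changed. */
int reply_len(uint8_t request, uint16_t wLength)
{
    uint8_t buf[8];
    struct usb_setup s = { DIR_DEVICE_TO_HOST, request, 0, 0, wLength };
    memset(buf, 0xAA, sizeof buf);
    int n = control_response(&s, buf, 4);     /* only 4 bytes are usable */
    for (size_t i = 4; i < sizeof buf; i++)
        if (buf[i] != 0xAA) return -2;
    return n;
}

int main(void)
{
    printf("wLength=0xFFFF -> %d bytes\n", reply_len(REQ_GET_STATUS, 0xFFFF));
    printf("wLength=1      -> %d bytes\n", reply_len(REQ_GET_STATUS, 1));
    return 0;
}
```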
Katherine Temkin, who reported the vulnerability on GitHub, wrote on her personal site that NVIDIA and other vendors, Nintendo included, were notified of the vulnerability ahead of its public disclosure. "Unfortunately, this bug affects a significant number of Tegra devices beyond the Switch, and beyond even the X1 included in the Switch," she wrote.
Temkin also explained why Nintendo can't simply patch out the error:
The relevant vulnerability is the result of a 'coding mistake' in the read-only bootrom found in most Tegra devices. This bootrom can have minor patches made to it in the factory ('ipatches'), but cannot be patched once a device has left the factory.
This immutability is actually a good thing in terms of security. If it were possible to apply patches to the bootrom after a unit had been shipped, anyone with a sufficiently powerful exploit would be able to make their own patches, bypassing boot security. It also means that any Switch currently affected will continue to be able to use Fusée Gelée throughout its life.
The reason for the disclosure now: public interest. Another hacking group, Team Xecuter, has already announced plans to sell a mod that will enable homebrew software on the Switch. Temkin, however, accused the group of profiteering and not disclosing vulnerabilities responsibly.
"While it's cool that they want to build technical solutions to Switch-hacking problems, I completely detest what I've seen of their practices and methods ... I think that Team Xecuter seems to be without morals or scruples, and I am happy to do as much as I can to reduce their profitability and thus disincentivise these kinds of awful behaviours," she wrote.
Anyone looking to take advantage of homebrew software in the future will require a MicroSD card, a USB A-to-C cable (think what you charge the Pro Controller or most flagship Android phones with) and, optionally, a screwdriver that will work with the Switch's tinier screws.
The Fusée Gelée coldboot software launcher, which will be included as part of the Atmosphère-NX custom firmware, is scheduled for a release sometime in the Australian winter. Temkin notes that the vulnerability might also be disclosed more publicly by June 15, or beforehand should "another group" release an implementation of their own.