When it rains in the homebrew scene, it doesn't pour. It floods.
Earlier today we wrote about how the Nintendo homebrew scene had gotten a major boost from the public announcement of an exploit affecting NVIDIA's Tegra embedded processors, including the one in every Nintendo Switch released to date.
Part of the reason for the release was to encourage positive disclosure and the proper handling of critical flaws, according to the authors of the Fusée Gelée vulnerability.
Ever since the Nintendo Switch launched last year, the homebrew community has been actively chipping away at the console to unlock the rest of its hybrid potential. And while some headway has been made, a recent exploit threatens to blow the gates open entirely.
But the announcement of Fusée Gelée has kicked off a bit of a storm, with other groups and individuals releasing their security research data and progress to date. Earlier this morning, a hardware hacker for the Dragon Sector CTF team briefly outlined the Tegra X1 bug. Another group, fail0verflow, also posted a video of a Linux build running on the Switch, showing a working browser that was posting to Twitter:
The same group then published their own exploit, ShofEL2, on their official website. They had disclosed their findings to Google almost three months ago, because Tegra devices frequently run Android software. They had planned to publicly announce their work on April 25 internationally, but the announcements by other groups and the reveal of Fusée Gelée forced their hand.
"At best, a release by other homebrew teams is inevitable, while at worst, a certain piracy modchip team might make the first move," the post reads, echoing a similar sentiment behind Temkin and the ReSwitched group's announcement.
And in case you were in any doubt about how serious this is, vulnerability-wise, fail0verflow wrote that all released Nintendo Switches are affected:
Since this bug is in the Boot ROM, it cannot be patched without a hardware revision, meaning all Switch units in existence today are vulnerable, forever. Nintendo can only patch Boot ROM bugs during the manufacturing process. Since the vulnerability occurs very early in the boot process, it allows extraction of all device data and secrets, including the Boot ROM itself and all cryptographic keys.
Reminder: ShofEL2 cannot be patched in existing units (it will work on *any* firmware, past or future), it allows full access (all keys and secrets), and it is completely undetectable by normal software. You can dual boot Linux and Switch OS with impunity. https://t.co/bqpmqBWkem
— fail0verflow (@fail0verflow) April 24, 2018
The repositories for the exploit have been posted on GitHub, but they're not built for the average user. The recent flood of disclosures also means that fail0verflow hasn't posted its full documentation yet, including information about other Boot ROM bugs in the Switch/Tegra hardware that are reportedly known about (but not publicly disclosed).