A security researcher has released a proof-of-concept exploit affecting the Nvidia Tegra line of embedded processors that come with Nintendo Switch devices.
Codenamed "Fusée Gelée," the PoC is a cold-boot hack that lets a device owner bypass the device lockdown and run custom code on the Switch.
This exploit opens the door for device owners to run custom games or export data saved on the device, currently forbidden on standard Nintendo Switch handsets.
At the technical level, Fusée Gelée is nothing more than a trivial buffer overflow vulnerability. The problem is its location: the Switch's bootROM component, which is found inside the Nvidia Tegra chipset and controls the device's boot-up routine.
This component is locked down at the hardware level after leaving the Nintendo factories, meaning it can't be updated via a firmware patch.
This makes Fusée Gelée unpatchable, and it's hard to believe Nintendo will recall millions of gaming consoles just to fix a jailbreak.
Exploiting Fusée Gelée isn't that complicated either, albeit dangerous. Users need to force the Switch to reboot in USB recovery mode and then use the USB connection to launch a Python script via a console.
Probably the hardest part of the entire hack is forcing the Switch into USB recovery mode, which can be achieved by pressing and shorting two pins on the right Joy-Con connector.
The current PoC code only prints device-specific data on the Switch's screen, but Temkin promised to publish more scripts and information about exploiting Fusée Gelée on June 15, 2018, when the original disclosure of this vulnerability was planned to take place.
Temkin said she disclosed Fusée Gelée earlier than expected because another team of hardware hackers, Team Xecuter, suggested they are preparing to release a similar Switch chip exploit in the coming weeks.
There is fierce competition between hardware hacking squads, and Temkin wanted to have the first exploit published online. Temkin is a member of team ReSwitched.
But Temkin and Team Xecuter were not the only ones working on a Switch jailbreaking exploit. Just after Temkin's release of her Fusée Gelée exploit, team Fail0verflow published its own Nvidia Tegra exploit.
Team Fail0verflow also announced they'd be releasing a custom tool that makes shorting the two Switch USB recovery mode pins a lot easier.
Introducing our new, revolutionary technology for Nintendo Switch modification. Welcome to SwitchX PRO. Coming soon. pic.twitter.com/d3xGawrW1u — fail0verflow (@fail0verflow) April 23, 2018
... but joked that any wire bought from an electronics store should be enough to short the pins...
And for those who don't want to wait or want a more cost-effective solution, we're also introducing a lite version of SwitchX. Available at your local hardware store TODAY. pic.twitter.com/BlPMmqLGlw — fail0verflow (@fail0verflow) April 23, 2018
"Fusée Gelée isn't a perfect, 'holy grail' exploit-- though in some cases it can be pretty damned close," Temkin said.
Nonetheless, Nintendo Switch owners should be very careful in using the Fusée Gelée exploit to mod their consoles, as this could lead to some hardware damage when carried out by inexperienced users, such as shorting other Switch hardware components by accident.
"Fusée Gelée was responsibly disclosed to NVIDIA earlier, and forwarded to several vendors (including Nintendo) as a courtesy," Temkin wrote yesterday.
"Unfortunately, this bug affects a significant number of Tegra devices beyond the Switch, and beyond even the X1 included in the Switch. I can tell you, it wasn't fun to find a bug with such a broad impact; it significantly complicated the ethics involved."
Once Temkin publishes the full details of the Fusée Gelée vulnerability in June, variations of the exploit chain for other Tegra-chipset-based devices are expected to pop up online.