The Nintendo Switch may soon be a haven for hackers, but not the kind that want your data — the kind that want to run SNES emulators and Linux on their handheld gaming consoles. A flaw in an Nvidia chip used by the Switch, detailed today, lets power users inject code into the system and modify it however they choose.
The exploit, known as Fusée Gelée, was first hinted at by developer Kate Temkin a few months ago. She and others at ReSwitched worked to prove and document the exploit, sending it to Nvidia and Nintendo, among others.
Update: Because this sort of thing is a matter of pride in the homebrew community, it should be added that the exploit was in fact first publicly noted by fail0verflow in early January, but independently discovered and documented by Temkin and others. The former discusses their method in a blog post here.
Although responsible disclosure is to be applauded, it won’t make much difference here: this flaw isn’t the kind that can be fixed with a patch. Millions of Switches are vulnerable, permanently, to what amounts to a total jailbreak; only new ones with code tweaked at the factory will be immune.
That’s because the flaw is baked into the read-only memory of the Nvidia Tegra X1 used in the Switch and a few other devices. It’s in the “Boot and Power Management Processor” to be specific, where a misformed packet sent during a routine USB device status check allows the connected device to send up to 64 kibibytes (65,535 bytes) of extra data that will be executed without question. You need to get into recovery mode first, but that’s easy.
As you can imagine, getting arbitrary code to run on a device that deep in its processes is a huge, huge vulnerability. Fortunately it’s only available to someone with direct, physical access to the Switch. But that in itself makes it an extremely powerful tool for anyone who wants to modify their own console.
Modding consoles is done for many reasons, and indeed piracy is among them. But people also want to do things Nintendo won’t let them, like back up their saved games, run custom software like emulators or extend the capabilities of the OS beyond the meager features the company has provided.
Temkin and her colleagues had planned to release the vulnerability publicly on June 15 or when someone releases the vulnerability independent of them — whichever came first. It turned out to be the latter, which apparently came as a surprise to no one in the community. The X1 exploit seems to have been something of an open secret.
The exploit was released anonymously by some hacker and Temkin accordingly published the team’s documentation of it on GitHub. If that’s too technical, there’s also some more plain-language chatter about the flaw in a FAQ posted earlier this month.
I emailed Temkin with a few questions. She wrote back that she encourages any interested developers to build on top of the work ReSwitched has done; “that’s the point of open-sourcing things like this.”
She also explained the origin of the hack’s French name:
“‘Fusée Gelée’ literally translates to ‘Frozen Rocket,’ and it’s a play on the name of the Switch’s operating system, which is called Horizon,” she wrote. “This is a coldboot exploit that launches payloads ‘above the Horizon’– hence ‘frozen rocket.'”
In addition to Temkin, failOverflow announced a small device that will short a pin in the USB connector and put the device into recovery mode, prepping it for exploitation. And Team-Xecuter was advertising a similar hardware attack months ago.
The answer to the most obvious question is no, you can’t just fire this up and start playing Wave Race 64 (or a pirated Zelda) on your Switch 15 minutes from now. The exploit still requires technical ability to implement, though as with many other hacks of this type, someone will likely graft it to a nice GUI that guides ordinary users through the process. (It certainly happened with the NES and SNES Classic Editions.)
Although the exploit can’t be patched away with a software update, Nintendo isn’t powerless. It’s likely that a modified Switch would be barred from the company’s online services (such as they are) and possibly the user’s account, as well. So although the hacking process is, compared with the soldering required for modchips of decades past, low on risk, it isn’t a golden ticket.
Furthermore, Nintendo is reportedly working on a hardware revision to the Switch that would use an updated and not-as-hackable new Tegra chip and possibly add more RAM.
That said, Fusée Gelée will almost certainly open the floodgates for developers and hackers who care little for Nintendo’s official ecosystem and would rather see what they can get this great piece of hardware to do on their own.
When contacted for comment, Nintendo said that “We have nothing to announce on this topic.” Nvidia published this security notice acknowledging the issue, which affects a handful of other devices, such as its own Shield tablet and the Google Pixel C.