Earlier this year hackers started to show evidence of an exploit that allowed you to load custom software on a Nintendo Switch game console. Theoretically that opens the door for homebrew applications, modified games, or even running an alternate operating system such as a GNU/Linux distribution on Nintendo’s latest game system. It could also make it possible to run pirated games, which is why console makers usually don’t encourage this sort of thing.

But now a team of hackers called ReSwitched has described a bootrom vulnerability called Fusée Gelée that makes it possible for anyone to hack a Nintendo Switch… assuming you’re willing to do a little hardware hacking too.

While this security vulnerability could also make it possible for someone else to hack your device, an attacker would need physical access to your hardware. So the risk of someone installing code on your Switch without your knowledge isn’t all that great.

Katherine Temkin

ReSwitched team member Katherine Temkin says the vulnerability affects the NVIDIA Tegra X1 processor used in all 15 million Nintendo Switch consoles sold to date, as well as other devices with Tegra X1 processors. Because the flaw is in the chip’s boot ROM, it cannot be patched via a software update. The only way for Nintendo and NVIDIA to create devices that aren’t vulnerable would be to release new hardware.

That said, it does take a little bit of work to hack your own Switch. In order to exploit the Fusée Gelée vulnerability, you’ll need to put the Nintendo Switch into USB recovery mode, which requires shorting a pin on the right Joy-Con connector. You could do that by bending a pin, using a wire, or eventually by purchasing a small accessory designed just for that purpose.

Update: Some folks are also 3D printing devices for shorting the pin… or coming up with lower-tech solutions.

And there is a chance you’ll damage your $300 game console by attempting to hack it. So proceed with caution.

For now, the Fusée Launcher is basically just a sample payload that lets you hack a Switch and add software that doesn’t do much of anything. Eventually ReSwitched plans to release a custom firmware version called Atmosphère that will allow users to run homebrew games and applications. The first release of Atmosphère is tentatively scheduled for this summer.

Meanwhile, the folks at another hacking team, fail0verflow, had also discovered the vulnerability exploited by Fusée Gelée, and they’ve released their own exploit, called ShofEL2. It’s already possible to use it to load a full-fledged GNU/Linux-based operating system such as Arch on a Switch console.

Both hacker teams had disclosed the vulnerability to affected parties including NVIDIA and Nintendo, and both had been planning to wait for a period of time before releasing their exploits to the public, in order to give those companies a chance to come up with strategies for addressing the bug. But this weekend somebody published details about the vulnerability, so both fail0verflow and ReSwitched went ahead and made their work public.

That opens the door for homebrew, custom firmware, and other hacks (including, possibly, piracy). And while I wouldn’t be surprised to see Nintendo start shipping new Switch devices that are protected from the vulnerability, even if that happens there will still be millions of affected devices already in the wild.

I suspect we’ll start to see eBay and Craigslist sellers highlight the hackable nature of used 1st-gen Switch hardware pretty soon.

Update: NVIDIA has issued a response to the vulnerability, confirming that it exists, but highlighting that “this issue cannot be exploited remotely, even if the device is connected to the Internet. Rather, a person must have physical access to an affected processor’s USB connection to bypass the secure boot and run unverified code.”

via Ars Technica, The Register, Slashdot and Katherine Temkin’s technical write-up of the Fusée Gelée vulnerability (PDF)


7 replies on “Nearly 15 million Nintendo Switches are now hackable (other NVIDIA Tegra X1 devices too)”

  1. IIRC, one of the main purposes of the exploit hunt over the past few months (other than fun) is to back up save games to external media, which the Switch doesn’t currently let you do. Several early adopters whose Switch console overheated or was otherwise irreparably damaged lost hours of save game data.

    That said, piracy is inevitable. But considering that there is already a Nintendo Switch emulator in the works (even if it’s in the beginning stages of Alpha and cannot run anything), Switch piracy isn’t long coming. This may have just accelerated it quite a bit.

  2. Lesson to learn for Nintendo from the 3DS: If it’s hacked, disable it all the way. If you let it access the e-shop, they will pirate all the games. Right now, even if your 3DS is hacked and Nintendo detects it and disables it, it can still access the eShop. And guess what, you can download any game from the eShop for free on the hacked 3DS. Not sideload it, there is no need for a pirate server. You can connect to Nintendo’s own server and get the game for free. And I guess Nintendo can let the 7 year old 3DS do this as it’s phased out, but the 1 year old Switch would get screwed over royally if pirating becomes easy and without consequences. You can’t even argue that it’s hard to get games for the Switch or that they are grossly overpriced.

    1. Seems like the existing teams are focusing on separate custom firmwares, and not modifying the fw of the Switch OS itself. Partially as a way of not encouraging piracy, and also separating your hacked and official OS experiences. That way you can have all the homebrew you want without worrying about getting banned from the eShop.

      Additionally, even though Nintendo can’t patch the exploit with software, they could still use software to detect if you’re running an altered Switch OS and prevent you from doing certain things like accessing the eShop.