The Nintendo [1] Switch may soon be a haven for hackers, but not the kind that want your data — the kind that want to run SNES emulators and Linux on their handheld gaming consoles. A flaw in an Nvidia chip used by the Switch, [2] detailed today, lets power users inject code into the system and modify it however they choose.
The exploit, known as Fusée Gelée, was first hinted at by developer Kate Temkin[3] a few months ago. She and others at ReSwitched[4] worked to prove and document the exploit, sending it to Nvidia and Nintendo, among others.
Although responsible disclosure is to be applauded, it won’t make much difference here: this flaw isn’t the kind that can be fixed with a patch. Millions of Switches are vulnerable, permanently, to what amounts to a total jailbreak; only new ones with code tweaked at the factory will be immune.
That’s because the flaw is baked into the read-only memory of the Nvidia Tegra X1 used in the Switch and a few other devices. It’s in the “Boot and Power Management Processor” to be specific, where a misformed packet sent during a routine USB device status check allows the connected device to send up to 64 kibibytes (65,535 bytes) of extra data that will be executed without question. You need to get into recovery mode first, but that’s easy.
As you can imagine, getting arbitrary code to run on a device that deep in its processes is a huge, huge vulnerability. Fortunately it’s only available to someone with direct, physical access to the Switch. But that in itself makes it an extremely powerful tool for anyone who wants to modify their own...