“Fusée Gelée” Is An Unpatchable Nintendo Switch Exploit, Every Switch Unit Is Vulnerable To It

A future-proof Nintendo Switch hack emerged earlier this year and references for a new SOC were found in firmware 5.0 shortly after that and now an unpatchable Nintendo Switch exploit, Fusée Gelée, has surfaced that makes every Switch unit vulnerable.

This unpatchable Nintendo Switch hack was revealed by hacker Katherine Temkin and the hacking team at ReSwitched as they rolled out a detailed outline of how this Nintendo Switch exploit works.

The group is calling this exploit the Fusée Gelée coldboot vulnerability and the group has also rolled out a proof-of-concept that can be used on any Switch unit. The exploit is basically related to Nvidia Tegra X1 chip which unfortunately also powers the Nintendo Switch.

The exploit uses the Tegra X1’s USB recovery mode vulnerability that circumvents the lock-out functionality whose job is to protect the bootROM. The way this Nintendo Switch exploit works is that it sends a bad “length” argument to USB control procedure at the right point and the user can get the system to request up to 65,535 bytes per control.

What it does is that it makes a crucial direct memory access (DMA) buffer in bootROM to overflow and allowing the data to be copied and giving the hacker the ability to run arbitrary code on Nintendo Switch.

However, getting the Switch to get into the USB recovery mode is the most difficult part of making the exploit work which requires shorting out a pin on the right Joy-Con connector.

Nintendo Switch Exploit

Hacker group Fail0verflow has come up with a solution for that and has introduced a small device that can short the required pin. Hacker Katherine Temkin also noted that simple bending the pin will work just fine.

The reason why this exploit could make things difficult for Nintendo is that it is unpatchable as the bootROM can’t be modified once Tegra chip leaves the production. According to the hacker:

Unfortunately, access to the fuses needed to configure the device’s ipatches was blocked when the ODM_PRODUCTION fuse was burned, so no bootROM update is possible. It is suggested that consumers be made aware of the situation so they can move to other devices, where possible.

What this means is that Nintendo needs to seriously consider a new SOC for Nintendo Switch which will make the upcoming batch of Switch safe against these exploits. As for the Switch units already available in the market, they will remain vulnerable.

What is interesting is that Fail0verflow has revealed that it had been holding “a 90-day responsible disclosure window for ShofEL2” and also revealed an image showcasing Dolphin emulator running Legend of Zelda: Wind Waker on Nintendo Switch.

However, Fail0verflow has already rolled out its own ShofEL2 Tegra X1 bootROM exploit along with the Nintendo Switch Linux loader.

What do you think of this Nintendo Switch exploit? Let us know in the comments.

Source: Arstechnica