
posted by Fnord666 on Tuesday April 24 2018, @09:21PM
from the unswitched dept.

A newly published "exploit chain" for Nvidia Tegra X1-based systems seems to describe an apparently unpatchable method for running arbitrary code on all currently available Nintendo Switch consoles. Hardware hacker Katherine Temkin and the hacking team at ReSwitched released an extensive outline of what they're calling the Fusée Gelée coldboot vulnerability earlier today, alongside a proof-of-concept payload that can be used on the Switch.

"Fusée Gelée isn't a perfect, 'holy grail' exploit—though in some cases it can be pretty damned close," Temkin writes in an accompanying FAQ.

The exploit, as outlined, makes use of a vulnerability inherent in the Tegra X1's USB recovery mode, circumventing the lock-out operations that would usually protect the chip's crucial bootROM. By sending a bad "length" argument to an improperly coded USB control procedure at the right point, the user can force the system to "request up to 65,535 bytes per control request." That data easily overflows a crucial direct memory access (DMA) buffer in the bootROM, in turn allowing data to be copied into the protected application stack and giving the attacker the ability to run arbitrary code.

[...] In the FAQ, Temkin says she has previously notified Nvidia and vendors like Nintendo about the existence of this exploit, providing what she considers an "adequate window [for Nvidia] to communicate with [its] downstream customers and to accomplish as much remediation as is possible for an unpatchable bootROM bug."

That said, Temkin writes that she's publicizing the exploit now in part because of "the potential for a lot of bad to be done by any parties who independently discover these vulnerabilities." There are also hints that other groups were threatening to publish a similar exploit ahead of Team ReSwitched's planned summer rollout, forcing today's "early" disclosure.

[Update: Shortly after this piece went live, Fail0verflow alleged that it had been holding to "a 90-day responsible disclosure window for ShofEL2 ending on April 25th. Since another person published the bug so close to our declared deadline, we're going to wait things out. Stay tuned." That update also included a screen of the Dolphin emulator apparently running Nintendo's Legend of Zelda: Wind Waker on a Nintendo Switch.]

[Further update: When it rains, it pours. Fail0verflow has now released its own ShofEL2 Tegra X1 bootROM exploit alongside a Nintendo Switch Linux loader, ahead of that planned April 25 launch. While the command-line steps to run the exploit don't seem too onerous for the technically inclined, the group warns "it's stupidly easy to blow up embedded platforms like this with bad software (e.g. all voltages are software-controlled). We already caused temporary damage to one LCD panel with bad power sequencing code. Seriously, do not complain if something goes wrong."]
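The bug class the story describes (a USB control-request handler that sizes a copy by the host-supplied 16-bit `wLength` field and copies into a fixed DMA buffer without comparing the two) is easy to see in a small model. The code below is an added illustration written for this page; it is not Nvidia's bootROM code, not from Temkin's write-up, and not from Fail0verflow. The buffer size (`DMA_BUF_SIZE`), the setup-packet contents and the host payload are all constructed; the memory "arena" with a canary region behind the buffer exists only so that the unchecked handler can be run safely and its out-of-bounds writes counted, which is the check a reviewer or fuzzer harness would want.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DMA_BUF_SIZE 0x1000u   /* constructed: size of the receive buffer in this model */
#define MAX_WLENGTH  0xFFFFu   /* largest value a 16-bit wLength can carry */
#define CANARY       0xA5u     /* fill pattern for memory that must stay untouched */

/* Standard 8-byte USB SETUP packet, little-endian multi-byte fields. */
struct usb_setup {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
};

/* Model of the firmware's memory: the DMA buffer followed by memory that a
 * correct handler must never touch. Sized so the unchecked copy below cannot
 * corrupt this program itself. */
static uint8_t arena[DMA_BUF_SIZE + MAX_WLENGTH];

static void reset_arena(void) { memset(arena, CANARY, sizeof arena); }

/* Count bytes past the buffer boundary whose canary was overwritten. */
static size_t clobbered_bytes(void) {
    size_t n = 0;
    for (size_t i = DMA_BUF_SIZE; i < sizeof arena; i++)
        if (arena[i] != CANARY) n++;
    return n;
}

/* Decode the raw setup packet exactly as it arrives from the host. */
static void parse_setup(const uint8_t pkt[8], struct usb_setup *out) {
    out->bmRequestType = pkt[0];
    out->bRequest      = pkt[1];
    out->wValue  = (uint16_t)(pkt[2] | (pkt[3] << 8));
    out->wIndex  = (uint16_t)(pkt[4] | (pkt[5] << 8));
    out->wLength = (uint16_t)(pkt[6] | (pkt[7] << 8));
}

/* Vulnerable pattern: wLength is used as the copy size with no comparison
 * against the buffer, so a host may force up to 65,535 bytes into a 4 KiB buffer. */
static size_t unchecked_receive(const struct usb_setup *s, const uint8_t *data) {
    size_t len = s->wLength;
    memcpy(arena, data, len);
    return len;
}

/* Hardened pattern: reject (stall) any request larger than the buffer before
 * a single byte is copied. */
static int checked_receive(const struct usb_setup *s, const uint8_t *data, size_t *copied) {
    size_t len = s->wLength;
    if (len > DMA_BUF_SIZE) {
        *copied = 0;
        return -1;
    }
    memcpy(arena, data, len);
    *copied = len;
    return 0;
}

/* Build a constructed setup packet carrying the given wLength. */
static void make_setup(uint16_t wlength, struct usb_setup *s) {
    uint8_t pkt[8] = { 0xC0, 0x01, 0, 0, 0, 0,
                       (uint8_t)(wlength & 0xFF), (uint8_t)(wlength >> 8) };
    parse_setup(pkt, s);
}

/* Run the unchecked handler on a request of the given wLength and report how
 * many bytes landed beyond the buffer (0 means no overflow). */
size_t demo_overflow_bytes(uint16_t wlength) {
    static uint8_t payload[MAX_WLENGTH];   /* constructed host data */
    memset(payload, 0x00, sizeof payload);
    struct usb_setup s;
    make_setup(wlength, &s);
    reset_arena();
    unchecked_receive(&s, payload);
    return clobbered_bytes();
}

/* Run the hardened handler: returns -1 if the request was rejected, otherwise
 * the number of bytes copied. */
long demo_checked(uint16_t wlength) {
    static uint8_t payload[MAX_WLENGTH];
    memset(payload, 0x00, sizeof payload);
    struct usb_setup s;
    make_setup(wlength, &s);
    reset_arena();
    size_t copied;
    if (checked_receive(&s, payload, &copied) != 0) return -1;
    return (long)copied;
}

int main(void) {
    printf("unchecked, wLength=0xFFFF: %zu bytes past buffer\n", demo_overflow_bytes(0xFFFF));
    printf("unchecked, wLength=64:     %zu bytes past buffer\n", demo_overflow_bytes(64));
    printf("checked,   wLength=0xFFFF: %ld (rejected)\n", demo_checked(0xFFFF));
    printf("checked,   wLength=64:     %ld bytes copied\n", demo_checked(64));
    return 0;
}
```

The hardened handler is the whole fix: one comparison of the request length against the buffer before the copy. The canary count is the kind of instrumentation worth keeping in a firmware test harness, because it turns "the copy was too long" into a number a unit test can assert on rather than a crash that may or may not be noticed.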


  • (Score: 2) by vux984 on Tuesday April 24 2018, @11:24PM (3 children)

    by vux984 (5045) on Tuesday April 24 2018, @11:24PM (#671416)

    "A car is full of serviceable parts, and requires access to the innards for normal operation"

    Nope.

    "which includes basic weekly checks and maintenance."

    I'm sure your manufacturer would love you to have to make a weekly maintenance pit-stop. You should be thankful they aren't allowed to do that.

    But even so I'm not sure what you are on about. I haven't opened the engine lid (I'd say 'hood' but one of the cars is a 911) of either of my cars in months, possibly years now. I'm still adamant that I should be allowed to, but in practice, if I had to open the lid between service intervals, something is wrong with the car. You could maybe make the argument that you need to top up your radiator or wiper fluid... but if you need to top up your radiator between regular service intervals, your car is broken, and the wiper fluid... again... if you gave them the choice, they'd easily argue that it should only be done by a qualified tech who knows not to under / over fill it, and knows what to top it up with, etc. If you let them, they'd redefine it as non-user serviceable in a heartbeat.

    As for it being a shitty analogy to a tablet, not really. The tinkering with a tablet type of device is much more about the software end of things than all the 'parts' inside the shell; and the restrictions and limitations on adjusting and controlling the software are 100% artificial; the same as bolting the hood of your car shut would be. The analogy holds up very well.

  • (Score: 0) by Anonymous Coward on Wednesday April 25 2018, @04:26AM (2 children)

    by Anonymous Coward on Wednesday April 25 2018, @04:26AM (#671511)

    You're supposed to check the oil level on most cars fairly frequently. The 911's manual says to do it every time you fuel up.

    • (Score: 0) by Anonymous Coward on Wednesday April 25 2018, @07:21AM

      by Anonymous Coward on Wednesday April 25 2018, @07:21AM (#671535)

      Might not be a 1960s model 911.

      My 1991 Toyota has a warning light on the dash that turns on when the oil level gets below half way between max and min, and I'd expect that technology to have reached Germany by now.

    • (Score: 2) by vux984 on Thursday April 26 2018, @02:49AM

      by vux984 (5045) on Thursday April 26 2018, @02:49AM (#671996)

      "The 911's manual says to do it every time you fuel up."

      My 911 does an electronic self check every time I turn it on, when the key is first turned to accessory before turning the engine on; you can wait for it to complete, or you can just turn the key. This check is most accurate once the car is warmed up, so making a point of waiting for it to complete when you fill up for gas is pretty much ideal.