posted by Fnord666 on Tuesday April 24 2018, @09:21PM
from the unswitched dept.

A newly published "exploit chain" for Nvidia Tegra X1-based systems seems to describe an apparently unpatchable method for running arbitrary code on all currently available Nintendo Switch consoles. Hardware hacker Katherine Temkin and the hacking team at ReSwitched released an extensive outline of what they're calling the Fusée Gelée coldboot vulnerability earlier today, alongside a proof-of-concept payload that can be used on the Switch.

"Fusée Gelée isn't a perfect, 'holy grail' exploit—though in some cases it can be pretty damned close," Temkin writes in an accompanying FAQ.

The exploit, as outlined, makes use of a vulnerability in the Tegra X1's USB recovery mode, circumventing the lock-out operations that would usually protect the chip's crucial bootROM. By sending a bad "length" argument to an improperly coded USB control procedure at the right point, the user can force the system to "request up to 65,535 bytes per control request" (the largest value the 16-bit length field of a USB control request can hold). That data easily overflows a crucial direct memory access (DMA) buffer in the bootROM, in turn allowing attacker-supplied bytes to be copied over the protected application stack and giving the attacker the ability to run arbitrary code.
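The bug class described above (a copy whose length comes straight from the request's 16-bit length field, bounded only by the data available rather than by the destination buffer) can be shown in a few dozen lines. The following is an added illustration, not Nvidia's bootROM code and not any part of the Fusée Gelée or ShofEL2 releases: it parses a standard USB SETUP packet, then runs a vulnerable control-request handler and a hardened one against a toy memory model in which a small DMA buffer sits directly below memory standing in for the boot processor's stack. The buffer sizes, the stack offset of the "saved return address" sentinel, the request codes and the 300-byte payload are all assumptions made for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Standard 8-byte USB SETUP packet. wLength is a little-endian 16-bit field,
 * which is why one control request can ask for at most 65,535 bytes. */
struct usb_setup {
    uint8_t  bmRequestType, bRequest;
    uint16_t wValue, wIndex, wLength;
};

static struct usb_setup parse_setup(const uint8_t raw[8])
{
    struct usb_setup s;
    s.bmRequestType = raw[0];
    s.bRequest      = raw[1];
    s.wValue  = (uint16_t)(raw[2] | (raw[3] << 8));
    s.wIndex  = (uint16_t)(raw[4] | (raw[5] << 8));
    s.wLength = (uint16_t)(raw[6] | (raw[7] << 8));
    return s;
}

/* SETUP packet with an attacker-chosen wLength; request type is a placeholder. */
static void build_setup(uint8_t out[8], uint16_t wLength)
{
    memset(out, 0, 8);
    out[0] = 0x80;                      /* device-to-host, standard request */
    out[6] = (uint8_t)(wLength & 0xFF);
    out[7] = (uint8_t)(wLength >> 8);
}

/* Toy memory model (sizes assumed for the demo, not the Tegra X1 layout):
 * a fixed DMA buffer immediately followed by "stack" memory holding a
 * sentinel where a saved return address would live. */
#define DMA_BUF_SIZE 64u
#define STACK_SIZE   256u
#define RET_OFFSET   32u
#define RET_SENTINEL 0xDEADBEEFu

struct device_mem {
    uint8_t dma_buf[DMA_BUF_SIZE];
    uint8_t stack[STACK_SIZE];
};

static void mem_init(struct device_mem *m)
{
    uint32_t s = RET_SENTINEL;
    memset(m, 0, sizeof *m);
    memcpy(m->stack + RET_OFFSET, &s, sizeof s);
}

static int ret_addr_intact(const struct device_mem *m)
{
    uint32_t v;
    memcpy(&v, m->stack + RET_OFFSET, sizeof v);
    return v == RET_SENTINEL;
}

/* Vulnerable pattern: copy length comes from wLength, bounded only by the
 * data on hand, never by DMA_BUF_SIZE. The src_len cap keeps the demo inside
 * its model memory; the real bug has no such bound. The destination is
 * addressed as the whole model so the overflow into "stack" is deliberate. */
static long handle_control_vulnerable(struct device_mem *m, const struct usb_setup *s,
                                      const uint8_t *src, size_t src_len)
{
    size_t n = s->wLength;
    if (src_len > sizeof *m) return -1;
    if (n > src_len) n = src_len;
    memcpy((uint8_t *)m, src, n);       /* overflows when n > DMA_BUF_SIZE */
    return (long)n;
}

/* Hardened form: clamp the request to the buffer the DMA engine owns. */
static long handle_control_hardened(struct device_mem *m, const struct usb_setup *s,
                                    const uint8_t *src, size_t src_len)
{
    size_t n = s->wLength;
    if (n > DMA_BUF_SIZE) n = DMA_BUF_SIZE;
    if (n > src_len) n = src_len;
    memcpy(m->dma_buf, src, n);
    return (long)n;
}

/* Drive one handler with wLength = 0xFFFF and a constructed 300-byte payload;
 * returns bytes copied and reports whether the sentinel survived. */
static long run_case(int hardened, int *intact)
{
    struct device_mem m;
    uint8_t raw[8], payload[300];
    struct usb_setup s;
    long copied;
    mem_init(&m);
    build_setup(raw, 0xFFFF);
    s = parse_setup(raw);
    memset(payload, 0x41, sizeof payload);              /* constructed filler */
    copied = hardened ? handle_control_hardened(&m, &s, payload, sizeof payload)
                      : handle_control_vulnerable(&m, &s, payload, sizeof payload);
    *intact = ret_addr_intact(&m);
    return copied;
}

int main(void)
{
    int intact;
    long n = run_case(0, &intact);
    printf("vulnerable: copied %ld bytes, return address %s\n", n, intact ? "intact" : "CLOBBERED");
    n = run_case(1, &intact);
    printf("hardened:   copied %ld bytes, return address %s\n", n, intact ? "intact" : "CLOBBERED");
    return 0;
}
```

The point of the model is the ordering of the two checks: the vulnerable handler clamps only to what is available, so a 300-byte staged payload with wLength set to 0xFFFF walks 236 bytes past the 64-byte buffer and lands on the sentinel; the hardened handler clamps to the destination first and stops at 64 bytes regardless of what the host asked for. In mask ROM there is no patch, which is why the fix has to come from never trusting a host-supplied length against a fixed buffer in the first place.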

[...] In the FAQ, Temkin says she has previously notified Nvidia and vendors like Nintendo about the existence of this exploit, providing what she considers an "adequate window [for Nvidia] to communicate with [its] downstream customers and to accomplish as much remediation as is possible for an unpatchable bootROM bug."

That said, Temkin writes that she's publicizing the exploit now in part because of "the potential for a lot of bad to be done by any parties who independently discover these vulnerabilities." There are also hints that other groups were threatening to publish a similar exploit ahead of Team ReSwitched's planned summer roll out, forcing today's "early" disclosure.

[Update: Shortly after this piece went live, Fail0verflow alleged that it had been holding to "a 90-day responsible disclosure window for ShofEL2 ending on April 25th. Since another person published the bug so close to our declared deadline, we're going to wait things out. Stay tuned." That update also included a screen of the Dolphin emulator apparently running Nintendo's Legend of Zelda: Wind Waker on a Nintendo Switch.]

[Further update: When it rains, it pours. Fail0verflow has now released its own ShofEL2 Tegra X1 bootROM exploit alongside a Nintendo Switch Linux loader, ahead of that planned April 25 launch. While the command-line steps to run the exploit don't seem too onerous for the technically inclined, the group warns "it's stupidly easy to blow up embedded platforms like this with bad software (e.g. all voltages are software-controlled). We already caused temporary damage to one LCD panel with bad power sequencing code. Seriously, do not complain if something goes wrong."]


  • (Score: 0) by Anonymous Coward on Wednesday April 25 2018, @04:26AM (2 children)

    by Anonymous Coward on Wednesday April 25 2018, @04:26AM (#671511)

    You're supposed to check the oil level on most cars fairly frequently. The 911's manual says to do it every time you fuel up.

  • (Score: 0) by Anonymous Coward on Wednesday April 25 2018, @07:21AM

    by Anonymous Coward on Wednesday April 25 2018, @07:21AM (#671535)

    Might not be a 1960s model 911.

    My 1991 Toyota has a warning light on the dash that turns on when the oil level gets below half way between max and min, and I'd expect that technology to have reached Germany by now.

  • (Score: 2) by vux984 on Thursday April 26 2018, @02:49AM

    by vux984 (5045) on Thursday April 26 2018, @02:49AM (#671996)

    "The 911's manual says to do it every time you fuel up."

    My 911 does an electronic self check every time I turn it on, when the key is first turned to accessory before turning the engine on; you can wait for it to complete, or you can just turn the key. This check is most accurate once the car is warmed up, so making a point of waiting for it to complete when you fill up for gas is pretty much ideal.