
posted by Fnord666 on Tuesday April 24 2018, @09:21PM
from the unswitched dept.

A newly published "exploit chain" for Nvidia Tegra X1-based systems seems to describe an apparently unpatchable method for running arbitrary code on all currently available Nintendo Switch consoles. Hardware hacker Katherine Temkin and the hacking team at ReSwitched released an extensive outline of what they're calling the Fusée Gelée coldboot vulnerability earlier today, alongside a proof-of-concept payload that can be used on the Switch.

"Fusée Gelée isn't a perfect, 'holy grail' exploit—though in some cases it can be pretty damned close," Temkin writes in an accompanying FAQ.

The exploit, as outlined, makes use of a vulnerability inherent in the Tegra X1's USB recovery mode, circumventing the lock-out operations that would usually protect the chip's crucial bootROM. By sending a bad "length" argument to an improperly coded USB control procedure at the right point, the user can force the system to "request up to 65,535 bytes per control request." That data easily overflows a crucial direct memory access (DMA) buffer in the bootROM, in turn allowing data to be copied into the protected application stack and giving the attacker the ability to run arbitrary code.

[...] In the FAQ, Temkin says she has previously notified Nvidia and vendors like Nintendo about the existence of this exploit, providing what she considers an "adequate window [for Nvidia] to communicate with [its] downstream customers and to accomplish as much remediation as is possible for an unpatchable bootROM bug."

That said, Temkin writes that she's publicizing the exploit now in part because of "the potential for a lot of bad to be done by any parties who independently discover these vulnerabilities." There are also hints that other groups were threatening to publish a similar exploit ahead of Team ReSwitched's planned summer rollout, forcing today's "early" disclosure.

[Update: Shortly after this piece went live, Fail0verflow alleged that it had been holding to "a 90-day responsible disclosure window for ShofEL2 ending on April 25th. Since another person published the bug so close to our declared deadline, we're going to wait things out. Stay tuned." That update also included a screen of the Dolphin emulator apparently running Nintendo's Legend of Zelda: Wind Waker on a Nintendo Switch.]

[Further update: When it rains, it pours. Fail0verflow has now released its own ShofEL2 Tegra X1 bootROM exploit alongside a Nintendo Switch Linux loader, ahead of that planned April 25 launch. While the command-line steps to run the exploit don't seem too onerous for the technically inclined, the group warns "it's stupidly easy to blow up embedded platforms like this with bad software (e.g. all voltages are software-controlled). We already caused temporary damage to one LCD panel with bad power sequencing code. Seriously, do not complain if something goes wrong."]
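The bug class the article describes, an unvalidated host-supplied length on a USB control request, modelled as an added illustrative C example (not the Tegra bootROM's code, nor ReSwitched's or Fail0verflow's): a handler that trusts wLength beside one that checks it. The buffer size, the memory layout, the guard region and the ACK/STALL return codes are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>

/* USB SETUP packet: the 8-byte header of every control request.
 * wLength is host-controlled and may be as large as 65535. */
struct usb_setup {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
};

/* Constructed memory model (assumption, not the real bootROM layout):
 * a fixed DMA receive buffer immediately followed by GUARD_SIZE bytes
 * that stand in for the stack the article says gets overwritten. */
#define DMA_BUF_SIZE 4096
#define GUARD_SIZE   16
struct device_mem {
    uint8_t mem[DMA_BUF_SIZE + GUARD_SIZE];
};

enum { CTRL_ACK = 0, CTRL_STALL = -1 };

/* Vulnerable pattern: the handler believes wLength and copies that many
 * bytes into a buffer that only holds DMA_BUF_SIZE; the excess lands in
 * whatever follows the buffer in memory. */
int handle_control_unchecked(struct device_mem *m, const struct usb_setup *s,
                             const uint8_t *payload)
{
    memcpy(m->mem, payload, s->wLength);
    return CTRL_ACK;
}

/* Hardened pattern: validate the declared length against the real buffer
 * capacity before any copy or DMA is set up, and refuse oversized
 * requests with a protocol STALL rather than truncating silently. */
int handle_control_checked(struct device_mem *m, const struct usb_setup *s,
                           const uint8_t *payload)
{
    if (s->wLength > DMA_BUF_SIZE)
        return CTRL_STALL;
    memcpy(m->mem, payload, s->wLength);
    return CTRL_ACK;
}
```

The same check belongs at every point where a host-declared length is turned into a DMA descriptor, since a single missed path is enough to reproduce the overflow.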


  • (Score: 2) by DeathMonkey (1380) on Wednesday April 25 2018, @06:03PM (#671741)

    Use your words.