posted by Fnord666 on Tuesday April 24 2018, @09:21PM
from the unswitched dept.

A newly published "exploit chain" for Nvidia Tegra X1-based systems seems to describe an apparently unpatchable method for running arbitrary code on all currently available Nintendo Switch consoles. Hardware hacker Katherine Temkin and the hacking team at ReSwitched released an extensive outline of what they're calling the Fusée Gelée coldboot vulnerability earlier today, alongside a proof-of-concept payload that can be used on the Switch.

"Fusée Gelée isn't a perfect, 'holy grail' exploit—though in some cases it can be pretty damned close," Temkin writes in an accompanying FAQ.

The exploit, as outlined, makes use of a vulnerability inherent in the Tegra X1's USB recovery mode, circumventing the lock-out operations that would usually protect the chip's crucial bootROM. By sending a bad "length" argument to an improperly coded USB control procedure at the right point, the user can force the system to "request up to 65,535 bytes per control request." That data easily overflows a crucial direct memory access (DMA) buffer in the bootROM, in turn allowing data to be copied into the protected application stack and giving the attacker the ability to run arbitrary code.

[...] In the FAQ, Temkin says she has previously notified Nvidia and vendors like Nintendo about the existence of this exploit, providing what she considers an "adequate window [for Nvidia] to communicate with [its] downstream customers and to accomplish as much remediation as is possible for an unpatchable bootROM bug."

That said, Temkin writes that she's publicizing the exploit now in part because of "the potential for a lot of bad to be done by any parties who independently discover these vulnerabilities." There are also hints that other groups were threatening to publish a similar exploit ahead of Team ReSwitched's planned summer roll out, forcing today's "early" disclosure.

[Update: Shortly after this piece went live, Fail0verflow alleged that it had been holding to "a 90-day responsible disclosure window for ShofEL2 ending on April 25th. Since another person published the bug so close to our declared deadline, we're going to wait things out. Stay tuned." That update also included a screen of the Dolphin emulator apparently running Nintendo's Legend of Zelda: Wind Waker on a Nintendo Switch.]

[Further update: When it rains, it pours. Fail0verflow has now released its own ShofEL2 Tegra X1 bootROM exploit alongside a Nintendo Switch Linux loader, ahead of that planned April 25 launch. While the command-line steps to run the exploit don't seem too onerous for the technically inclined, the group warns "it's stupidly easy to blow up embedded platforms like this with bad software (e.g. all voltages are software-controlled). We already caused temporary damage to one LCD panel with bad power sequencing code. Seriously, do not complain if something goes wrong."]
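The check the summary describes as missing, as an added example in C that is not code from the page, from ReSwitched, from Fail0verflow or from Nvidia: a simulated USB control-request handler in which the buffer size (DMA_BUF_SIZE), the vendor request type and the packet builder are constructed values. `unchecked_transfer_length` shows the shape of the flaw (the transfer length taken straight from the host-controlled wLength field); `handle_control_out` is the hardened form, which stalls any request that does not fit the DMA buffer, and `sweep_all_lengths` confirms that invariant across all 65,536 possible wLength values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the simulated DMA buffer. Constructed value: the page does
 * not give the real bootROM buffer size. */
#define DMA_BUF_SIZE 512u
/* Largest value the 16-bit wLength field can carry. */
#define USB_MAX_WLENGTH 65535u

/* The 8-byte USB SETUP packet (USB 2.0 spec, chapter 9). */
typedef struct {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;   /* bytes the host intends to transfer */
} usb_setup_packet;

typedef struct {
    uint8_t data[DMA_BUF_SIZE];
    size_t  used;
} dma_buffer;

typedef enum {
    XFER_OK = 0,
    XFER_STALL_BAD_PACKET,  /* setup packet missing or not 8 bytes */
    XFER_STALL_TOO_LONG     /* wLength exceeds the DMA buffer */
} xfer_status;

/* Decode a SETUP packet; wValue, wIndex and wLength are little-endian. */
bool parse_setup_packet(const uint8_t *raw, size_t raw_len, usb_setup_packet *out)
{
    if (raw == NULL || out == NULL || raw_len != 8)
        return false;
    out->bmRequestType = raw[0];
    out->bRequest      = raw[1];
    out->wValue        = (uint16_t)(raw[2] | (raw[3] << 8));
    out->wIndex        = (uint16_t)(raw[4] | (raw[5] << 8));
    out->wLength       = (uint16_t)(raw[6] | (raw[7] << 8));
    return true;
}

/* Build a vendor host-to-device SETUP packet (bmRequestType 0x40) carrying
 * the given wLength. Constructed for the demo; bRequest 0x01 is arbitrary. */
void make_vendor_out_setup(uint16_t wLength, uint8_t raw[8])
{
    raw[0] = 0x40; raw[1] = 0x01;
    raw[2] = 0;    raw[3] = 0;
    raw[4] = 0;    raw[5] = 0;
    raw[6] = (uint8_t)(wLength & 0xff);
    raw[7] = (uint8_t)(wLength >> 8);
}

/* The flaw's essence: the transfer length is whatever the host put in
 * wLength. A caller that DMAs this many bytes into a DMA_BUF_SIZE buffer
 * overflows for any wLength above the capacity. This only reports the
 * length and never copies, so the demo cannot corrupt memory. */
size_t unchecked_transfer_length(const usb_setup_packet *p)
{
    return p->wLength;
}

/* Hardened handler: stall any request whose wLength exceeds the buffer,
 * then copy no more than the smaller of wLength and the bytes received. */
xfer_status handle_control_out(dma_buffer *buf, const uint8_t *raw, size_t raw_len,
                               const uint8_t *payload, size_t payload_len)
{
    usb_setup_packet p;
    if (!parse_setup_packet(raw, raw_len, &p))
        return XFER_STALL_BAD_PACKET;
    if (p.wLength > DMA_BUF_SIZE)
        return XFER_STALL_TOO_LONG;
    size_t n = p.wLength < payload_len ? p.wLength : payload_len;
    memcpy(buf->data, payload, n);
    buf->used = n;
    return XFER_OK;
}

/* Try every wLength: the handler must accept exactly the requests that fit
 * and record the right byte count for each. Returns true if that holds. */
bool sweep_all_lengths(void)
{
    static uint8_t payload[USB_MAX_WLENGTH];
    dma_buffer buf;
    uint8_t raw[8];
    memset(payload, 0xA5, sizeof payload);
    for (uint32_t len = 0; len <= USB_MAX_WLENGTH; len++) {
        make_vendor_out_setup((uint16_t)len, raw);
        bool accepted = handle_control_out(&buf, raw, 8, payload, len) == XFER_OK;
        if (accepted != (len <= DMA_BUF_SIZE) || (accepted && buf.used != len))
            return false;
    }
    return true;
}

int main(void)
{
    uint8_t raw[8];
    usb_setup_packet p;
    make_vendor_out_setup(0xFFFF, raw);
    parse_setup_packet(raw, 8, &p);
    printf("unchecked length for wLength=0xFFFF: %zu bytes into a %u-byte buffer\n",
           unchecked_transfer_length(&p), DMA_BUF_SIZE);
    printf("hardened handler: %s\n", sweep_all_lengths() ? "no oversize request accepted" : "FAILED");
    return 0;
}
```

The fix is deliberately a reject rather than a silent clamp: a device that truncates an oversize request still tells the host nothing, whereas a STALL makes the malformed request visible to both sides and leaves no partially written buffer for later code to trust.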

Related Stories

Nintendo Begins Locking Out Switch Hackers From Online Services

Nintendo Switch hackers are being banned from online services

Not long after its March launch last year, it was revealed that a GPU exploit in the Nintendo Switch could be used to run unofficial software, like pirated games and homebrew ROMs. Since then, the Switch's hacking community has grown, and the discovery of a new 'unpatchable' exploit last month has only made the console more attractive to pirates and homebrew fans.

Nintendo isn't taking the assault on its walled garden lightly, however, and is taking steps to crack down and dissuade users from taking advantage of the security holes.

The Japanese company has begun banning hacked consoles from its online services, sending error notifications when users attempt to log in. According to the message, "The use of online services on this console is currently restricted by Nintendo," and users will need to "Contact Customer Support via the Nintendo Support Website".

Also at Nintendo Life.

Previously: Nintendo Switch Homebrew Mode Coming Soon Due to NVIDIA Tegra X1 Exploit
Hacking Group Fail0verflow Shows Linux Running on the Nintendo Switch
The "Unpatchable" Exploit That Makes Every Current Nintendo Switch Hackable [Updated]

Related: Nintendo Switch is Fastest-Selling US Home Console

Nintendo Reveals "Switch Lite", a Smaller and Cheaper Version of its Popular Gaming Device

Submitted via IRC for AndyTheAbsurd

Nintendo reveals new Switch Lite, a smaller and cheaper version of popular Switch gaming device

Nintendo on Wednesday unveiled the Nintendo Switch Lite, a smaller and cheaper version of its popular Switch device. The Switch Lite is meant solely for handheld play, as opposed to the larger Switch that lets gamers connect to a TV. It also has a smaller screen; no kickstand; and does not come with detachable Joy-Con controllers — akin to the Game Boy or Nintendo DS. But it does have a new D-pad; a longer battery life; can play all Switch games; and allows for multiplayer via wireless controllers and Nintendo Switch Online.

Think I'll go with the bigger, more expensive - and far more capable - version. Hopefully the price comes down after this new device comes out.

takyon: Nintendo announces Switch Lite handheld console with updated Nvidia Tegra SoC

Previous reports stated that Nintendo will integrate updated hardware for all new variants, and this is in line with a recent analysis coming from Tirias Research principal analyst Jim McGregor, who informs that "the new Nintendo Switch [Lite] will take advantage of two generations of die shrinks to its Nvidia Tegra processor... By joining the joycons to the main body of the Switch, Nintendo will squeeze out the expensive and sophisticated wireless joycons and create a mobile-first Switch platform. The die shrink of the Nvidia Tegra processor will provide better battery life and a meaningful [graphics] upgrade."

Also at Bloomberg.

See also: Nintendo Switch Lite's trade-off of whimsy for practicality is a good one
The new Nintendo Switch Lite undermines what made the original Switch so special
The Nintendo Switch Lite is the right move coming at the right time from Nintendo
Nintendo says the Switch Lite isn't going to replace the 3DS (more accurately, they won't end support for 3DS)

  • (Score: 2, Offtopic) by Anonymous Coward on Tuesday April 24 2018, @09:51PM (1 child)

    by Anonymous Coward on Tuesday April 24 2018, @09:51PM (#671361)

    Yup. Transgender [youtu.be].

    Every time.

  • (Score: 4, Interesting) by bob_super on Tuesday April 24 2018, @09:51PM (16 children)

    by bob_super (1357) on Tuesday April 24 2018, @09:51PM (#671362)

    That data easily overflows a crucial direct memory access (DMA) buffer

    In sadly unsurprising news, it's 2018 and you still can own systems with buffer overflows that magically execute code.

    Once again, with apologies to Tom Lehrer:
    Sanitize, Sanitize,
    Let no input evade your eyes
    Sanitize, Sanitize

    • (Score: 3, Informative) by Anonymous Coward on Tuesday April 24 2018, @10:19PM (15 children)

      by Anonymous Coward on Tuesday April 24 2018, @10:19PM (#671378)

      Also in sadly unsurprising news, massive amounts of people buy devices that are intentionally hostile towards the idea that users should have freedom and control over them.

      • (Score: 3, Interesting) by bob_super on Tuesday April 24 2018, @10:40PM (14 children)

        by bob_super (1357) on Tuesday April 24 2018, @10:40PM (#671387)

        Leaving aside the fact that 99% of users do not give a shit about tinkering with the Tegra in their device, what exactly do you plan on doing with your now-open video console? More precisely, does any of the things you want to do with it, make sense for the manufacturer to have to deal with the consequences of? Letting you tinker with the hardware or the files adds significant costs, either because you break hardware, or because every piece of software has to check the integrity of every file it accesses to prevent instability or game tampering (e.g. tweak your own game, break network play).

        • (Score: 4, Interesting) by vux984 on Tuesday April 24 2018, @10:51PM (6 children)

          by vux984 (5045) on Tuesday April 24 2018, @10:51PM (#671394)

          "More precisely, does any of the things you want to do with it, make sense for the manufacturer to have to deal with the consequences of?"

          That's why you support car manufacturer's right to bolt the hood shut and require you to bring it to a dealer for service?
          What does any of the things you want to do with it, make sense for the manufacturer to have to deal with the consequences of?

          That adds significant costs. Maybe you'll break something. Or make something unstable. Or you'll disable the pollution controls, or remove the rev-limiter, or turn off their in car advertising tracking systems. Or you'll fix it yourself with the wrong parts. Or god knows what else.

          But you're right there is nothing in the manufacturer's interest in allowing any of that to be possible.

          But the manufacturer sold it to me, that means it's mine now, and I should have a few rights to the things that are mine... even if it's not always strictly in the manufacturer's best interest. It's in MY best interest.

          • (Score: 2, Disagree) by bob_super on Tuesday April 24 2018, @10:58PM (5 children)

            by bob_super (1357) on Tuesday April 24 2018, @10:58PM (#671402)

            Just in case you didn't notice: A car is full of serviceable parts, and requires access to the innards for normal operation, which includes basic weekly checks and maintenance.
            Pretty shitty analogy for a tablet.

            I'm not defending the manufacturers who lock down. I'm reacting to someone who bitches that they should be able to tinker with everything, and people are terrible for buying stuff that isn't designed for tinkering, as if there was no cost associated with that.

            • (Score: 2) by vux984 on Tuesday April 24 2018, @11:24PM (3 children)

              by vux984 (5045) on Tuesday April 24 2018, @11:24PM (#671416)

              "A car is full of serviceable parts, and requires access to the innards for normal operation"

              Nope.

              "which includes basic weekly checks and maintenance."

              I'm sure your manufacturer would love you to have to make a weekly maintenance pit-stop. You should be thankful they aren't allowed to do that.

              But even so I'm not sure what you are on about. I haven't opened the engine lid (I'd say 'hood' but one of the cars is a 911) of either of my cars in months, possibly years now. I'm still adamant that I should be allowed to, but in practice, if I had to open the lid between service intervals, something is wrong with the car. You could maybe make the argument that you need to top up your radiator or wiper fluid... but if you need to top up your radiator between regular service intervals, your car is broken, and the wiper fluid... again... if you gave them the choice, they'd easily argue that it should only be done by a qualified tech who knows not to under / over fill it, and knows what to top it up with, etc. If you let them, they'd redefine it as non-user serviceable in a heartbeat.

              As for it being a shitty analogy to a tablet, not really. The tinkering with a tablet type of device is much more about the software end of things than all the 'parts' inside the shell; and the restrictions and limitations on adjusting and controlling the software are 100% artificial; the same as bolting the hood of your car shut would be. The analogy holds up very well.

              • (Score: 0) by Anonymous Coward on Wednesday April 25 2018, @04:26AM (2 children)

                by Anonymous Coward on Wednesday April 25 2018, @04:26AM (#671511)

                You're supposed to check the oil level on most cars fairly frequently. The 911's manual says to do it every time you fuel up.

                • (Score: 0) by Anonymous Coward on Wednesday April 25 2018, @07:21AM

                  by Anonymous Coward on Wednesday April 25 2018, @07:21AM (#671535)

                  Might not be a 1960s model 911.

                  My 1991 Toyota has a warning light on the dash that turns on when the oil level gets below half way between max and min, and I'd expect that technology to have reached Germany by now.

                • (Score: 2) by vux984 on Thursday April 26 2018, @02:49AM

                  by vux984 (5045) on Thursday April 26 2018, @02:49AM (#671996)

                  "The 911's manual says to do it every time you fuel up."

                  My 911 does an electronic self check every time I turn it on, when the key is first turned to accessory before turning the engine on; you can wait for it to complete, or you can just turn the key. This check is most accurate once the car is warmed up; so making a point of waiting for it to complete when you fill up for gas is pretty much ideal.

            • (Score: 3, Interesting) by jmorris on Wednesday April 25 2018, @01:18AM

              by jmorris (4844) on Wednesday April 25 2018, @01:18AM (#671455)

              What is the cost here? It costs extra to design intricate DRM systems into the SoC, it costs to implement the full lockdown across the entire software stack and ecosystem.

              Of course the upside is cash money, game console manufacturers can extract monopoly rents from software publishers for access to their hardware. And make no mistake, it is their hardware no matter how much money changes hands for he who controls a thing, owns that thing.

        • (Score: 2, Interesting) by Anonymous Coward on Wednesday April 25 2018, @02:26AM (2 children)

          by Anonymous Coward on Wednesday April 25 2018, @02:26AM (#671471)

          Leaving aside the fact that 99% of users do not give a shit about tinkering with the Tegra in their device

          This is the wrong way to look at it. If a device completely respects a users' freedoms (as in, it doesn't require any proprietary software or blobs whatsoever), then even non-technical users benefit because they can use what others create for that device. They also benefit because such devices would be less likely to abuse them in other ways (digital restrictions management, spying, etc.). I would also add that respecting someone's freedoms is a benefit in and of itself.

          More precisely, does any of the things you want to do with it, make sense for the manufacturer to have to deal with the consequences of?

          My concerns are freedom and ethics, not the ability of manufacturers to make more money. Their ability to make money by doing evil is only an explanation of why they do what they do, not a justification.

          • (Score: 2) by Dr Spin on Wednesday April 25 2018, @08:43AM (1 child)

            by Dr Spin (5239) on Wednesday April 25 2018, @08:43AM (#671548)

            My concerns are freedom and ethics, not the ability of manufacturers to make more money

            Then you are thoroughly un-American, and should turn yourself in to the nearest authorities.

            --
            Warning: Opening your mouth may invalidate your brain!
        • (Score: 2) by Bot on Wednesday April 25 2018, @10:33AM (2 children)

          by Bot (3902) on Wednesday April 25 2018, @10:33AM (#671572) Journal

          > make sense for the manufacturer to have to deal with the consequences of?

          what the stratospherically flying fuck has the manufacturer to do with what I program into MINE programmable device?

          has contemporary propaganda eliminated the concept of ownership? what do you pay money for, the privilege of being spied upon and?

          --
          Account abandoned.
          • (Score: 2) by bob_super on Wednesday April 25 2018, @04:30PM (1 child)

            by bob_super (1357) on Wednesday April 25 2018, @04:30PM (#671685)

            > what I program into MINE programmable device

            Therein lies the crux of the problem. You did not buy a user-programmable device.
            You bought a gaming platform, subsidized by the expected game attachment rate, on which the manufacturer tells people all players are equal, and invests a lot of money on "it just works" stability and anti-tampering features.
            Tinkerers with friendly or malicious intent can threaten the whole ecosystem, and preventing that outcome is not cheap. Before you object that big companies dying is not a bad thing, don't forget how many people work for indie game companies publishing on those platforms.

            You can buy yourself programmable devices all day. There are thousands, and many are much cheaper than a game console, and after a couple years, much more powerful for the money. You can see the consoles as a challenge to break into, and that's not a bad thing. But you can't object that the maker of the cheap connected game ecosystem has pretty good reasons to not let you ruin their 9 to 10-figure investment in the process.

            • (Score: 2) by Bot on Wednesday April 25 2018, @09:56PM

              by Bot (3902) on Wednesday April 25 2018, @09:56PM (#671891) Journal

              No, I buy a programmable device that the previous owner did not want me to blah blah. It is not an ASIC.

              --
              Account abandoned.
        • (Score: 2) by sjames on Wednesday April 25 2018, @10:42AM

          by sjames (2882) on Wednesday April 25 2018, @10:42AM (#671574) Journal

          Leaving aside the fact that 99% of users do not give a shit about tinkering with the Tegra in their device

          If they give it about 10 seconds worth of thought, they will realize that even if they have no idea what to do with it, they should be happy if others have that access.

          Remember the 2600? Remember when Activision figured out how to produce games for it? Atari wasn't so sure that was in their best interest, but owners of the console sure thought so if Activision's income is any guide.

          And the only way it cost Atari anything is that they then had to compete the way Smith intended.

          As a side note, when software can fry the hardware, it's because of shitty hardware 99 times out of 100. In that vast majority of cases, the manufacturer deserves any costs incurred. In that final 1%, perhaps they should document the issue and disclaim warranty rather than leaving it as a trap of last resort to punish people who tinker with stuff that they unquestionably own.

  • (Score: 4, Interesting) by crafoo on Tuesday April 24 2018, @10:58PM (3 children)

    by crafoo (6639) on Tuesday April 24 2018, @10:58PM (#671401)

    Good. The faster we can bring all purchased hardware back under full control of the owner, the better. The faster all DRM is compromised and rendered ineffective, the better.

    • (Score: 4, Insightful) by Anonymous Coward on Tuesday April 24 2018, @11:45PM (1 child)

      by Anonymous Coward on Tuesday April 24 2018, @11:45PM (#671421)

      This doesn't get us any closer to freedom; rather, this exposes the Tyranny that is growing, and it just helps the Tyranny become stronger. This is not a good thing.

      • (Score: 4, Insightful) by Bot on Wednesday April 25 2018, @10:35AM

        by Bot (3902) on Wednesday April 25 2018, @10:35AM (#671573) Journal

        > This doesn't get us any closer to freedom
        blind obedience does not do that either.

        --
        Account abandoned.
    • (Score: 2) by Wootery on Friday April 27 2018, @09:12AM

      by Wootery (2341) on Friday April 27 2018, @09:12AM (#672527)

      You mean 'DRM' to mean the machinery that prevents running arbitrary code on the device? Or to mean the machinery that prevents unauthorised playing of published games? Or both?
