The Nintendo Switch may soon become a haven for hackers, but not for those who want your data – those who want to use SNES and Linux emulators on their portable consoles. A flaw in an Nvidia chip used by the Switch, detailed today, allows experienced users to inject code into the system and modify it as they see fit.
The exploit, known as Frozen Rocket, was suggested for the first time by developer Kate Temkin a few months ago. She and others from ReSwitched have worked to prove and document the exploit, sending it among others to Nvidia and Nintendo.
Although responsible disclosure is applauded, it will not make much difference here: this flaw is not one that can be corrected with a patch. Millions of switches are permanently vulnerable to what amounts to a total jailbreak; only new ones whose code has been changed at the factory will be immune.
This is because the flaw is cooked in the Nvidia Tegra X1's ROM used in the Switch and some other devices. It is in the "Boot and Power Management Processor" to be specific, where a package sent incorrectly during a USB device control routine allows the connected device to send up to 64 kibibytes (65,535 bytes) of additional data that will be executed without question. You must first go into recovery mode, but it is easy.
As you can imagine, running arbitrary code on a device as deep in its processes is a huge vulnerability. Fortunately, it is only available to someone with direct and physical access to the Switch. But this makes it an extremely powerful tool for anyone who wants to modify their own console.
Modding consoles is made for many reasons, and indeed piracy is among them. But people also want to do things Nintendo will not let them, like backing up their saved games, run custom software like emulators, or extend the capabilities of the OS beyond the meager features provided by the system. business.
Temkin and his colleagues had planned to publicly release the vulnerability on June 15 or when someone would release the vulnerability regardless of them – whichever came first. It turned out to be the last one, which apparently surprised no one in the community. The X1 exploit seems to have been something of an open secret.
The exploit was published anonymously by a hacker and Temkin released the team's documentation on GitHub. If it's too technical, there's also some plain language chatter about the flaw in a FAQ posted earlier this month. I asked Temkin some more details.
In addition to Temkin, failOverflow has announced a small device that will short a pin in the USB connector and put the device into recovery mode, preparing it for operation. And Team-Xecuter announced a similar hardware attack months ago.
The answer to the most obvious question is no, you can not just start the game and start playing Wave Race 64 (or a hacked Zelda) on your switch in 15 minutes. The exploit still requires a technical ability to implement, though, as with many other hacks of this type, someone will probably graft it to a nice graphical interface that guides ordinary users throughout the process. (It's certainly happened with the classic NES and SNES editions.)
Although the exploit can not be fixed with a software update, Nintendo is not helpless. It is likely that a modified switch will be prohibited to the online services of the company (as they are) and possibly to the user account. So, although the hacking process is, compared to the required welding for modchips of past decades, little risky, it is not a gold ticket.
That said, Frozen Rocket will almost certainly open the door to developers and hackers who care little about Nintendo's official ecosystem and would rather see what they can do on their own.
I asked Nintendo and Nvidia to share my comments with me and I will update them when I hear them.