On Monday, anyone looking to hack their Switch or run their own software on it got some good news and more good news. An exploit has been released that opens the homebrew floodgates—and because it’s hardware-based, Nintendo can’t just patch it.
The news of the unpatchable exploit first broke when Katherine Temkin and her colleagues at the ReSwitched hacking team dropped the outline for the “Fusée Gelée” vulnerability. “The relevant vulnerability is the result of a ‘coding mistake’ in the read-only bootrom found in most Tegra devices,” Temkin explained in an accompanying FAQ. “This bootrom can have minor patches made to it in the factory (‘ipatches’), but cannot be patched once a device has left the factory.”
The fact is, it’s far from a plug-and-play hack. You’d need some technical savvy to pull this off yourself, but that’s what’s great about the DIY community: they’ll keep figuring out how to make it easier for everyone else.
In short, the exploit takes advantage of a flaw in the bootROM of the Nvidia Tegra X1 chip. Normally the bootROM only runs code that Nintendo has signed, but its USB recovery mode contains a coding mistake: an oversized request from the connected computer overflows a buffer that the bootROM fills by direct memory access (DMA), which lets the attacker run unsigned code before the rest of the boot chain is checked. That’s where things start to make the casual Switch owner nervous: forcing the console into USB recovery mode requires shorting a single pin on the right Joy-Con connector.
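To make the bug class concrete, here is a constructed toy model (added for this write-up; it is not Nvidia’s bootROM code and not ReSwitched’s or fail0verflow’s exploit) of a recovery-mode request handler that trusts a host-supplied length when copying into a fixed-size buffer, beside a hardened version that rejects oversized requests. The buffer size, the flat memory layout and the sentinel word are hypothetical; the real firmware’s layout and sizes are not on this page.

```c
/* Toy model of a host-controlled DMA length overflow (constructed example, not Tegra code). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEVICE_MEM_SIZE   256   /* hypothetical flat view of the firmware's RAM */
#define RECOVERY_BUF_SIZE 64    /* hypothetical fixed request buffer at offset 0 */
#define SENTINEL_OFFSET   RECOVERY_BUF_SIZE

/* Stands in for whatever really sits after the buffer (saved state, return addresses). */
static const uint8_t SENTINEL[4] = {0xDE, 0xAD, 0xBE, 0xEF};

typedef struct {
    uint8_t mem[DEVICE_MEM_SIZE];
} device_t;

typedef int (*request_handler)(device_t *dev, const uint8_t *data, uint16_t wLength);

static void device_reset(device_t *dev) {
    memset(dev->mem, 0, sizeof dev->mem);
    memcpy(dev->mem + SENTINEL_OFFSET, SENTINEL, sizeof SENTINEL);
}

/* The "DMA engine": copies exactly as many bytes as it is told to, starting at the buffer. */
static void dma_copy(device_t *dev, const uint8_t *src, uint16_t len) {
    for (uint16_t i = 0; i < len && i < DEVICE_MEM_SIZE; i++) {
        dev->mem[i] = src[i];
    }
}

/* Vulnerable handler: the host's wLength is passed straight to the DMA engine. */
int handle_request_vulnerable(device_t *dev, const uint8_t *data, uint16_t wLength) {
    dma_copy(dev, data, wLength);   /* BUG: no bound against RECOVERY_BUF_SIZE */
    return 0;
}

/* Hardened handler: a request larger than the buffer is refused before any copy happens. */
int handle_request_fixed(device_t *dev, const uint8_t *data, uint16_t wLength) {
    if (wLength > RECOVERY_BUF_SIZE) {
        return -1;
    }
    dma_copy(dev, data, wLength);
    return 0;
}

int sentinel_intact(const device_t *dev) {
    return memcmp(dev->mem + SENTINEL_OFFSET, SENTINEL, sizeof SENTINEL) == 0;
}

/* Drives one request through a handler.
   Returns -1 if the handler rejected it, 0 if it copied without touching memory
   past the buffer, and 1 if the copy clobbered the sentinel (an overflow). */
int probe(request_handler handler, uint16_t wLength) {
    device_t dev;
    uint8_t payload[DEVICE_MEM_SIZE];       /* constructed host payload: all 'A' */
    memset(payload, 0x41, sizeof payload);
    if (wLength > sizeof payload) {
        wLength = sizeof payload;
    }
    device_reset(&dev);
    if (handler(&dev, payload, wLength) != 0) {
        return -1;
    }
    return sentinel_intact(&dev) ? 0 : 1;
}

int main(void) {
    printf("vulnerable, 64-byte request:  %d\n", probe(handle_request_vulnerable, 64));
    printf("vulnerable, 200-byte request: %d\n", probe(handle_request_vulnerable, 200));
    printf("fixed, 200-byte request:      %d\n", probe(handle_request_fixed, 200));
    return 0;
}
```

The point of the model is the one the article makes about patchability: the missing bound lives in the handler that ships in read-only bootROM, so once a chip leaves the factory the only fix is the hardened handler in a new chip revision, not a software update.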
It just so happens that Temkin’s team isn’t the only group that found this flaw. Hacking team fail0verflow tweeted that they were observing a 90-day responsible disclosure window that would’ve ended on April 25th, but since the cat is already out of the bag, they were moving forward with their release. First, fail0verflow tweeted a pic of a little device that would make shorting the Joy-Con connector pin a simple procedure:
Then, the team dropped their own explanation of the flaw as well as a tethered bootROM exploit and Linux for the Switch. They’ve been working on this for a while, and they previously showed off video of the operating system running on Nintendo’s hardware. Fail0verflow also teased the hell out of gamers by tweeting an image of The Legend of Zelda: The Wind Waker running on the Switch, suggesting they got the Dolphin emulator working on the device.
On its blog, fail0verflow explained that it began the responsible disclosure process with Google 90 days ago because Tegra chips are often used in Android devices. It’s a nasty vulnerability, but it’s mitigated by the fact that a bad actor would need physical access to a device to compromise it. And because the flaw lives in read-only bootROM, Nintendo can only fix it in the manufacturing process for future consoles, whereas software exploits can be nullified with a simple update. However, Nintendo could also shut off online functions for a device if it detects that it has been hacked.
Fail0verflow emphasized that it was releasing this info for the homebrew crowd that wants to tinker with their Switches and make new things, rather than encouraging piracy. I can’t emphasize strongly enough that you shouldn’t try this if destroying your Switch isn’t something you’d be comfortable with. In the readme file for the bootROM exploit, fail0verflow writes, “If your Switch catches fire or turns into an Ouya, it’s not our fault.”
The Switch hacking crowd is already extremely excited about developing this thing further. A custom firmware known as Atmosphère has been in the works for some time, and its developer tweeted that Monday’s release means that anyone who is interested can now help contribute to its development. If nerve-wracking hardware hacks continue to be required, you can expect to see devices that are all set up and ready to go being sold by third parties. For those who are ready to jump in today, happy hacking.