A newly published "exploit chain" for Nvidia Tegra X1-based systems seems to describe an apparently unpatchable method for running arbitrary code on all currently available Nintendo Switch consoles.

[Image: Kate Temkin / ReSwitched]

Hardware hacker Katherine Temkin and the hacking team at ReSwitched released an extensive outline of what they're calling the Fusée Gelée coldboot vulnerability earlier today, alongside a proof-of-concept payload that can be used on the Switch. "Fusée Gelée isn't a perfect, 'holy grail' exploit, though in some cases it can be pretty damned close," Temkin writes in an accompanying FAQ.

The exploit, as outlined, makes use of a vulnerability inherent in the Tegra X1's USB recovery mode, circumventing the lock-out operations that would usually protect the chip's crucial bootROM. By sending a bad "length" argument to an improperly coded USB control procedure at the right point, the user can force the system to "request up to 65,535 bytes per control request." That data easily overflows a crucial direct memory access (DMA) buffer in the bootROM, in turn allowing data to be copied into the protected application stack and giving the attacker the ability to run arbitrary code.

On the Switch, the hardest part of the exploit seems to be forcing the system into USB recovery mode. To do this without opening the system requires shorting out a certain pin on the right Joy-Con connector (the bit on the side of the system where the Joy-Con clicks into place). The hacking team at Fail0verflow tweeted a picture of a small plug-in device that can apparently provide this short-out easily, and the team joked that a simple piece of wire from the hardware store can do so today. Temkin also tweeted a picture suggesting that simply exposing and bending the pin in question would also work.

What makes this exploit particularly worrisome for Nintendo and other Tegra vendors is that it apparently can't be fixed via a simple downloadable patch: the flawed bootROM in question can't be modified once the Tegra chip leaves the factory. That's an important security measure if the bootROM itself is secure but a big problem if the bootROM is exploited, as seems to be the case here (Nintendo and Nvidia were not immediately available to respond to a request for comment).

While the potential to aid software pirates is likely of primary concern to Nintendo, there are plenty of legal and handy reasons to make use of an exploit like this.
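The bug class the article describes, a USB control-request handler that trusts the host-supplied length field, shown as an added example (not ReSwitched's proof of concept and not Nvidia's bootROM code) with the missing bound check beside it. The buffer size, the memory layout and the function names are constructed for illustration; the point is that a handler must compare the announced length against its own buffer, not only against how much data arrived.

```c
#include <stdint.h>
#include <string.h>

/* Constructed layout for illustration only, not the Tegra X1's real memory map:
 * a CTRL_BUF_SIZE-byte control-request buffer starts REGION, and every byte
 * after it stands in for the memory the article says gets overwritten. */
#define CTRL_BUF_SIZE 512u
#define REGION_SIZE   65536u   /* >= max wLength, so the model itself stays in bounds */
#define SENTINEL      0xA5u    /* marker expected to survive a well-behaved request */

struct ctrl_state { uint8_t region[REGION_SIZE]; };

/* Vulnerable pattern: the host-supplied wLength (up to 65535) is trusted as the
 * transfer size, so a request larger than the buffer writes past it. */
size_t ctrl_copy_unchecked(struct ctrl_state *st, uint16_t wLength,
                           const uint8_t *data, size_t data_len)
{
    size_t n = wLength < data_len ? wLength : data_len;
    memcpy(st->region, data, n);      /* never compared against CTRL_BUF_SIZE */
    return n;
}

/* Hardened pattern: an announced length larger than the buffer is refused
 * (the endpoint would STALL) before any data is accepted; returns 0 then. */
size_t ctrl_copy_checked(struct ctrl_state *st, uint16_t wLength,
                         const uint8_t *data, size_t data_len)
{
    if (wLength > CTRL_BUF_SIZE) return 0;
    size_t n = wLength < data_len ? wLength : data_len;
    memcpy(st->region, data, n);
    return n;
}

/* Feeds one constructed request of wLength zero bytes to either handler and
 * reports whether the protected region survived (1) or was overwritten (0). */
int run_request(uint16_t wLength, int hardened)
{
    static struct ctrl_state st;
    static uint8_t data[REGION_SIZE];          /* constructed payload */
    memset(st.region, SENTINEL, REGION_SIZE);
    memset(data, 0, sizeof data);
    if (hardened) ctrl_copy_checked(&st, wLength, data, wLength);
    else          ctrl_copy_unchecked(&st, wLength, data, wLength);
    for (size_t i = CTRL_BUF_SIZE; i < REGION_SIZE; i++)
        if (st.region[i] != SENTINEL) return 0;   /* something past the buffer changed */
    return 1;
}
```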