The Nintendo Switch has been hacked again, and in a way that Nintendo may not be able to patch out with a software update. Hacker Katherine Temkin and the hacking group ReSwitched have exploited the USB recovery mode of the Switch's Tegra X1 processor to bypass the boot-time protections that would otherwise block such attempts. Suffice it to say, without a new Nintendo Switch hardware revision, Nintendo cannot stop this from happening. What this means is that at least 14 million Nintendo Switches can be modified. Once the hack is used, it cannot be detected by existing Switch software. Users can run homebrew apps or even Linux, complete with touchscreen support.
At the moment the hack is only in a proof-of-concept state: it has to be performed over USB on every boot, much like a tethered iPhone jailbreak. It doesn't need a mod chip, but we won't be surprised to see eager third parties looking to create one to simplify the process.
Nintendo and Nvidia have been notified of the vulnerability. The exploit is known as Fusee Gelee, and Temkin has published a detailed report on what it does on GitHub.
“This report documents Fusee Gelee, a coldboot vulnerability that allows full, unauthenticated arbitrary code execution from an early bootROM context via Tegra Recovery Mode (RCM) on NVIDIA’s Tegra line of embedded processors. As this vulnerability allows arbitrary code execution on the Boot and Power Management Processor (BPMP) before any lock-outs take effect, this vulnerability compromises the entire root-of-trust for each processor, and allows exfiltration of secrets e.g. burned into device fuses,” Temkin’s post reads.
With Nintendo gearing up for an SoC revision of the Nintendo Switch, newer editions of the hybrid console will likely not be vulnerable to this exploit. Though we doubt that would stop many from trying.