Unpatchable exploit for the Nintendo Switch found by security researchers

Just a heads up, if you buy something through our links, we may get a small share of the sale. It’s one of the ways we keep the lights on here. Click here for more.

Security researchers {re}switched have discovered a vulnerability in the NVIDIA Tegra X1 chip that powers the Nintendo Switch.

This vulnerability opens the possibility for an attacker to run arbitrary code on the console. Dubbed Fusée Gelée by the group, it takes advantage of an issue in the USB hardware stack of the device and bypasses the protections for the critical bootROM.

Apparently, it’s unfixable in current consoles without a recall as any bugfixes would have to be done with a hardware revision at the factory. All 14.8 million Switch consoles that have been sold to date are affected, according to {re}switched. Similar to other hacks for prior consoles, this paves the way for homebrew software and potential piracy.

The exploit, which is fairly complicated, first involves kicking the Switch into USB recovery mode by shorting a pin on the right-hand Joy-Con connector. A payload is then sent at a crucial point during the USB check, forcing the system to “request up to 65,535 bytes per control request,” which has a knock-on effect which causes a DMA buffer overflow in the bootROM. This process gives hackers access to the normally-protected application stack. Once inside the stack, they can exfiltrate any secrets on the hardware or run anything they want.

While it might seem irresponsible to post the full instructions online, the whitehat group say they are acting in the public good. According to the team,

“This vulnerability is notable due to the significant number and variety of devices affected, the severity of the issue, and the immutability of the relevant code on devices already delivered to end users. This vulnerability report is provided as a courtesy to help aid remediation efforts, guide communication, and minimize impact to users.”

They also note that several other groups are working on a similar exploit, including one that is saying that they will sell access.

This is obviously a serious issue for Nintendo to grapple with, and we’ll be keeping an eye on the situation as it develops.

Joe Rice-Jones

Maker, meme-r, and unabashed geek with nearly half a decade of blogging experience at KnowTechie, SlashGear and XDA Developers. If it runs on electricity (or even if it doesn't), Joe probably has one around his office somewhere, with particular focus in gadgetry and handheld gaming. Shoot him an email at joe@knowtechie.com.