Skip to content

Top New Best Ask Show Jobs

The “unpatchable” exploit that makes every current Nintendo Switch hackable (opens in new tab)

(arstechnica.com)

181 pointspjl7y ago72 comments

The “unpatchable” exploit that makes every current Nintendo Switch hackable | Better HN

72 comments

leggomylibro7y ago

Cool!

It's too bad that the cracking scene seems so vain, though. This article presented three groups:

* One which wants to sell 'jailbreak' kits to enable piracy, while keeping the details to themselves.

* One which had planned a related disclosure window amongst the broader community for two days from now, and seems to feel somewhat vocally that this release is very similar to their work.

* One which seems like they might have flaunted that window a bit for the credit.

It's amazing and inspiring what these people manage to accomplish, but it'd be nice to see less stepping on fingers - imagine what might happen if these groups really cooperated! I guess it's a very reputation-driven scene, but still...

This has always been the case with homebrew/jailbreak scenes, from the PSP to the PS3/PS4, to iOS, etc.

There will always be squabbles among the different people and groups involved with finding exploits or developing jailbreak/"hack" "kits".

Following from that, there will also always be people who want to jailbreak only to pirate games and there will also be groups who want to disclose the exploits properly, or use them purely for research and non-piracy fun purposes.

phire7y ago

For example, in the ps3 scene:

Someone developed a exploit, packaged it in usb stick, called it the PSJailbreak, planning to sell it to as a piracy orientated tool. They sent out a few review copies to prove it worked.

One of the reviews obtained a USB trace of the exploit in action, passing it along to a few members of the homebrew scene. The homebrew scene recreated this exploit with an open source implementation (but with the ability to pirate games pirate games superficially patched out) beating the original PSJailbreak to market.

The homebrew scene then set upon developing an open source homebrew devkit.

Many manufactures released their own clone devices of the exploit, the timeframe susgests that they were also working from copies of the PSJailbreak.

It was the homebrew scene who later decimated the PS3 chain of trust, to develop installable modded firmware.

These squabbles are as old as home computing.

Just check out the amount of name calling and whatsnot thats put into those cracktros that can be traced at least back to the C64.

deft7y ago

This is just the surface, with personal politics and clashing personalities obscured. The scene is incredibly dramatic and childish.

The nice thing with the console hacking scene is that the people doing actual useful work and the people causing drama are mostly disjoint sets.

av3csr7y ago

The apex of the scene's pettiness has to be this http://wololo.net/2015/03/18/total-noobs-response-to-latest-... (tl;dr the custom firmware checks if a certain user is using it, if so it formats their memory card)

mindslight7y ago

This doesn't sound like it itself "exploits" anything, just deflates Nintendo's attempted scheme to exploit their customers by booby trapping their hardware.

If you rigged your car to destruct 30 minutes after it went out of cell service, sold it to an unsuspecting buyer, and then laughed when they got stuck in the desert, you'd be rightfully thrown in jail. But yet these companies keep attempting to pull the same shit with impunity.

white-flame7y ago

I actually kind of liked the Gameboy approach. You needed to include a byte-for-byte image of the trademarked Nintendo logo in order for the boot ROM to run your cartridge. So there were no technical hurdles to running your code in it, but it just made it legally dangerous to distribute.

TheSoftwareGuy7y ago

Holy shit. Is that why when you plugged in a cartridge a little weirdly, the nintendo logo would look all weird and the game wouldn't boot? it was a simultaneous legal protection and a harware protection? that was fucking genius!

Sega tried this with the Dreamcast, and further, tried to enforce it in court.

They lost.

samlittlewood7y ago

Interestingly, this could be circumvented - the boot rom does the logo scroll using data from cart, THEN, in a separate loop checks it vs local copy. If you can make the cart read different data at each stage, you are golden!

IIRC Argonaut/Jez San had a POC of this using a very simple hardware bodge, intended as a potential way of publishing Eclipse (What became X) without a Nintendo licence.

Fortunately - Nintendo were interested in the 3D rendering, and that started the SuperFX/Starfox/ARC journey.

dwild7y ago

> it just made it legally dangerous to distribute.

Internet and countries that don't enforce copyright exist you know? You can even get HDCP strippers on Ebay, pretty easily too. Never had any issue finding ISO and roms online, even for the Switch before this hack.

If only the legal side was a good enough security...

If you want a portable device that you can use to run your own software, then go get a tablet that run the Tegra X1, you will get the exact same thing.

freerobby7y ago

Do you by any chance have a source on this? I believe you, this is just such a clever system that I want to read more about it.

crankylinuxuser7y ago

Sounds kind of like a Tesla, now that you mention a car like that. They already will call and threaten you if you own a Tesla and mess around with it under the hood.

https://www.slashgear.com/expect-an-irate-call-if-you-try-to...

How much further will they go? Will they remotely disable it? Or perhaps, they'll send it into "Service Needed" mode and cripple it?

hvidgaard7y ago

It ought to be the law that anything I can do, is fair game. If I fuckup something it shouldn't be under warranty, but only for the issues the tinkering causes. If I can connect to a port in the car I've paid for, and read something, it's not industrial espionage. That is just Tesla being lazy and trying to get security-by-obscurity, instead of a proper secure implementation.

It’s half and half. This scheme defeats Nintendo’s attempt to control what console owners do with their own hardware, it’s true. But it also allows console owners to be exploited by malicious hardware (say, a cheap charger).

Homebrew is cool but 99% of the real world usage is pirated games.

BoorishBears7y ago

Well it’s your choice, open hardware or billions of dollars invested in an industry employing millions of people...

loup-vaillant7y ago

How about an open hardware industry that would employ millions of people? Not to mention the questionable premise that we should have enough work to employ almost everyone. I mean, we're mostly programmers in here. Our primary task is to destroy jobs. Shouldn't free time be a good thing?

yarrel7y ago

False dichotomy.

ohthehugemanate7y ago

Great news for people who want to use their purchased hardware for things Nintendo won't allow... Ie watching movies on the great screen, using generic hdmi adapters, playing games they already purchased for older console versions, or backing up savegames.

Also great news for people who want to use their hardware for things that are actively against Nintendo's interests, like playing pirated games.

All around, seems like a story of us: 1, them: 0 story.

jake_the_third7y ago

> backing up savegames

This. I decided against buying a switch because I discovered that it prevents owners from backing up save files.

I still don't plan to buy a switch until nintendo supports backing up save files officially like they do with cross-region compatibility. Having to loose 100s of hours of progress for what amounts to an arbitrary reason from a nintendo bigwig is not something I am willing to stomach.

letsgetphysITal7y ago

Buy used. Nintendo won't get a cent, you'll pay less, and you won't be hit so hard in the wallet if your device fails after this mod.

voltagex_7y ago

Also archiving games+updates.

I'll be backing up all my carts as soon as possible. Publishers lose code, assets, entire games (or decide to never re-release them).

simcop23877y ago

Not sure about the carts and saves but you can at least push patches and downloaded games to SD cards and back them up. They'll only work for your console as far as I'm aware but that's fine with me.for doing a backup.

userbinator7y ago

In the FAQ, Temkin says she has previously notified Nvidia and vendors like Nintendo about the existence of this exploit, providing what she considers an "adequate window [for Nvidia] to communicate with [its] downstream customers and to accomplish as much remediation as is possible for an unpatchable bootROM bug."

Why would you even want to do that...? Money? Fame? As I've heard it said memorably, "would you tell someone who takes you hostage and locks you up, that the lock is actually trivial to open?" This is just further evidence of a fact I've noticed for a long time: a lot of security researchers are pro-DRM, pro-corporatocracy authoritarians, and their vision of "more secure" is a dystopian nightmare.

I still remember the good old days, when the hacking/cracking scene was entirely composed of people doing it for the freedom, with no do-gooding snitches to worry about...

10 years ago, if you shared a way to bypass a DRM scheme in the right places, it would live on for a long time. Now, it's more likely that some bastard is going to report it and get it patched in days to weeks.

asiekierka7y ago

The exploit concerns most Tegra chips currently on the market, not just the Nintendo Switch. Those are used in, for example, cars. I believe that was part of the reason.

Not to mention, it's not patchable without a hardware revision, so sharing it privately before sharing it publicly, while strongly hinting at that it's not patchable without a hardware revision (which has been done) has the same effect in practice for those wanting to escape Nintendo's jail, while letting those who use the Tegra in security-sensitive environments prepare adequately.

Someone12347y ago

This exploit has nothing specifically to do with DRM, and compromises the entire root of trust chain on devices impacted (including devices which aren't locked down).

userbinator7y ago

Given that the DRM is precisely about stopping owners from controlling their devices fully, I'd say it's pretty relevant to this exploit being able to bypass that.

dsfyu404ed7y ago

>I still remember the good old days, when the hacking/cracking scene was entirely composed of people doing it for the freedom, with no do-gooding snitches to worry about...

>10 years ago, if you shared a way to bypass a DRM scheme in the right places, it would live on for a long time. Now, it's more likely that some bastard is going to report it and get it patched in days to weeks.

From the article it looks like someone else was trying to sell it so she put it in the open for free.

>The release also seems to be partially a response to Team Xecuter, a separate team that is planning to sell a modchip exploit that can allow for similar code execution on the Switch. Temkin writes that she's opposed to Xecuter's explicit endorsement of piracy and efforts "to profit from keeping information to a few people."

userbinator7y ago

If she truly wanted to make it free, why secretly tell Nintendo and nVidia first?

It's a cat-and-mouse game, and this mouse wants to tell the cat how to catch the other mice. In the old scene, you'd be branded a traitor for doing that.

bri3d7y ago

This has reasonable parallels to the PSP "Pandora's Battery" exploit, which put the device into DFU mode using a battery that emulated the factory service mode jig, and then exploited an issue in the trust chain verification in the first-stage (mask-ROM) bootloader. Similarly fixable with hardware only, which came soon after the exploit.

This bootloader bug is much sillier (IMO) than Sony's, though. Sony's was a series of crypto mistakes in the trust chain verification: it decrypted blocks in place and there was an issue in the checksum code that left it vulnerable to a timing attack, so a very, very small valid-but-colliding block had to be constructed and the rest of the bootloader was then freely-injectable. This nVidia/Nintendo mistake is an even sillier basic protocol issue.

I think the main lesson here is not to put complex protocol code in your immutable first-stage mask ROM, and if you do, to limit the surface area as much as possible, ensure memory safety, and audit the hell out of it.

white-flame7y ago

I believe this has been known for a while, even though it's just now been "made public" as far as the press is concerned. In the meantime, disassembly of OS updates for the Switch imply that they're adding support for a newer version of the Tegra processor, which many speculate to be a silent hardware upgrade on new systems to boost security, not for a new model with speed upgrades.

epai7y ago

Yep! Looks like the silent hardware upgrade happened in v5.0.0 of the OS.

Here's a youtube video published March 13th talking about it: https://youtu.be/ZzsbDGDwg1U?t=5m17s

And here's a related reddit discussion on the nintendo switch subreddit: https://www.reddit.com/r/NintendoSwitch/comments/8588c1/50_w....

> By sending a bad "length" argument

Not the first system to go down because of a boundary check failure. Though I was hoping for something more spectacular.

I wonder if this exploit would be workable on older Tegra systems, like for example a Tegra 3 int he digital cockpit on the Audi S3/R8/TT [1] or the K1 they are selling now [2] - it would be really great to be able to modify and customize those systems.

[1] https://blogs.nvidia.com/blog/2016/04/25/virtual-cockpit/ [2] http://www.nvidia.com/object/visual-computing-module.html

asiekierka7y ago

Yes, as far as I know both the Tegra 3 and K1 are vulnerable.

mar77i7y ago

YAY, they published it!!!

I think this is amazing news. I'm almost fully convinced to buy a Switch now.

misterbowfinger7y ago

> By sending a bad "length" argument to an improperly coded USB control procedure at the right point, the user can force the system to "request up to 65,535 bytes per control request." That data easily overflows a crucial direct memory access (DMA) buffer in the bootROM, in turn allowing data to be copied into the protected application stack and giving the attacker the ability to run arbitrary code.

Classic.

threeseed7y ago

> Nintendo may still be able to detect "hacked" systems when they sign on to Nintendo's servers. The company could then ban those systems from using the Switch's online functions.

So at least one positive then. Nintendo will be forced to improve their online services.

Thaxll7y ago

Switch security is a joke and it's really bad for the players, it means that people can hack online games fairly easily. fyi Microsoft > Sony > Nintendo in term of console security.

Edit: For people who down vote me do you work in security field or just down vote w/o knowledge?

Skunkleton7y ago

People might be down voting you because "Microsoft > Sony > Nintendo" comes off as grandstanding. As someone in the "security field", you must be aware that poor communication can tarnish otherwise correct information.

j / k navigate · click thread line to collapse