I got 99 secure devices but a Nintendo Switch ain't one: If you're using Nvidia's Tegra boot ROM I feel bad for you, son

Unpatchable vuln found, exploited to run custom code

Fusée Gelée demo, image by Kate Temkin
A pwned Nintendo Switch ... Image by Kate Temkin

Updated Security researcher Kate Temkin has released proof-of-concept code dubbed Fusée Gelée that exploits a bug in Nvidia's Tegra chipsets to run custom code on locked-down devices.

Temkin, who participates in the Nintendo Switch hacking project ReSwitched, has developed a cold-boot hack for the games console that takes advantage of an unpatchable blunder in the Tegra boot ROM.

She's also working on customized Switch firmware called Atmosphère, which can be installed via Fusée Gelée.

Essentially, Fusée Gelée exploits a vulnerability during a Switch's startup to commandeer the gadget and execute unofficial software. This is useful for unlocking the locked-down Nintendo Switch so that home-brew games, custom firmware and operating systems, and other code can be run.

You'll need physical access to the hardware during power-up to perform Fusée Gelée and then run your own software – it's not something that can be pulled off over the air nor after the thing has booted up.

In a blog post outlining her findings earlier this month, Temkin explained: "The relevant vulnerability is the result of a 'coding mistake' in the read-only boot ROM found in most Tegra devices."

Nvidia GeForce

Looking to nab Nvidia's GeForce chips? You need cash and patience

READ MORE

Full details of the bug is set to be revealed on June 15, 2018, unless it is made public by others first – a parallel effort to create custom firmware for the Switch using the vulnerability, or one substantially similar, is underway by a group called Team Xecuter.

The vulnerability is said to affect Tegra chips prior to T186/X2, released in 2016, so it's not just the Nintendo Switch that's potentially vulnerable. Other gear using the affected chipset is also potentially at risk.

Temkin reckoned the issue is present in all Nintendo Switches. The nature of the flaw is such that it will require a hardware revision to fix. The boot ROM, which contains the programming bug, accepts minor patches in the factory but cannot be updated afterwards, according to Temkin. That means once a vulnerable machine rolls off of the assembly line, the vulnerability is baked in and cannot be mitigated.

Temkin said the cockup was responsibly disclosed to and forwarded to other vendors that use Tegra embedded processors, including Nintendo.

In a summary of her work, Temkin described Fusée Gelée as "a cold boot vulnerability that allows full, unauthenticated arbitrary code execution from an early boot ROM context via Tegra Recovery Mode (RCM) on Nvidia's Tegra line of embedded processors."

The issue is that the USB software stack in the Tegra boot ROM calls a memory copy function with a length parameter that can be defined by an attacker, allowing the processor's execution stack to be overwritten by an oversized copy operation. It's pretty much game over after that: now you can point the processor at whatever code you want having scribbled over its stack, which contains return addresses.

"By carefully constructing a USB control request, an attacker can leverage this vulnerability to copy the contents of an attacker-controlled buffer over the active execution stack, gaining control of the Boot and Power Management processor (BPMP) before any lock-outs or privilege reductions occur," Temkin's paper explained.

Successful exploitation compromises the processor's root-of-trust and provides the attacker with access to secrets burned into device fuses, as well as allowing arbitrary code execution.

An Nvidia spokesperson declined to comment when prodded by The Register. ®

Updated to add

In an email to The Register, Temkin said she has decided to make the full exploit public.

“The disclosure agreement I had with Nvidia – which is documented in that report – agreed that public disclosure will occur if any other research group publicly discloses the vulnerability,” she explained.

“While I won’t go into details, this occurred over the last 24 hours, and so I felt this was the appropriate time to release the documentation I have. This is the documentation for one of our relevant boot ROM vulnerabilities, and a full release of relevant exploit. The date of June 15th is no longer relevant.

“In general, I’m of the belief that once someone’s shared an unpatchable exploit like this – even if only posted to ‘underground’ communities as a zero-day – the disclosure cadence significantly changes, as malicious actors are able to pick up the releases, read through the relative dearth of information, and develop solutions that can impact the public and their devices. At that point, I’d much prefer the public be informed of the details of the exploit so that everyone knows how to best defend against malicious actors – hence my agreement with Nvidia.”

The status of various Switch vulnerabilities can be found here. And here's a link to another researcher’s version of the exploit.

Sponsored: Minds Mastering Machines - Call for papers now open


Biting the hand that feeds IT © 1998–2018