Security Researchers Find ‘Unpatchable’ Vulnerability in Nintendo Switch Consoles

Heads up, Nintendo Switch fans: you may soon be able to run custom firmware on your Switch, or back up your games to your own hard drive.

According to a new report from Ars Technica, hackers have shown how the Nintendo Switch can be made to run arbitrary code by exploiting an unpatchable flaw in the bootROM of the console’s Nvidia Tegra X1 chip.

Hardware hacker Katherine Temkin and the ReSwitched hacking team released a detailed write-up of what they call the “Fusée Gelée” coldboot vulnerability earlier today, alongside a proof-of-concept payload that runs on the Switch.

Here’s the summary from the report on GitHub:

This report documents Fusée Gelée, a coldboot vulnerability that allows full, unauthenticated arbitrary code execution from an early bootROM context via Tegra Recovery Mode (RCM) on NVIDIA’s Tegra line of embedded processors. As this vulnerability allows arbitrary code execution on the Boot and Power Management Processor (BPMP) before any lock-outs take effect, this vulnerability compromises the entire root-of-trust for each processor, and allows exfiltration of secrets e.g. burned into device fuses.

“Fusée Gelée isn’t a perfect, ‘holy grail’ exploit—though in some cases it can be pretty damned close,” Temkin writes in an accompanying FAQ.

One reason this is such a troublesome hack for both Nintendo and Nvidia is that it appears to be unfixable. The exploit targets a bug in the Tegra X1’s bootROM, and that code is baked into the silicon: no firmware update can change it once the chip leaves the factory, so the only real remedy is revised hardware. That leaves the 14.8 million Switches already sold vulnerable to the exploit, and potentially able to run all manner of games and programs Nintendo never approved. The practical caveat is that the bug is reached through the Tegra’s recovery mode at boot, so it takes hands-on access to the console rather than a way in over the network.
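To make the “before any lock-outs take effect” line in the quoted summary concrete, here is a constructed Python model of a chained root of trust with a sticky fuse lock-out. It is an added illustration for this article, not code from the Fusée Gelée report, Nintendo, NVIDIA or ReSwitched, and it does not reproduce the Tegra X1 boot flow; Fuses, boot_rom, OEM_KEY, FUSE_SECRET and the two compromise functions are invented names. It contrasts an attacker who replaces the second boot stage (rejected by the immutable root, and locked out of the fuses either way) with an attacker who already runs code in the root’s own context, where the lock-out has not happened and the signature check is never reached.

```python
"""Constructed model of a chained root of trust with a sticky fuse lock-out.

Added illustration for this article; it is not Nintendo's, NVIDIA's or
ReSwitched's code and does not reproduce the Tegra X1 boot flow. Fuses,
boot_rom, OEM_KEY and FUSE_SECRET are invented names for the model.
"""
import hashlib
import hmac

OEM_KEY = b"constructed-oem-signing-key"        # key the immutable root uses to check stage 2
FUSE_SECRET = b"constructed-per-device-secret"  # stands in for secrets burned into fuses


class Fuses:
    """One-time-programmable storage whose read path can be disabled until reset."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self.locked = False

    def read_secret(self) -> bytes:
        if self.locked:
            raise PermissionError("fuse reads disabled until the next cold boot")
        return self._secret

    def lock(self) -> None:
        self.locked = True  # sticky: nothing that runs later can clear it


def sign(blob: bytes) -> bytes:
    """OEM signing at the factory; the root verifies with the same key (HMAC stands in for RSA)."""
    return hmac.new(OEM_KEY, blob, hashlib.sha256).digest()


def derive_device_key(fuses: Fuses) -> bytes:
    """Root-only step: derive a working key from fuse secrets before locking them."""
    return hashlib.sha256(b"device-key|" + fuses.read_secret()).digest()


def boot_rom(fuses: Fuses, stage2: bytes, stage2_sig: bytes) -> tuple:
    """Immutable first stage: derive keys, lock fuses, verify stage 2, hand off."""
    device_key = derive_device_key(fuses)
    fuses.lock()  # the lock-out takes effect before any mutable code runs
    if not hmac.compare_digest(sign(stage2), stage2_sig):
        raise ValueError("stage 2 signature invalid, boot halted")
    return device_key, stage2


def compromise_after_handoff(stage2: bytes) -> dict:
    """Attacker who replaced stage 2: it never runs, and could not read fuses anyway."""
    fuses = Fuses(FUSE_SECRET)
    try:
        boot_rom(fuses, stage2, b"\x00" * 32)  # forged or missing signature
        booted = True
    except ValueError:
        booted = False
    try:
        fuses.read_secret()
        fuse_readable = True
    except PermissionError:
        fuse_readable = False
    return {"booted": booted, "fuse_readable": fuse_readable}


def compromise_in_root_context(unsigned_stage2: bytes) -> dict:
    """Attacker already executing in the root's context, before boot_rom() reaches lock().

    How that control is obtained is outside this model; the point is what it buys:
    the lock-out has not happened and the signature check is simply never reached.
    """
    fuses = Fuses(FUSE_SECRET)
    secret = fuses.read_secret()            # exfiltrate fuse contents
    device_key = derive_device_key(fuses)   # and every key derived from them
    return {"booted": True, "fuse_readable": True, "fuse_secret": secret,
            "device_key": device_key, "executed": unsigned_stage2}


if __name__ == "__main__":
    genuine = b"constructed genuine stage-2 image"
    key, _ = boot_rom(Fuses(FUSE_SECRET), genuine, sign(genuine))
    print("genuine boot ok, device key", key.hex()[:16])
    print("stage-2 compromise:", compromise_after_handoff(b"attacker stage 2"))
    print("root compromise:", compromise_in_root_context(b"attacker stage 2")["fuse_readable"])
```

The ordering inside boot_rom is the whole design: keys are derived and the fuses locked before any signature check or hand-off, so a stage that fails verification, or one that passes but is later exploited, never sees the raw secrets. Code execution at the root stage sits in front of that ordering, which is why the report describes the flaw as compromising the entire root of trust rather than one stage.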

Temkin is also working on a custom firmware for the Switch that she’s calling “Atmosphère.” Once it and the full version of Fusée Gelée are publicly released, it’ll be open season on Mario.