Over the last year, plenty of hackers have been poking around the Nintendo Switch in search of ways to exploit the system. Things got off to a really quick start with a browser exploit and by January this year, kernel access was achieved, paving the way for Homebrew software. Now, the first permanent bootrom exploit has been released for the Switch, allowing anyone to run ‘unsigned’ software on the system.
The exploit relies on the Tegra chip powering not just the Nintendo Switch, but multiple Android-based devices too. After discovering the exploit, the folks at Fail0verflow disclosed it to Google’s Project Zero team, but at this point the 90-day window has passed and multiple other hacking groups have discovered the exploit, which is why it is now being made public. Currently, it is believed that Nintendo won’t be able to patch this exploit with a firmware update, instead it would require a hardware revision.
Here is the technical explanation of the bug from Fail0verflow’s post: “The Tegra X1 (also known as Tegra210) SoC inside the Nintendo Switch contains an exploitable bug that allow taking control over early execution, bypassing all signature checks. This bug is in the RCM mode, which is a USB-based rescue mode intended for initial flashing of Tegra devices and recovery of bricked devices. Normally, RCM mode only allows signed images to be loaded, but thanks to the bug, arbitrary code execution is possible.”
Essentially what this means is that in order to run unsigned code on the Switch, a user would need to force it into ‘RCM mode’ and execute the USB-based exploit. Entering RCM mode is very simple, if any of you have installed a custom ROM on Android before, then you’ll be familiar with the process already. However, executing the USB bug is a little more complicated and requires using “very long control transfers” which will work with vanilla Linux on a PC with an xHCI controller (USB 3.0) or a PC with an EHCI (USB 2.0) controller and a specific kernel patch.
You can head over to the Fail0ver post for the full technical breakdown, but the gist of the situation is that once all of the technical stuff is out of the way, a user would be free to run any unsigned code they want on the Nintendo Switch. This paves the way for legitimate homebrew software, but it also paves the way for piracy. Since this is something that can affect every Nintendo Switch unit currently in circulation, Nintendo will likely be looking to clamp down and release a hardware revision soon.
KitGuru Says: Nintendo consoles have a history of running into issues with exploits and piracy. R4 cards were particularly prominent in the Nintendo 3DS days, and Gateway cards took over later into the 3DS lifespan. However, given that this Switch exploit is baked directly into the hardware, it will be much tougher for Nintendo to fix.