An insane flow of released happened over the past 24h on the Nintendo Switch scene, following the leak of the Tegra bootrom by an unknown hacking group yesterday.

A few minutes ago, team fail0verflow have released their own implementation of the hack, along with a port of Linux for the Nintendo Switch. The hack is compatible with all Nintendo Switch devices independently of their firmware (unless we're mistaken, the necessary hardware revision to fix the bug has started to hit the stores only very recently).

Fail0verflow were actually intending to release their whole work on April 25th, in compliance with their disclosure window of the Tegra vulnerability. The leak from yesterday has accelerated their release by a couple days.

Fail0verflow's Tegra exploit relies on the Tegra's USB Recovery Mode (RCM), and it appears to be the same vulnerability vector as Kate Temkin's Fusee Gelee (ktemkin has disclosed her exploit a few hours ago too, technically beating Fail0verflow to the punch, and we will be writing about that as well as we catch up on the news).

The release, as it is right now, is not really end-user friendly, but fail0verflow say hackers should have no difficulty setting things up.

In practice, you will have to boot the Nintendo Switch in recovery mode (according to Fail0verflow, this can be done by holding the Volume Up, Home, and Power buttons at the same time on the console itself) while having it connected via USB to a computer ready to serve the exploit. We've seen more complex ways to launch hacks than this one, in particular in such early days.

Download ShofEL2 and Linux patches for Nintendo Switch
Fail0verflow's release can be fetched from their various github repositories below. You will have to build the stuff yourself.

[ Register or Signin to view external links. ]
[ Register or Signin to view external links. ]
[ Register or Signin to view external links. ]
[ Register or Signin to view external links. ]
[ Register or Signin to view external links. ]

Tegra X1 Bug (Nintendo Switch)

And because hacking is easy; the Tegra X1 Bug.

Tegra X1 RCM forgets to limit wLength field of 8 byte long Setup Packet in some USB control transfers. Standard Endpoint Request GET_STATUS (0x00) can be used to do arbitrary memcpy from malicious RCM command and smash the Boot ROM stack before signature checks and after Boot ROM sends UID. Need USB connection and way to enter RCM (Switch needs volume up press and JoyCon pin shorted).

To:
ReSwitched
fail0verflow
SwitchBrew
BBB
Team Xecuter
Team SALT

Reminder: Real hackers hack in silence. You all suck.


"Game Over."


F8001BE1190CAED74BBDDAD78667877C84D1A128