
The “unpatchable” exploit that makes every current Nintendo Switch hackable - pjl
https://arstechnica.com/gaming/2018/04/the-unpatchable-exploit-that-makes-every-current-nintendo-switch-hackable/
======
leggomylibro
Cool!

It's too bad that the cracking scene seems so vain, though. This article
presented three groups:

* One which wants to sell 'jailbreak' kits to enable piracy, while keeping the details to themselves.

* One which had planned a related disclosure window amongst the broader community for two days from now, and seems to feel somewhat vocally that this release is very similar to their work.

* One which seems like they might have flaunted that window a bit for the credit.

It's amazing and inspiring what these people manage to accomplish, but it'd be
nice to see less stepping on fingers - imagine what might happen if these
groups really cooperated! I guess it's a very reputation-driven scene, but
still...

~~~
spike021
This has always been the case with homebrew/jailbreak scenes, from the PSP to
the PS3/PS4, to iOS, etc.

There will always be squabbles among the different people and groups involved
with finding exploits or developing jailbreak/"hack" "kits".

Following from that, there will also always be people who want to jailbreak
only to pirate games and there will also be groups who want to disclose the
exploits properly, or use them purely for research and non-piracy fun
purposes.

~~~
digi_owl
These squabbles are as old as home computing.

Just check out the amount of name calling and whatnot that's put into those
cracktros that can be traced at least back to the C64.

~~~
bitwize
To say nothing of internecine squabbles between partisans of various home
computers. C64 r00lz and Spectrum dr00lz (or vice versa). About the only
platform that everyone can agree on is that the PC suxx0rz.

------
mindslight
This doesn't sound like it itself "exploits" anything, just deflates
Nintendo's attempted scheme to _exploit their customers_ by booby trapping
their hardware.

If you rigged your car to destruct 30 minutes after it went out of cell
service, sold it to an unsuspecting buyer, and then laughed when they got
stuck in the desert, you'd be rightfully thrown in jail. But yet these
companies keep attempting to pull the same shit with impunity.

~~~
white-flame
I actually kind of liked the Gameboy approach. You needed to include a
byte-for-byte image of the trademarked Nintendo logo in order for the boot ROM
to run your cartridge. So there were no technical hurdles to running your code
in it, but it just made it legally dangerous to distribute.

~~~
fragmede
Sega tried this with the Dreamcast, and further, tried to enforce it in court.

They lost.

~~~
Someone1234
Indeed, but since then the DMCA[0] has radically shifted the law. Sega would
win today.

[0] [https://en.wikipedia.org/wiki/Digital_Millennium_Copyright_A...](https://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act)

~~~
Pharaoh2
IANAL, but the two things seem related, so why is GP being downvoted? From
just a reading of the wiki pages without much law knowledge it does seem like
Sega would win today? What am I getting wrong?

~~~
monocasa
I don't think they would, assuming that they wrote their own game and were only
using what was necessary of Sony's to run their own code.

See Chamberlain v. Skylink for a post DMCA case on the matter.

[https://en.m.wikipedia.org/wiki/Chamberlain_Group,_Inc._v._S...](https://en.m.wikipedia.org/wiki/Chamberlain_Group,_Inc._v._Skylink_Technologies,_Inc).

~~~
Pharaoh2
That seems to deal with anti-circumvention provisions and not copyright
provisions, and not with infringing on trademark/copyright as the GGGGP
(white-flame) seems to be pointing to.

~~~
monocasa
Chamberlain is cited as a rebuttal to the DMCA argument; the DMCA has nothing
to do with trademarks, and therefore I took its citation to be in reference
to its anti-circumvention clauses. For the trademark argument, see Sega v.
Accolade's decision.

------
ohthehugemanate
Great news for people who want to use their purchased hardware for things
Nintendo won't allow, i.e. watching movies on the great screen, using generic
HDMI adapters, playing games they already purchased for older console
versions, or backing up savegames.

Also great news for people who want to use their hardware for things that are
actively against Nintendo's interests, like playing pirated games.

All around, seems like an us: 1, them: 0 story.

~~~
jake_the_third
> backing up savegames

This. I decided against buying a Switch because I discovered that it prevents
owners from backing up save files.

I still don't plan to buy a Switch until Nintendo supports backing up save
files officially like they do with cross-region compatibility. Having to lose
100s of hours of progress for what amounts to an arbitrary reason from a
Nintendo bigwig is not something I am willing to stomach.

~~~
letsgetphysITal
Buy used. Nintendo won't get a cent, you'll pay less, and you won't be hit so
hard in the wallet if your device fails after this mod.

------
userbinator
_In the FAQ, Temkin says she has previously notified Nvidia and vendors like
Nintendo about the existence of this exploit, providing what she considers an
"adequate window [for Nvidia] to communicate with [its] downstream customers
and to accomplish as much remediation as is possible for an unpatchable
bootROM bug."_

Why would you even want to do that...? Money? Fame? As I've heard it said
memorably, "would you tell someone who takes you hostage and locks you up,
that the lock is actually trivial to open?" This is just further evidence of a
fact I've noticed for a long time: a lot of security researchers are pro-DRM,
pro-corporatocracy authoritarians, and their vision of "more secure" is a
dystopian nightmare.

I still remember the good old days, when the hacking/cracking scene was
entirely composed of people doing it for the _freedom_, with no do-gooding
snitches to worry about...

10 years ago, if you shared a way to bypass a DRM scheme in the right places,
it would live on for a long time. Now, it's more likely that some bastard is
going to report it and get it patched in days to weeks.

~~~
Someone1234
This exploit has nothing specifically to do with DRM, and compromises the
entire root of trust chain on devices impacted (including devices which aren't
locked down).

~~~
userbinator
Given that the DRM is precisely about stopping owners from controlling their
devices fully, I'd say it's pretty relevant to this exploit being able to
bypass that.

------
bri3d
This has reasonable parallels to the PSP "Pandora's Battery" exploit, which
put the device into DFU mode using a battery that emulated the factory service
mode jig, and then exploited an issue in the trust chain verification in the
first-stage (mask-ROM) bootloader. Similarly fixable with hardware only, which
came soon after the exploit.

This bootloader bug is much sillier (IMO) than Sony's, though. Sony's was a
series of crypto mistakes in the trust chain verification: it decrypted blocks
in place and there was an issue in the checksum code that left it vulnerable
to a timing attack, so a very, very small valid-but-colliding block had to be
constructed and the rest of the bootloader was then freely-injectable. This
nVidia/Nintendo mistake is an even sillier basic protocol issue.

I think the main lesson here is not to put complex protocol code in your
immutable first-stage mask ROM, and if you do, to limit the surface area as
much as possible, ensure memory safety, and audit the hell out of it.

------
white-flame
I believe this has been known for a while, even though it's just now been
"made public" as far as the press is concerned. In the meantime, disassembly
of OS updates for the Switch imply that they're adding support for a newer
version of the Tegra processor, which many speculate to be a silent hardware
upgrade on new systems to boost security, not for a new model with speed
upgrades.

~~~
epai
Yep! Looks like the silent hardware upgrade happened in v5.0.0 of the OS.

Here's a youtube video published March 13th talking about it:
[https://youtu.be/ZzsbDGDwg1U?t=5m17s](https://youtu.be/ZzsbDGDwg1U?t=5m17s)

And here's a related reddit discussion on the nintendo switch subreddit:
[https://www.reddit.com/r/NintendoSwitch/comments/8588c1/50_w...](https://www.reddit.com/r/NintendoSwitch/comments/8588c1/50_w..).

------
jsiepkes
> By sending a bad "length" argument

Not the first system to go down because of a boundary check failure. Though I
was hoping for something more spectacular.

------
buildbot
I wonder if this exploit would be workable on older Tegra systems, like for
example a Tegra 3 in the digital cockpit on the Audi S3/R8/TT [1] or the K1
they are selling now [2] - it would be really great to be able to modify and
customize those systems.

[1] [https://blogs.nvidia.com/blog/2016/04/25/virtual-cockpit/](https://blogs.nvidia.com/blog/2016/04/25/virtual-cockpit/)

[2] [http://www.nvidia.com/object/visual-computing-module.html](http://www.nvidia.com/object/visual-computing-module.html)

~~~
asiekierka
Yes, as far as I know both the Tegra 3 and K1 are vulnerable.

------
mar77i
YAY, they published it!!!

I think this is amazing news. I'm almost fully convinced to buy a Switch now.

------
misterbowfinger
> By sending a bad "length" argument to an improperly coded USB control
> procedure at the right point, the user can force the system to "request up
> to 65,535 bytes per control request." That data easily overflows a crucial
> direct memory access (DMA) buffer in the bootROM, in turn allowing data to
> be copied into the protected application stack and giving the attacker the
> ability to run arbitrary code.

Classic.
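The bug shape quoted above (a host-controlled 16-bit length copied into a fixed-size bootROM buffer) and bri3d's lesson about keeping mask-ROM protocol code small and memory-safe are illustrated by the following added simulation; it is not Nvidia's or Nintendo's code and has nothing to do with Tegra specifics. The arena layout, the 4 KiB buffer size and the sentinel byte are constructed assumptions so the overwrite can be observed without undefined behaviour.

```c
#include <stdint.h>
#include <string.h>

/* Simulated bootROM memory: a fixed DMA buffer followed by a region that
 * stands in for the protected stack. Everything lives in one arena so the
 * demonstration stays within defined behaviour while showing the overwrite. */
#define DMA_BUF_SIZE 4096u                      /* constructed buffer size */
#define STACK_OFF    DMA_BUF_SIZE               /* "stack" begins right after it */
#define STACK_MARK   0xA5u                      /* constructed sentinel byte */
#define ARENA_SIZE   (DMA_BUF_SIZE + 65535u)    /* room for any 16-bit length */

static uint8_t arena[ARENA_SIZE];

static void reset_arena(void) {
    memset(arena, 0, sizeof arena);
    memset(arena + STACK_OFF, STACK_MARK, 64);  /* 64 sentinel bytes of "stack" */
}

/* Vulnerable pattern: the handler trusts the host-supplied length field
 * (16 bits, so up to 65535) and copies that much into a 4 KiB buffer. */
static void handle_control_unchecked(const uint8_t *data, uint16_t length) {
    memcpy(arena, data, length);
}

/* Hardened pattern: refuse any request longer than the buffer and report it,
 * so the caller can log or stall the transfer instead of corrupting memory. */
static int handle_control_checked(const uint8_t *data, uint16_t length) {
    if (length > DMA_BUF_SIZE) return -1;
    memcpy(arena, data, length);
    return 0;
}

/* 1 if the simulated stack sentinel survived, 0 if it was overwritten. */
static int stack_intact(void) {
    for (unsigned i = 0; i < 64; i++)
        if (arena[STACK_OFF + i] != STACK_MARK) return 0;
    return 1;
}

/* Drive one request through the chosen handler.
 * Returns 2 if the request was rejected, otherwise stack_intact(). */
int run_request(int use_checked, uint16_t length) {
    static uint8_t payload[65535];              /* constructed host data */
    memset(payload, 0x41, sizeof payload);
    reset_arena();
    if (use_checked) {
        if (handle_control_checked(payload, length) != 0) return 2;
    } else {
        handle_control_unchecked(payload, length);
    }
    return stack_intact();
}
```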

------
threeseed
> Nintendo may still be able to detect "hacked" systems when they sign on to
> Nintendo's servers. The company could then ban those systems from using the
> Switch's online functions.

So at least one positive then. Nintendo will be forced to improve their online
services.

------
Thaxll
Switch security is a joke and it's really bad for the players; it means that
people can hack online games fairly easily. FYI Microsoft > Sony > Nintendo in
terms of console security.

Edit: For people who downvote me, do you work in the security field or just
downvote w/o knowledge?

~~~
Skunkleton
People might be downvoting you because "Microsoft > Sony > Nintendo" comes
off as grandstanding. As someone in the "security field", you must be aware
that poor communication can tarnish otherwise correct information.

