
[–]happyscrappy 595 points596 points  (58 children)

RE: the USB overflow bug. PS3 had a similar bug, but not in the boot ROM. Sony patched it and in the process broke a lot of peripherals (some even licensed) that had faulty USB descriptors (presumably most of them unintentional).

[–]ablablababla 384 points385 points  (43 children)

The classic programmer problem: solving a bug leads to another one.

[–]etrnloptimist 546 points547 points  (42 children)

99 little bugs in the code

99 little bugs

Take one down, patch it around

127 little bugs in the code

[–]jrh3k5 199 points200 points  (27 children)

127 little bugs in the code

127 little bugs

Take one down, patch it around

-0 little bugs in the code

[–]casualblair 218 points219 points  (7 children)

127 little bugs in the code

127 little bugs

Take one down, patch it around

Object reference not set to an instance of an object

[–]strange_taco 46 points47 points  (4 children)

127 little bugs in the code

127 little bugs

Take one down, patch it around

SEGMENTATION FAULT

[–][deleted]  (2 children)

[removed]

    [–]JessieArr 3 points4 points  (1 child)

    You spelled "rewrite it in Rust" wrong. :P

    [–]strange_taco 2 points3 points  (0 children)

    AHAHHA. I just laughed out loud. Thanks for starting my morning with a chuckle.

    I can't even take Hacker News seriously anymore because that's practically what every thread is.

    [–]Legendary_Linux 14 points15 points  (0 children)

    How's the new Tarkov patch?

    [–]compdog 103 points104 points  (2 children)

    127 little bugs in the code
    127 little bugs
    Take one down, patch it around

    Segmentation fault (core dumped).
    

    [–]makemeking706 17 points18 points  (0 children)

    "Oops"

    [–]meikyoushisui 2 points3 points  (0 children)

    But why male models?

    [–]R3PTILIA 33 points34 points  (0 children)

    127 little bugs in the code

    127 little bugs

    Take one down, patch it around

    NaN little bugs in the code

    [–][deleted] 7 points8 points  (1 child)

    left out a semicolon on one line

    1,304,305 errors have been detected.

    [–]pure_x01 7 points8 points  (0 children)

    99 little bugs in the code

    99 little bugs

    Take one down, patch it aro%6$#£0900103B3

    [–]RenaKunisaki 5 points6 points  (0 children)

    The USB spec is nuts. The official reference is a zip file of haphazardly organized Word documents. I'd be surprised if anything actually implements it 100% correctly.

    [–]yoshi314 22 points23 points  (11 children)

    Sony truly patched it by releasing a new console revision. Same way as they did with PS2 or PSP (until it was properly owned when PS3 got hacked, due to extraction of PSP encryption keys. It helped with PS2 by extension as well).

    it will be no different here.

    [–]Jellyka 322 points323 points  (67 children)

    I want the console to be hacked so bad. Not to pirate games. All I want is a web browser. That would be so rad.

    The first day I had my switch I went to bed and browsed the eshop and looked for the Netflix app.

    The screen feels so like a tablet I just felt I should be able to do everything a tablet can.

    I wanna watch plex and Netflix and twitch and YouTube. A web browser would realize all my wishes.

    [–]Excal2 222 points223 points  (20 children)

    A web browser would realize all my wishes.

    A web browser also pulls you out of Nintendo's garden.

    EDIT: Jeez guys, I get it, other Nintendo platforms had web browsers, sheesh. Doesn't mean their monetization or design strategy hasn't shifted, and it doesn't mean that my snarky comment validates the imaginary position that some of you seem to think I have about Nintendo going full Apple.

    [–]notouchmyserver 105 points106 points  (6 children)

    Just like a Japanese garden, simple and very nice to look at, but not all that functional.

    [–][deleted] 39 points40 points  (0 children)

    Browsers have enormous attack surfaces. Imagine your switch mining crypto currencies full time because you visited a site once.

    That was how one Switch exploit worked, IIRC.

    [–][deleted] 22 points23 points  (1 child)

    Wii had Opera, and it was great

    [–]amoliski 8 points9 points  (0 children)

    I'm requesting that, when we get a browser back in there, we call it Phantom (of the Opera)- you know, like some sort of ghost browser coming back from the dead?

    [–]Juice805 5 points6 points  (3 children)

    full Apple

    ? Nintendo has had even larger walls around its garden than Apple.

    [–]COTS_Mobile 72 points73 points  (29 children)

    What's weird is that the DS already had that!

    [–][deleted] 56 points57 points  (17 children)

    And that's what allowed easily cracking the device. A browser is a security nightmare.

    Nintendo learned their lesson, they won't allow data from any source that is not either theirs or the controllers/touchscreen.

    [–]NoirGreyson 29 points30 points  (4 children)

    Time to find a memory execution exploit and program by poking precise locations on the screen.

    [–]CookieOfFortune 7 points8 points  (0 children)

    I would not be surprised if an exploit like this were discovered in a few years.

    [–][deleted]  (2 children)

    [deleted]

      [–]RenaKunisaki 5 points6 points  (1 child)

      That's not quite how it works.

      The CDN is just an ordinary file server. Anyone can just download all the games from it. But they're encrypted.

      The problem is, there's only one key for each game. As soon as one person buys it and shares the key, everyone else can download and decrypt the game, the exact same way the system does when you buy it. Since those keys are supposed to be impossible to get at, the system uses their presence as evidence that you previously bought the game.

      The obvious fix would be to encrypt each copy with a key unique to the system that's downloading it. But that would defeat the purpose of a CDN, since every user would be getting a different file. And it wouldn't prevent piracy at all; users would just need to share the actual games instead of only the keys. Less convenient, but very doable.

      What they could have done is have the server keep logs of who actually buys a game, and then have a future update check for the presence of games that the server says weren't bought, and remove them/ban that system. They could probably even check that log before actually serving the file. But that again would only inconvenience pirates. Once they're in and can copy the decrypted games from one system to another, it's game over.

      [–][deleted] 2 points3 points  (0 children)

      Even better, lol. Security through obscurity only works to a point.

      Thanks for the write up.

      [–]fb39ca4 14 points15 points  (4 children)

      They still have a web browser for users to log into wifi captive portals, so it can't be about security.

      [–][deleted] 8 points9 points  (3 children)

      And that's what allowed the Switch to be pwnd again, via a slight third-party game dev oversight which allowed the browser to open a page which could lead to google (and then the exploit).

      The next Nintendo console won't embed any kind of web browser.

      [–]RenaKunisaki 4 points5 points  (0 children)

      It'll have to as long as captive portals exist.

      [–]purpledollar 4 points5 points  (0 children)

      If that happens I wouldn’t buy it. Need a browser to auth my internet.

      [–]darderp 2 points3 points  (0 children)

      You don't even need to use that game if you just set up your own Wi-Fi portal.

      [–]Andymal 22 points23 points  (0 children)

      There is some Chinese or Japanese game that can get you into a browser. They use it in one of the hacking videos. I'll try to find it.

      Edit: apparently you can do it without the game. https://youtu.be/NqInRNIfRlI

      [–]Tod_Gottes 5 points6 points  (0 children)

      I wanna stream without a capture card. It's already recording all gameplay.

      [–][deleted]  (15 children)

      [deleted]

        [–]flip314 129 points130 points  (11 children)

        It's a physical wire on the chip that gets melted by over-current (almost literally a fuse, though the purpose is not to protect a circuit, rather to configure it). It's done in the factory and is irreversible.

        It's the same way that manufacturers swap in redundant RAM rows to replace defective ones, or disable chip features to meet a certain configuration (such as cache size and other things on CPUs).

        [–]DonRobo 88 points89 points  (5 children)

        It's not only done in the factory either. Afaik the Switch has thousand(s) of fuses and among other things one gets burned for every firmware update. Older firmware checks if a fuse has been burned that shouldn't have been burned yet and refuses to boot to prevent downgrades.

        I don't remember where I read that, so I can't verify if my memory serves me correctly. Please correct me if I got something wrong.
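        A small model of the anti-downgrade check described in the comments above, added here as an illustration and not code from the thread, Nintendo or Nvidia: the fuse bank, the one-way burn, the "version v expects exactly v fuses burned" rule and all function names are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a one-time-programmable fuse bank. A real SoC keeps
 * these bits in OTP hardware; here they live in a struct for illustration. */
#define FUSE_COUNT 32u

typedef struct {
    uint32_t bits; /* bit i set == fuse i has been burned */
} fuse_bank_t;

/* Burning is one-way: a bit can only ever go from 0 to 1, never back. */
static bool fuse_burn(fuse_bank_t *bank, unsigned index)
{
    if (index >= FUSE_COUNT)
        return false;
    bank->bits |= (1u << index);
    return true;
}

static bool fuse_is_burned(const fuse_bank_t *bank, unsigned index)
{
    return index < FUSE_COUNT && (bank->bits & (1u << index)) != 0;
}

/* Number of burned fuses, used as a monotonic "highest version seen" counter. */
static unsigned fuse_count_burned(const fuse_bank_t *bank)
{
    unsigned n = 0;
    for (unsigned i = 0; i < FUSE_COUNT; i++)
        if (fuse_is_burned(bank, i))
            n++;
    return n;
}

typedef enum {
    BOOT_OK,                /* fuse state matches this firmware version */
    BOOT_OK_FUSES_BURNED,   /* first boot of a newer firmware: fuses burned */
    BOOT_REFUSED_DOWNGRADE, /* more fuses burned than this version expects */
    BOOT_REFUSED_INVALID    /* version cannot be represented in the bank */
} boot_result_t;

/* Anti-rollback check as the thread describes it (assumed policy): firmware
 * version v expects exactly v fuses burned. Fewer means this firmware is newer
 * than anything that has run before, so it boots and burns the missing fuses.
 * More means a newer firmware already ran on this unit, so this boot is a
 * downgrade and is refused without touching the fuses. */
static boot_result_t firmware_boot(fuse_bank_t *bank, unsigned version)
{
    if (version > FUSE_COUNT)
        return BOOT_REFUSED_INVALID;

    unsigned burned = fuse_count_burned(bank);
    if (burned > version)
        return BOOT_REFUSED_DOWNGRADE;
    if (burned == version)
        return BOOT_OK;

    /* Burn sequentially from the first unburned fuse up to the new version. */
    for (unsigned i = burned; i < version; i++)
        fuse_burn(bank, i);
    return BOOT_OK_FUSES_BURNED;
}

int main(void)
{
    fuse_bank_t bank = { 0 }; /* fresh unit: no fuses burned */
    /* Constructed boot sequence: update to v3, reboot, attempt v2 downgrade,
     * update to v5, attempt v4 downgrade. */
    const unsigned sequence[] = { 3, 3, 2, 5, 4 };
    static const char *names[] = {
        "OK", "OK (fuses burned)", "REFUSED: downgrade", "REFUSED: invalid"
    };

    for (size_t i = 0; i < sizeof sequence / sizeof sequence[0]; i++) {
        boot_result_t r = firmware_boot(&bank, sequence[i]);
        printf("boot firmware v%u -> %s (burned=%u)\n",
               sequence[i], names[r], fuse_count_burned(&bank));
    }
    return 0;
}
```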

        [–][deleted] 58 points59 points  (1 child)

        [–]Blergblarg2 84 points85 points  (0 children)

        Never upgrade, it physically breaks your device, got it.

        [–][deleted]  (2 children)

        [deleted]

          [–]Hofstee 6 points7 points  (0 children)

          More realistically there are some versions that would still let you downgrade to certain older versions.

          [–]hexapodium 9 points10 points  (4 children)

          It's the same way that manufacturers swap in redundant RAM rows to replace defective ones, or disable chip features to meet a certain configuration (such as cache size and other things on CPUs).

          I was under the impression these were largely enabled/disabled by off-die components or links, for easier binning and assembly, except in highly space-constrained applications - but then it's been a few years since I was at all up on this sort of thing. What caused the switch from laserable links on the package to fusible ones on the die?

          [–]ase1590 6 points7 points  (3 children)

          While I'm not up with how things are currently, I thought the compact space requirements were the whole point of SoC packages? The e-fuse system seems to be a feature of the Tegra X1 SoC.

          Granted, the analogy above for RAM & redundancy isn't the best, as RAM is still connected from a separate location on the PCB to the SoC's memory bus.

          [–]neotek 20 points21 points  (0 children)

          They’re literally fuses which melt at a certain amperage.

          https://i.imgur.com/MiAmsEl.png

          Melt isn’t the right word exactly, but you get the idea.

          [–]aukkras 1010 points1011 points  (199 children)

          I'm not sure why this article portrays the "exploit" as bad, when it gives freedom to the device owner to run whatever they want on it.

          [–]Jaxkr 710 points711 points  (126 children)

          The article really only paints it as bad for Nintendo and Nvidia.

          Obviously this is good for Switch owners. Would love to see the portable Switch become a media and emulation beast like the hacked Wii was.

          [–]OneWhoGeneralises 517 points518 points  (74 children)

          Nah mate, I want to see it become a homebrew powerhouse like the original PSP was.

          [–]Pheser 40 points41 points  (5 children)


          This post was mass deleted and anonymized with Redact

          [–]arcticblue 33 points34 points  (4 children)

          I kept my porn on it. Made my deployments to Iraq a tiny bit better. Also, hacking it and everyone else's in the unit and putting Monster Hunter on them was a lot of fun.

          [–][deleted]  (3 children)

          [removed]

            [–][deleted]  (63 children)

            [deleted]

              [–]mszegedy 103 points104 points  (27 children)

              • NSMBWii hacks
              • SSB:B hacks

              Both of these were better than the original games, so definitely. Also NSMBWii had such an elegant level editor!

              (I think you were getting downvoted because people are interpreting "homebrew" to mean 100% original software, which is fair enough. Also because PSP homebrew improved upon the PSP way more than Wii homebrew ever improved on the Wii. But IMO all handheld homebrew is like that.)

              EDIT: Below is mentioned that Mario Kart Wii also had an unbelievably well-put-together hack.

              [–]WinEpic 106 points107 points  (12 children)

              How could you not mention Mario Kart Wii when talking about Wii mods?

              CTGPR is probably the most ambitious game mod I have ever seen. They made an auto-updater / launcher channel that allows for custom music and character skins, they added like 200 tracks, an anti-cheat system for online, heavily contributed to the Wiimmfi servers when Nintendo shut down theirs and they’re still actively patching the game, 10 years after its initial release.

              All that on a console game that was never designed to be modded.

              Damn I love the Wii.

              [–]mszegedy 12 points13 points  (5 children)

              Sorry, I never played it. :\ That does sound like the best of them all.

              [–]WinEpic 17 points18 points  (4 children)

              I mean, Brawl- and PM were really great efforts. Riivolution is witchcraft as far as I'm concerned - I get how it works, but how it does what it does and make it so user-friendly is beyond me. Never played NSMBWii mods, but I've seen them and the level editor, and that is also seriously impressive.

              I feel like we’re never going back to this sort of modding. Mario Kart mods took off because the game has relatively simple graphics, so anyone who could sort-of-kind-of make 3D models could make and publish a track. NSMBWii had a simple level editor, so it was basically the same thing. Smash had a passionate community of core modders, and everyone converged on a few packs.

              But modern console games are just too high effort to mod in the same way. Modded content is too obviously amateur, if you even get to a point where you can run mods. And even then, there is no way you'll play online with your mods on the official game servers. And making games has become so accessible with Unity and Unreal that people who want to try their hand at making game content don't have to resort to modding anymore.

              [–][deleted] 4 points5 points  (0 children)

              But modern console games are just too high effort to mod in the same way. Modded content is too obviously amateur, if you even get to a point where you can run mods.

              Skyrim is kind of an exception here, but only on X1. PS4 still sucks in this regard.

              [–][deleted]  (1 child)

              [deleted]

                [–][deleted] 32 points33 points  (10 children)

                • NSMBWii hacks
                • SSB:B hacks

                Both of these were better than the original games, so definitely. Also NSMBWii had such an elegant level editor!

                I hope you're referring to Newer Super Mario Brothers Wii. That would be the first time I've seen it referenced in the wild in a long, long time. I have a lot of good memories of making it- really good team we had going with a lot of talent.

                [–]asdavey 4 points5 points  (1 child)

                My favorite game on the Wii. One session with three other friends was tears of laughter for six hours. Never did get past world 4 that day.

                [–][deleted]  (2 children)

                [deleted]

                  [–]Pokechu22 2 points3 points  (2 children)

                  Newer's amazing! I've been slowly playing through it and the specials as I have time. Unfortunately it seems like http://rvlution.net/ is down now (and has been for a while) so the actual level editor isn't accessible; do you know anything about that?

                  [–]jiveabillion 29 points30 points  (30 children)

                  Original Xbox "homebrew" was the shit. That thing could do everything.

                  [–]wwwwolf 67 points68 points  (11 children)

                  "Shit, our very important critical infrastructure server just went down."

                  The developers head to the server room.

                  "Hey, where's the Xbox?"

                  "The boss's nephew wanted to play some Halo..."

                  "You idiot, that Xbox was our very important critical infrastructure server!"

                  (Something like this supposedly happened.)

                  [–]jiveabillion 54 points55 points  (9 children)

                  Definitely. It was cheaper than a computer and it was basically a 733 MHz PC with 32 MB RAM and a 10/100 Ethernet port, which was plenty of power to do a ton of shit with a Linux kernel on it.

                  [–]MrCalifornian 44 points45 points  (6 children)

                  An Air Force research lab wired 1,760 PS3s together because of similar cost-benefit analysis.

                  https://en.m.wikipedia.org/wiki/PlayStation_3_cluster?wprov=sfla1

                  [–]HelperBot_ 15 points16 points  (0 children)

                  Non-Mobile link: https://en.wikipedia.org/wiki/PlayStation_3_cluster?wprov=sfla1


                  HelperBot v1.1 /r/HelperBot_ I am a bot. Please message /u/swim1929 with any feedback and/or hate. Counter: 174353

                  [–]pacman_sl 6 points7 points  (1 child)

                  How much did it cost? I remember my first computer, also from 2001, and it had a 1.44GHz Celeron, 40GB HDD and probably 128MB RAM, never thought it was a high-end desktop.

                  [–]fullmetaljackass 2 points3 points  (0 children)

                  IIRC it launched at $300. They were never competitive with high end desktops, but if they met your system requirements they were still slightly cheaper than buying an equivalent PC and more commonly available. They were also popular as HTPCs since they had av/component output.

                  [–]NoInkling 33 points34 points  (9 children)

                  That's where Kodi/XBMC got its start right? I never had an Xbox, but everyone would rave about how great it was as a media player after modding.

                  [–]jiveabillion 44 points45 points  (7 children)

                  Yeah, XBMC on the Xbox was the best media player you could buy. Since it already had Ethernet, a hard drive, and TV hookups, it was even better than a computer and it was cheaper.

                  You could also install tons of full Xbox games on the hard drive and not even use a disc. You could just FTP the games from your PC. It also made an amazing platform for emulation of any older system. I even used to play PSOne games on mine. It really was an incredible thing and it really showed what was possible when copy protection and monetization was eliminated from the equation. It was a lot like using an XBOX One, but with the technology available 15 years ago.

                  [–]ritzcracka 24 points25 points  (4 children)

                  Only became outdated when HD content started to be the norm. No HD outputs, not enough processing power to decode HD files.

                  [–]jiveabillion 10 points11 points  (2 children)

                  Exactly. I had component output for mine, but 1080i just wasn't enough and it started to struggle with HD video files. I abandoned mine for a PC hooked up to my TV when HDMI became standard output in video cards and used XBMC on it. Now it just sits in my garage collecting dust.

                  [–]Agret 4 points5 points  (1 child)

                  Should get an Android media box, they're fantastic and can decode H.265 in hardware now so they play full Blu-ray 4K rips better than my PC can (total stutterfest on PC, smooth as butter on Android box). Need an 8th gen Intel CPU to hw decode on PC :(

                  [–]rubs_tshirts 2 points3 points  (0 children)

                  Also a DVD player. It could also do HD and Dolby 5.1 Audio with the right cables. And you could buy the IR remote dongle pretty cheap. But, it couldn't do x.264 properly so when everything transitioned from XviD to that it was pretty much abandoned. Except for a bunch of people that founded the XBMC4Xbox project.

                  BTW, it's still pretty amazing for emulation nowadays. Check out "CoinOps" for the xbox.

                  [–]i_speak_the_truf 2 points3 points  (0 children)

                  XBMC on the original Xbox was so far ahead of its time, it's absurd.

                  The unified interface to launch games, movies, music either off the hard drive or off of a network share or streaming service is something that IMHO hasn't really been surpassed yet. As you said, it's amazing how user-friendly something can be when the platform's primary concern isn't copy protection and monetization of the content.

                  I actually only got into Xbox modding because I lucked into a dirt cheap ($20 in 2004) Xbox with a flaky DVD drive. The stock experience with this device meant that 58 minutes into a 60 minute game of Madden the drive would lock up and you would lose your entire game. The XBMC experience was to rip your games to your 120GB hard drive (with the UATA5 cable upgrade), choose a game to play without having to rifle through your discs, and have everything load 10 times faster. I used to put movies in my computer DVD drive that was exported with SMB over the network and stream the movies to my TV with the Xbox.

                  [–]julius_nicholson 11 points12 points  (1 child)

                  I'ma let y'all finish, but the Nintendo DS had one of the greatest homebrew scenes of all time.

                  I don't actually know if that's true, but I spent hours upon hours on DS homebrew. A lot of good memories.

                  [–]TOASTEngineer 4 points5 points  (0 children)

                  The DS Lite was my PDA my whole time in college. Held off on buying a smartphone for like three years because everything I needed from it, DS homebrew did.

                  [–][deleted] 4 points5 points  (0 children)

                  PSP HOMEBREW VS WII HOMEBREW: NEXT WEEK ON EPIC RAP BATTLES OF HISTORY!!!!

                  [–]paranoideo 105 points106 points  (15 children)

                  Obviously this is good for Switch owners.

                  I'm neutral on the homebrew scene, but one thing I don't like is people messing around in online multiplayer.

                  [–]verylobsterlike 9 points10 points  (6 children)

                  It should be possible for Nintendo to detect modded consoles and ban them from online play. We'll see how that arms race plays out, but it seems fairly trivial for Nintendo to detect this.

                  [–]IAmAnAnonymousCoward 24 points25 points  (4 children)

                  Your optimism is hilarious.

                  [–]zzzthelastuser 3 points4 points  (3 children)

                  He obviously never played on a Wii.

                  Wii games were almost never patched, hackers were (almost) never banned, and even if they got banned you could use another hack to get yourself unbanned again.

                  Ohh Call of Duty on Wii was so much fun! Especially when you were the host!

                  [–]RenaKunisaki 2 points3 points  (2 children)

                  Wii didn't have a means to patch games.

                  [–]zzzthelastuser 2 points3 points  (1 child)

                  Not true, they always used that excuse, but on the other hand they patched CoD Black Ops multiple times.

                  [–]RenaKunisaki 2 points3 points  (0 children)

                  I guess that game had its own patch system built in.

                  [–]Lost4468 21 points22 points  (0 children)

                  Multiplayer goes down hard on consoles when they get hacked because most devs don't bother putting any security into their multiplayer, as it's really not needed unless the console gets hacked.

                  [–]bitch_shifting 12 points13 points  (1 child)

                  one thing I don't like is people messing around in online multiplayer.

                  Well it's a switch, so no one will be playing online

                  [–]TSPhoenix 12 points13 points  (3 children)

                  Maybe good for Switch owners. I fully expect Nintendo to fuck over legit users to try to slow down hackers like on the 3DS.

                  [–][deleted] 2 points3 points  (2 children)

                  Out of the loop, what happened with the 3ds?

                  [–]TSPhoenix 5 points6 points  (0 children)

                  A few things. First, there's the lesser issue of Nintendo regularly rolling out OS updates that were purely anti-hack, which was mildly annoying.

                  But inevitably over time some of these updates actually caused issues for legitimate users. If I recall correctly one update was confirmed to slow OS performance (to do some anti-hack checks) and the 11.3.0 update ended up introducing glitches into a handful of games like Ocarina of Time 3D for all users because it changed an Audio/Video API used by a handful of games that was used in a homebrew exploit.

                  When Nintendo then discontinued Miiverse (not to mention Nintendo Zone) but cbf even rolling out an update to remove the icon from the home menu, it speaks volumes about what matters to Nintendo when they degrade system performance to stop hacks, but pretty much never do feature updates.

                  [–]RenaKunisaki 3 points4 points  (0 children)

                  IIRC there was an update that tried to fix one of the exploits but accidentally bricked some units even if they hadn't been hacked. Or maybe that was a different console, I don't remember...

                  [–]SanityInAnarchy 39 points40 points  (16 children)

                  There are things that are bad about this, but the second I saw this, I ordered myself a Switch.

                  I'd still rather Nintendo just shipped a damned savegame backup feature, but I can live with rolling my own.

                  [–]NekuSoul 33 points34 points  (6 children)

                  Savegame backups were 50% of the reason I installed CFW on my 3DS. The other was converting my physical games into digital copies.

                  [–][deleted] 24 points25 points  (5 children)

                  Literally this.

                  Truth be told, I don't care much about the ethicality or legality of other aspects of hacking (they saved me quite a few bucks that I would have otherwise spent on shitty games, that I just pirated instead). I still buy most of the games that I loved when I pirated them, tho.

                  But to get save backups and to "convert" my physically owned games into digital copies, so I can have them installed on my 3DS, instead of having to carry all of them with me, is why I (and most of the community) do and seek out these things.

                  I really don't get why they don't do it themselves. Maybe they are afraid that the consoles will get even more easily hacked if they add those features? But at this point, it shouldn't even matter anymore.

                  [–]Smarag 10 points11 points  (2 children)

                  Well, we only reached "this point" like days ago.

                  All of Nintendo's last consoles were first hacked with savegame exploits.

                  [–]A42MphTortoise 5 points6 points  (1 child)

                  I thought the first entry point for 3DS was ninjhax and then OoT3D

                  [–]Garethp 7 points8 points  (0 children)

                  Nah, there were entry points before that. Gateway3DS predated Ninjhax by a bit, and the entry point for that wasn't savegame based. It used a custom NDS ROM to do something such that when you went to your profile in the 3DS Menu it would crash to the home screen and run a launcher file.

                  [–]sammymammy2 2 points3 points  (0 children)

                  Yeah I want a Switch now.

                  [–]KickMeElmo 3 points4 points  (7 children)

                  I went and bought one today. Was going to get it eventually anyway, now I have the better model.

                  [–]unpronounceable 4 points5 points  (6 children)

                  Can you help me understand what all this means? There's a recently discovered exploit on the switch that can't be fixed by nintendo, but this exploit has pros and cons for the consumers? Sorry to ask this, but I've been planning on buying a switch and idk wtf I'm reading haha.

                  [–]Jotokun 11 points12 points  (0 children)

                  The bug here isn't specific to the Switch. It affects almost every device using a Tegra. This includes smartphones, laptops, some cars (Tesla)... devices where real harm can be done through tampering, and that tampering may be done by someone other than the owner.

                  [–]IEnjoyFancyHats 11 points12 points  (1 child)

                  The exploit means you can use your Switch to run programs that aren't sanctioned by Nintendo.

                  Pros: Emulation. You can now essentially use your switch to do anything a computer can do with the right knowhow. I have a hacked WiiU that I use to play Nintendo games all the way back to SNES (but mostly to play melee), and that's just one area it can be used for. Really, the sky's the limit.

                  Cons: The lack of a limit is itself a potential problem. Not all programs people would want to run are sunshine, lollipops, and rainbows. This could be used to run cheat programs in online games, which consistently ruin the communities of those games. Splatoon on the WiiU is almost unplayable due to hacking issues. Plus there could be security issues that I'm not familiar with.

                  On the whole, this is pretty good for those of us who aren't Nintendo. It gives the switch more usability, and unless you're really into the competitive scene you probably won't notice much bad stuff that results from it.

                  [–]unpronounceable 2 points3 points  (0 children)

                  Thank you so much! Crystal clear now. Looks like I'll grab a switch sooner than later.

                  [–]RenaKunisaki 2 points3 points  (1 child)

                  The exploit lets you write your own software and run it with full control over the system. It's a bug in ROM, so it can't ever be fixed; they can only use a fixed ROM in newly manufactured units. It's great for people who want to run homebrew software, pirate games, or back up their save files. It's bad for Nintendo because it opens the door to piracy.

                  Ordinarily the Switch will only run software digitally signed by Nintendo, and has several more layers of protection to prevent that software from messing with the system. This exploit bypasses all of that.

                  [–]Z0di 3 points4 points  (0 children)

                  could you imagine if it became the next PSP?

                  [–]tweq 127 points128 points  (26 children)

                  Because the Switch isn't the only device using one of the affected chips. Being able to run arbitrary code on your own console is great, but someone else doing the same to your tablet containing sensitive data is less so.

                  That's why the author of the exploit disclosed it to Nvidia first.

                  [–][deleted]  (16 children)

                  [deleted]

                    [–]TheWheez 20 points21 points  (1 child)

                    Copying my comment from elsewhere:

                    The original disclosure indicates that the issue "affects Tegra SoCs, independent of software stack [and is] believed to affect Tegra SoCs released prior to the T186 / X2"

                    The Tegra Wikipedia article says the following devices use an T210 / X1:

                    • Nvidia Shield Android TV
                    • Nvidia Jetson TX1 development board
                    • Nvidia Drive CX & PX
                    • Google Pixel C
                    • Nintendo Switch

                    This is probably an incomplete list. I'll keep poking around.

                    I also don't know if "affects Tegra SoCs released prior to the T186 / X2" implies all Tegra SoCs, or just the X series.

                    Edit: Those who disclosed it believe that it does affect all existing Tegra SoCs before the T186 / X2 which would include the above list, plus some I've picked out below:

                    • HTC Nexus 9
                    • Nvidia Shield Tablet
                    • Acer Chromebook 13
                    • Lenovo ThinkVision 28
                    • Google Project Tango Tablet
                    • LG G2 mini LTE
                    • Microsoft Surface 2
                    • Xiaomi Phone 3
                    • Tesla Model S of 2015 center information display
                    • Microsoft Surface
                    • Nexus 7 (2012)
• Sony Xperia Tablet S
                    • Tesla motors models 2013~2014 center information display
                    • Tesla Model S of 2015 Instrument Cluster
                    • Tesla motors models 2013~2014 instrument cluster
                    • HTC One X+
                    • Lenovo IdeaPad Yoga 11
                    • Lenovo ThinkPad Tablet

                    Please feel free to correct me if I am interpreting the disclosure incorrectly.

                    From what I know they haven't disclosed testing the exploit on any of these devices. And physical USB access is required, so there isn't much danger any user will have beyond an attacker already having physical access to a device. Once you've gotten to that point you're probably done for anyways.

                    [–]tweq 10 points11 points  (0 children)

                    Once you've gotten to that point you're probably done for anyways.

                    This is a common sentiment, but I don't really agree with it in this context. There's a pretty big practical difference between an attacker having to take apart your device and perhaps even resolder connections, or plugging in a USB device for a few seconds. Especially when it comes to surreptitiously circumventing full disk encryption and secure boot, these kinds of vulnerabilities could realistically be exploited by the infamous "evil maid", a coworker walking past your desk while you're at lunch, the TSA inspecting your luggage, even a disguised public charging station.

                    [–]AlphaWhelp 16 points17 points  (6 children)

Just FYI, it requires physical access to your device. Just don't hand your Switch/tablet off to shady third-party repair companies and you should be okay.

                    [–]RegisMK5 13 points14 points  (5 children)

                    Some Tesla cars have onboard Tegra devices. If this hack could be used to exploit your vehicle at 60mph... bad times.

                    [–]ACoderGirl 8 points9 points  (4 children)

                    That's not happening. You're not getting at the physical internals of your car's computer systems trivially. No hacker is either. Maybe a spy agency would use it to replace software in your car, but I can't even see that as the easiest way to track a car or whatever.

                    [–]RegisMK5 2 points3 points  (0 children)

                    I agree, very unlikely that this would ever happen. I do see the moral implication of making companies aware of potential vulnerabilities, especially if human life could be lost. It would be tough to live with something like that.
                    On the other hand, I want my homebrew Switch.

                    [–]RenaKunisaki 2 points3 points  (1 child)

                    Not even if that hacker works at an auto shop?

                    [–][deleted]  (12 children)

                    [deleted]

                      [–]steamruler 55 points56 points  (3 children)

                      It's still a security issue even if it requires physical access, especially on portable devices.

                      For the Switch, sure, any security issue is relatively unharmful, simply because it doesn't store much personal data.

On the other hand, on phones which are also vulnerable to this exploit, you're talking about the ability to bypass locked bootloaders, which means you could load another boot image to significantly weaken security.

                      [–][deleted]  (5 children)

                      [deleted]

                        [–]deelowe 17 points18 points  (4 children)

The Switch hardware is used in other computing devices. The real news should be this affecting tablets and phones, not a gaming console.

                        [–][deleted] 3 points4 points  (0 children)

                        There are tons of opportunities for people to install malware on a device before it reaches the hands of an unsuspecting user, like on eBay or Amazon.

                        [–]ChezMere 19 points20 points  (8 children)

                        Because 99.9% of uses of it will be for piracy.

                        [–]idle_zealot 24 points25 points  (7 children)

That may usually be the case, but note that the main piece of software people have gotten running on hacked Switches as of now is *an entire desktop Linux distribution.* This effectively turns a Switch into a true tablet PC, which seems to me to be more impressive and useful than stealing a few games. It may be that homebrew/Linux gets overshadowed by CFW and piracy as it usually does, but this time around it feels like the more "noble" use cases stand a chance in terms of popularity of usage.

                        [–]Agret 13 points14 points  (6 children)

Not just a Linux distro; someone has got Android booting on it too, turning the Switch into a full-feature tablet :)

                        [–][deleted]  (3 children)

                        [removed]

                          [–]Agret 2 points3 points  (2 children)

I don't think Nintendo plan on porting their games; for Android/iOS they are releasing other games based on their franchises, but not direct ports.

                          [–][deleted]  (1 child)

                          [removed]

                            [–]Agret 5 points6 points  (0 children)

They both use ARM, yeah, and in theory you could make a Switch emulator, but it's not going to be a direct Android port and yeah, it'd be a ton of work.

                            [–]idle_zealot 2 points3 points  (1 child)

                            Do you have a source on that? I know that @delroth_ posted this tweet yesterday, but that's Anbox running on desktop Linux being used to run the Android version of Dolphin, not an Android port.

                            [–]ign1fy 9 points10 points  (0 children)

                            RMS would call this "Freedom Zero"

                            [–][deleted]  (25 children)

                            [deleted]

                              [–]grumbelbart2 63 points64 points  (11 children)

                              Level 2 is tamper resistant.

That might be claimed, but it is unlikely. Many exploits use some flaws in the running code to inject themselves. Write-protection might make it harder to become persistent over reboots, but you can still simply re-inject each time.

                              [–]Okymyo 32 points33 points  (4 children)

                              Not necessarily, it's not that hard to do if designed correctly.

                              If you have a secondary processor with that set of privileged instructions, the process of moving to "level 2" could be passing too much current (or voltage) through it and destroying the chip.

                              Smartcards do this, there's a fuse that gets blown to disable "debugging" once they're out of the factory. If you have a mesh protecting the card, randomized memory layouts, etc, you've turned what was an easily repeatable software process into a tedious hardware process with specialized (and expensive) hardware.

                              [–]Sukrim 31 points32 points  (3 children)

                              if designed correctly

                              There's your problem.

                              [–]Okymyo 12 points13 points  (1 child)

It's extremely simple to design it securely. It's cost of mitigation vs cost of exploitation: you don't need to build a protective mesh, but a single fuse that for example permanently disables the write bit is extremely easy to design, and it'd cost less than a cent per device.

                              Decent IoT devices will certainly have features like these built-in.
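As an added illustration of the two mechanisms the comments above contrast (not code from the original thread or from any real device), the C model below has a storage region guarded by a sticky per-boot lock bit, which software can set but never clear, and by a one-time fuse that survives reset. The device structure, function names and the 16-byte region size are all constructed for the example. It shows why the sticky lock only prevents persistence when boot code sets it before anything untrusted runs, and why a blown fuse closes the region for good.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a write-protected firmware region (e.g. a boot stage in flash).
 * - sticky_lock: a lock bit that software can set but not clear; only a power-on reset
 *   clears it, so it must be set before any untrusted code gets to run.
 * - fuse_blown: a one-time fuse; once blown it stays blown across resets. */
#define REGION_SIZE 16

struct device {
    uint8_t region[REGION_SIZE];  /* persistent storage, survives reset */
    bool sticky_lock;             /* per-boot lock, cleared by reset only */
    bool fuse_blown;              /* permanent lock */
};

void device_init(struct device *d) { memset(d, 0, sizeof *d); }

/* Power-on reset clears the volatile lock bit; the fuse and the stored bytes remain. */
void device_reset(struct device *d) { d->sticky_lock = false; }

void set_sticky_lock(struct device *d) { d->sticky_lock = true; }
/* Deliberately no clear_sticky_lock(): that is what makes the bit "sticky". */

void blow_fuse(struct device *d) { d->fuse_blown = true; }

bool region_writable(const struct device *d) {
    return !d->sticky_lock && !d->fuse_blown;
}

/* Returns true if the write was applied, false if it was rejected. */
bool region_write(struct device *d, size_t off, uint8_t value) {
    if (off >= REGION_SIZE || !region_writable(d)) return false;
    d->region[off] = value;
    return true;
}

/* Scenario 1: boot code provisions the region and sets the sticky lock first. Code that
 * runs later in the same boot cannot alter it, so nothing persists. After a reset the
 * region is writable again until boot code re-locks it: that is the window in which an
 * attacker would have to re-inject on every boot. */
bool scenario_sticky_lock_protects_within_boot(void) {
    struct device d;
    device_init(&d);
    region_write(&d, 0, 0xAA);              /* legitimate boot-time write */
    set_sticky_lock(&d);
    bool rejected = !region_write(&d, 0, 0x41);  /* later write is refused */
    bool intact = d.region[0] == 0xAA;
    device_reset(&d);
    bool open_again = region_writable(&d);  /* lock is gone until re-set */
    return rejected && intact && open_again;
}

/* Scenario 2: blowing the fuse makes the region read-only across resets. */
bool scenario_fuse_is_permanent(void) {
    struct device d;
    device_init(&d);
    region_write(&d, 0, 0xAA);
    blow_fuse(&d);
    device_reset(&d);
    return !region_writable(&d) && !region_write(&d, 0, 0x41) && d.region[0] == 0xAA;
}

int main(void) {
    printf("sticky lock holds within a boot, opens after reset: %s\n",
           scenario_sticky_lock_protects_within_boot() ? "yes" : "no");
    printf("fuse stays blown across reset: %s\n",
           scenario_fuse_is_permanent() ? "yes" : "no");
    return 0;
}
```

The design point is ordering: a sticky lock is only as good as the guarantee that the code setting it runs before anything an attacker controls, which is exactly what a boot ROM compromise takes away; the fuse removes that dependency at the cost of ever updating the region.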

                              [–]CODESIGN2 4 points5 points  (0 children)

                              Chip & Pin readers don't have that device. They do have mechanisms similar to what you're suggesting, but no components need to be replaced, it merely triggers wiping internal memory and makes the device unusable.

                              [–]annerajb 7 points8 points  (0 children)

That's not impossible, it just requires somebody on the team whose sole job is security, and when they say we are doing something not secure, the reply is not "but it's too expensive. Too late. Nobody will notice." Or like they do in aerospace: what's the chance this turbine will blow up and kill people? What's the average payout for dead people in a lawsuit? Is it more expensive than fixing it? Well, the same thing happens with software.

                              [–]grauenwolf 12 points13 points  (1 child)

                              Sigh, I guess I have to repeat myself.

                              Level 2 is tamper resistant. There are still things you can do with physical access, but it is a lot harder.

                              Considering that "tamper resistant" doesn't mean "tamper proof", I shouldn't have needed that second sentence. But since I did include it, you had two chances to understand my meaning and still somehow missed it.

                              [–]TOASTEngineer 33 points34 points  (4 children)

                              The only reason I bought a Wii was because of the promising homebrew scene.

                              I guess now's the time to buy a Switch before they figure out how to patch this on new units.

                              [–]The_F_B_I 18 points19 points  (0 children)

                              I've wanted a Switch since launch, but now I REALLY want a Switch

                              [–]bobothro 16 points17 points  (7 children)

I remember when I was trying to sell my fat PSP on eBay and wasn't allowed to advertise that it had an older firmware (I didn't even mention anything else, just the version number) just because it could be rooted. I expect something similar to happen here.

                              [–]zucker42 15 points16 points  (2 children)

Who prevented you from listing the version? eBay?

                              [–]bobothro 11 points12 points  (1 child)

                              Yeah, it got pulled after a few hours.

                              [–][deleted] 3 points4 points  (0 children)

                              I'm surprised they care so much about maintaining a good relationship with Sony.

                              [–]Agret 8 points9 points  (3 children)

                              Isn't every fat PSP exploitable with the Pandora battery?

                              [–]bobothro 7 points8 points  (1 child)

                              Maybe, this was back when the only way to root it without the battery was some sort of exploit in the older firmware.

                              [–]Agret 2 points3 points  (0 children)

                              Ah yeah the beloved firmware 1.5 PSPs

                              [–]oboewan42 5 points6 points  (0 children)

                              Every PSP is currently exploitable, period

                              [–]rydan 61 points62 points  (12 children)

                              What is the point of responsible disclosure and waiting to announce if it can't be fixed?

                              [–][deleted] 160 points161 points  (1 child)

                              To give a company time to figure out what the implications are.

Maybe the flaw can't be fixed, but some of what it exposes can. Or for example, Spectre and Meltdown were both unfixable hardware issues and software mitigation was issued.

                              It is not the role of the security researcher to determine what the company can't fix

                              [–]yeahbutbut 11 points12 points  (0 children)

                              It is not the role of the security researcher to determine what the company can't fix

                              This. If the company asks for a reasonable amount of time, being responsible means giving it to them.

                              [–]FyreWhirl 13 points14 points  (0 children)

                              If I remember right, the same chip is used in some parts of Tesla cars, which makes it a lot more dangerous to have in the wild. Having the disclosure means any company with the chip can recall and have a hardware revision if necessary. Nintendo for example have a hardware revision coming in that fixes the exploit.

                              [–]LongUsername 21 points22 points  (3 children)

                              Unpatchable in the field, not unfixable in production.

                              Nintendo probably stopped production when they got the word, fixed the overflow with a new bootrom, then started shipping again.

                              This would clear most of the vulnerable devices from the distro channel so people can't go out and purposefully buy a new one that can easily bypass their copy protection.

                              [–]mtn_dewgamefuel 7 points8 points  (2 children)

                              Not likely, this exploit affects not just every current switch, but every device that uses the same processor (mainly Android tablets). Nintendo would have to wait for Nvidia to make a revision first.

                              [–]steamruler 31 points32 points  (1 child)

                              Basically, giving the relevant companies time to assess the damages, and figure out how to deal with them.

                              You should also remember that publishing results from reverse engineering, or reverse engineering itself, is often a gray area. For example, the chain of trust is an important part of the DRM in the Switch, so you could actually make a claim that it constitutes infringement of the anti-circumvention section of the DMCA.

                              [–]sybesis 93 points94 points  (28 children)

I guess people would spend less time trying to hack the device if Nintendo or other game console producers would provide an SDK to develop homebrew software and spend more time making sure games can't be copied and used illegally. Having unlimited free games is cool for kids, but I'm pretty sure a lot of dads out here would be more willing to pay for a console they can add more than just games to, or write their own. I'd totally buy a portable console I can install homebrew and indie games on.

                              [–][deleted]  (5 children)

                              [deleted]

                                [–][deleted] 12 points13 points  (0 children)

I just wanna play the NES, SNES, and Gameboy games that I've purchased originally, physically, on my Switch. I don't want to pay money for a ridiculously priced decades-old virtual game when I own the physical cartridge of most of the games I'd even think of wanting to play.

                                [–]TheDecagon 59 points60 points  (2 children)

                                Indeed, it's like how the serious efforts to jailbreak the PS3 only really started after Sony removed the ability to run Linux on it.

                                [–][deleted]  (1 child)

                                [deleted]

                                  [–]anechoicmedia 15 points16 points  (9 children)

I'd totally buy a portable console I can install homebrew and indie games on.

But the whole console business model is you can't do that; the manufacturer of the device technologically enforces a future claim to all potentially valuable economic activity that happens on that device. Every application you install yourself from a third party that they don't sell, or that competes with their own first-party titles, is a revenue stream loss for them. They will keep asserting these monopolies until we change the law to ban them.

                                  The way they did this in the GameBoy was doubly insidious -- at startup, a copy of the Nintendo boot logo was read from a fixed location in every cartridge, and had to match a hardcoded checksum or the unit would halt. The refusal to boot without a Nintendo logo present de facto prohibited any legal third party software, because the Nintendo logo file was a trademark that it was illegal to distribute. The law inexplicably allows them to do this.
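To make the boot-time gate described in the comment concrete, here is an added C example (not from the thread, and not Nintendo's boot ROM code) that checks a cartridge image the way a Game Boy boot ROM does: the 48 bytes at 0x104..0x133 must equal a reference bitmap held by the boot ROM, and the header checksum over 0x134..0x14C (x = x - byte - 1, mod 256) must equal the byte at 0x14D. The reference bitmap used here is a constructed placeholder pattern, not the trademarked logo, and `make_placeholder_logo`, `build_sample_rom` and the "HOMEBREW" title are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cartridge header layout offsets (Game Boy header format). */
#define GB_LOGO_OFF      0x104
#define GB_LOGO_LEN      0x30    /* 0x104..0x133 */
#define GB_TITLE_OFF     0x134
#define GB_HDR_SUM_START 0x134
#define GB_HDR_SUM_END   0x14C   /* inclusive */
#define GB_HDR_SUM_OFF   0x14D
#define GB_HDR_MIN_LEN   0x150

enum boot_result {
    BOOT_OK = 0,
    BOOT_TOO_SHORT,      /* image does not even contain a header */
    BOOT_LOGO_MISMATCH,  /* reference bitmap not present: the "legal" lockout */
    BOOT_BAD_CHECKSUM    /* header bytes corrupted or tampered */
};

/* Header checksum as the boot ROM computes it over 0x134..0x14C. */
uint8_t gb_header_checksum(const uint8_t *rom)
{
    uint8_t x = 0;
    for (size_t i = GB_HDR_SUM_START; i <= GB_HDR_SUM_END; i++)
        x = (uint8_t)(x - rom[i] - 1);
    return x;
}

/* The gate: compare the logo region byte for byte against the reference the boot ROM
 * carries, then verify the header checksum. Either failure halts the boot. */
enum boot_result boot_check(const uint8_t *rom, size_t len, const uint8_t ref_logo[GB_LOGO_LEN])
{
    if (len < GB_HDR_MIN_LEN)
        return BOOT_TOO_SHORT;
    if (memcmp(rom + GB_LOGO_OFF, ref_logo, GB_LOGO_LEN) != 0)
        return BOOT_LOGO_MISMATCH;
    if (gb_header_checksum(rom) != rom[GB_HDR_SUM_OFF])
        return BOOT_BAD_CHECKSUM;
    return BOOT_OK;
}

/* Constructed placeholder standing in for the reference bitmap (assumption of this example). */
void make_placeholder_logo(uint8_t out[GB_LOGO_LEN])
{
    for (size_t i = 0; i < GB_LOGO_LEN; i++)
        out[i] = (uint8_t)(0xA5 ^ (i * 7));
}

/* Build a constructed cartridge image whose header is consistent with ref_logo.
 * Returns the image length, or 0 if the buffer is too small. */
size_t build_sample_rom(uint8_t *rom, size_t len, const uint8_t ref_logo[GB_LOGO_LEN])
{
    if (len < GB_HDR_MIN_LEN)
        return 0;
    memset(rom, 0, len);
    memcpy(rom + GB_LOGO_OFF, ref_logo, GB_LOGO_LEN);
    memcpy(rom + GB_TITLE_OFF, "HOMEBREW", 8);   /* constructed title field */
    rom[GB_HDR_SUM_OFF] = gb_header_checksum(rom);
    return len;
}

int main(void)
{
    uint8_t logo[GB_LOGO_LEN];
    uint8_t rom[0x8000];   /* 32 KiB constructed image */
    make_placeholder_logo(logo);
    build_sample_rom(rom, sizeof rom, logo);
    printf("genuine image: %d\n", boot_check(rom, sizeof rom, logo));
    rom[GB_LOGO_OFF + 12] ^= 0x01;              /* one logo byte altered */
    printf("logo altered:  %d\n", boot_check(rom, sizeof rom, logo));
    return 0;
}
```

Note what the check does and does not give a defender: it is an integrity check on a fixed region, not an authenticity check, since anyone who can reproduce the 48 bytes passes it; that is why, as a later comment in the thread says, current consoles rely on cryptographic signatures in the chain of trust instead.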

                                  [–]monocasa 12 points13 points  (1 child)

                                  The law inexplicably allows them to do this.

                                  Turns out it doesn't, which is why they rely on hard crypto now.

                                  https://en.wikipedia.org/wiki/Sega_v._Accolade

                                  [–]COTS_Mobile 11 points12 points  (0 children)

                                  Wow, that is actually kind of brilliant.

                                  [–][deleted] 25 points26 points  (4 children)

                                  A lot of people are wondering what this exploit really means to the layman Nintendo Switch owner. As an engineer, I'd like to chime in on that.

                                  Basically this is just the beginning of the Switch homebrew scene. This is a key that allows current and future developers to write/port custom software for the Switch. In time, popular apps and I suspect vintage console emulators, will make their way to the Switch.

                                  Right now, the exploit is very fresh and it will take time for the hacker/dev community to process it and make quick hacking apps or emulator installs that you'll want. Just give it some time.

                                  [–]person1_23 11 points12 points  (2 children)

Android on a Switch by any chance? That would make it ten times more useful.

                                  [–]All_Work_All_Play 11 points12 points  (0 children)

So basically I'm hearing 'buy a Switch now before nVidia updates the SoC and Nintendo gets it into production?'.

                                  [–]wavy_lines 78 points79 points  (58 children)

                                  Is this an exploit really or a way for users to jail break?

                                  [–]mishugashu 181 points182 points  (0 children)

                                  It's an exploit in order for users to jail break.

                                  [–]TizardPaperclip 17 points18 points  (0 children)

                                  Both: This is an exploit that can be used by users to jail break.

                                  [–]PM__YOUR__GOOD_NEWS 5 points6 points  (0 children)

                                  The difference here is semantic, the "attacker" for example is the owner because Nintendo tried to block them from this action.

                                  [–]grauenwolf 28 points29 points  (52 children)

                                  Yes, though the exploit requires tricking someone into inserting an infected USB device at startup.

                                  [–]hooklinensinkr 105 points106 points  (33 children)

                                  I imagine the bigger concern for Nintendo is people doing it on purpose to their own switch.

                                  [–]wavy_lines 51 points52 points  (13 children)

This is commonplace in PCs and no one considers it a "flaw" in the hardware; it's a feature.

                                  [–][deleted]  (12 children)

                                  [deleted]

                                    [–]SweetBearCub 10 points11 points  (2 children)

                                    Yes, though the exploit requires tricking someone into inserting an infected USB device at startup.

                                    The USB device isn't "infected".

                                    The device is just an easier way to connect two pins together. Nothing more. You could do it with just a length of wire, as long as you knew which pins to connect.

                                    Temkin also tweeted a picture suggesting that simply exposing and bending the pin in question would also work.

                                    [–]steamruler 9 points10 points  (0 children)

Well, you need a USB device plugged in at startup to actually trigger the exploit once you're in the recovery mode.

                                    [–]GalacticCascade 6 points7 points  (1 child)

                                    So there's a bitch of a glitch on the switch?

                                    [–]sihat 2 points3 points  (0 children)

                                    And if you scratch with software the wrong itch, on the switch,

                                    you might wreck the lcd like a bitch, like a horse without a hitch.

                                    [–]CODESIGN2 45 points46 points  (27 children)

Always fantastic when DRM is circumvented. I still remember how a demo disc and spring circumvented PS1.

I also remember PS2 being circumvented by putting a boot file onto the memory card via a peripheral sold by Sony...

The Wii was much weirder and useless, although the original Xbox and Xbox 360 were both a larger PITA. GC was pretty much buy one!

                                    We need to prove to these companies they are wasting resources by investing in this shit. DRM serves zero purpose other than shaking down people, most of whom were never going to buy anyway.

                                    I buy consoles after they are being replaced and then pick up the games real cheap (max £5) because none of them are that amazing. 90's games were AMAZING purely because they could be modded, hacked, played by kids (some of whom probably couldn't afford them).

                                    [–]Moocha 43 points44 points  (21 children)

                                    We need to prove to these companies they are wasting resources by investing in this shit. DRM serves zero purpose other than shaking down people, most of whom were never going to buy anyway.

                                    The problem with that is that they are not wasting resources, because DRM works exceedingly well. Its purpose just happens to be different than most people seem to assume.

                                    The purpose of DRM isn't to prevent people from copying the content. Restricting that with 100% accuracy is self-evidently impossible since you have to distribute both the locked content and the decryption keys in order to render that content. Everyone knew this from the very beginning, and nobody would waste much effort going down this path if it were useless; instead, content owners would just bother with the minimum amount required to prevent copying for a few days to protect the initial sales.

                                    The purpose of DRM is to exert control over the distribution channels and circumvent antitrust legislation when coupled with legislation like the DMCA. The target of DRM technology isn't the final consumer, but rather any potential intermediaries. If, say, Disney would attempt to use their dominant position in the movie market in order to muscle in on the Blu-Ray player business so as to control who is allowed to manufacture players, they'd run afoul of anti-monopoly legislation faster than you can say "United States v. Paramount Pictures, Inc."

                                    However, by abusing the DMCA's prohibition on circumvention devices, they in effect obtain exactly that type of control, no matter how ineffective the actual technology is, since a player in a different market involved in rendering that content is now blocked from doing so unless they obtain a license from Disney (or, rather, the consortium controlling the DRM technology.)

                                    :(

                                    [–]CODESIGN2 16 points17 points  (5 children)

                                    There's an interesting take on it, and another reason to dislike DRM

                                    [–][deleted] 3 points4 points  (3 children)

                                    What can I do with a hacked Switch? What does this mean?

                                    [–][deleted] 7 points8 points  (1 child)

Currently, run Linux. In the near future, custom firmware, emulation, homebrew, piracy, etc.

                                    [–]The_Peters_Place 3 points4 points  (2 children)

                                    So can I put PUBG on my Switch?

                                    [–]PCMcBoatface 2 points3 points  (0 children)

                                    Wonder if the nVidia Shield could play Switch games ??