Exploit Targets Nvidia Tegra-Based Nintendo Systems

Researchers have found an exploit in Nvidia Tegra X1-based systems that they say cannot be patched.

UPDATE – Nvidia sought to downplay a vulnerability discovered in its Tegra X1-based systems in a recently published notice.

“A researcher indicates that a person with physical access to older Tegra-based processors could connect to the device’s USB port, bypass the secure boot and execute unverified code,” said Nvidia in the notice. The company said it is actively evaluating the issue and “conferring with partners.”

“This issue cannot be exploited remotely, even if the device is connected to the Internet. Rather, a person must have physical access to an affected processor’s USB connection to bypass the secure boot and run unverified code,” said the notice.

Nvidia also said that they are not aware of any malicious compromise of Tegra-based devices. The company said its Tegra X2 lineup, as well as Nvidia GPUs, are not impacted by the security flaw.

The notice comes after researchers said they found an exploit for a vulnerability in Nvidia Tegra X1-based Nintendo systems that they say cannot be patched.

Hackers with ReSwitched said they were able to exploit a feature on Nvidia’s line of Tegra embedded processors called Tegra Recovery Mode. This vulnerability allows attackers to copy code into the protected application stack, essentially enabling them to run arbitrary code on the device.

There is no patching available that would fix this issue, according to Katherine Temkin of hacking group ReSwitched, who found the vulnerability, and wrote about it in a post.

“The relevant vulnerability is the result of a ‘coding mistake’ in the read-only bootrom found in most Tegra devices. This bootrom can have minor patches made to it in the factory (‘ipatches’), but cannot be patched once a device has left the factory,” said Temkin in her post.

Temkin said that the coldboot vulnerability exists in the processors’ Tegra Recovery Mode (RCM), which is a program that sends code to a Tegra device when it goes into recovery mode.

The glitch creates a way for hackers to work around the lock-out protections usually safeguarding the chip’s bootROM. BootROM is a small and critical piece of mask ROM embedded in the processor chip, containing code that is the first to be executed by the processor when the device has been reset.

In order to exploit the bug in RCM, the Tegra-based Nintendo device must first be in USB recovery boot mode, meaning that it would be connected to a PC with a USB cable.

ReSwitched on a Github report detailed various proof of concepts for coders to set off RCM on their switches – such as grounding a Joy-Con pin and holding the volume up button while booting up the switch.

From there, “the USB software stack provided inside the boot instruction rom (IROM/bootROM) contains a copy operation whose length can be controlled by an attacker,” according to the report.

By constructing a USB control request, an attacker can then leverage the vulnerability to copy the contents of an attacker-controlled buffer over the active execution stack, “gaining control of the Boot and Power Management Processor (BPMP) before any lock-outs or privilege reductions occur,” according to the report.

Nintendo has been concerned about protecting its system security from hackers – even refusing to provide backup options for saved games to other devices or microSD cards due to possible security issues.

For gamers, the exploit means that they will now have this option to back up games – but it also raises the possibility that hackers can load arbitrary payloads into the memory through RCM, or copy attacker-controlled values over the execution stack, researchers say.

Temkin said that she notified both Nintendo and Nvidia of the issue. Nvidia declined to comment.

Randy Copeland, CEO of system builder Velocity Micro, which uses Nvidia chips to build enthusiast systems, said he hasn’t heard anything from Nvidia about potential security issues on the chips.

But he said isn’t worried about the vulnerability due to the fact that attackers need physical control of the device.

“To use this hack, you would have to have physical possession of the device, which limits the danger to having it hacked by a friend or having it stolen,” he told Threatpost.

ReSwitched said the recommended mitigation is to correct the USB control request handler so that it “always correctly constrains the length to be transmitted,” which must be handled according to the type of device.

However, “for a device already in consumer hands, no solution is proposed. Unfortunately, access to the fuses needed to configure the device’s ipatches was blocked when the ODM_PRODUCTION fuse was burned, so no bootROM update is possible. It is suggested that consumers be made aware of the situation so they can move to other devices, where possible,” said the company.

Suggested articles