You are viewing our Forum Archives. To view or take place in current topics click here.
Nintendo Switch: Fail0verflow release ShofEL2 (Nvidia Tegra)
Posted:
Nintendo Switch: Fail0verflow release ShofEL2 (Nvidia Tegra)Posted:
Status: Offline
Joined: May 14, 200816Year Member
Posts: 7,692
Reputation Power: 32314
Status: Offline
Joined: May 14, 200816Year Member
Posts: 7,692
Reputation Power: 32314
An insane flow of released happened over the past 24h on the Nintendo Switch scene, following the leak of the Tegra bootrom by an unknown hacking group yesterday.
A few minutes ago, team fail0verflow have released their own implementation of the hack, along with a port of Linux for the Nintendo Switch. The hack is compatible with all Nintendo Switch devices independently of their firmware (unless we're mistaken, the necessary hardware revision to fix the bug has started to hit the stores only very recently).
Fail0verflow were actually intending to release their whole work on April 25th, in compliance with their disclosure window of the Tegra vulnerability. The leak from yesterday has accelerated their release by a couple days.
Fail0verflow's Tegra exploit relies on the Tegra's USB Recovery Mode (RCM), and it appears to be the same vulnerability vector as Kate Temkin's Fusee Gelee (ktemkin has disclosed her exploit a few hours ago too, technically beating Fail0verflow to the punch, and we will be writing about that as well as we catch up on the news).
The release, as it is right now, is not really end-user friendly, but fail0verflow say hackers should have no difficulty setting things up.
In practice, you will have to boot the Nintendo Switch in recovery mode (according to Fail0verflow, this can be done by holding the Volume Up, Home, and Power buttons at the same time on the console itself) while having it connected via USB to a computer ready to serve the exploit. We've seen more complex ways to launch hacks than this one, in particular in such early days.
Tegra X1 Bug (Nintendo Switch)
A few minutes ago, team fail0verflow have released their own implementation of the hack, along with a port of Linux for the Nintendo Switch. The hack is compatible with all Nintendo Switch devices independently of their firmware (unless we're mistaken, the necessary hardware revision to fix the bug has started to hit the stores only very recently).
Fail0verflow were actually intending to release their whole work on April 25th, in compliance with their disclosure window of the Tegra vulnerability. The leak from yesterday has accelerated their release by a couple days.
Fail0verflow's Tegra exploit relies on the Tegra's USB Recovery Mode (RCM), and it appears to be the same vulnerability vector as Kate Temkin's Fusee Gelee (ktemkin has disclosed her exploit a few hours ago too, technically beating Fail0verflow to the punch, and we will be writing about that as well as we catch up on the news).
The release, as it is right now, is not really end-user friendly, but fail0verflow say hackers should have no difficulty setting things up.
In practice, you will have to boot the Nintendo Switch in recovery mode (according to Fail0verflow, this can be done by holding the Volume Up, Home, and Power buttons at the same time on the console itself) while having it connected via USB to a computer ready to serve the exploit. We've seen more complex ways to launch hacks than this one, in particular in such early days.
Download ShofEL2 and Linux patches for Nintendo Switch
Fail0verflow's release can be fetched from their various github repositories below. You will have to build the stuff yourself.
[ Register or Signin to view external links. ]
[ Register or Signin to view external links. ]
[ Register or Signin to view external links. ]
[ Register or Signin to view external links. ]
[ Register or Signin to view external links. ]
Tegra X1 Bug (Nintendo Switch)
And because hacking is easy; the Tegra X1 Bug.
Tegra X1 RCM forgets to limit wLength field of 8 byte long Setup Packet in some USB control transfers. Standard Endpoint Request GET_STATUS (0x00) can be used to do arbitrary memcpy from malicious RCM command and smash the Boot ROM stack before signature checks and after Boot ROM sends UID. Need USB connection and way to enter RCM (Switch needs volume up press and JoyCon pin shorted).
To:
ReSwitched
fail0verflow
SwitchBrew
BBB
Team Xecuter
Team SALT
Reminder: Real hackers hack in silence. You all suck.
"Game Over."
F8001BE1190CAED74BBDDAD78667877C84D1A128
The following 3 users thanked Sean for this useful post:
#2. Posted:
Status: Offline
Joined: Jun 03, 201014Year Member
Posts: 2,899
Reputation Power: 3713
I really wonder what this little bit it.
F8001BE1190CAED74BBDDAD78667877C84D1A128
- 1useful
- 0not useful
#3. Posted:
Status: Offline
Joined: Feb 15, 201014Year Member
Posts: 269
Reputation Power: 11
Status: Offline
Joined: Feb 15, 201014Year Member
Posts: 269
Reputation Power: 11
Went on TTG for this exact post, looks like it's time to buy a switch
and holy shit, nice seeing you're still around Sean.
and holy shit, nice seeing you're still around Sean.
- 0useful
- 0not useful
You are viewing our Forum Archives. To view or take place in current topics click here.