A few minutes ago, team fail0verflow have released their own implementation of the hack, along with a port of Linux for the Nintendo Switch. The hack is compatible with all Nintendo Switch devices independently of their firmware (unless we’re mistaken, the necessary hardware revision to fix the bug has started to hit the stores only very recently).
Fail0verflow were actually intending to release their whole work on April 25th, in compliance with their disclosure window of the Tegra vulnerability. The leak from yesterday has accelerated their release by a couple days.
Fail0verflow’s Tegra exploit relies on the Tegra’s USB Recovery Mode (RCM), and it appears to use the same vulnerability vector as Kate Temkin’s Fusee Gelee (ktemkin also disclosed her exploit a few hours ago, technically beating Fail0verflow to the punch; we will be writing about that as well as we catch up on the news).
The release, as it is right now, is not really end-user friendly, but fail0verflow say hackers should have no difficulty setting things up.
In practice, you will have to boot the Nintendo Switch in recovery mode (according to Fail0verflow, this can be done by holding the Volume Up, Home, and Power buttons at the same time on the console itself) while having it connected via USB to a computer ready to serve the exploit. We’ve seen more complex ways to launch hacks than this one, in particular in such early days.
Download ShofEL2 and Linux patches for Nintendo Switch
Fail0verflow’s release can be fetched from their various GitHub repositories below. You will have to build everything yourself.
https://github.com/fail0verflow/shofel2
https://github.com/fail0verflow/switch-arm-trusted-firmware
https://github.com/fail0verflow/switch-coreboot
https://github.com/fail0verflow/switch-u-boot
https://github.com/fail0verflow/switch-linux
Jokes aside, we have a 90-day responsible disclosure window for ShofEL2 ending on April 25th. Since another person published the bug so close to our declared deadline, we're going to wait things out. Stay tuned.
— fail0verflow (@fail0verflow) April 23, 2018
Tegra X1 Bug (Nintendo Switch)
And because hacking is easy; the Tegra X1 Bug.
Tegra X1 RCM forgets to limit wLength field of 8 byte long Setup Packet in some USB control transfers. Standard Endpoint Request GET_STATUS (0x00) can be used to do arbitrary memcpy from malicious RCM command and smash the Boot ROM stack before signature checks and after Boot ROM sends UID. Need USB connection and way to enter RCM (Switch needs volume up press and JoyCon pin shorted).
To:
ReSwitched
fail0verflow
SwitchBrew
BBB
Team Xecuter
Team SALT
Reminder: Real hackers hack in silence. You all suck.
"Game Over."
F8001BE1190CAED74BBDDAD78667877C84D1A128
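The missing limit described in the note above, seen from the device side: a GET_STATUS handler that clamps the host-supplied wLength to the 2-byte reply before copying. This is an added example, not code from the original page, the note, or fail0verflow; `handle_get_status`, `demo` and the sample packet are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define USB_REQ_GET_STATUS 0x00
#define USB_DIR_IN         0x80  /* bmRequestType bit 7: device-to-host */
#define STATUS_REPLY_LEN   2u    /* GET_STATUS always answers with 2 bytes */

struct usb_setup {               /* the 8-byte Setup Packet, decoded */
    uint8_t  bmRequestType, bRequest;
    uint16_t wValue, wIndex, wLength;   /* wLength is host-controlled */
};

/* Decode little-endian wire bytes without relying on struct layout. */
static struct usb_setup parse_setup(const uint8_t raw[8])
{
    struct usb_setup s = { raw[0], raw[1],
        (uint16_t)(raw[2] | raw[3] << 8), (uint16_t)(raw[4] | raw[5] << 8),
        (uint16_t)(raw[6] | raw[7] << 8) };
    return s;
}

/* Hypothetical handler: returns bytes written to out, or -1 to stall. */
static int handle_get_status(const struct usb_setup *s, uint16_t status,
                             uint8_t *out, size_t out_cap)
{
    if (s->bRequest != USB_REQ_GET_STATUS || !(s->bmRequestType & USB_DIR_IN))
        return -1;
    size_t n = s->wLength;
    if (n > STATUS_REPLY_LEN)    /* clamp to the real reply size */
        n = STATUS_REPLY_LEN;
    if (n > out_cap)             /* never exceed the destination buffer */
        return -1;
    const uint8_t reply[STATUS_REPLY_LEN] = { (uint8_t)status, (uint8_t)(status >> 8) };
    memcpy(out, reply, n);
    return (int)n;
}

static uint8_t demo_buf[8];      /* bytes 2..7 act as guard bytes */
/* Constructed sample: endpoint GET_STATUS asking for 0xFFFF bytes. */
static const uint8_t SAMPLE_OVERSIZED[8] = { 0x82, 0, 0, 0, 0, 0, 0xFF, 0xFF };

/* Run one raw setup packet through the handler with a fresh guard pattern. */
static int demo(const uint8_t raw[8])
{
    struct usb_setup s = parse_setup(raw);
    memset(demo_buf, 0xAA, sizeof demo_buf);
    return handle_get_status(&s, 0x0001, demo_buf, sizeof demo_buf);
}

int main(void) { return demo(SAMPLE_OVERSIZED) == 2 ? 0 : 1; }
```

The copy length is derived from what the device actually has to send; the host's wLength can only shrink it.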
Source: http://wololo.net/2018/04/24/nintendo-switch-fail0verflow-release-shofel2-nvidia-tegra-exploit-along-linux-switch/