The Nintendo Switch was hacked back in February to run Linux, but now a team has revealed a flaw that lets users run arbitrary code by exploiting an unpatchable vulnerability in the console’s Nvidia Tegra X1 chip. The flaw sits at the silicon level, in the Tegra X1’s USB recovery mode, which normally prevents hardware hackers from accessing the system’s bootROM; because the bug lives in the bootROM itself, it allows the processor’s entire ‘root-of-trust’ to be compromised.
“The USB software stack provided inside the boot instruction rom (IROM/bootROM) contains a copy operation whose length can be controlled by an attacker. By carefully constructing a USB control request, an attacker can leverage this vulnerability to copy the contents of an attacker-controlled buffer over the active execution stack, gaining control of the Boot and Power Management processor (BPMP) before any lock-outs or privilege reductions occur,” said Katherine Temkin, a hardware hacker from the ReSwitched hacking team.
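The bug class Temkin describes is a copy whose length is taken directly from a host-supplied USB control request. The following C program is an added illustration, not code from the article, from ReSwitched, or from the Tegra X1 bootROM: it parses the standard 8-byte USB SETUP packet, shows the unchecked copy pattern in a comment, and implements a hardened handler that validates `wLength` against the destination buffer before any memory is touched. The buffer size (`CTRL_BUF_SIZE`), the function names, the status codes and the constructed packets are assumptions for this example only.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Layout of the 8-byte USB SETUP packet (USB 2.0, little-endian fields).
 * Everything in it is chosen by the host, so wLength is untrusted input. */
typedef struct {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;   /* host-declared transfer length */
} usb_setup_t;

#define CTRL_BUF_SIZE 64u   /* assumed size of the device-side control buffer */

enum ctrl_status {
    CTRL_OK             =  0,
    CTRL_ERR_TOO_LONG   = -1,   /* wLength exceeds the destination buffer  */
    CTRL_ERR_SHORT_DATA = -2    /* fewer payload bytes arrived than promised */
};

/* Decode the SETUP packet exactly as it arrives on the wire. */
void usb_parse_setup(const uint8_t raw[8], usb_setup_t *s)
{
    s->bmRequestType = raw[0];
    s->bRequest      = raw[1];
    s->wValue        = (uint16_t)(raw[2] | (raw[3] << 8));
    s->wIndex        = (uint16_t)(raw[4] | (raw[5] << 8));
    s->wLength       = (uint16_t)(raw[6] | (raw[7] << 8));
}

/* The defect class from the article is a copy sized by wLength alone:
 *     memcpy(ctrl_buf, payload, setup.wLength);   // unchecked
 * With a 64-byte destination, any wLength above 64 writes past ctrl_buf into
 * whatever the compiler placed after it, which on a stack buffer is the
 * caller's frame. The handler below refuses such requests instead. */

/* Hardened handler: bounds-check before copying.
 * Returns the number of bytes copied, or a negative ctrl_status code. */
int usb_handle_control_out(const uint8_t raw[8],
                           const uint8_t *payload, size_t payload_len,
                           uint8_t *dst, size_t dst_size)
{
    usb_setup_t setup;
    usb_parse_setup(raw, &setup);

    if (setup.wLength > dst_size)
        return CTRL_ERR_TOO_LONG;     /* reject; never truncate silently */
    if (payload_len < setup.wLength)
        return CTRL_ERR_SHORT_DATA;   /* never read beyond received data */

    memcpy(dst, payload, setup.wLength);
    return (int)setup.wLength;
}

/* Builds a constructed vendor OUT request carrying the given wLength and a
 * payload of the given size, then runs it through the hardened handler. */
int demo_request(uint16_t wLength, size_t payload_len)
{
    uint8_t raw[8] = { 0x40, 0x01, 0, 0, 0, 0,
                       (uint8_t)(wLength & 0xff), (uint8_t)(wLength >> 8) };
    uint8_t payload[1024];
    uint8_t ctrl_buf[CTRL_BUF_SIZE];

    if (payload_len > sizeof payload)
        payload_len = sizeof payload;
    memset(payload, 0x41, sizeof payload);   /* filler bytes, constructed */
    return usb_handle_control_out(raw, payload, payload_len,
                                  ctrl_buf, sizeof ctrl_buf);
}

int main(void)
{
    printf("wLength=32,  payload=32  -> %d\n", demo_request(32, 32));
    printf("wLength=64,  payload=64  -> %d\n", demo_request(64, 64));
    printf("wLength=65,  payload=65  -> %d\n", demo_request(65, 65));
    printf("wLength=512, payload=512 -> %d\n", demo_request(512, 512));
    printf("wLength=32,  payload=16  -> %d\n", demo_request(32, 16));
    return 0;
}
```

The check is deliberately a rejection rather than a clamp: a firmware stage that silently truncates an oversized request still signals to the host that the request was accepted, which hides the malformed traffic from anyone auditing the device, whereas a hard error is both safe and observable.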