**UPDATE** – Nvidia sought to downplay a vulnerability discovered in its Tegra X1-based systems in a recently published notice.
“A researcher indicates that a person with physical access to older Tegra-based processors could connect to the device’s USB port, bypass the secure boot and execute unverified code,” said Nvidia in the [notice](<http://nvidia.custhelp.com/app/answers/detail/a_id/4660>). The company said it is actively evaluating the issue and “conferring with partners.”
“This issue cannot be exploited remotely, even if the device is connected to the Internet. Rather, a person must have physical access to an affected processor’s USB connection to bypass the secure boot and run unverified code,” said the notice.
Nvidia also said that it is not aware of any malicious compromise of Tegra-based devices. The company said its Tegra X2 lineup, as well as Nvidia GPUs, are not impacted by the security flaw.
The notice comes after researchers said they found an exploit for a vulnerability in Nvidia Tegra X1-based Nintendo systems that they say cannot be patched.
Hackers with ReSwitched said they were able to exploit a feature on Nvidia’s line of Tegra embedded processors called Tegra Recovery Mode. This vulnerability allows attackers to copy code into the protected application stack, essentially enabling them to run arbitrary code on the device.
There is no patch available that would fix this issue, according to Katherine Temkin of hacking group ReSwitched, who found the vulnerability and wrote about it in a [post](<http://www.ktemkin.com/faq-fusee-gelee/?_ga=2.244932365.923496745.1524579881-1628290284.1524579881>).
“The relevant vulnerability is the result of a ‘coding mistake’ in the read-only bootrom found in most Tegra devices. This bootrom can have minor patches made to it in the factory (‘ipatches’), but cannot be patched once a device has left the factory,” said Temkin in her post.
Temkin said that the coldboot vulnerability exists in the processors’ Tegra Recovery Mode (RCM), which is a program that sends code to a Tegra device when it goes into recovery mode.
The glitch creates a way for hackers to work around the lock-out protections usually safeguarding the chip’s bootROM. BootROM is a small and critical piece of mask ROM embedded in the processor chip, containing code that is the first to be executed by the processor when the device has been reset.
In order to exploit the bug in RCM, the Tegra-based Nintendo device must first be in USB recovery boot mode, meaning that it would be connected to a PC with a USB cable.
ReSwitched, in a [GitHub report](<https://fail0verflow.com/blog/2018/shofel2/>), detailed various proofs of concept for coders to set off RCM on their Switches – such as grounding a Joy-Con pin and holding the volume up button while booting up the Switch.
From there, “the USB software stack provided inside the boot instruction rom (IROM/bootROM) contains a copy operation whose length can be controlled by an attacker,” according to the [report](<https://github.com/reswitched/fusee-launcher/blob/master/report/fusee_gelee.md>).
By constructing a USB control request, an attacker can then leverage the vulnerability to copy the contents of an attacker-controlled buffer over the active execution stack, “gaining control of the Boot and Power Management Processor (BPMP) before any lock-outs or privilege reductions occur,” according to the report.
Nintendo has been concerned about protecting its system security from hackers – even [refusing to provide](<https://mashable.com/2017/06/15/nintendo-switch-saves-reggie/#m.P68w2oAaqi>) backup options for saved games to other devices or microSD cards due to possible security issues.
For gamers, the exploit means that they will now have this option to back up games – but it also raises the possibility that hackers can load arbitrary payloads into the memory through RCM, or copy attacker-controlled values over the execution stack, researchers say.
Temkin said that she notified both Nintendo and Nvidia of the issue. Nvidia declined to comment.
Randy Copeland, CEO of system builder Velocity Micro, which uses Nvidia chips to build enthusiast systems, said he hasn’t heard anything from Nvidia about potential security issues on the chips.
But he said he isn’t worried about the vulnerability because attackers need physical control of the device.
“To use this hack, you would have to have physical possession of the device, which limits the danger to having it hacked by a friend or having it stolen,” he told Threatpost.
ReSwitched said the recommended mitigation is to correct the USB control request handler so that it “always correctly constrains the length to be transmitted,” which must be handled according to the type of device.
However, “for a device already in consumer hands, no solution is proposed. Unfortunately, access to the fuses needed to configure the device’s ipatches was blocked when the ODM_PRODUCTION fuse was burned, so no bootROM update is possible. It is suggested that consumers be made aware of the situation so they can move to other devices, where possible,” said the company.
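The bug class the report describes (a copy whose length is taken from the host's control request) and the recommended fix of constraining that length, as an added example that is not code from the article, ReSwitched or Nvidia. The flat `ram` array, the buffer sizes and the handler names are hypothetical and model no real bootROM layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: one flat array stands in for RAM so the copy is safe to run. */
#define RESP_BUF_SIZE 16u   /* bytes reserved for the control response */
#define RAM_SIZE      64u   /* response buffer followed by other state */
#define CANARY        0xA5u /* fill value marking untouched memory */

struct setup_packet {       /* USB control request SETUP fields */
    uint8_t  bmRequestType, bRequest;
    uint16_t wValue, wIndex;
    uint16_t wLength;       /* host-supplied, so attacker-controlled */
};

static uint8_t ram[RAM_SIZE];
static void ram_reset(void) { memset(ram, CANARY, sizeof ram); }

/* Bytes beyond the response buffer that were overwritten. */
static size_t ram_corrupted(void) {
    size_t n = 0;
    for (size_t i = RESP_BUF_SIZE; i < RAM_SIZE; i++)
        n += (ram[i] != CANARY);
    return n;
}

/* Weak form: wLength is used as the copy length. src must hold RAM_SIZE bytes. */
static size_t handle_weak(const struct setup_packet *s, const uint8_t *src) {
    size_t len = s->wLength;
    if (len > RAM_SIZE) len = RAM_SIZE;  /* simulation guard only */
    memcpy(ram, src, len);
    return len;
}

/* Hardened form: length constrained to the real response and the buffer. */
static size_t handle_fixed(const struct setup_packet *s, const uint8_t *src, size_t src_len) {
    size_t len = s->wLength;
    if (len > src_len) len = src_len;
    if (len > RESP_BUF_SIZE) len = RESP_BUF_SIZE;
    memcpy(ram, src, len);
    return len;
}
int main(void) {
    uint8_t src[RAM_SIZE] = {0};
    struct setup_packet s = {0x80, 0, 0, 0, 48}; /* constructed request */
    ram_reset(); handle_weak(&s, src);
    printf("weak:  %zu bytes past buffer\n", ram_corrupted());
    ram_reset(); handle_fixed(&s, src, 2);
    printf("fixed: %zu bytes past buffer\n", ram_corrupted());
    return 0;
}
```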
Source: “Exploit Targets Nvidia Tegra-Based Nintendo Systems,” by Lindsey O'Donnell, Threatpost, published 2018-04-24. https://threatpost.com/exploit-targets-nvidia-tegra-based-nintendo-systems/131377/