Issue in bootROM allows arbitrary code execution

Due to a recently published exploit for Nvidia’s Tegra X1, developers and hardware hackers at ReSwitched and Fail0verflow have been able to demonstrate arbitrary code execution on the Nintendo Switch. The Fusée Gelée (or rather Frozen Rocket) coldboot vulnerability allows for nearly full reign over the device by inserting data into the protected application stack.

The issue stems from a problem with how the Tegra X1 handles USB recovery mode. By shorting a pin on the Joy-Con connnector, a payload is able to be delivered during a check made to the USB, forcing up to 65,535 bytes to be copied. This in turn causes a direct memory access buffer overflow in the bootROM, allowing for arbitrary code execution to occur in the application stack.