From WikiTemp, the GBAtemp wiki

Revision as of 11:56, 29 September 2018

*Draft page*: please help improve it and fill in missing information.

List of Switch exploits

Name | Compatible firmware versions | Author(s) | Link | Status
PegaSwitch | 1.0.0 - 3.0.0 | ReSwitched Team (SciresM, and more) | website, Sources | Fixed
Fusée Gelée | 1.0.0 - 5.1.0 | Independently discovered by ReSwitched Team (Kate Temkin) and fail0verflow (shuffle2) | | Fixed, June 2018
Déjà vu (unreleased) | 1.0.0 - 4.1.0 | SciresM | |



PegaSwitch

PegaSwitch exploits a vulnerability in the WebKit module of the console's Internet browser. PegaSwitch does not allow launching homebrew.

PegaSwitch is triggered by running a program on a computer that acts as a DNS server.


Fusée gelée

(en: Frozen Space Rocket)


Fusée Gelée exploits a vulnerability in the Recovery mode of the Nintendo Switch, allowing early code execution on the console. Recovery mode runs before Horizon OS, the Switch's operating system (the user interface).

Graphical representation of the launch sequence:

Cold boot > Recovery mode > Boot loader > Horizon OS

This might not be the exact launch sequence, but it is good enough to get a quick understanding of what happens before the console's main interface is displayed.


Fusée Gelée runs in the Recovery mode step and allows code execution before the Boot loader. It can be used to:

  • Run standalone applications (key dumpers, tools that display console information, etc.),
  • Replace the bootloader and launch a custom OS running natively on the Tegra chipset (Linux, Lakka, etc.),
  • Act as a bootloader and launch Horizon OS, either stock (OFW) or with temporary in-memory patches (CFW).


Q. Why use Fusée Gelée to boot an official firmware?

A. Nintendo's official bootloader is responsible for checking and burning eFuses. eFuses are burned when upgrading the firmware to prevent you from downgrading your console. Horizon checks how many eFuses have been burned; if the count doesn't match the expected number, the OS refuses to launch. Bypassing the official bootloader prevents eFuse burning when booting a higher (official or patched) firmware version, allowing the user to return to the lowest firmware version the burned fuses still allow (through eMMC restoration or a firmware downgrade).
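As an added example (not code from this wiki page or from any real bootloader), the following Python models the eFuse anti-downgrade logic described in the answer above. The fuse counts per firmware version are constructed sample values, not Nintendo's real numbers, and the check is simplified (my assumption) to "refuse when more fuses are burned than the firmware version expects", which is the condition that blocks a downgrade.

```python
# Model of the eFuse anti-downgrade logic described above. Not code from the
# wiki or from any real bootloader. EXPECTED_FUSES holds CONSTRUCTED sample
# values, not Nintendo's real fuse counts, and the check is a simplification
# (my assumption): boot is refused when more fuses are burned than the
# firmware version expects, which is exactly what blocks a downgrade.

EXPECTED_FUSES = {"1.0.0": 1, "3.0.0": 2, "4.1.0": 3, "5.1.0": 4}  # constructed


class Console:
    """Simulated console whose only state is its one-way eFuse counter."""

    def __init__(self, burned_fuses=0):
        self.burned_fuses = burned_fuses

    def burn_to(self, count):
        # eFuses are one-time programmable: the counter can only increase.
        self.burned_fuses = max(self.burned_fuses, count)

    def check(self, version):
        # More burned fuses than this version expects means an older firmware
        # is being booted on a console that already ran a newer one: refuse.
        return self.burned_fuses <= EXPECTED_FUSES[version]

    def official_boot(self, version):
        """Stock bootloader: burn fuses up to the version's count, then check."""
        self.burn_to(EXPECTED_FUSES[version])
        return self.check(version)

    def bypass_boot(self, version):
        """Bootloader replaced by an RCM payload: same check, no fuse burning."""
        return self.check(version)


def downgrade_possible(boot_path, newer, older):
    """Boot `newer` through `boot_path` on a console fused for `older`, then
    report (newer booted, older still boots through the official path)."""
    console = Console(burned_fuses=EXPECTED_FUSES[older])
    newer_booted = getattr(console, boot_path)(newer)
    older_still_boots = console.official_boot(older)
    return newer_booted, older_still_boots


if __name__ == "__main__":
    # The official path burns fuses, so 3.0.0 no longer boots afterwards.
    print("official:", downgrade_possible("official_boot", "5.1.0", "3.0.0"))  # (True, False)
    # Bypassing the bootloader leaves the fuses alone, so 3.0.0 still boots.
    print("bypass:  ", downgrade_possible("bypass_boot", "5.1.0", "3.0.0"))    # (True, True)
```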


Boot modes

There are different boot modes the console can access: Normal launch, Recovery mode, Maintenance mode and Safe mode. Fusée Gelée uses Recovery mode, commonly called "RCM".

Recovery mode

The console enters Recovery mode for three different reasons:

  • The internal memory is corrupted or the entire eMMC board is missing;
  • The bootloader program is corrupted;
  • A specific key combination is pressed on cold boot: with the console fully shut down, hold Vol+ while bridging the right Joy-Con rail's pin 10 to ground (pin 1, 7 or 9), and power on the console.

Entering this Recovery mode (RCM) leaves the console on a black screen, waiting for signed commands sent over USB. Fusée Gelée uses a vulnerability in the command verification process to send unsigned data and execute unsigned code.

This vulnerability has been fixed on consoles sold after June 2018.


Maintenance mode

There is another menu also called Recovery Mode, better known as Maintenance Mode. Maintenance mode is part of Horizon OS and can be launched after RCM, for example after choosing which firmware to launch from Hekate in RCM.

It has an onscreen menu to update the console, format the console and delete user preferences, or just exit and launch Horizon OS. Additionally, entering this menu automatically clears temporarily downloaded files, such as a complete or partial system update.

A different button combination is used to boot into this menu:

Console powered off: hold Vol+ and Vol-, then press and release the Power button
or
Just after selecting Launch Firmware from the custom bootloader started via RCM: hold Vol+ and Vol-

Accessing this Maintenance mode screen deletes temporarily downloaded update files and stops Horizon OS from displaying the update nag.


Safe mode

Safe mode is used to boot Horizon OS with a slightly different firmware. You can think of this mode as booting into Windows' safe mode on your computer, which disables drivers and network configuration to resolve conflicts.

There is no reason to use this mode for homebrew or Fusée Gelée. For more information, read switchbrew's boot modes page.


Usage

When the console is in RCM, waiting for USB data, you can use a payload launcher to send unsigned payload binaries (programs) to the Switch.

There are different payload launcher programs (for computers, Android phones or standalone dongles) and different payload binaries that can be sent to the console.


  • Fully shut down the console (not sleep mode)
  • Enter RCM (short Joy-Con pin 10 to any GND pin, then press Vol+ and the Power button)
  • Plug your Nintendo Switch into a USB OTG compatible device (computer, phone or dongle)
  • Run the payload launcher and select the payload to send to the console, or let the dongle do it automatically.

List of Fusée Gelée code launchers, dongles and payloads

Payload senders (Software)

Name System Description Author Link sources
Fusée Launcher Python3 Proof-of-concept code loader for Fusée Gelée exploit. Works on Windows, Linux, macOS and FreeBSD. Kate Temkin, Qyriad github
Fusée Launcher for MacOS OSX This is a simple fork of the original fusee-launcher for OSX. OkazakiTheOtaku Thread github
CrystalRCM OSX This is a graphical front-end to fusee-launcher for macOS. Works without any other installs. Mistyhands Thread GitHub
iOUSB iOS An iOS code loader for Fusée Gelée exploit, based on NXLauncher? Brandon-T post github
nxboot iOS, OSX Fusée Gelée / ShofEL2 for jailbroken iOS10+ & macOS. mologie Thread, website GitHub
NXLauncher Android An Android code loader for Fusée Gelée exploit, based on Fusée Gelée and ShofEL2. Has the fusee.bin payload bundled. Can load any other payload binary from your android device. DavidBuchanan Github
NXLauncher mod (SXLoader) Android A modded version of NXLauncher with (an old) SX OS payload set as default. Not available anymore. annson24 Thread Github
Rekado Android An Android code loader for Fusée Gelée exploit, based on NXLauncher. Has the SX-Loader payload bundled. Can load any other payload binary from your android device. MenosGrantes Thread Github
TegraRcmSmash Windows A Windows code loader for Fusée Gelée exploit. rajkosto download Github
TegraRCMGUI Windows C++ GUI for TegraRcmSmash. Eliboa Thread github
TegraRCMTool Windows Batch file front-end for TegraRcmSmash. Midstor Thread github
AutoRCMSmasher Windows Automatically sends the payload using TegraRcmSmash when it detects RCM mode. PRAGMA Thread
Web fusée launcher Web, javascript A JavaScript based payload sender using the WebUSB API on ChromeOS/Linux/Mac/Android. List of compatible browsers. Does not work on Windows due to USB restrictions. Atlas44 (mods by: netfreak, elijah, switchbru) demo, github

Payload senders (Hardware)

Name System Description Author Link
Fusée à la framboise Dongle A dongle made using RaspberryPi. Open source, do it yourself. moriczgergo Thread
R4S Dongle A dongle to launch a payload for Fusée Gelée exploit.
AceNS Dongle A dongle to launch a payload for Fusée Gelée exploit. Clone of the Xkit design, both the first and the OneB version. website, 1st model Review
AceNS Pro Dongle An SX dongle clone, using an outdated SXOS firmware, with its identical features and bugs. Beware of clone detection brick code! Use at your own risk. website, Review
Dragon Injector Dongle A Trinket M0 clone dongle to launch a payload for Fusée Gelée exploit. Open source, do it yourself. MatinatorX thread
XKit RCM Loader, first model Dongle A dongle to launch a payload for Fusée Gelée exploit. website
XKit RCM Loader, Model One B Dongle A dongle to launch a payload for Fusée Gelée exploit. New version, smaller with integrated jig slot. website, thread
Nerdonic Exen Mini (tiny SAMD21 device) Chipset An internal chipset using SAMD21 device to launch a payload for Fusée Gelée exploit. Open source, do it yourself. mooglazer Thread
NS-Atmosphère Dongle A dongle to launch a payload for Fusée Gelée exploit.
SAMD Dongle A dongle to launch a payload for Fusée Gelée exploit. Open source, do it yourself. electronrancher Thread
SAMD v2 Dongle A dongle to launch a payload for Fusée Gelée exploit. Open source, do it yourself. electronrancher Thread
SwitchMe UP Chipset A modchip to launch a payload for Fusée Gelée exploit.
SX Dongle A dongle to launch a payload for Fusée Gelée exploit. Team Xecuter Website
Trinket Dongle/Chipset A dongle (can be installed internally as a modchip) to launch a payload for Fusée Gelée exploit.
Feather M0 express Dongle/Chipset A dongle (can be installed internally as a modchip) to launch a payload for Fusée Gelée exploit. SAM/Arduino board. thread
Do It Yourself Dongle/Chipset Multiple programmable boards (Adafruit Gemma M0, Adafruit Trinket M0, etc.). Share or find self-made dongles or internal modification chipsets (modchips). Multiple users Thread

Hardware payload sender related links

Payload (Binaries)

Name Description Author Link Source
Fusée Gelée sample payload A sample payload binary to use with Fusée Launcher. Kate Temkin Download github
Argon-NX A payload launcher. Autoboot another payload.bin from your SD card, or displays a list of next payloads to launch from your SD. Guillem96 Unofficial thread, Releases github
Argon-NX-mod by mattytrog A mod of Argon, with some fixes and new features. mattytrog thread
Argon-NX-sx-mod by mrdude A mod of Argon, with new GUI and features, such as SXOS license management. mrdude thread
Atmosphère: fusée-primary Fusée launches the console into Atmosphère. Fusée is the payload that replaces the console's bootloader to boot the Atmosphère CFW and its different modules (Exosphère, Thermosphère, Stratosphère, Troposphère). SciresM Releases github
BiskeyDump A Switch key dumper. rajkosto Download github
BriccMii A payload used to corrupt (or fix) your boot0, preventing the Switch from loading the bootloader and forcing the console to enter RCM automatically at boot. rajkosto Download github
fusedump An eFuse dumper. (deprecated, see MoonFlower) moriczgergo Download github
gptrestore Restores the original Nintendo Switch GPT to your eMMC if you somehow messed it up. rajkosto Download, usage example github
GRAnimated payload A customized fusée Gelée binary modded by GRAnimated. GRAnimated download github
Hekate A multi-tool payload. Serves as SD binary payload loader, a bootloader and Firmware Patcher (CFW) allowing homebrew launching from Horizon OS. Contains multiple tools such as NAND backup/restore. naehrwert (original code), CTCaer, multiple users Thread, Download github
Hekate-Nyx An optional frontend for Hekate version 5.0+. CTCaer, multiple users Thread, Download github
Lakka A Linux booter, used to boot Lakka, a Linux distribution specialized in emulators. Natinusala Thread github
Lockpick_RCM A key derivation and dumper. Works on 7.x if you have sept-primary.bin and sept-secondary.enc present in /sept/ folder. Shchmue Thread github
memloader fail0verflow's u-boot binary loader. Used to mount emmc/boot0/boot1/sd as a UMS drive on your computer. rajkosto Download, usage example github
moonflower An eFuse and GPIO dumper for the Switch. Based on Fusedump. moriczgergo Download github
Painless Linux A linux booter payload. Boot Linux on the Switch without imx_usb_loader - Windows, Linux, Mac OS & Android Natinusala download github
ReiNX Reisyukaku's custom firmware booter, based on the Atmosphère CFW. Reisyukaku Official guide, Thread, Guide github
ROMDump Dumps the RAW FUSE, KFUSE and BOOTROM bytes to your microSD/HOST PC via USB/console screen rajkosto Download github
ShofEL2 A Linux booter. fail0verflow (shuffle2) website github
Shutdown Switch A homebrew+payload bundle to fully shutdown the Switch using homebrew instead of power button. Works with autoRCM units. mrdude Thread
SwitchBlade Deprecated payload based on an old hekate payload version which added splash screen support and removed function to keep only homebrew launching feature. Instantly loads Horizon with homebrew enabled without any menus. StevenMattera Thread github
SX OS A bootloader and Firmware Patcher (CFW) allowing homebrew launching from Horizon OS. Requires a License to unlock backup loader features. Team Xecuter Website no

Payload (Malwares / Brickers)

/!\ATTENTION/!\ THESE PAYLOADS ARE MALWARE. YOU CAN BRICK YOUR CONSOLE. YOU SHOULD NOT USE THEM.

Read more about safe practices here.

Name | Description | Author | Link | Source
TotallyNotVurnabbleFuseelauncher | A sample payload binary and sources demonstrating that no payload you find should be trusted: even when the sources are provided, that doesn't mean it is safe to compile and run. It contains an attempt to connect a socket to your computer on 192.168.1.59:21. | DavidTatikashvili123 | Thread | github
switchFuckerUpper.nro | A Switch bricker! DO NOT LAUNCH!!! This replaces your BIS with "80082", effectively rendering your Switch useless. | Crusatyr | No link, as this is malicious software. | No link, as this is malicious software.
SX OS Crack / PozzNX | A Switch bricker! DO NOT LAUNCH!!! This replaces your PRODINFO with a clean GPT, essentially rendering your Switch useless. | Kanna | No link, as this is malicious software. | No link, as this is malicious software.
PokerusNX / Fake Pokemon: Let's Go! Pikachu / switchFuckerUpper.nsp | A Switch bricker! DO NOT LAUNCH!!! This replaces your BIS with "80082", effectively rendering your Switch useless. SwitchFuckerUpper stuffed into an NSP. | | No link, as this is malicious software. | No link, as this is malicious software.


Déjà vu

Déjà vu is an unreleased exploit.

Compatible firmwares: from 1.0.0 up to 4.1.0?