From WikiTemp, the GBAtemp wiki
(added the switch navbox)
(List of Switch's Exploits: updated compatible versions)
 
(16 intermediate revisions by the same user not shown)
Line 1: Line 1:
<noinclude>{{NXNav}}__NOTOC__{{Newpagepreload|Template:P/Switch Homebrew}}
+
{{NXNav}}__NOTOC__{{Newpagepreload|Template:P/Switch Homebrew}}
  
 
  *Draft page* please help improving and fixing missing information.
 
  *Draft page* please help improving and fixing missing information.
Line 5: Line 5:
 
==List of Switch's Exploits==
 
==List of Switch's Exploits==
 
{| class="prettytable sortable" style="width:100%"
 
{| class="prettytable sortable" style="width:100%"
! style="width:25%" | Name
+
! style="width:10%" | Name
! class="unsortable" | Compatible firmwares
+
! style="width:10%" | Compatible firmware versions
! style="width:20%" | Author
+
! class="unsortable" style="width:20%" | Author(s)
! style="width:20%" | Fixed
+
! style="width:8%" | Link
 +
! style="width:8%" | Status
 
|-
 
|-
| ?
+
| Jamais vu
| 1.x
+
| 1.0.0
|  
+
| ReSwitched Team (SciresM, and Motezazer)
 +
| [https://gbatemp.net/threads/494712/ Thread], [https://www.reddit.com/r/SwitchHacks/comments/7rq0cu/jamais_vu_a_100_trustzone_code_execution_exploit/ reddit]
 
| Fixed
 
| Fixed
 
|-
 
|-
| Fusée Gelée
+
| PegaSwitch
| 1.x - 5.1
+
| 1.0.0 - 3.0.0
| Kate Temkin
+
| ReSwitched Team (SciresM, and more)
| Fixed, june2018
+
| [https://pegaswitch.com/ website], [https://github.com/ReSwitched/PegaSwitch Sources]
 +
| Fixed
 
|-
 
|-
| Déjà Vue (unreleased)
+
| Nereba
| 1.x - 4.1
+
| 1.0.0 - 3.0.0
 +
| ReSwitched Team (Stuckpixel)
 +
| [https://gbatemp.net/threads/536409/ Unofficial Thread], [https://github.com/pixel-stuck/nereba/ Sources]
 +
| Fixed
 +
|-
 +
| Déjà Vu / Caffeine
 +
| 1.0.0 - 4.1.0, partially up to 7.0.1
 
| SciresM
 
| SciresM
|  
+
| [https://gbatemp.net/threads/496799/ Unofficial Thread], [https://gbatemp.net/threads/537361/ Unofficial Thread], [https://github.com/liuervehc/caffeine github for 3.0.0], [https://gbatemp.net/threads/541826/ unofficial thread caffeine for 4.1.0 released]
 +
| Fixed
 +
|-
 +
| Fusée Gelée
 +
| All (non iPatched consoles only)
 +
| Independently discovered by ReSwitched Team (Kate Temkin), fail0verflow (shuffle2).
 +
| [https://gbatemp.net/threads/496838/ Unofficial Thread]
 +
| Fixed, june2018
 
|}
 
|}
  
 +
==Jamais vu==
 +
Jamais vu exploit a warmboot vulnerability in the TrustZone to allow code execution.
  
 +
==PegaSwitch==
 +
PegaSwitch exploit a vulnerability in the Internet navigator WebKit module. PegaSwitch does not allow homebrew launching.
  
 +
PegaSwitch is triggered by using a computer's program serving as DNS server.
  
==?==
+
==Nereba==
A software triggered exploit on early firmware, allowing unsigned code execution (homebrew).
+
released in April 2019, this exploit is compatible with old firmwares 1.0.0 to 3.0.0 only.
  
 +
It's exploiting a warm boot RAM access vulnerability which allows the console to reboot from OFW to any Fusée Gelée payloads using the web applet.
 +
 +
 +
==Déjà vu==
 +
 +
Déjà vu was an old known but unreleased exploit. It has finally been released in April 2019.
 +
 +
Compatible firmwares from 1.0.0 up to 4.1.0. The vulnerability was only partially fixed in 6.0.0. The vulnerability was kept secret as long as it wasn't fully fixed in eventuality that it could be useful later to exploit units with patched known exploits.
 +
 +
Nintendo definitely [https://twitter.com/SciresM/status/1117955638863130624 fixed that vulnerability] in 2019 with firmware 8.x
  
  
 
==Fusée gelée==
 
==Fusée gelée==
Fusée gélée exploit a vulnerability in the Recovery mode of the Nintendo Switch, allowing early code execution on the console. The Recovery mode is launched before Horizon OS (the switch's operating system, the user interface).
+
(en: Frozen Space Rocket)
  
Grahical representation of the launch sequence:
 
Console shut down : Power > Boot mode > Boot loader > Horizon OS
 
  
 +
Fusée gélée exploit a vulnerability in the Recovery mode of the Nintendo Switch, allowing early code execution on the console. The Recovery mode is launched before Horizon OS, the switch's operating system (the user interface).
  
Fusée Gelée allows code execution before the Boot loader.
+
A ''simplified'' graphical representation of the launch sequence:
 +
Cold boot > Recovery mode > Boot loader > Horizon OS
 +
This might not be the exact launch sequence, but it's good enough to get a quick understanding of what happens before the main console's interface is displayed.
 +
 
 +
 
 +
Fusée Gelée runs in the Recovery mode step and allows code execution before the Boot loader.
 
It can be used to either:
 
It can be used to either:
* run standalone programs (key dumpers, console information, etc.),
+
* Run standalone applications (key dumpers, display console information, etc.),
* replace the bootloader and launches Horizon OS, stock (OFW) or with temporary memory patches (CFW).
+
* Replace the bootloader and allows launching of custom OS running on native tegra chipset (Linux, Lakka, etc.)
* replace the bootloader and allows custom OS launching (Linux, Lakka)
+
* Act as a bootloader and launches Horizon OS, stock (OFW) or with temporary memory patches (CFW),
  
The official Nintendo's bootloader is responsible for checking and burning eFuse. Bypassing the official bootloader prevent burning eFuse when booting a higher (official or patched) firmware version, allowing future backuped NAND restoration or firmware downgrade.
+
 
 +
'''Q.''' Why use Fusée gelée to boot an official firmware?
 +
 
 +
'''A.''' The official Nintendo's bootloader is responsible for checking and burning [https://switchbrew.org/wiki/Fuses#Anti-downgrade eFuse]. eFuses are burned when upgrading the firmware to prevent you to downgrade your console.
 +
Horizon checks how many eFuses has been burned, if it doesn't match the expected eFuse number the OS will refuse to launch.
 +
Bypassing the official bootloader prevents eFuse burning when booting a higher (official or patched) firmware version, allowing the user to return to the lowest installed fused firmware (eMMC restoration or firmware downgrade).
  
  
 
===Boot modes===
 
===Boot modes===
There are three different [http://switchbrew.org/index.php/Boot_Modes Boot Modes] the console can access: Recovery mode, Maintenance mode, Safe mode.
+
There are different [http://switchbrew.org/index.php/Boot_Modes Boot Modes] the console can access: Normal launch, Recovery mode, Maintenance mode, Safe mode.
 
Fusée gelée uses the Recovery Mode, commonly called "RCM".
 
Fusée gelée uses the Recovery Mode, commonly called "RCM".
  
'''Recovery mode'''
+
====Recovery mode====
The console enters this Recovery mode for three different reasons :
+
The console enters this Recovery mode for three different reasons:
 
* The internal memory is corrupted or the entire eMMC board is missing ;
 
* The internal memory is corrupted or the entire eMMC board is missing ;
 
* The bootloader program is corrupted ;
 
* The bootloader program is corrupted ;
* A specific key combination is pressed on boot.
+
* A specific key combination is pressed on cold boot : with the console fully shutdown, keep pressed both Vol+ while bridging right joycon's pin 10 with Ground (with pin1, 7 or 9) and switch on the console.
  
Console shut down : keep pressed both Vol+ and power buttons while shorting pin 1 and pin 10 of the right joycon connector.
+
Entering this recovery mode (RCM) puts the console on a black screen, where the console waits for USB sent signed commands for secure communication. Fusée gelée uses a vulnerability in the command verification process to send non signed data and execute unsigned code.
 
+
Entering this recovery mode (RCM) puts the console on a black screen, where the console waits for USB sent signed commands for secure communication. Fusée gelée uses a vulnerability in the command verification process to send non signed data and execute arbitrary code.
+
  
 
This vulnerability has been fixed on consoles sold after june 2018.
 
This vulnerability has been fixed on consoles sold after june 2018.
  
  
'''Maintenance mode'''
+
====Maintenance mode====
There is another menu called ''Recovery Mode'', also known as Maintenance Mode. It has an onscreen menu to update or format the console and delete user preferences. A different pressed buttons combination is used to boot into this menu.
+
There is another menu called ''Recovery Mode'', also known as Maintenance Mode. The maintenance mode is part of the Horizon OS, and can be launched after RCM, for example, after choosing which firmware to launch from Hekate in RCM.
 +
 
 +
It has an onscreen menu to update the console, format and delete user preferences, or just exit and launch Horizon OS. Additionally, entering this menu automatically clears temporarily downloaded files, such as a complete or partial system update.
  
Console shut down : keep pressed Vol+ and Vol-, press and release Power button.
+
A different pressed buttons combination is used to boot into this menu.
  
 +
Console power OFF : keep pressed Vol+ and Vol-, press and release Power button
 +
or
 +
Just after selecting Launch Firmware from RCM's custom bootloader : keep pressed Vol+ and Vol-
 
Accessing this Maintenance mode screen has the effect of deleting temporary downloaded update files and stop displaying the update nag on Horizon OS.
 
Accessing this Maintenance mode screen has the effect of deleting temporary downloaded update files and stop displaying the update nag on Horizon OS.
  
  
'''Safe mode'''
+
====Safe mode====
Safe mode is used to boot Horizon OS using a slightly different firmware. You can see this mode like booting Windows safe mode on your computer, disabling drivers and network configuration to resolve conflicts.
+
Safe mode is used to boot Horizon OS using a slightly different firmware. You can see this mode like booting into Windows' safe mode on your computer to disable drivers and network configuration to resolve conflicts.
  
There is no advantage to use this mode for homebrew. for more information, read switchbrew's boot modes page.
+
There is no reason to use this mode for homebrew or Fusée Gelée. For more information, read switchbrew's boot modes page.
  
  
Line 84: Line 127:
 
===Usage===
 
===Usage===
  
When the console is put in RCM, waiting for USB data reception, you can use a Launcher to send a non signed payload (program).
+
When the console is in RCM, waiting for USB data reception, you can use a payload launcher to send a non signed payload binaries (program) to the Switch.
  
There are different Launchers program (on computers or android Phones), and different payload binaries (switch program) which can be sent to the console.
+
There are different payload launchers program (on computers, Phones or standalone dongles), and different payload binaries which can be sent to the console.
 
+
You can also use USB dongle which contains the payload to send and replace the need of a computer or a phone.
+
  
  
 
* Fully shutdown the console (not in sleep mode)
 
* Fully shutdown the console (not in sleep mode)
* launch RCM (shortcut joycon pin 1-10, press Vol+ and power button)
+
* Launch RCM (shortcut joycon pin10 with any GND pin, press Vol+ and power button)
* Plug your Nintendo Switch through USB OTG compatible device (computer, phone, or dongle)
+
* Plug your Nintendo Switch through USB OTG compatible device (computer, phone or dongle)
 
* Run the payload Launcher and select the payload to send to the console, or let the dongle do it automatically.
 
* Run the payload Launcher and select the payload to send to the console, or let the dongle do it automatically.
  
 
+
A list of Fusée Gelée Code launchers, dongles and payloads are available [[List of Switch payloads|here]]
List of Launchers, Dongle and Payloads here (add link to lists here)
+
 
+
temporary list on the forum until wiki page is created.
+
https://gbatemp.net/threads/fusee-gelee-all-the-payloads.502028/
+
 
+
 
+
 
+
==déjà vu==
+
unreleased exploit up to 4.1 ?
+

Latest revision as of 10:36, 7 August 2019

*Draft page* please help improving and fixing missing information.

List of Switch's Exploits

Name Compatible firmware versions Author(s) Link Status
Jamais vu 1.0.0 ReSwitched Team (SciresM, and Motezazer) Thread, reddit Fixed
PegaSwitch 1.0.0 - 3.0.0 ReSwitched Team (SciresM, and more) website, Sources Fixed
Nereba 1.0.0 - 3.0.0 ReSwitched Team (Stuckpixel) Unofficial Thread, Sources Fixed
Déjà Vu / Caffeine 1.0.0 - 4.1.0, partially up to 7.0.1 SciresM Unofficial Thread, Unofficial Thread, github for 3.0.0, unofficial thread caffeine for 4.1.0 released Fixed
Fusée Gelée All (non iPatched consoles only) Independently discovered by ReSwitched Team (Kate Temkin), fail0verflow (shuffle2). Unofficial Thread Fixed, june2018

Jamais vu

Jamais vu exploit a warmboot vulnerability in the TrustZone to allow code execution.

PegaSwitch

PegaSwitch exploit a vulnerability in the Internet navigator WebKit module. PegaSwitch does not allow homebrew launching.

PegaSwitch is triggered by using a computer's program serving as DNS server.

Nereba

released in April 2019, this exploit is compatible with old firmwares 1.0.0 to 3.0.0 only.

It's exploiting a warm boot RAM access vulnerability which allows the console to reboot from OFW to any Fusée Gelée payloads using the web applet.


Déjà vu

Déjà vu was an old known but unreleased exploit. It has finally been released in April 2019.

Compatible firmwares from 1.0.0 up to 4.1.0. The vulnerability was only partially fixed in 6.0.0. The vulnerability was kept secret as long as it wasn't fully fixed in eventuality that it could be useful later to exploit units with patched known exploits.

Nintendo definitely fixed that vulnerability in 2019 with firmware 8.x


Fusée gelée

(en: Frozen Space Rocket)


Fusée gélée exploit a vulnerability in the Recovery mode of the Nintendo Switch, allowing early code execution on the console. The Recovery mode is launched before Horizon OS, the switch's operating system (the user interface).

A simplified graphical representation of the launch sequence:

Cold boot > Recovery mode > Boot loader > Horizon OS

This might not be the exact launch sequence, but it's good enough to get a quick understanding of what happens before the main console's interface is displayed.


Fusée Gelée runs in the Recovery mode step and allows code execution before the Boot loader. It can be used to either:

  • Run standalone applications (key dumpers, display console information, etc.),
  • Replace the bootloader and allows launching of custom OS running on native tegra chipset (Linux, Lakka, etc.)
  • Act as a bootloader and launches Horizon OS, stock (OFW) or with temporary memory patches (CFW),


Q. Why use Fusée gelée to boot an official firmware?

A. The official Nintendo's bootloader is responsible for checking and burning eFuse. eFuses are burned when upgrading the firmware to prevent you to downgrade your console. Horizon checks how many eFuses has been burned, if it doesn't match the expected eFuse number the OS will refuse to launch. Bypassing the official bootloader prevents eFuse burning when booting a higher (official or patched) firmware version, allowing the user to return to the lowest installed fused firmware (eMMC restoration or firmware downgrade).


Boot modes

There are different Boot Modes the console can access: Normal launch, Recovery mode, Maintenance mode, Safe mode. Fusée gelée uses the Recovery Mode, commonly called "RCM".

Recovery mode

The console enters this Recovery mode for three different reasons:

  • The internal memory is corrupted or the entire eMMC board is missing ;
  • The bootloader program is corrupted ;
  • A specific key combination is pressed on cold boot : with the console fully shutdown, keep pressed both Vol+ while bridging right joycon's pin 10 with Ground (with pin1, 7 or 9) and switch on the console.

Entering this recovery mode (RCM) puts the console on a black screen, where the console waits for USB sent signed commands for secure communication. Fusée gelée uses a vulnerability in the command verification process to send non signed data and execute unsigned code.

This vulnerability has been fixed on consoles sold after june 2018.


Maintenance mode

There is another menu called Recovery Mode, also known as Maintenance Mode. The maintenance mode is part of the Horizon OS, and can be launched after RCM, for example, after choosing which firmware to launch from Hekate in RCM.

It has an onscreen menu to update the console, format and delete user preferences, or just exit and launch Horizon OS. Additionally, entering this menu automatically clears temporarily downloaded files, such as a complete or partial system update.

A different pressed buttons combination is used to boot into this menu.

Console power OFF : keep pressed Vol+ and Vol-, press and release Power button
or
Just after selecting Launch Firmware from RCM's custom bootloader : keep pressed Vol+ and Vol-

Accessing this Maintenance mode screen has the effect of deleting temporary downloaded update files and stop displaying the update nag on Horizon OS.


Safe mode

Safe mode is used to boot Horizon OS using a slightly different firmware. You can see this mode like booting into Windows' safe mode on your computer to disable drivers and network configuration to resolve conflicts.

There is no reason to use this mode for homebrew or Fusée Gelée. For more information, read switchbrew's boot modes page.


Usage

When the console is in RCM, waiting for USB data reception, you can use a payload launcher to send a non signed payload binaries (program) to the Switch.

There are different payload launchers program (on computers, Phones or standalone dongles), and different payload binaries which can be sent to the console.


  • Fully shutdown the console (not in sleep mode)
  • Launch RCM (shortcut joycon pin10 with any GND pin, press Vol+ and power button)
  • Plug your Nintendo Switch through USB OTG compatible device (computer, phone or dongle)
  • Run the payload Launcher and select the payload to send to the console, or let the dongle do it automatically.

A list of Fusée Gelée Code launchers, dongles and payloads are available here