Difference between revisions of "List of Switch exploits"
Edit summaries: (added the switch navbox); (updates, some fixes, new tables, etc.)
Revision as of 15:11, 6 September 2018
*Draft page*: please help improve it and fill in missing information.
List of Switch exploits
Name | Compatible firmwares | Author(s) | Fixed |
---|---|---|---|
? | 1.x (3.0.x?) | ? | Fixed |
Fusée Gelée | 1.x - 5.1 | Independently discovered by ReSwitchTeam (Kate Temkin) and fail0verflow (shuffle2) | Fixed in hardware (consoles sold after June 2018) |
Déjà Vu (unreleased) | 1.x - 4.1 | SciresM | |
?
A software-triggered exploit on early firmware, allowing unsigned code execution (homebrew).
Fusée Gelée
Fusée Gelée exploits a vulnerability in the Recovery Mode (RCM) of the Nintendo Switch, giving code execution at the very start of the boot chain, before any of the console's signature checks have run. Recovery Mode is entered before Horizon OS, the Switch's operating system (the user interface), is loaded.
Simplified launch sequence:
Power ON > Boot mode > Boot loader > Horizon OS
Fusée Gelée runs during the Boot mode step, so its payload executes before the boot loader and before everything the boot loader would normally verify.
It can be used to:
- Run standalone applications (key dumpers, console information tools, etc.);
- Replace the bootloader and launch a custom OS running natively on the Tegra chipset (Linux, Lakka, etc.);
- Act as a bootloader that launches Horizon OS, either stock (OFW) or with temporary in-memory patches (CFW).
Q. Why use Fusée Gelée to boot an official firmware?
A. Nintendo's official bootloader is responsible for checking and burning eFuses. eFuses are one-time-programmable bits: a firmware update burns more of them, and a burnt fuse can never be cleared, which is what prevents downgrading. At boot, the number of burnt fuses is compared with the number the installed firmware expects: if more fuses are burnt than expected, the console is running a downgraded firmware and refuses to launch; if fewer are burnt, the official bootloader burns fuses up to the expected count. Bypassing the official bootloader skips both the check and the burning, so booting a higher (official or patched) firmware version through an RCM payload leaves the fuse count untouched, and the user can still return to the lowest firmware the burnt fuses allow (eMMC restoration or firmware downgrade).
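The fuse logic above, modelled as an added example (illustrative Python written for this page, not Nintendo's bootloader code nor any CFW's; the firmware-version-to-fuse-count table is constructed for the example, the real table is on switchbrew's Fuses page):

```python
"""Model of the Switch's eFuse anti-downgrade check.

Added example for this page. Nothing here is Nintendo's or a CFW's code; the
version -> expected-fuse-count table is constructed for illustration.
"""

# Constructed table: each firmware version expects at least this many fuses burnt.
EXPECTED_FUSES = {
    "1.0.0": 1,
    "2.0.0": 2,
    "3.0.0": 3,
    "3.0.1": 4,
    "4.0.0": 5,
    "5.0.0": 6,
}


class Console:
    """Tracks the one-way eFuse counter. The only operation is increment:
    a burnt fuse can never be cleared."""

    def __init__(self, burnt=0):
        self.burnt = burnt

    def burn_up_to(self, count):
        if count > self.burnt:
            self.burnt = count


def official_boot(console, fw_version):
    """Path taken by Nintendo's bootloader: refuse if more fuses are burnt
    than this firmware expects (a downgrade), otherwise burn fuses up to
    the expected count and boot. Returns True when the console boots."""
    expected = EXPECTED_FUSES[fw_version]
    if console.burnt > expected:
        return False  # anti-downgrade: refuse to boot
    console.burn_up_to(expected)  # irreversible side effect of a normal boot
    return True


def chainloaded_boot(console, fw_version):
    """Path taken when an RCM payload replaces the official bootloader:
    the fuse check and the fuse burning are skipped, so the counter never
    advances and any installed firmware version boots."""
    assert fw_version in EXPECTED_FUSES
    return True


def lowest_official_firmware(console):
    """Lowest firmware version the official path will still boot, i.e. the
    lowest version whose expected count is not below the burnt count."""
    candidates = [fw for fw, n in EXPECTED_FUSES.items() if n >= console.burnt]
    if not candidates:
        return None
    return min(candidates, key=lambda fw: EXPECTED_FUSES[fw])


def scenario():
    """Walk one console through both boot paths; returns
    (version, path, booted, fuses_burnt_afterwards) tuples."""
    log = []
    c = Console()
    for fw in ("1.0.0", "4.0.0"):  # normal updates through the official path
        log.append((fw, "official", official_boot(c, fw), c.burnt))
    # Downgrade attempt through the official path is refused
    log.append(("3.0.0", "official", official_boot(c, "3.0.0"), c.burnt))
    # Same downgrade through an RCM chainloader works: no check runs
    log.append(("3.0.0", "chainloaded", chainloaded_boot(c, "3.0.0"), c.burnt))
    # A newer firmware booted through the chainloader burns nothing
    log.append(("5.0.0", "chainloaded", chainloaded_boot(c, "5.0.0"), c.burnt))
    return log


if __name__ == "__main__":
    c = Console()
    for entry in scenario():
        print("%-6s via %-11s booted=%-5s fuses=%d" % entry)
    c.burn_up_to(5)
    print("lowest firmware the official path still boots:", lowest_official_firmware(c))
```

The point of the model is the asymmetry: `official_boot` has a side effect (the counter only grows), while `chainloaded_boot` has none, which is exactly why booting a newer firmware through a payload keeps a later downgrade possible.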
Boot modes
The console has several Boot Modes (see switchbrew's Boot Modes page, http://switchbrew.org/index.php/Boot_Modes): normal launch, Recovery Mode, Maintenance Mode and Safe Mode. Fusée Gelée uses the Recovery Mode, commonly called "RCM".
Recovery mode
The console enters Recovery Mode for three different reasons:
- The internal memory is corrupted or the entire eMMC board is missing;
- The bootloader program is corrupted;
- A specific key combination is pressed on boot.
With the console powered off: hold both Vol+ and Power while shorting pin 10 to ground (pin 1) on the right Joy-Con rail.
In RCM the console shows a black screen and waits over USB for commands that must be signed by Nintendo. Fusée Gelée does not defeat that signature check; it exploits a memory-safety bug in the boot ROM's USB handling (an over-long control transfer overflows a fixed-size buffer) to hijack execution before the check is reached, and then runs an arbitrary unsigned payload.
Because the bug lives in the boot ROM, which is read-only silicon, it cannot be patched by a firmware update. It has been fixed in the hardware of consoles sold after June 2018; earlier units stay vulnerable regardless of firmware version.
Maintenance mode
There is another menu called Recovery Mode, also known as Maintenance Mode. It has an on-screen menu to update or format the console and delete user preferences. A different button combination is used to boot into this menu.
With the console powered off: hold Vol+ and Vol-, then press and release Power.
Accessing this Maintenance Mode screen deletes temporarily downloaded update files and stops the update nag from being displayed on Horizon OS.
Q. Is this menu part of the bootloader code or triggered before it? Can it be accessed when using AutoRCM?
A. ...
Safe mode
Safe Mode boots Horizon OS with a slightly different firmware. Think of it as booting your computer into Windows' safe mode, disabling drivers and network configuration to resolve conflicts.
There is no reason to use this mode for homebrew or Fusée Gelée. For more information, read switchbrew's Boot Modes page.
Usage
When the console is in RCM, waiting for USB data, a payload launcher can send an unsigned payload binary (program) to the Switch.
There are different payload launcher programs (for computers, Android phones or standalone dongles) and different payload binaries that can be sent to the console.
- Fully shut down the console (not sleep mode);
- Enter RCM (short Joy-Con rail pin 10 to any ground pin, then hold Vol+ and press Power);
- Connect the Switch over USB to an OTG-capable device (computer, phone or dongle);
- Run the payload launcher and select the payload to send, or let the dongle send it automatically.
Launchers, dongles and payloads are listed below.
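Whatever a launcher sends in the last step above runs with boot-ROM privilege and is never signature-checked by the console, so the host is the only place where a payload can be checked. The following is an added example of that host-side check, written for this page and not taken from Fusée Launcher, TegraRcmSmash or any other tool listed here. Assumptions not from the page: the pinned SHA-256 is copied from the payload's release notes (here a constructed pin over a constructed fake payload), the 0x1000-byte chunking mirrors the bulk-transfer size launchers commonly use, and the size limit is a hypothetical value.

```python
"""Pin-and-verify an RCM payload before a launcher sends it.

Added example for this page, not code from any launcher listed on it.
Assumed values (not from the page): CHUNK_SIZE as the USB bulk-transfer
unit, MAX_PAYLOAD_SIZE as a hypothetical size limit.
"""
import hashlib
import hmac

CHUNK_SIZE = 0x1000          # assumed USB bulk-transfer unit
MAX_PAYLOAD_SIZE = 0x30000   # hypothetical limit; real launchers enforce their own


class PayloadError(ValueError):
    """Raised when the payload must not be sent."""


def verify_payload(data, pinned_sha256, max_size=MAX_PAYLOAD_SIZE):
    """Return the hex SHA-256 of `data` if it matches the pin and fits;
    raise PayloadError otherwise. Nothing is sent on failure."""
    if not data:
        raise PayloadError("empty payload")
    if len(data) > max_size:
        raise PayloadError("payload too large: %d > %d" % (len(data), max_size))
    digest = hashlib.sha256(data).hexdigest()
    # Constant-time comparison is not needed for a local file, but costs nothing.
    if not hmac.compare_digest(digest, pinned_sha256.lower()):
        raise PayloadError("SHA-256 mismatch: refusing to send an unpinned payload")
    return digest


def split_into_transfers(data, chunk_size=CHUNK_SIZE):
    """Zero-pad to a whole number of chunks and split, the way a launcher
    queues bulk transfers. Padding with zero bytes is an assumption."""
    padded = data + b"\x00" * (-len(data) % chunk_size)
    return [padded[i:i + chunk_size] for i in range(0, len(padded), chunk_size)]


def prepare_payload(data, pinned_sha256):
    """Verify first, then chunk. Returns (digest, list_of_transfers)."""
    digest = verify_payload(data, pinned_sha256)
    return digest, split_into_transfers(data)


# Constructed sample: a fake payload, pinned by hashing it right here. In real
# use the pin is copied from the release page, never computed from the download.
SAMPLE_PAYLOAD = b"\x00\x00\x01\x40" * 1024 + b"FAKE-RCM-PAYLOAD"
SAMPLE_PIN = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()

if __name__ == "__main__":
    digest, transfers = prepare_payload(SAMPLE_PAYLOAD, SAMPLE_PIN)
    print("ok sha256=%s... %d transfers of %#x bytes" % (digest[:16], len(transfers), CHUNK_SIZE))
    try:
        # One appended byte (a tampered download) fails the pin and is never chunked.
        prepare_payload(SAMPLE_PAYLOAD + b"\x90", SAMPLE_PIN)
    except PayloadError as err:
        print("rejected:", err)
```

The ordering matters: verification happens before any chunk is built, so a tampered or truncated file never reaches the USB code path at all.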
Payload Loaders (programs)
Name | System | Description | Author | Link | Sources |
---|---|---|---|---|---|
Fusée Launcher | Python | Proof-of-concept code loader for the Fusée Gelée exploit. Works on Windows, Linux, macOS and FreeBSD. | Kate Temkin, Qyriad | | https://github.com/Cease-and-DeSwitch/fusee-launcher |
TegraRcmSmash | Windows | A Windows code loader for the Fusée Gelée exploit. | rajkosto | https://switchtools.sshnuke.net/ | https://github.com/rajkosto/TegraRcmSmash |
NXLoader | Android | An Android code loader for the Fusée Gelée exploit. | DavidBuchanan314 | | https://github.com/DavidBuchanan314/NXLoader/ |
Payload Loaders (Dongle)
Name | System | Description | Author | Link | Sources |
---|---|---|---|---|---|
SX | Dongle | A dongle that launches a payload for the Fusée Gelée exploit. | Team Xecuter | | |
Payload (binaries)
Name | Description | Author | Link | Sources |
---|---|---|---|---|
Fusée Gelée sample payload | A sample payload binary to use with Fusée Launcher. | Kate Temkin | http://misc.ktemkin.com/fusee.bin | https://github.com/Cease-and-DeSwitch/fusee-launcher |
ShofEL2 | A Linux booter. | fail0verflow (shuffle2) | https://fail0verflow.com/blog/2018/shofel2/ (info; no binary download?) | https://github.com/fail0verflow/shofel2 |
SX OS | A bootloader and firmware patcher (CFW) allowing homebrew launching from Horizon OS. Requires a license to unlock backup loader features. | Team Xecuter | https://team-xecuter.com/ | closed source |
Hekate | A multi-tool payload: chainloads other payload binaries from the SD card, acts as a bootloader and firmware patcher (CFW) allowing homebrew launching from Horizon OS, and bundles tools such as NAND backup/restore. | naehrwert (continued by CTCaer) | | |
Lakka | A Linux booter, used to boot Lakka, a Linux distribution specialized in emulators. | | | |
fusedump | An eFuse dumper (deprecated). | moriczgergo | https://github.com/moriczgergo/fusedump/releases | https://github.com/moriczgergo/fusedump |
moonflower | An eFuse and GPIO dumper for the Switch, based on fusedump. | moriczgergo | https://github.com/moriczgergo/moonflower/releases | https://github.com/moriczgergo/moonflower |
GRAnimated payload | A customized Fusée Gelée binary modded by GRAnimated. | GRAnimated | https://github.com/GRAnimated/FG-CustomPayload/raw/master/fusee/out/fusee.bin | https://github.com/GRAnimated/FG-CustomPayload/ |
BiskeyDump | A Switch key dumper. | rajkosto | https://switchtools.sshnuke.net/ | https://github.com/rajkosto/biskeydump |
A temporary list is maintained on the forum until this wiki page is complete: https://gbatemp.net/threads/fusee-gelee-all-the-payloads.502028/
Déjà Vu
Unreleased exploit by SciresM, reported to work on firmware up to 4.1 (unconfirmed).