From WikiTemp, the GBAtemp wiki
(List of Switch's Exploits: added links)
(List of Switch's Exploits: updated compatible versions)
Line 30: Line 30:
| Déjà Vu / Caffeine
| Déjà Vu / Caffeine
| 1.0.0 - 4.1.0
| 1.0.0 - 4.1.0, partially up to 7.0.1
| SciresM
| SciresM
| [ Unofficial Thread], [ Unofficial Thread], [ github for 3.0.0], [ unofficial thread caffeine for 4.1.0 released]
| [ Unofficial Thread], [ Unofficial Thread], [ github for 3.0.0], [ unofficial thread caffeine for 4.1.0 released]
Line 36: Line 36:
| Fusée Gelée
| Fusée Gelée
| 1.0.0 - 5.1.0
| All (non iPatched consoles only)
| Independently discovered by ReSwitched Team (Kate Temkin), fail0verflow (shuffle2).
| Independently discovered by ReSwitched Team (Kate Temkin), fail0verflow (shuffle2).
| [ Unofficial Thread]
| [ Unofficial Thread]

Latest revision as of 10:36, 7 August 2019

*Draft page* please help improving and fixing missing information.

List of Switch's Exploits

Name Compatible firmware versions Author(s) Link Status
Jamais vu 1.0.0 ReSwitched Team (SciresM, and Motezazer) Thread, reddit Fixed
PegaSwitch 1.0.0 - 3.0.0 ReSwitched Team (SciresM, and more) website, Sources Fixed
Nereba 1.0.0 - 3.0.0 ReSwitched Team (Stuckpixel) Unofficial Thread, Sources Fixed
Déjà Vu / Caffeine 1.0.0 - 4.1.0, partially up to 7.0.1 SciresM Unofficial Thread, Unofficial Thread, github for 3.0.0, unofficial thread caffeine for 4.1.0 released Fixed
Fusée Gelée All (non iPatched consoles only) Independently discovered by ReSwitched Team (Kate Temkin), fail0verflow (shuffle2). Unofficial Thread Fixed, june2018

Jamais vu

Jamais vu exploit a warmboot vulnerability in the TrustZone to allow code execution.


PegaSwitch exploit a vulnerability in the Internet navigator WebKit module. PegaSwitch does not allow homebrew launching.

PegaSwitch is triggered by using a computer's program serving as DNS server.


released in April 2019, this exploit is compatible with old firmwares 1.0.0 to 3.0.0 only.

It's exploiting a warm boot RAM access vulnerability which allows the console to reboot from OFW to any Fusée Gelée payloads using the web applet.

Déjà vu

Déjà vu was an old known but unreleased exploit. It has finally been released in April 2019.

Compatible firmwares from 1.0.0 up to 4.1.0. The vulnerability was only partially fixed in 6.0.0. The vulnerability was kept secret as long as it wasn't fully fixed in eventuality that it could be useful later to exploit units with patched known exploits.

Nintendo definitely fixed that vulnerability in 2019 with firmware 8.x

Fusée gelée

(en: Frozen Space Rocket)

Fusée gélée exploit a vulnerability in the Recovery mode of the Nintendo Switch, allowing early code execution on the console. The Recovery mode is launched before Horizon OS, the switch's operating system (the user interface).

A simplified graphical representation of the launch sequence:

Cold boot > Recovery mode > Boot loader > Horizon OS

This might not be the exact launch sequence, but it's good enough to get a quick understanding of what happens before the main console's interface is displayed.

Fusée Gelée runs in the Recovery mode step and allows code execution before the Boot loader. It can be used to either:

  • Run standalone applications (key dumpers, display console information, etc.),
  • Replace the bootloader and allows launching of custom OS running on native tegra chipset (Linux, Lakka, etc.)
  • Act as a bootloader and launches Horizon OS, stock (OFW) or with temporary memory patches (CFW),

Q. Why use Fusée gelée to boot an official firmware?

A. The official Nintendo's bootloader is responsible for checking and burning eFuse. eFuses are burned when upgrading the firmware to prevent you to downgrade your console. Horizon checks how many eFuses has been burned, if it doesn't match the expected eFuse number the OS will refuse to launch. Bypassing the official bootloader prevents eFuse burning when booting a higher (official or patched) firmware version, allowing the user to return to the lowest installed fused firmware (eMMC restoration or firmware downgrade).

Boot modes

There are different Boot Modes the console can access: Normal launch, Recovery mode, Maintenance mode, Safe mode. Fusée gelée uses the Recovery Mode, commonly called "RCM".

Recovery mode

The console enters this Recovery mode for three different reasons:

  • The internal memory is corrupted or the entire eMMC board is missing ;
  • The bootloader program is corrupted ;
  • A specific key combination is pressed on cold boot : with the console fully shutdown, keep pressed both Vol+ while bridging right joycon's pin 10 with Ground (with pin1, 7 or 9) and switch on the console.

Entering this recovery mode (RCM) puts the console on a black screen, where the console waits for USB sent signed commands for secure communication. Fusée gelée uses a vulnerability in the command verification process to send non signed data and execute unsigned code.

This vulnerability has been fixed on consoles sold after june 2018.

Maintenance mode

There is another menu called Recovery Mode, also known as Maintenance Mode. The maintenance mode is part of the Horizon OS, and can be launched after RCM, for example, after choosing which firmware to launch from Hekate in RCM.

It has an onscreen menu to update the console, format and delete user preferences, or just exit and launch Horizon OS. Additionally, entering this menu automatically clears temporarily downloaded files, such as a complete or partial system update.

A different pressed buttons combination is used to boot into this menu.

Console power OFF : keep pressed Vol+ and Vol-, press and release Power button
Just after selecting Launch Firmware from RCM's custom bootloader : keep pressed Vol+ and Vol-

Accessing this Maintenance mode screen has the effect of deleting temporary downloaded update files and stop displaying the update nag on Horizon OS.

Safe mode

Safe mode is used to boot Horizon OS using a slightly different firmware. You can see this mode like booting into Windows' safe mode on your computer to disable drivers and network configuration to resolve conflicts.

There is no reason to use this mode for homebrew or Fusée Gelée. For more information, read switchbrew's boot modes page.


When the console is in RCM, waiting for USB data reception, you can use a payload launcher to send a non signed payload binaries (program) to the Switch.

There are different payload launchers program (on computers, Phones or standalone dongles), and different payload binaries which can be sent to the console.

  • Fully shutdown the console (not in sleep mode)
  • Launch RCM (shortcut joycon pin10 with any GND pin, press Vol+ and power button)
  • Plug your Nintendo Switch through USB OTG compatible device (computer, phone or dongle)
  • Run the payload Launcher and select the payload to send to the console, or let the dongle do it automatically.

A list of Fusée Gelée Code launchers, dongles and payloads are available here