List of Switch exploits
| Switch Homebrew | |
|---|---|
| Introduction • Homebrew Development • Homebrew Bounty • Glossary | |
| Release Lists | All Homebrew • Applications • Games • Emulators • Demos • Exploits • Payloads • CFWs • Development libraries & tools • PC Utilities |
| Information | • Homebrew TitleID • Game patches and mods • Savegames • Websites |
*Draft page* please help improving and fixing missing information.
List of Switch's Exploits
| Name | Compatible firmware versions | Author(s) | Link | Status |
|---|---|---|---|---|
| PegaSwitch | 1.0.0 - 3.0.0 | ReSwitched Team (SciresM, and more) | website, Sources | Fixed |
| Fusée Gelée | 1.0.0 - 5.1.0 | Independently discovered by ReSwitched Team (Kate Temkin), fail0verflow (shuffle2). | Fixed, june2018 | |
| Déjà Vue (unreleased) | 1.0.0 - 4.1.0 | SciresM |
PegaSwitch
PegaSwitch exploit a vulnerability in the Internet navigator WebKit module. PegaSwitch does not allow homebrew launching.
PegaSwitch is triggered by using a computer's program serving as DNS server.
Fusée gelée
(en: Frozen Space Rocket)
Fusée gélée exploit a vulnerability in the Recovery mode of the Nintendo Switch, allowing early code execution on the console. The Recovery mode is launched before Horizon OS, the switch's operating system (the user interface).
Grahical representation of the launch sequence:
Cold boot > Boot mode > Boot loader > Horizon OS
Fusée Gelée runs in the Boot mode step and allows code execution before the Boot loader.
It can be used to either:
- Run standalone applications (key dumpers, display console information, etc.),
- Replace the bootloader and allows launching of custom OS running on native tegra chipset (Linux, Lakka, etc.)
- Act as a bootloader and launches Horizon OS, stock (OFW) or with temporary memory patches (CFW),
Q. Why use Fusée gelée to boot an official firmware?
A. The official Nintendo's bootloader is responsible for checking and burning eFuse. eFuses are burned when upgrading the firmware to prevent you to downgrade your console. Horizon checks how many eFuses has been burned, if it doesn't match the expected eFuse number the OS will refuse to launch. Bypassing the official bootloader prevents eFuse burning when booting a higher (official or patched) firmware version, allowing the user to return to the lowest installed fused firmware (eMMC restoration or firmware downgrade).
Boot modes
There are different Boot Modes the console can access: Normal launch, Recovery mode, Maintenance mode, Safe mode. Fusée gelée uses the Recovery Mode, commonly called "RCM".
Recovery mode
The console enters this Recovery mode for three different reasons:
- The internal memory is corrupted or the entire eMMC board is missing ;
- The bootloader program is corrupted ;
- A specific key combination is pressed on cold boot : with the console fully shutdown, keep pressed both Vol+ while bridging right joycon's pin 10 with Ground (with pin1, 7 or 9) and switch on the console.
Entering this recovery mode (RCM) puts the console on a black screen, where the console waits for USB sent signed commands for secure communication. Fusée gelée uses a vulnerability in the command verification process to send non signed data and execute unsigned code.
This vulnerability has been fixed on consoles sold after june 2018.
Maintenance mode
There is another menu called Recovery Mode, also known as Maintenance Mode. It has an onscreen menu to update or format the console and delete user preferences. A different pressed buttons combination is used to boot into this menu.
Console power OFF : keep pressed Vol+ and Vol-, press and release Power button.
Accessing this Maintenance mode screen has the effect of deleting temporary downloaded update files and stop displaying the update nag on Horizon OS.
Q. Is this menu part of the Bootloader code or triggered before it? Can it be accessed if using AutoRCM?
A. ...
Safe mode
Safe mode is used to boot Horizon OS using a slightly different firmware. You can see this mode like booting into Windows' safe mode on your computer to disable drivers and network configuration to resolve conflicts.
There is no reason to use this mode for homebrew or Fusée Gelée. For more information, read switchbrew's boot modes page.
Usage
When the console is in RCM, waiting for USB data reception, you can use a payload launcher to send a non signed payload binaries (program) to the Switch.
There are different payload launchers program (on computers, android Phones or standalone dongles), and different payload binaries which can be sent to the console.
- Fully shutdown the console (not in sleep mode)
- Launch RCM (shortcut joycon pin10 with any GND pin, press Vol+ and power button)
- Plug your Nintendo Switch through USB OTG compatible device (computer, phone or dongle)
- Run the payload Launcher and select the payload to send to the console, or let the dongle do it automatically.
List of Fusée Gelée Code launchers, dongles and payloads
Payload senders (Software)
| Name | System | Description | Author | Link | sources |
|---|---|---|---|---|---|
| Fusée Launcher | Python3 | Proof-of-concept code loader for Fusée Gelée exploit. Works on Windows, Linux, macOS and FreeBSD. | Kate Temkin, Qyriad | github | |
| Fusée Launcher for MacOS | OSX | This is a simple fork of the original fusee-launcher for OSX. | OkazakiTheOtaku | Thread | github |
| CrystalRCM | OSX | This is a graphical front-end to fusee-launcher for macOS. Works without any other installs. | Mistyhands | Thread | GitHub |
| iOUSB | iOS | An iOS code loader for Fusée Gelée exploit, based on NXLauncher? | Brandon-T | post | github |
| nxboot | iOS, OSX | Fusée Gelée / ShofEL2 for jailbroken iOS10+ & macOS. | mologie | Thread, website | GitHub |
| NXLauncher | Android | An Android code loader for Fusée Gelée exploit, based on Fusée Gelée and ShofEL2. Has the fusee.bin payload bundled. Can load any other payload binary from your android device. | DavidBuchanan | Github | |
| NXLauncher mod (SXLoader) | Android | A modded version of NXLauncher with (an old) SX OS payload set as default. Not available anymore. | annson24 | Thread | Github |
| Rekado | Android | An Android code loader for Fusée Gelée exploit, based on NXLauncher. Has the SX-Loader payload bundled. Can load any other payload binary from your android device. | MenosGrantes | Thread | Github |
| TegraRcmSmash | Windows | A Windows code loader for Fusée Gelée exploit. | rajkosto | download | Github |
| TegraRCMGUI | Windows | C++ GUI for TegraRcmSmash. | Eliboa | Thread | github |
| TegraRCMTool | Windows | Batch file to TegraRCMSmash | Midstor | Thread | github |
| AutoRCMSmasher | Windows | Auto send the payload using TegraRCMSmasher when it detects RCM mode. | PRAGMA | Thread | |
| Web fusée launcher | Web, javascript | A javascript based payload sender using WebUSB API on ChromeOS/Linux/Mac/Android. List of compatible browsers. Does not work on Windows due to USB restriction. | Atlas44 | demo, | github |
Payload senders (Hardware)
| Name | System | Description | Author | Link |
|---|---|---|---|---|
| Fusée à la framboise | Dongle | A dongle made using RaspberryPi. Open source, do it yourself. | moriczgergo | Thread |
| R4S | Dongle | A dongle to launch a payload for Fusée Gelée exploit. | ||
| AceNS | Dongle | A dongle to launch a payload for Fusée Gelée exploit. Clone of Xkit design, both first and OneB version. | website, 1st model Review | |
| AceNS Pro | Dongle | A SX dongle Clone, using an outdated SXOS firmware, with its identical features and bugs. Beware of clone detection brick code! use at your own risk. | website, Review | |
| Dragon Injector | Dongle | A trinket M0 clone dongle to launch a payload for Fusée Gelée exploit. Open source, do it yourself. | MatinatorX | thread |
| XKit RCM Loader, first model | Dongle | A dongle to launch a payload for Fusée Gelée exploit. | website | |
| XKit RCM Loader, Model One B | Dongle | A dongle to launch a payload for Fusée Gelée exploit. New version, smaller with integrated jig slot. | website, thread | |
| Nerdonic Exen Mini (tiny SAMD21 device) | Chipset | An internal chipset using SAMD21 device to launch a payload for Fusée Gelée exploit. Open source, do it yourself. | mooglazer | Thread |
| NS-Atmosphère | Dongle | A dongle to launch a payload for Fusée Gelée exploit. | ||
| SAMD | Dongle | A dongle to launch a payload for Fusée Gelée exploit. Open source, do it yourself. | electronrancher | Thread |
| SAMD v2 | Dongle | A dongle to launch a payload for Fusée Gelée exploit. Open source, do it yourself. | electronrancher | Thread |
| SwitchMe UP | Chipset | A modchip to launch a payload for Fusée Gelée exploit. | ||
| SX | Dongle | A dongle to launch a payload for Fusée Gelée exploit. | Team Xecuter | Website |
| Trinket | Dongle/Chipset | A dongle (can be installed internally as a modchip) to launch a payload for Fusée Gelée exploit. | ||
| Feather M0 express | Dongle/Chipset | A dongle (can be installed internally as a modchip) to launch a payload for Fusée Gelée exploit. SAM/Arduino board. | thread | |
| Do It Yourself | Dongle/Chipset | Multiple programmable boards (Adafruit Gemma M0, Adafruit Trinket M0, etc.) Share or find self-created dongles or internal modification chipset (modchip). | Multi users | Thread |
Hardware payload sender related links
Payload (Binaries)
| Name | Description | Author | Link | Source |
|---|---|---|---|---|
| Fusée Gelée sample payload | A sample payload binary to use with Fusée Launcher. | Kate Temkin | Download | github |
| Argon-NX | A payload launcher. Autoboot another payload.bin from your SD card, or displays a list of next payloads to launch from your SD. | Guillem96 | Unofficial thread, Releases | github |
| Argon-NX-mod by mattytrog | A mod of Argon, with some fixes and new features. | mattytrog | thread | |
| Argon-NX-sx-mod by mrdude | A mod of Argon, with new GUI and features, such as SXOS license management. | mrdude | thread | |
| Atmosphère:fusée-primary | Fusée launches the console into the atmosphère. Fusée is the paylod replacing the console's bootloader to boots Atmosphère CFW and its different modules (Exosphère, Thermosphère, Stratosphère, Troposphère). | SciresM | Releases | github |
| BiskeyDump | A Switch key dumper. | rajkosto | Download | github |
| BriccMii | A Payload used to corrupt (or fix) your boot0, preventing the Switch from loading the bootload and forcing the console to automatically enter RCM at boot. | rajkosto | Download | github |
| fusedump | An eFuse dumper. (deprecated, see MoonFlower) | moriczgergo | Download | github |
| gptrestore | Restores the original Nintendo Switch GPT to your eMMC if you somehow messed it up. | rajkosto | Download, usage example | github |
| GRAnimated payload | A customized fusée Gelée binary modded by GRAnimated. | GRAnimated | download | github |
| Hekate | A multi-tool payload. Serves as SD binary payload loader, a bootloader and Firmware Patcher (CFW) allowing homebrew launching from Horizon OS. Contains multiple tools such as NAND backup/restore. | naehrwert (original code), CTCaer, multiple users | Thread, Download | github |
| Hekate-Nyx | An optional frontend for Hekate version 5.0+. | CTCaer, multiple users | Thread, Download | github |
| Lakka | A Linux booter, used to boot Lakka, a Linux distribution specialized in emulators. | Natinusala | Thread | github |
| Lockpick_RCM | A key derivation and dumper. Works on 7.x if you have sept-primary.bin and sept-secondary.enc present in /sept/ folder. | Shchmue | Thread | github |
| memloader | A fail0verflow's u-boot binary loader. Used to mount emmc/boot0/boot1/sd as UMS drive on your computer. | rajkosto | Download, usage example | github |
| moonflower | An eFuse and GPIO dumper for the Switch. Based on Fusedump. | moriczgergo | Download | github |
| Painless Linux | A linux booter payload. Boot Linux on the Switch without imx_usb_loader - Windows, Linux, Mac OS & Android | Natinusala | download | github |
| ReiNX | Reisyukaku's custom firmware booter, based on Atmostphère CFW. | Reisyukaku | Official guide, Thread, Guide |
github |
| ROMDump | Dumps the RAW FUSE, KFUSE and BOOTROM bytes to your microSD/HOST PC via USB/console screen | rajkosto | Download | github |
| ShofEL2 | A Linux booter. | fail0verflow (shuffle2) | website | github |
| Shutdown Switch | A homebrew+payload bundle to fully shutdown the Switch using homebrew instead of power button. Works with autoRCM units. | mrdude | Thread | |
| SwitchBlade | Deprecated payload based on an old hekate payload version which added splash screen support and removed function to keep only homebrew launching feature. Instantly loads Horizon with homebrew enabled without any menus. | StevenMattera | Thread | github |
| SX OS | A bootloader and Firmware Patcher (CFW) allowing homebrew launching from Horizon OS. Requires a License to unlock backup loader features. | Team Xecuter | Website | no |
Payload (Malwares / Brickers)
/!\ATTENTION/!\ THESE PAYLOADS ARE MALWARE. YOU CAN BRICK YOUR CONSOLE. YOU SHOULD NOT USE THEM.
Read more about safe practices here.
| Name | Description | Author | Link | Source |
|---|---|---|---|---|
| TotallyNotVurnabbleFuseelauncher | A sample payload binary and sources to demonstrate any payload you find shouldn't be trusted, even if the sources are provided doesn't mean it's safe to compile and run. It contains an attempt to connect a socket to your computer on 192.168.1.59:21. | DavidTatikashvili123 | Thread | github |
| switchFuckerUpper.nro | A Switch bricker! DO NOT LAUNCH!!! This replaces your BIS with "80082" effectively rendering your Switch useless. | Crusatyr | No link, as this is malicious software. | No link, as this is malicious software. |
| SX OS Crack / PozzNX | A Switch bricker! DO NOT LAUNCH!!! This replaces your PRODINFO with a clean gpt essentially rendering your Switch useless. | Kanna | No link, as this is malicious software. | No link, as this is malicious software. |
| PokerusNX / Fake Pokemon: Let's Go! Pikachu / switchFuckerUpper.nsp | A Switch bricker! DO NOT LAUNCH!!! This replaces your BIS with "80082" effectively rendering your Switch useless. SwitchFuckerUpper stuffed into an NSP.]. | No link, as this is malicious software. | No link, as this is malicious software. |
