List of Switch exploits
*Draft page* please help improving and fixing missing information.
List of Switch's Exploits
Name | Compatible firmwares | Author | Fixed |
---|---|---|---|
? | 1.x | Fixed | |
Fusée Gelée | 1.x - 5.1 | Kate Temkin | Fixed, june2018 |
Déjà Vue (unreleased) | 1.x - 4.1 | SciresM |
?
A software triggered exploit on early firmware, allowing unsigned code execution (homebrew).
Fusée gelée
Fusée gélée exploit a vulnerability in the Recovery mode of the Nintendo Switch, allowing early code execution on the console. The Recovery mode is launched before Horizon OS (the switch's operating system, the user interface).
Grahical representation of the launch sequence:
Console shut down : Power > Boot mode > Boot loader > Horizon OS
Fusée Gelée allows code execution before the Boot loader.
It can be used to either:
- run standalone programs (key dumpers, console information, etc.),
- replace the bootloader and launches Horizon OS, stock (OFW) or with temporary memory patches (CFW).
- replace the bootloader and allows custom OS launching (Linux, Lakka)
The official Nintendo's bootloader is responsible for checking and burning eFuse. Bypassing the official bootloader prevent burning eFuse when booting a higher (official or patched) firmware version, allowing future backuped NAND restoration or firmware downgrade.
Boot modes
There are three different Boot Modes the console can access: Recovery mode, Maintenance mode, Safe mode. Fusée gelée uses the Recovery Mode, commonly called "RCM".
Recovery mode The console enters this Recovery mode for three different reasons :
- The internal memory is corrupted or the entire eMMC board is missing ;
- The bootloader program is corrupted ;
- A specific key combination is pressed on boot.
Console shut down : keep pressed both Vol+ and power buttons while shorting pin 1 and pin 10 of the right joycon connector.
Entering this recovery mode (RCM) puts the console on a black screen, where the console waits for USB sent signed commands for secure communication. Fusée gelée uses a vulnerability in the command verification process to send non signed data and execute arbitrary code.
This vulnerability has been fixed on consoles sold after june 2018.
Maintenance mode
There is another menu called Recovery Mode, also known as Maintenance Mode. It has an onscreen menu to update or format the console and delete user preferences. A different pressed buttons combination is used to boot into this menu.
Console shut down : keep pressed Vol+ and Vol-, press and release Power button.
Accessing this Maintenance mode screen has the effect of deleting temporary downloaded update files and stop displaying the update nag on Horizon OS.
Safe mode
Safe mode is used to boot Horizon OS using a slightly different firmware. You can see this mode like booting Windows safe mode on your computer, disabling drivers and network configuration to resolve conflicts.
There is no advantage to use this mode for homebrew. for more information, read switchbrew's boot modes page.
Usage
When the console is put in RCM, waiting for USB data reception, you can use a Launcher to send a non signed payload (program).
There are different Launchers program (on computers or android Phones), and different payload binaries (switch program) which can be sent to the console.
You can also use USB dongle which contains the payload to send and replace the need of a computer or a phone.
- Fully shutdown the console (not in sleep mode)
- launch RCM (shortcut joycon pin 1-10, press Vol+ and power button)
- Plug your Nintendo Switch through USB OTG compatible device (computer, phone, or dongle)
- Run the payload Launcher and select the payload to send to the console, or let the dongle do it automatically.
List of Launchers, Dongle and Payloads here (add link to lists here)
temporary list on the forum until wiki page is created. https://gbatemp.net/threads/fusee-gelee-all-the-payloads.502028/
déjà vu
unreleased exploit up to 4.1 ?