Hacking Fusee Gelee: All the payloads

Deleted-442439 · Apr 25, 2018

Thought it would be useful to have a thread with a collection of everything that can be used on Fusee Gelee / RCM exploits

message edited by a moderator.

The payload injectors and binaries are now listed on Wikitemp.
https://wiki.gbatemp.net/wiki/List_of_Switch_payloads

If you know any missing payload or tool, you can add it or post here and someone with wiki access will update the list.

Launchers:

Fusee Launcher: https://t.co/UGqtMeHR13

TegraRcmSmash: source: https://github.com/rajkosto/TegraRcmSmash) (binaries: https://switchtools.sshnuke.net/)

NXLauncher (Android) : https://github.com/DavidBuchanan314/NXLoader/releases/tag/alpha-0.2

Payloads:

Sample payload: https://t.co/d5nCLNa7E5

shofEL2: https://github.com/fail0verflow/shofel2

Fuse Dump https://github.com/moriczgergo/fusedump

GRAnimated's info payload: https://github.com/GRAnimated/FG-CustomPayload/

Key dumper: https://github.com/rajkosto/biskeydump

hekate_ipl source: https://github.com/nwert/hekate (binaries: https://github.com/rajkosto/hekate/releases)

Custom Firmware (CFW)

Atmosphere: https://github.com/Atmosphere-NX/Atmosphere
Note: Only for devs

Other resources:

Linux resources: https://fail0verflow.com/blog/2018/shofel2/
Note: This is also NOT for the end user.

The thread will be updated as more payloads are released.

Deleted User · Apr 25, 2018

is there anyway to write fail0verfl0ws exploit to the bootrom /nand

ShroomKing · Apr 25, 2018

The bootrom is read-only, you can't write anything to it.

Without access to NAND/eMMC drivers(with write abilities) you can't write anything to it.

Deleted User · Apr 25, 2018

ShroomKing said:
The bootrom is read-only, you can't write anything to it.

Without access to NAND/eMMC drivers(with write abilities) you can't write anything to it.

i think on rcm we could with linux write to the consoles emmc but that would be dangerous

Deathscreton · Apr 25, 2018

Natehaxx said:
i think on rcm we could with linux write to the consoles emmc but that would be dangerous

It could possibly be detected as well. Extra partitions or missing space could show as unauthorized access.

Deleted-442439 · Apr 25, 2018

Natehaxx said:
i think on rcm we could with linux write to the consoles emmc but that would be dangerous

Why do that anyways, emunand is much better and less risky, the tools we have now are to unstable, would not risk it.

Jayro · Apr 25, 2018

*Waits patiently for user-friendly payloads while Splatoon gets the best update ever*

Deleted-442439 · Apr 25, 2018

Update: Added a NAND dump payload, and a Animated version of the test payload.

Mnecraft368 · Apr 25, 2018

jjbredesen said:
The tread will be updated as more payloads are released.

Spelling mistake

Deleted-442439 · Apr 25, 2018

Mnecraft368 said:
Spelling mistake

Thanks!

marice · Apr 25, 2018

jjbredesen said:
Update: Added a NAND dump payload, and a Animated version of the test payload.

It doesn't actually dump the NAND right?

Deleted-442439 · Apr 25, 2018

marice said:
It doesn't actually dump the NAND right?

It said it did, but turns out it just shows some more protected data.

Crazy-S · Apr 26, 2018

jjbredesen said:
Thought it would be useful to have a thread with a collection of everything that can be used on Fusee Gelee / RCM exploits

Animated Payload: https://github.com/GRAnimated/FG-CustomPayload/

Title is a bit misleading, the Payload is not Animated (No fancy eyecandyfor you), but it's made by a guy called GRAnimated.

EDIT:
There is a new Payload
https://github.com/rajkosto/biskeydump
Dumps all your Switch BIS keys for eMMC contents decryption

Deleted-442439 · Apr 26, 2018

UPDATE: Key dumping payload added: https://github.com/rajkosto/biskeydump

Naked_Snake · Apr 26, 2018

We need a payload to dump and restore our saves

kombos · Apr 26, 2018

jjbredesen said:
UPDATE: Key dumping payload added: https://github.com/rajkosto/biskeydump

Probably thats the one.

Stoned · Apr 26, 2018

jjbredesen said:
UPDATE: Key dumping payload added: https://github.com/rajkosto/biskeydump

How to do that?

Place your own tsec fw as a C hex array or escaped string into the file src/hwinit/tsecfw.inl

kombos · Apr 26, 2018

Naked_Snake said:
We need a payload to dump and restore our saves

Stoned said:
How to do that?

Place your own tsec fw as a C hex array or escaped string into the file src/hwinit/tsecfw.inl

You have to dump your TSEC (Tegra Security Co-processor) firmware with total size 3840 bytes (get it from your pkg1ldr.bin (at offset 0x00001900) or boot0.bin (at offset 0x00101900), and place it as a C hex array in src/hwinit/tsecfw.inl

nWo · Apr 26, 2018

Great. Thank you. Keep ´em coming. All I want is to reach the end of the tunnel and, have a CFW, and a decent, great list of apps / payloads. I want one to dump / inject saves, and maybe convert the ones from Wii U games to their Switch counterpart the easy way. (Apart from emulating my favorite consoles) Waiting patiently.... Very... very insanely... but patiently...

Stoned · Apr 26, 2018

kombos said:
You have to dump your TSEC (Tegra Security Co-processor) firmware with total size 3840 bytes (get it from your pkg1ldr.bin (at offset 0x00001900) or boot0.bin (at offset 0x00101900), and place it as a C hex array in src/hwinit/tsecfw.inl

Who can i find pkg1ldr.bin or boot0bin?

Hacking Fusee Gelee: All the payloads

Deleted-442439

Guest

Deleted User

Guest

Somebody

Deleted User

Guest

Well-Known Member

Deleted-442439

Guest

MediCat USB Dev

Deleted-442439

Guest

I hate my name.

Deleted-442439

Guest

Well-Known Member

Deleted-442439

Guest

Pessimist

Deleted-442439

Guest

Constant Miscreant

Well-Known Member

Well-Known Member

Well-Known Member

The Game Master

Well-Known Member

Similar threads

Popular threads in this forum