Will payloads always need to be sent via USB?

Rune

My crystal ball is broken, my guess is maybe but not soon.
What I was asking was more along the lines of "is it a case of it being possible but no one having figured out yet? or is it likely to never happen because of <insert technical reason I'm not aware of>?"
 

Metion

I'm definitely not an expert, but since this is a bootrom exploit, can't we get keys to sign our own software to load payloads and flash it to the NAND?
 

JaRocker

So far we've seen progress in terms of being able to get into RCM without a jig. But it seems like we still need to send payloads via the USB port, whether that's through a PC, mobile, or a dongle of some sort.

Is it going to be possible in the future to store your payloads on the microSD card like the 3DS and load them on boot without interfering with the USB port? This seems like one of the last hurdles before we could get a seamlessly working CFW.
There are already hard mods being done to boot right into your payload https://m.imgur.com/THpL2Mp
 

softwareengineer

Thanks JaRocker, fixed your quote (your closing bracket is missing ;))
There are already hard mods being done to boot right into your payload https://m.imgur.com/THpL2Mp

Looking for something like that, Rune? ^^ He flips it over to show there's nothing hiding underneath or near the USB port! What we can do is have our RCM payload injector be not a dongle but a payload injector permanently soldered into the system! Until / unless a new exploit is discovered that allows a true coldboot, this I would be satisfied with.

Or as others have said in other threads, if you're on 1.0 or 3.0 - 4.1, you can boot into stock firmware and then launch an exploit (when released) to boot an RCM payload without needing a dongle or anything, but it's still not coldboot since you have to boot stock to get to the exploit to boot into CFW. That's another option though, that may still be more comfortable to people than having to use a dongle all the time!

Hope that answers your question, we're working on the permanent hard mods to retire our dongles! :D (And as shown, some of us have already achieved it)
 

smf

What I was asking was more along the lines of "is it a case of it being possible but no one having figured out yet? or is it likely to never happen because of <insert technical reason I'm not aware of>?"

I reckon it's probably doable & I think someone has probably already done it. Nobody is releasing any new exploits until at least Mariko is out, and even then it will probably be after it's been patched out.
 

SciresM

Maybe I should've been more clear with what I'm really asking. What I want to know is if we're stuck with using payloads via RCM mode.
Will it not be possible to permanently flash a CFW to the device that loads from cold boot just like an OFW?

The exploit is not part of Atmosphere, so it doesn't qualify for complete transparency. Kate has made it clear from the beginning that you won't get complete transparency.

I intend to be fully transparent about this shit, especially going forwards. At present, I'm not aware of any non-RCM means of getting code execution from coldboot. To the best of my knowledge, nobody else is, either.
 

Don Jon

On Windows and Linux (as well as Android, I think) you need XHCI (which is USB 3.0) to deliver the payload. On Mac you can use USB 2 cables, but for everything else you need 3.0, which is going to be newer and more expensive.
This is completely false and very deceiving.
There are several methods that allow you to use USB 2.0.
I can think of at least 3 different methods.

USB 2.0 Cables and ports are ok
 

smf

I'm definitely not an expert, but since this is a bootrom exploit, can't we get keys to sign our own software to load payloads and flash it to the NAND?

No. It exploits RCM, it doesn't let you replace the bootrom & as the private keys aren't stored on the device you can't sign anything and have the bootrom accept it.
 

Wierd_w

1. People are paranoid
2. I think that on Linux you need to patch something to make it work on a 2.0 port. Idk how it is on Windows. For some time (or still) you needed USB 3.0.

The linux EHCI driver has a (completely reasonable!) sanity check that prevents you from sending absurdly large control messages. The FoF patch simply deletes this perfectly reasonable flow control code. FG cannot execute properly with the flow control code in place.

A similar story exists on windows boxes, where one of the USB implementations has such a sanity check.


What I was asking was more along the lines of "is it a case of it being possible but no one having figured out yet? or is it likely to never happen because of <insert technical reason I'm not aware of>?"

It's a case of "Nintendo took security seriously. They use layout randomization to prevent you from just poking at a magic address (or overflowing to a specific address), They use proper digital signature checking/signing, they use eFuses, etc. You have to get your foot into the door before the OS loads. FG is the only known way in on firmware greater than 5.xxx"

This means that if you want a cold booting Switch, you will need FG and a dongle (Retr0id has beaten me to the punch, and has his cheap Chinese dongle booting his Switch already), or you need to integrate a hardware modchip that does the FG injection for you. I am not going to design an internal modchip, it is not my area of expertise. However, there are a number of very small SoMs out there that could do the job quite nicely, and I see no real obstacle to seeing such things on the market besides inertia.

Retr0id's dongle (since he beat me to the punch, and I don't mind) has the benefit of being user-updatable with whatever IPL you want the injector to send.
 

hippy dave

I intend to be fully transparent about this shit, especially going forwards. At present, I'm not aware of any non-RCM means of getting code execution from coldboot. To the best of my knowledge, nobody else is, either.
Good info, thanks. I'd been starting to doubt my decision to update from 4.x to 5.x (which was based on misleading answers from Kate on twatter before she posted her faq, ambiguity about "doesn't need tether" and "works on 5.x" not being the same exploit), as everyone keeps saying "ooh wait for magic things that are bound to come later", but if the only thing I'm missing out on is something like a websploit to reboot from clean OS to RCM then I'm content, as I have no interest in doing that.
 

charlieb

I intend to be fully transparent about this shit, especially going forwards. At present, I'm not aware of any non-RCM means of getting code execution from coldboot. To the best of my knowledge, nobody else is, either.

How about the next best thing: booting into Atmosphere from the news web applet on a 1.0.0 console (or anywhere else for that matter, if not the news applet). Basically, I'm asking if you're planning to leverage 1.0.0 fails? Sure, they (we) could use the RCM route, but it seems 1.0.0 was supposed to be the best when following the "lower is better" route. So, is someone cooking up something special for lower FWs or 1.0.0, with that being the lowest that's out there with retail units for some users?
 

Wierd_w

How about the next best thing: booting into Atmosphere from the news web applet on a 1.0.0 console (or anywhere else for that matter, if not the news applet). Basically, I'm asking if you're planning to leverage 1.0.0 fails? Sure, they (we) could use the RCM route, but it seems 1.0.0 was supposed to be the best when following the "lower is better" route. So, is someone cooking up something special for lower FWs or 1.0.0, with that being the lowest that's out there with retail units for some users?

A silly question comes to mind:

Is it possible to push the individual system-default applications from an older firmware into a newer one, using an FG payload? Seeing as some of these bugs exist in the user applications of the Switch in older firmwares, and those applications are legitimately signed by Nintendo, would it be possible to boot a custom payload using FG that downgrades *JUST* the vulnerable user applications, and not the other bits of the firmware? (E.g., the checked portions in the boot chain are left completely alone; we just replace, say, the gallery app?)

If so, we could re-introduce some of the exploits using a one-time FG boot on newer firmwares.
 

smf

The linux EHCI driver has a (completely reasonable!) sanity check that prevents you from sending absurdly large control messages. The FoF patch simply deletes this perfectly reasonable flow control code. FG cannot execute properly with the flow control code in place.

A similar story exists on windows boxes, where one of the USB implementations has such a sanity check.

There is an arbitrary limit in the Linux EHCI driver, but there doesn't appear to be an arbitrary limit in the Linux XHCI driver, MacOS drivers or libusbk on Windows.

You can remove the arbitrary limit in the Linux EHCI driver.

You don't need USB3.

I intend to be fully transparent about this shit, especially going forwards. At present, I'm not aware of any non-RCM means of getting code execution from coldboot. To the best of my knowledge, nobody else is, either.

What do you know about fail0verflow's claim "There are actually many Boot ROM bugs, several of which have been found by multiple people."?
 

Wierd_w

There is an arbitrary limit in the Linux EHCI driver, but there doesn't appear to be an arbitrary limit in the Linux XHCI driver, MacOS drivers or libusbk on Windows.

You can remove the arbitrary limit in the Linux EHCI driver.

You don't need USB3.
Most devices that are of interest in getting a portable/convenient FG injector will have a USB2 controller, not a USB3 controller.
 

charlieb

A silly question comes to mind:

Is it possible to push the individual system-default applications from an older firmware into a newer one, using an FG payload? Seeing as some of these bugs exist in the user applications of the Switch in older firmwares, and those applications are legitimately signed by Nintendo, would it be possible to boot a custom payload using FG that downgrades *JUST* the vulnerable user applications, and not the other bits of the firmware? (E.g., the checked portions in the boot chain are left completely alone; we just replace, say, the gallery app?)

If so, we could re-introduce some of the exploits using a one-time FG boot on newer firmwares.

Just a guess but I'd imagine the FW image is signed and as such you can't "inject" apps into the existing FW without breaking the signature envelope.

If, as you said, you're booting f-g, then there is little to no point modifying an old FW because you already have total control of the system. I'm talking about getting to that state on a 1.0.0 console without using dongles, from the main dashboard; not necessarily from coldboot if that's not possible.
 

Wierd_w

Just a guess but I'd imagine the FW image is signed and as such you can't "inject" apps into the existing FW without breaking the signature envelope.

Seems reasonable; perhaps as a title injection then? (Installed as a game, but still a signed binary?)
 

smf

Most devices that are of interest in getting a portable/convenient FG injector will have a USB2 controller, not a USB3 controller.

Yes, and it will work fine, because fusee-gelee works with USB 2 & does not require USB 3.

Is it possible to push the individual system-default applications from an older firmware, into a newer one, using an FG paylad? Seeing as some of these bugs exist in the user applications of the switch in older firmwares, and those applications are legitimately signed by Nintendo, would it be possible to boot a custom payload using FG that downgrades *JUST* the vulnerable user applications, and not the other bits of the firmware? (EG, the checked portions in the boot chain are left completely alone, we just replace, say, the gallery app?)

Downgrading titles was done on the Wii & DSi etc., so it might be possible. Although they may have learned and signed the system applications with a per-OS-version key that gets revoked each time. I'm not sure why you'd want to do it though.
 

Wierd_w

Yes, and it will work fine, because fusee-gelee works with USB 2 & does not require USB 3.

Yes, I know. Just saying that on Linux, on most devices that would be of interest, you will need FoF's patch which removes the arbitrary message length check from the EHCI driver, because you cannot use the XHCI driver on those chips.
 
