Hacking Fusee Gelee: All the payloads

[Deleted-442439]

Thought it would be useful to have a thread with a collection of everything that can be used on Fusee Gelee / RCM exploits

message edited by a moderator.

The payload injectors and binaries are now listed on Wikitemp.
https://wiki.gbatemp.net/wiki/List_of_Switch_payloads



If you know any missing payload or tool, you can add it or post here and someone with wiki access will update the list.

Spoiler: original thread

Launchers:

Fusee Launcher: https://t.co/UGqtMeHR13​

TegraRcmSmash: source: https://github.com/rajkosto/TegraRcmSmash) (binaries: https://switchtools.sshnuke.net/)

NXLauncher (Android) : https://github.com/DavidBuchanan314/NXLoader/releases/tag/alpha-0.2​

Payloads:

Sample payload: https://t.co/d5nCLNa7E5

shofEL2: https://github.com/fail0verflow/shofel2

Fuse Dump https://github.com/moriczgergo/fusedump

GRAnimated's info payload: https://github.com/GRAnimated/FG-CustomPayload/

Key dumper: https://github.com/rajkosto/biskeydump

hekate_ipl source: https://github.com/nwert/hekate (binaries: https://github.com/rajkosto/hekate/releases)

Custom Firmware (CFW)

Atmosphere: https://github.com/Atmosphere-NX/Atmosphere
Note: Only for devs

Other resources:

Linux resources: https://fail0verflow.com/blog/2018/shofel2/
Note: This is also NOT for the end user.​

The thread will be updated as more payloads are released.

 

[Deleted User]

is there anyway to write fail0verfl0ws exploit to the bootrom /nand

 

[ShroomKing]

The bootrom is read-only, you can't write anything to it.

Without access to NAND/eMMC drivers(with write abilities) you can't write anything to it.

 

[Deleted User]

The bootrom is read-only, you can't write anything to it.

Without access to NAND/eMMC drivers(with write abilities) you can't write anything to it.

i think on rcm we could with linux write to the consoles emmc but that would be dangerous

 

[Deathscreton]

i think on rcm we could with linux write to the consoles emmc but that would be dangerous

It could possibly be detected as well. Extra partitions or missing space could show as unauthorized access.

 

[Deleted-442439]

i think on rcm we could with linux write to the consoles emmc but that would be dangerous

Why do that anyways, emunand is much better and less risky, the tools we have now are to unstable, would not risk it.

 

[Jayro]

*Waits patiently for user-friendly payloads while Splatoon gets the best update ever*

 

[Deleted-442439]

Update: Added a NAND dump payload, and a Animated version of the test payload.

 

[Mnecraft368]

The tread will be updated as more payloads are released.

Spelling mistake

 

[Deleted-442439]

Spelling mistake

Thanks!

 

[marice]

Update: Added a NAND dump payload, and a Animated version of the test payload.

It doesn't actually dump the NAND right?

 

[Deleted-442439]

It doesn't actually dump the NAND right?

It said it did, but turns out it just shows some more protected data.

 

[Crazy-S]

Thought it would be useful to have a thread with a collection of everything that can be used on Fusee Gelee / RCM exploits

Animated Payload: https://github.com/GRAnimated/FG-CustomPayload/

​

​

Title is a bit misleading, the Payload is not Animated (No fancy eyecandyfor you), but it's made by a guy called GRAnimated.

EDIT:
There is a new Payload
https://github.com/rajkosto/biskeydump
Dumps all your Switch BIS keys for eMMC contents decryption

 

[Deleted-442439]

UPDATE: Key dumping payload added: https://github.com/rajkosto/biskeydump

 

[Naked_Snake]

We need a payload to dump and restore our saves

 

[kombos]

UPDATE: Key dumping payload added: https://github.com/rajkosto/biskeydump

Probably thats the one.

 

[Stoned]

UPDATE: Key dumping payload added: https://github.com/rajkosto/biskeydump

How to do that?

1. Place your own tsec fw as a C hex array or escaped string into the file src/hwinit/tsecfw.inl

 

[kombos]

We need a payload to dump and restore our saves

How to do that?

1. Place your own tsec fw as a C hex array or escaped string into the file src/hwinit/tsecfw.inl

You have to dump your TSEC (Tegra Security Co-processor) firmware with total size 3840 bytes (get it from your pkg1ldr.bin (at offset 0x00001900) or boot0.bin (at offset 0x00101900), and place it as a C hex array in src/hwinit/tsecfw.inl

 

[nWo]

Great. Thank you. Keep ´em coming. All I want is to reach the end of the tunnel and, have a CFW, and a decent, great list of apps / payloads. I want one to dump / inject saves, and maybe convert the ones from Wii U games to their Switch counterpart the easy way. (Apart from emulating my favorite consoles) Waiting patiently.... Very... very insanely... but patiently...

 

[Stoned]

You have to dump your TSEC (Tegra Security Co-processor) firmware with total size 3840 bytes (get it from your pkg1ldr.bin (at offset 0x00001900) or boot0.bin (at offset 0x00101900), and place it as a C hex array in src/hwinit/tsecfw.inl

Who can i find pkg1ldr.bin or boot0bin?