Hacking Fusee Gelee: All the payloads
Is there a tutorial for thisYou have to dump your TSEC (Tegra Security Co-processor) firmware with total size 3840 bytes (get it from your pkg1ldr.bin (at offset 0x00001900) or boot0.bin (at offset 0x00101900), and place it as a C hex array in src/hwinit/tsecfw.inl
D
Deleted-442439
Guest
OP
Bruh imma just wait for the guide to drop ive been this patient, im definitely not about to risk my system yet when its not even managed by the teams yet. Take yall time and get it right cuz i knoooow hella folks are about to try this shit and fuck up their switch lol
Last edited by MarzDaindigo,
Do you know at which offset ?
EDIT: anyway to transform extracted TSEC fw.bin into an usable array use this command:
Code:
hexdump -v -e '", " "0x" 1/1 "%02X"' fw.bin >array.txtjust remember to remove the 1st 2 chars (", ") from obtained array.txt
Last edited by asper,
No, the TSEC FW does not contain anything console specific, and it's the same binary regardless of what switch firmware version you have. (It's in boot0, search for the first 4 bytes mentioned in tsecfw.inl to find it)
Obviously the TSEC KEY you get out of the dumper is console specific, as are all the keys dumped by biskeydump.
ehnoah, did you type them all out by hand ? Because you no longer have to (QR Code output in v3)
Obviously the TSEC KEY you get out of the dumper is console specific, as are all the keys dumped by biskeydump.
ehnoah, did you type them all out by hand ? Because you no longer have to (QR Code output in v3)
Last edited by rajkosto,
My fw offset was 0x101A00 and not 0x101900No, the TSEC FW does not contain anything console specific, and it's the same binary regardless of what switch firmware version you have. (It's in boot0, search for the first 4 bytes mentioned in tsecfw.inl to find it)
Obviously the TSEC KEY you get out of the dumper is console specific, as are all the keys dumped by biskeydump.
ehnoah, did you type them all out by hand ? Because you no longer have to (QR Code output in v3)
If you're still struggling with getting firmware, offsets, keys to make biskeydump payload working take a look at the update on the NAND Dump thread
https://gbatemp.net/threads/tutorial-how-to-dump-switch-nand-using-linux.502201/
Well i finally was able to compile biskeydump.bin with absolutely no errors (my problem was related to a missing/invalid devkitarm path) but obtained keys give error in the HacDiskMount "FAIL! Entropy: 8.989 (tested 16348 out of 16348)"; i tested with 2 kinds of data array, always with the same keys results but they seems not to work... any hint ? Is it possible that tsec fw is different in size between 1.0.0 and 3.0.0 switch fw ?
do you get a different tsec key if you run SciresM tsec_key_stub.bin (with properly filled in tsecfw instead of the XXXXXXXs, of course) ? If you do, then there might be some weirdness going on where different payloads read different tsec keys (and there's no consistency which one is the right one, on like 90% switches they both give out the same key)
and no, tsec fw is identical for all switches, all fw revisions, if the CRC32 says its CORRECT! then that's not the problem
and no, tsec fw is identical for all switches, all fw revisions, if the CRC32 says its CORRECT! then that's not the problem
Similar threads
-
- Article
-
Xdqwerty
what are you looking at?
-
-
-
-
-
-
-
-
-
-
@
Xdqwerty:
@realtimesave, hey there buddy chum pal friend buddy pal chum bud friend fella bruther amigo pal buddy friend chummy chum chum pal
-
@
Xdqwerty:
@realtimesave, hey there buddy chum pal friend buddy pal chum bud friend fella bruther amigo pal buddy friend chummy chum chum pal
-
-
-
-
-
-
-
-
-
-
-
@
Sicklyboy:
@Xdqwerty, Osu! Tatakae! Ouendan! is the Japanese version of the game, different settings/characters/songs but otherwise identical mechanics. I played that before I knew about Elite Beat Agents lol. Both fantastic games https://en.wikipedia.org/wiki/Osu!_Tatakae!_Ouendan+1 -
-
-
