Hacking PSA: Reports of Fusee gelee patched units in the wild

  • Thread starter Deleted-442439
  • Start date
  • Views 85,543
  • Replies 315
  • Likes 10
bitteorca

bitteorca

Member
Newcomer
Level 1
Joined
Jul 12, 2018
Messages
21
Trophies
0
Age
28
XP
100
Country
United States
gnilwob said:
Can you try tegrarcmsmash with biskeydump ?

And run this command when you connect your RCM switch to your pc.

TegraRcmSmash.exe -w biskeydump.bin BOOT:0x0

Then capture the output on the command line windows and post it here please.
Click to expand...
My bad it wasn't letting me reply to your post but I figured it out I had to remove your hyperlink

Here's the output:
tegrasmash.png
 
  • Like
Reactions: gnilwob and Draxzelex
Draxzelex

Draxzelex

Well-Known Member
Member
Level 23
Joined
Aug 6, 2017
Messages
19,012
Trophies
2
Age
29
Location
New York City
XP
13,391
Country
United States
bitteorca said:
I purchased a Switch with the serial number XAW700183***** and I can confirm that payload injection doesn't work.

Steps to recreate:
1. Copied the Switch Starterkit root files to the root of my FAT32 SDcard from my PC
2. Inserted SDcard into Switch, then booted into RCM mode with paperclip jig
3. Plugged Switch into PC, used Zandig to install the libusbK drivers, confirmed APX came up as a device in device manager
4. Tried to run the NX bootkit 64-bit executable, the Switch screen remains black and the cmd prompt window displayed some code then counted down from 5 seconds to close the window

Is it possible that my USB-C cable (came with my phone) is the culprit here or is it likely that I have a patched Switch?
Click to expand...

bitteorca said:
My bad it wasn't letting me reply to your post but I figured it out I had to remove your hyperlink

Here's the output:
View attachment 135507
Click to expand...
So it appears these units have been smuggled into the US but we have another problem: we don't know the serial number cut-off for un-patched units...I think. Need to double check that spreadsheet...
 
G

gnilwob

Well-Known Member
Member
Level 5
Joined
Mar 16, 2008
Messages
204
Trophies
1
XP
644
Country
Hong Kong
bitteorca said:
Lucky me.
Click to expand...
Just to explain.

This is from a working console.
2018-07-13_5-20-39.png

I asked you to run the biskeydump because you were not sure about your cable.
But from the command line output, it can send data using your cable.

Next, see the different 0x0000(not working) and 0x7000(working) output?
 
bitteorca

bitteorca

Member
Newcomer
Level 1
Joined
Jul 12, 2018
Messages
21
Trophies
0
Age
28
XP
100
Country
United States
gnilwob said:
Just to explain.

This is from a working console.
View attachment 135511

I asked you to run the biskeydump because you were not sure about your cable.
But from the command line output, it can send data using your cable.

Next, see the different 0x0000(not working) and 0x7000(working) output?
Click to expand...
That's right, it also looked identical to the screen that came up when I ran Hekate. I know for a fact it said "Smashed with 0x0000 stack" as well

The girl at the counter even offered me a used unit, damn. Does anyone have any news on the webkit exploit Deja vu?
 
S

Scoob0

New Member
Newbie
Level 2
Joined
Jul 12, 2018
Messages
4
Trophies
0
Age
40
XP
141
Country
United States
First time posting, but wanted to include info on my switch I bought on June 29 through Newegg. Its very close to the serial bitteorca posted, but mine does work im running SX Pro and been playing backups and even updated to 5.1. Hope this helps in figuring out where the line is between patched and unpatched.

Serial: XAW700119XXX
Serial on device matches serial on box: Yes
Region: US
Firmware: 4.1.0
Color option: Blue / Red
Store: Newegg
Was a bundle (if yes, which): No
Purchase date: June 29 2018
Fusée Gelée works: Yes
 
Last edited by Scoob0,
  • Like
Reactions: Draxzelex and gnilwob
G

gnilwob

Well-Known Member
Member
Level 5
Joined
Mar 16, 2008
Messages
204
Trophies
1
XP
644
Country
Hong Kong
Scoob0 said:
First time posting, but wanted to include info on my switch I bought on June 29 through Newegg. Its very close to the serial bitteorca posted, but mine does work im running SX Pro and been playing backups and even updated to 5.1. Hope this helps in figuring out where the line is between patched and unpatched.

Serial: XAW700119XXX
Serial on device matches serial on box: Yes
Region: US
Firmware: 4.1.0
Color option: Blue / Red
Store: Newegg
Was a bundle (if yes, which): No
Purchase date: June 29 2018
Fusée Gelée works: Yes
Click to expand...

If it is ok, can you also post it here please, https://gbatemp.net/threads/switch-firmware-by-serial-number.481215/page-59
So people who checks on serial number can use yours as an indicator.
Thanks.


bitteorca said:
That's right, it also looked identical to the screen that came up when I ran Hekate. I know for a fact it said "Smashed with 0x0000 stack" as well

The girl at the counter even offered me a used unit, damn. Does anyone have any news on the webkit exploit Deja vu?
Click to expand...
Please also post your serial and model information here, https://gbatemp.net/threads/switch-firmware-by-serial-number.481215/page-59
Thanks.
 
Last edited by gnilwob,
  • Like
Reactions: Draxzelex
Draxzelex

Draxzelex

Well-Known Member
Member
Level 23
Joined
Aug 6, 2017
Messages
19,012
Trophies
2
Age
29
Location
New York City
XP
13,391
Country
United States
XAW700119XXX = not patched
XAW700183XXXXX = patched
So 11 is still safe, but 18 isn't. That leaves like 7 more possible Switch serial numbers, at least. And while there is no word yet on when Deja Vu will be released, this is what it looks like in action:
 
Essometer

Essometer

Needs data
Member
Level 13
Joined
Oct 22, 2010
Messages
732
Trophies
1
Age
33
Location
Bielefeld
Website
none.de
XP
3,594
Country
Germany
gamesquest1 said:
seems to be a low serial, whats the date code on the switch?

might be worth trying a different USB port/pc, unfortunately I feel like anyone having troubles with setup at this point are going to be "arrrgh its a patched switch!!!!"
Click to expand...
XAW700183 is actually a really high serial number. It is just that assembly line XAW7 is pretty slow in producing switches. According to my
serial list, it is very possible that this serial is another cutoff point for patched switches.
 
Last edited by Essometer,
S

SuppaMario

Member
Newcomer
Level 1
Joined
Jul 11, 2018
Messages
9
Trophies
0
Age
34
XP
76
Country
United States
Draxzelex

Draxzelex

Well-Known Member
Member
Level 23
Joined
Aug 6, 2017
Messages
19,012
Trophies
2
Age
29
Location
New York City
XP
13,391
Country
United States
Essometer said:
XAW700183 is actually a really high serial number. It is just that assembly line XAW7 is pretty slow in producing switches. According to
serial list, it is very possible that this serial is another cutoff point for patched switches.
Click to expand...
An XAW700119XX doesn't have it patched so its a little more specific. Similar to the Japanese ones, the cutoff point is not XAJX004, butXAJX0043 since there were people who could still do the exploit on the former serial number.
 
gamesquest1

gamesquest1

Nabnut
Former Staff
Level 22
Joined
Sep 23, 2013
Messages
15,153
Trophies
2
XP
12,247
Essometer said:
XAW700183 is actually a really high serial number. It is just that assembly line XAW7 is pretty slow in producing switches. According to
serial list, it is very possible that this serial is another cutoff point for patched switches.
Click to expand...
oh, no I know that, I meant the previous patched systems were 7004, but his was 7001 with others with 7003 being ok, but with it being a US console the "patched/no-patched" serials are going to be different
 
Essometer

Essometer

Needs data
Member
Level 13
Joined
Oct 22, 2010
Messages
732
Trophies
1
Age
33
Location
Bielefeld
Website
none.de
XP
3,594
Country
Germany
Draxzelex said:
An XAW700119XX doesn't have it patched so its a little more specific. Similar to the Japanese ones, the cutoff point is not XAJX004, butXAJX0043 since there were people who could still do the exploit on the former serial number.
Click to expand...
Yes, this is what I think as well that the cutoff point for the XAJ7 line is more specific as for XAW7. We definitely need more serials to get a cutoff point for all assembly lines.
Also, we have a confirmed unpatched switch @ XAW700164.

gamesquest1 said:
oh, no I know that, I meant the previous patched systems were 7004, but his was 7001 with others with 7003 being ok, but with it being a US console the "patched/no-patched" serials are going to be different
Click to expand...
When we talk about serials, it doesn't make sense to compare a XAW7 serial to a XAJ7 serial, since they are completely different form each other.
The same is true for XAJ7 and XAJ4 or XAJ1. The produce at different places in different rates, some slower, some faster.
 
Last edited by Essometer,
  • Like
Reactions: Draxzelex

Site & Scene News

Go to forum More news

Popular threads in this forum

Hacking Misc  Getting the MIG Switch to load an XCI dump without its original Initial Data

DBI language error

Emulation Homebrew  duckstation for Switch

Can you trade in a banned switch for an unbanned one?

Why is Atmosphere so dominant?

Last switch firmware blocking MIG SWITCH?

Crosscode Hacking thread

Hacking  Loader.kip for AMS 1.7.0 with FW 17.0.1 - sys-clk error ??

General chit-chat
Help Users
    K3Nv2 @ K3Nv2: A type of fish