Hacking PSA: Reports of Fusee gelee patched units in the wild

[MrLucariox]

Oh, this will be a good fight. Grab your popcorns and favourite drinks everyone!

 

[bitteorca]

Can you try tegrarcmsmash with biskeydump ?

And run this command when you connect your RCM switch to your pc.

TegraRcmSmash.exe -w biskeydump.bin BOOT:0x0

Then capture the output on the command line windows and post it here please.

My bad it wasn't letting me reply to your post but I figured it out I had to remove your hyperlink

Here's the output:

 

[gnilwob]

My bad it wasn't letting me reply to your post but I figured it out I had to remove your hyperlink

Here's the output:
View attachment 135507

I think you are the first in US who reported a patched unit.
Welcome to the club

 

[bitteorca]

I think you are the first in US who reported a patched unit.
Welcome to the club

Lucky me.

 

[Skylinedeadline]

so for america xaw7 onwards is the risk point then? I've got a xaw4 but haven't gotten to try rcm yet but I assume they're safe anyways.

 

[Draxzelex]

I purchased a Switch with the serial number XAW700183***** and I can confirm that payload injection doesn't work.

Steps to recreate:
1. Copied the Switch Starterkit root files to the root of my FAT32 SDcard from my PC
2. Inserted SDcard into Switch, then booted into RCM mode with paperclip jig
3. Plugged Switch into PC, used Zandig to install the libusbK drivers, confirmed APX came up as a device in device manager
4. Tried to run the NX bootkit 64-bit executable, the Switch screen remains black and the cmd prompt window displayed some code then counted down from 5 seconds to close the window

Is it possible that my USB-C cable (came with my phone) is the culprit here or is it likely that I have a patched Switch?

My bad it wasn't letting me reply to your post but I figured it out I had to remove your hyperlink

Here's the output:
View attachment 135507

So it appears these units have been smuggled into the US but we have another problem: we don't know the serial number cut-off for un-patched units...I think. Need to double check that spreadsheet...

 

[gnilwob]

Lucky me.

Just to explain.

This is from a working console.


I asked you to run the biskeydump because you were not sure about your cable.
But from the command line output, it can send data using your cable.

Next, see the different 0x0000(not working) and 0x7000(working) output?

 

[SuppaMario]

starts with xaw40012 came with 4.1
i got in to the sx payload bootscreen.

i guess im fine

Good to hear. Mine is XAW100697xxx. I suppose mine is earlier than yours? Haven’t tested it tho I have no tools atm.

 

[bitteorca]

Just to explain.

This is from a working console.
View attachment 135511

I asked you to run the biskeydump because you were not sure about your cable.
But from the command line output, it can send data using your cable.

Next, see the different 0x0000(not working) and 0x7000(working) output?

That's right, it also looked identical to the screen that came up when I ran Hekate. I know for a fact it said "Smashed with 0x0000 stack" as well

The girl at the counter even offered me a used unit, damn. Does anyone have any news on the webkit exploit Deja vu?

 

[Scoob0]

First time posting, but wanted to include info on my switch I bought on June 29 through Newegg. Its very close to the serial bitteorca posted, but mine does work im running SX Pro and been playing backups and even updated to 5.1. Hope this helps in figuring out where the line is between patched and unpatched.

Serial: XAW700119XXX
Serial on device matches serial on box: Yes
Region: US
Firmware: 4.1.0
Color option: Blue / Red
Store: Newegg
Was a bundle (if yes, which): No
Purchase date: June 29 2018
Fusée Gelée works: Yes

 

[gnilwob]

First time posting, but wanted to include info on my switch I bought on June 29 through Newegg. Its very close to the serial bitteorca posted, but mine does work im running SX Pro and been playing backups and even updated to 5.1. Hope this helps in figuring out where the line is between patched and unpatched.

Serial: XAW700119XXX
Serial on device matches serial on box: Yes
Region: US
Firmware: 4.1.0
Color option: Blue / Red
Store: Newegg
Was a bundle (if yes, which): No
Purchase date: June 29 2018
Fusée Gelée works: Yes

If it is ok, can you also post it here please, https://gbatemp.net/threads/switch-firmware-by-serial-number.481215/page-59
So people who checks on serial number can use yours as an indicator.
Thanks.

That's right, it also looked identical to the screen that came up when I ran Hekate. I know for a fact it said "Smashed with 0x0000 stack" as well

The girl at the counter even offered me a used unit, damn. Does anyone have any news on the webkit exploit Deja vu?

Please also post your serial and model information here, https://gbatemp.net/threads/switch-firmware-by-serial-number.481215/page-59
Thanks.

 

[Draxzelex]

XAW700119XXX = not patched
XAW700183XXXXX = patched
So 11 is still safe, but 18 isn't. That leaves like 7 more possible Switch serial numbers, at least. And while there is no word yet on when Deja Vu will be released, this is what it looks like in action:

Got some good news (sorry that it takes over a minute for the lennies): https://t.co/hGdPOchTVo

Anyway, I would strongly recommend not updating when new firmwares release.

— Michael (@SciresM) February 16, 2018

 

[Essometer]

seems to be a low serial, whats the date code on the switch?

might be worth trying a different USB port/pc, unfortunately I feel like anyone having troubles with setup at this point are going to be "arrrgh its a patched switch!!!!"

XAW700183 is actually a really high serial number. It is just that assembly line XAW7 is pretty slow in producing switches. According to my
serial list, it is very possible that this serial is another cutoff point for patched switches.

 

[SuppaMario]

XAW700119XXX = not patched
XAW700183XXXXX = patched
So 11 is still safe, but 18 isn't. That leaves like 7 more possible Switch serial numbers, at least. And while there is no word yet on when Deja Vu will be released, this is what it looks like in action: https://twitter.com/SciresM/status/964619151913336833

If the serial numbers are ordered simply like this then this is great news.

 

[Draxzelex]

XAW700183 is actually a really high serial number. It is just that assembly line XAW7 is pretty slow in producing switches. According to
serial list, it is very possible that this serial is another cutoff point for patched switches.

An XAW700119XX doesn't have it patched so its a little more specific. Similar to the Japanese ones, the cutoff point is not XAJX004, butXAJX0043 since there were people who could still do the exploit on the former serial number.

 

[gamesquest1]

XAW700183 is actually a really high serial number. It is just that assembly line XAW7 is pretty slow in producing switches. According to
serial list, it is very possible that this serial is another cutoff point for patched switches.

oh, no I know that, I meant the previous patched systems were 7004, but his was 7001 with others with 7003 being ok, but with it being a US console the "patched/no-patched" serials are going to be different

 

[Essometer]

An XAW700119XX doesn't have it patched so its a little more specific. Similar to the Japanese ones, the cutoff point is not XAJX004, butXAJX0043 since there were people who could still do the exploit on the former serial number.

Yes, this is what I think as well that the cutoff point for the XAJ7 line is more specific as for XAW7. We definitely need more serials to get a cutoff point for all assembly lines.
Also, we have a confirmed unpatched switch @ XAW700164.

oh, no I know that, I meant the previous patched systems were 7004, but his was 7001 with others with 7003 being ok, but with it being a US console the "patched/no-patched" serials are going to be different

When we talk about serials, it doesn't make sense to compare a XAW7 serial to a XAJ7 serial, since they are completely different form each other.
The same is true for XAJ7 and XAJ4 or XAJ1. The produce at different places in different rates, some slower, some faster.

 

[bitteorca]

Someone buy my Switch? If you live in Northeast Ohio I'll drop it off

 

[Essometer]

Someone buy my Switch? If you live in Northeast Ohio I'll drop it off

Give TX a call, they are shitting them selfs right now.

 

[V-Temp]

Give TX a call, they are shitting them selfs right now.

What did they think was going to happen though...? f0f submitted a full disclosure report, that means they submitted the flaw and solutions.