Hacking PSA: Reports of Fusee gelee patched units in the wild

MrLucariox · Jul 12, 2018

Oh, this will be a good fight. Grab your popcorns and favourite drinks everyone!

bitteorca · Jul 12, 2018

gnilwob said:
Can you try tegrarcmsmash with biskeydump ?

And run this command when you connect your RCM switch to your pc.

TegraRcmSmash.exe -w biskeydump.bin BOOT:0x0

Then capture the output on the command line windows and post it here please.

My bad it wasn't letting me reply to your post but I figured it out I had to remove your hyperlink

Here's the output:

gnilwob · Jul 12, 2018

bitteorca said:
My bad it wasn't letting me reply to your post but I figured it out I had to remove your hyperlink

Here's the output:
View attachment 135507

I think you are the first in US who reported a patched unit.
Welcome to the club :cry:

bitteorca · Jul 12, 2018

gnilwob said:
I think you are the first in US who reported a patched unit.
Welcome to the club

Lucky me.

Skylinedeadline · Jul 12, 2018

so for america xaw7 onwards is the risk point then? I've got a xaw4 but haven't gotten to try rcm yet but I assume they're safe anyways.

Draxzelex · Jul 12, 2018

bitteorca said:
I purchased a Switch with the serial number XAW700183***** and I can confirm that payload injection doesn't work.

Steps to recreate:
1. Copied the Switch Starterkit root files to the root of my FAT32 SDcard from my PC
2. Inserted SDcard into Switch, then booted into RCM mode with paperclip jig
3. Plugged Switch into PC, used Zandig to install the libusbK drivers, confirmed APX came up as a device in device manager
4. Tried to run the NX bootkit 64-bit executable, the Switch screen remains black and the cmd prompt window displayed some code then counted down from 5 seconds to close the window

Is it possible that my USB-C cable (came with my phone) is the culprit here or is it likely that I have a patched Switch?

bitteorca said:
My bad it wasn't letting me reply to your post but I figured it out I had to remove your hyperlink

Here's the output:
View attachment 135507

So it appears these units have been smuggled into the US but we have another problem: we don't know the serial number cut-off for un-patched units...I think. Need to double check that spreadsheet...

gnilwob · Jul 12, 2018

bitteorca said:
Lucky me.

Just to explain.

This is from a working console.

I asked you to run the biskeydump because you were not sure about your cable.
But from the command line output, it can send data using your cable.

Next, see the different 0x0000(not working) and 0x7000(working) output?

SuppaMario · Jul 12, 2018

Xandroz said:
starts with xaw40012 came with 4.1
i got in to the sx payload bootscreen.

i guess im fine

Good to hear. Mine is XAW100697xxx. I suppose mine is earlier than yours? Haven’t tested it tho I have no tools atm.

bitteorca · Jul 12, 2018

gnilwob said:
Just to explain.

This is from a working console.
View attachment 135511

I asked you to run the biskeydump because you were not sure about your cable.
But from the command line output, it can send data using your cable.

Next, see the different 0x0000(not working) and 0x7000(working) output?

That's right, it also looked identical to the screen that came up when I ran Hekate. I know for a fact it said "Smashed with 0x0000 stack" as well

The girl at the counter even offered me a used unit, damn. Does anyone have any news on the webkit exploit Deja vu?

Scoob0 · Jul 12, 2018

First time posting, but wanted to include info on my switch I bought on June 29 through Newegg. Its very close to the serial bitteorca posted, but mine does work im running SX Pro and been playing backups and even updated to 5.1. Hope this helps in figuring out where the line is between patched and unpatched.

Serial: XAW700119XXX
Serial on device matches serial on box: Yes
Region: US
Firmware: 4.1.0
Color option: Blue / Red
Store: Newegg
Was a bundle (if yes, which): No
Purchase date: June 29 2018
Fusée Gelée works: Yes

gnilwob · Jul 12, 2018

Scoob0 said:
First time posting, but wanted to include info on my switch I bought on June 29 through Newegg. Its very close to the serial bitteorca posted, but mine does work im running SX Pro and been playing backups and even updated to 5.1. Hope this helps in figuring out where the line is between patched and unpatched.

Serial: XAW700119XXX
Serial on device matches serial on box: Yes
Region: US
Firmware: 4.1.0
Color option: Blue / Red
Store: Newegg
Was a bundle (if yes, which): No
Purchase date: June 29 2018
Fusée Gelée works: Yes

If it is ok, can you also post it here please, https://gbatemp.net/threads/switch-firmware-by-serial-number.481215/page-59
So people who checks on serial number can use yours as an indicator.
Thanks.

bitteorca said:
That's right, it also looked identical to the screen that came up when I ran Hekate. I know for a fact it said "Smashed with 0x0000 stack" as well

The girl at the counter even offered me a used unit, damn. Does anyone have any news on the webkit exploit Deja vu?

Please also post your serial and model information here, https://gbatemp.net/threads/switch-firmware-by-serial-number.481215/page-59
Thanks.

Draxzelex · Jul 12, 2018

XAW700119XXX = not patched
XAW700183XXXXX = patched
So 11 is still safe, but 18 isn't. That leaves like 7 more possible Switch serial numbers, at least. And while there is no word yet on when Deja Vu will be released, this is what it looks like in action:

Got some good news (sorry that it takes over a minute for the lennies): https://t.co/hGdPOchTVo

Anyway, I would strongly recommend not updating when new firmwares release.
— Michael (@SciresM) February 16, 2018

Essometer · Jul 12, 2018

gamesquest1 said:
seems to be a low serial, whats the date code on the switch?

might be worth trying a different USB port/pc, unfortunately I feel like anyone having troubles with setup at this point are going to be "arrrgh its a patched switch!!!!"

XAW700183 is actually a really high serial number. It is just that assembly line XAW7 is pretty slow in producing switches. According to my
serial list, it is very possible that this serial is another cutoff point for patched switches.

SuppaMario · Jul 12, 2018

Draxzelex said:
XAW700119XXX = not patched
XAW700183XXXXX = patched
So 11 is still safe, but 18 isn't. That leaves like 7 more possible Switch serial numbers, at least. And while there is no word yet on when Deja Vu will be released, this is what it looks like in action: https://twitter.com/SciresM/status/964619151913336833

If the serial numbers are ordered simply like this then this is great news.

Draxzelex · Jul 12, 2018

Essometer said:
XAW700183 is actually a really high serial number. It is just that assembly line XAW7 is pretty slow in producing switches. According to
serial list, it is very possible that this serial is another cutoff point for patched switches.

An XAW700119XX doesn't have it patched so its a little more specific. Similar to the Japanese ones, the cutoff point is not XAJX004, butXAJX0043 since there were people who could still do the exploit on the former serial number.

gamesquest1 · Jul 12, 2018

Essometer said:
XAW700183 is actually a really high serial number. It is just that assembly line XAW7 is pretty slow in producing switches. According to
serial list, it is very possible that this serial is another cutoff point for patched switches.

oh, no I know that, I meant the previous patched systems were 7004, but his was 7001 with others with 7003 being ok, but with it being a US console the "patched/no-patched" serials are going to be different

Essometer · Jul 12, 2018

Draxzelex said:
An XAW700119XX doesn't have it patched so its a little more specific. Similar to the Japanese ones, the cutoff point is not XAJX004, butXAJX0043 since there were people who could still do the exploit on the former serial number.

Yes, this is what I think as well that the cutoff point for the XAJ7 line is more specific as for XAW7. We definitely need more serials to get a cutoff point for all assembly lines.
Also, we have a confirmed unpatched switch @ XAW700164.

gamesquest1 said:
oh, no I know that, I meant the previous patched systems were 7004, but his was 7001 with others with 7003 being ok, but with it being a US console the "patched/no-patched" serials are going to be different

When we talk about serials, it doesn't make sense to compare a XAW7 serial to a XAJ7 serial, since they are completely different form each other.
The same is true for XAJ7 and XAJ4 or XAJ1. The produce at different places in different rates, some slower, some faster.

bitteorca · Jul 12, 2018

Someone buy my Switch? If you live in Northeast Ohio I'll drop it off

Essometer · Jul 12, 2018

bitteorca said:
Someone buy my Switch? If you live in Northeast Ohio I'll drop it off

Give TX a call, they are shitting them selfs right now.

V-Temp · Jul 13, 2018

Essometer said:
Give TX a call, they are shitting them selfs right now.

What did they think was going to happen though...? f0f submitted a full disclosure report, that means they submitted the flaw and solutions.

Hacking PSA: Reports of Fusee gelee patched units in the wild

Well-Known Member

Member

Well-Known Member

Member

Shitposter

Well-Known Member

Well-Known Member

Member

Member

New Member

Well-Known Member

Well-Known Member

Needs data

Member

Well-Known Member

Nabnut

Needs data

Member

Needs data

Well-Known Member

Similar threads

Popular threads in this forum