Can someone help explain Fusee galee

  • Thread starter: Powerful
  • Views: 3,008
  • Replies: 5

Okay so I have got my hands on a switch that is unpatched for the fusee galee coldboot exploit. Can someone explain what exactly this does, and how I can use it? Do I Homebrew like usual, and set up Rei, then set up the fuse galee or what do I do with this exploit?
 
Fusee gelee is used to overflow something in RCM, which allows you to write and execute in it (might be totally wrong). So you first need to boot to RCM (on every boot) via fusee gelee and then do everything else.
 
Last edited by Kubas_inko,
Fusee gelee is used to overflow something in RCM, which allows you to write and execute in it. So you first need to boot to RCM (on every boot) via fusee gelee and then do everything else.
No he's asking about fuse galee which is a warm boot exploit on 5.1
 
I know nothing about any 5.1 exploit...

But fusee gelee is an overflow based stack smash attack. It works by sending a "very large" status control message to the USB stack running inside the tegra that is enabled in RCM mode. The control message also contains some executable code (the payload) which the stack pointer gets pushed to.

For a general overview of what a stack smash attack *IS*, I suggest you examine the august bit of literature on the topic: "Smashing the stack for fun and profit."

http://insecure.org/stf/smashstack.html

Basically, the software in the Tegra expects status control messages to be smaller than a certain size, but makes no effort to sanitize when larger ones are sent. When a large one is sent, it accepts the whole message and writes it to memory so that it can be parsed. This writes data that is larger than what it expects, which then writes over adjacent memory. When execution continues, the stack pointer references the overwritten memory (which contains the exploit) and the exploit executes.

Patched units are either able to accept a very large control frame without overflowing the variable intended to hold it (and thus, are immune to the stack getting smashed), or truncate large messages to fit what is a sensible size, and detect incomplete messages appropriately.
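As an added illustration of the three patterns the post above describes (trusting the message length, sizing the buffer for the worst case, or truncating and flagging the message as incomplete), here is a toy USB control-message handler in C. This is example code written for this thread, not code from the Tegra, RCM, or any Switch project; the buffer sizes, message contents and function names are all constructed for the example and are not real Tegra or RCM values. The unchecked handler is only ever called on an in-range message here, since calling it with an oversized one is exactly the undefined behaviour the post is talking about.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes for illustration only; they are not Tegra/RCM values. */
#define CTRL_BUF_SIZE 64u   /* what the unchecked handler was written to expect */
#define CTRL_MAX_LEN  32u   /* largest message the (toy) protocol sensibly allows */

enum ctrl_status { CTRL_OK = 0, CTRL_REJECTED = -1, CTRL_TRUNCATED = 1 };

/* Vulnerable pattern: trusts the host-supplied length and copies the whole
 * message into a fixed-size stack buffer. A message longer than CTRL_BUF_SIZE
 * runs past 'buf' into adjacent stack data (saved registers, return address),
 * which is the kind of defect the post describes. Calling this with
 * len > CTRL_BUF_SIZE is undefined behaviour, so the demo below never does. */
int handle_ctrl_unchecked(const uint8_t *msg, size_t len)
{
    uint8_t buf[CTRL_BUF_SIZE];
    memcpy(buf, msg, len);          /* no bounds check at all */
    return (int)buf[0];             /* "parse" the first byte */
}

/* Hardened pattern, first option from the post: the buffer is sized for the
 * worst case the protocol allows and anything larger is rejected outright. */
int handle_ctrl_checked(const uint8_t *msg, size_t len, enum ctrl_status *st)
{
    uint8_t buf[CTRL_MAX_LEN];
    if (len > sizeof buf) {         /* length is checked before any copy */
        *st = CTRL_REJECTED;
        return -1;
    }
    memcpy(buf, msg, len);
    *st = CTRL_OK;
    return len ? (int)buf[0] : 0;
}

/* Hardened pattern, second option from the post: copy at most what fits, but
 * record that the message was cut short so the parser treats it as incomplete
 * instead of silently acting on a partial message. */
int handle_ctrl_truncating(const uint8_t *msg, size_t len, enum ctrl_status *st)
{
    uint8_t buf[CTRL_MAX_LEN];
    size_t n = len > sizeof buf ? sizeof buf : len;
    memcpy(buf, msg, n);
    *st = (n < len) ? CTRL_TRUNCATED : CTRL_OK;
    return n ? (int)buf[0] : 0;
}

/* Scenario 1: a constructed 16-byte in-range message. Every handler agrees. */
int demo_in_range(void)
{
    uint8_t msg[16];
    enum ctrl_status st;
    memset(msg, 0x41, sizeof msg);
    if (handle_ctrl_unchecked(msg, sizeof msg) != 0x41) return 0;
    if (handle_ctrl_checked(msg, sizeof msg, &st) != 0x41 || st != CTRL_OK) return 0;
    if (handle_ctrl_truncating(msg, sizeof msg, &st) != 0x41 || st != CTRL_OK) return 0;
    return 1;
}

/* Scenario 2: a constructed 128-byte oversized message against the checked
 * handler. The unchecked handler is deliberately not called: it would overflow. */
int demo_oversize_rejected(void)
{
    uint8_t msg[128];
    enum ctrl_status st;
    memset(msg, 0x42, sizeof msg);
    return handle_ctrl_checked(msg, sizeof msg, &st) == -1 && st == CTRL_REJECTED;
}

/* Scenario 3: the same oversized message against the truncating handler. */
int demo_oversize_truncated(void)
{
    uint8_t msg[128];
    enum ctrl_status st;
    memset(msg, 0x42, sizeof msg);
    return handle_ctrl_truncating(msg, sizeof msg, &st) == 0x42 && st == CTRL_TRUNCATED;
}

int main(void)
{
    printf("in-range message handled by all three: %s\n", demo_in_range() ? "yes" : "no");
    printf("oversized message rejected by checked handler: %s\n", demo_oversize_rejected() ? "yes" : "no");
    printf("oversized message flagged by truncating handler: %s\n", demo_oversize_truncated() ? "yes" : "no");
    return 0;
}
```

The point of the three scenarios is that the two hardened handlers look almost identical to the vulnerable one in the well-formed case; the whole difference is one length comparison before the `memcpy`, which is why this class of bug is easy to miss in review and why a fix can be shipped as a small patch to the receiving firmware.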
 
If you are launching Rei then you are already using fusee. That's what launches the payload when you're in RCM
 