1. Powerful

    OP Powerful GBAtemp Fan
    Member

    Joined:
    Dec 7, 2016
    Messages:
    442
    Country:
    United States
Okay so I have got my hands on a Switch that is unpatched for the fusee gelee coldboot exploit. Can someone explain what exactly this does, and how I can use it? Do I homebrew like usual, and set up Rei, then set up the fusee gelee, or what do I do with this exploit?
     
  2. Kubas_inko

    Kubas_inko "Something funny goes here."
    Member

    Joined:
    Feb 3, 2017
    Messages:
    6,254
    Country:
    Czech Republic
    Fusee gelee is used to overflow something in RCM, which allows you to write and execute in it (might be totally wrong). So you first need to boot to RCM (on every boot) via fusee gelee and then do everything else.
     
    Last edited: Sep 2, 2018
  3. Powerful

    OP Powerful GBAtemp Fan
    Member

    Joined:
    Dec 7, 2016
    Messages:
    442
    Country:
    United States
    Okay thanks!
     
  4. Bocchuoi

    Bocchuoi Advanced Member
    Newcomer

    Joined:
    Jun 15, 2018
    Messages:
    94
    Country:
    Singapore
No, he's asking about fusee gelee, which is a warm boot exploit on 5.1.
     
  5. Kubas_inko
    This message by Kubas_inko has been removed from public view by Quantumcat, Sep 2, 2018, Reason: Requested.
  6. Bocchuoi
    This message by Bocchuoi has been removed from public view by Quantumcat, Sep 2, 2018, Reason: Reply to deleted post.
  7. Kubas_inko
    This message by Kubas_inko has been removed from public view by Quantumcat, Sep 2, 2018, Reason: Reply to deleted post.
  8. Wierd_w

    Wierd_w GBAtemp Fan
    Member

    Joined:
    May 12, 2018
    Messages:
    406
    Country:
    United States
    I know nothing about any 5.1 exploit...

    But fusee gelee is an overflow-based stack smash attack. It works by sending a "very large" status control message to the USB stack running inside the Tegra that is enabled in RCM mode. The control message also contains some executable code (the payload) which the stack pointer gets pushed to.

    For a general overview of what a stack smash attack *IS*, I suggest you examine the august bit of literature on the topic: "Smashing the stack for fun and profit."

    http://insecure.org/stf/smashstack.html

    Basically, the software in the Tegra expects status control messages to be smaller than a certain size, but makes no effort to sanitize when larger ones are sent. When a large one is sent, it accepts the whole message and writes it to memory so that it can be parsed. This writes data that is larger than what it expects, which then writes over adjacent memory. When execution continues, the stack pointer references the overwritten memory (which contains the exploit) and the exploit executes.

    Patched units are either able to accept a very large control frame without overflowing the variable intended to hold it (and thus, are immune to the stack getting smashed), or truncate large messages to fit what is a sensible size, and detect incomplete messages appropriately.
     
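    The "patched" handler shape Wierd_w's last paragraph describes (bound the declared length to the buffer, and flag incomplete messages instead of parsing them), written out as an added C example. This is not code from the thread, from the Tegra bootROM or from any Switch project; the 64-byte buffer, the function and type names are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical fixed-size receive buffer for one USB control message.
 * The size is an assumption for this example, not the real Tegra value. */
#define RCM_MSG_MAX 64

enum rcm_status { RCM_OK = 0, RCM_TOO_LARGE = 1, RCM_INCOMPLETE = 2 };

struct rcm_rx {
    uint8_t buf[RCM_MSG_MAX];
    size_t  len;            /* bytes actually stored in buf */
};

/* declared_len: the length the host claims in the control message header.
 * data/avail:   the bytes that actually arrived on the wire.
 * The unsafe shape the post describes is memcpy(buf, data, declared_len)
 * with no comparison against sizeof buf, so a large declared_len writes
 * past the buffer into adjacent memory. This version refuses oversize
 * messages before touching the buffer and reports a short message rather
 * than parsing whatever happens to follow the bytes that did arrive. */
static enum rcm_status rcm_handle_control(struct rcm_rx *rx,
                                          const uint8_t *data, size_t avail,
                                          size_t declared_len)
{
    rx->len = 0;
    if (declared_len > sizeof rx->buf)
        return RCM_TOO_LARGE;              /* would overrun adjacent memory */
    if (avail < declared_len)
        return RCM_INCOMPLETE;             /* header promises more than came */
    memcpy(rx->buf, data, declared_len);   /* now provably within bounds */
    rx->len = declared_len;
    return RCM_OK;
}

/* Constructed test input: a host that claims declared_len bytes while only
 * avail bytes are delivered. Returns the handler's verdict. */
enum rcm_status try_message(size_t avail, size_t declared_len)
{
    uint8_t wire[256];
    struct rcm_rx rx;
    memset(wire, 0xA5, sizeof wire);       /* constructed filler bytes */
    if (avail > sizeof wire)
        avail = sizeof wire;
    return rcm_handle_control(&rx, wire, avail, declared_len);
}
```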
  9. Kafluke

    Kafluke GBAtemp Guru
    Member

    Joined:
    May 6, 2006
    Messages:
    5,403
    Country:
    United States
    If you are launching Rei then you are already using fusee. That's what launches the payload when you're in RCM
     