Fusee gelee is used to overflow something in RCM, which allows you to write and execute in it (might be totally wrong). So you first need to boot to RCM (on every boot) via fusee gelee and then do everything else.

 

No he's asking about fuse galee which is a warm boot exploit on 5.1

 

I know nothing about any 5.1 exploit...

But fusee gelee is an overflow based stack smash attack. It works by sending a "very large" status control message to the USB stack running inside the tegra that is enabled in RCM mode. The control message also contains some executable code (the payload) which the stack pointer gets pushed to.

For a general overview of what a stack smash attack *IS*, I suggest you examine the august bit of literature on the topic: "Smashing the stack for fun and profit."

http://insecure.org/stf/smashstack.html

Basically, the software in the Tegra expects status control messages to be smaller than a certain size, but makes no effort to sanitize when larger ones are sent. When a large one is sent, it accepts the whole message and writes it to memory so that it can be parsed. This writes data that is larger than what it expects, which then writes over adjacent memory. When execution continues, the stack pointer references the overwritten memory (which contains the exploit) and the exploit executes.

Patched units are either able to accept a very large control frame without overflowing the variable intended to hold it (and thus, are immune to the stack getting smashed), or truncate large messages to fit what is a sensible size, and detect incomplete messages appropriately.