Can someone help explain Fusée Gelée

Discussion in 'Switch - Exploits, Custom Firmwares & Soft Mods' started by Powerful, Sep 2, 2018.

  1. Powerful
    OP

    Powerful GBAtemp Fan

    Member
    4
    Dec 7, 2016
    United States
Okay, so I have got my hands on a Switch that is unpatched for the Fusée Gelée coldboot exploit. Can someone explain what exactly this does, and how I can use it? Do I homebrew like usual, and set up Rei, then set up the Fusée Gelée, or what do I do with this exploit?
     
  2. Kubas_inko

    Kubas_inko "Something funny goes here."

    Member
    13
    Feb 3, 2017
    Czech Republic
    I guess on earth.
    Fusée Gelée is used to overflow something in RCM, which allows you to write and execute in it (might be totally wrong). So you first need to boot to RCM (on every boot) via Fusée Gelée and then do everything else.
     
    Last edited by Kubas_inko, Sep 2, 2018
    Powerful likes this.
  3. Powerful
    OP

    Powerful GBAtemp Fan

    Member
    4
    Dec 7, 2016
    United States
    Okay thanks!
     
  4. Bocchuoi

    Bocchuoi Advanced Member

    Newcomer
    3
    Jun 15, 2018
    Singapore
No, he's asking about Fusée Gelée, which is a warm boot exploit on 5.1.
     
  5. Kubas_inko
    This message by Kubas_inko has been removed from public view by Quantumcat, Sep 2, 2018, Reason: Requested.
    Sep 2, 2018
  6. Bocchuoi
    This message by Bocchuoi has been removed from public view by Quantumcat, Sep 2, 2018, Reason: Reply to deleted post.
    Sep 2, 2018
  7. Kubas_inko
    This message by Kubas_inko has been removed from public view by Quantumcat, Sep 2, 2018, Reason: Reply to deleted post.
    Sep 2, 2018
  8. Wierd_w

    Wierd_w GBAtemp Fan

    Member
    4
    May 12, 2018
    United States
    I know nothing about any 5.1 exploit...

But Fusée Gelée is an overflow-based stack smash attack. It works by sending a "very large" status control message to the USB stack running inside the Tegra that is enabled in RCM mode. The control message also contains some executable code (the payload) which the stack pointer gets pushed to.

    For a general overview of what a stack smash attack *IS*, I suggest you examine the august bit of literature on the topic: "Smashing the stack for fun and profit."

    http://insecure.org/stf/smashstack.html

    Basically, the software in the Tegra expects status control messages to be smaller than a certain size, but makes no effort to sanitize when larger ones are sent. When a large one is sent, it accepts the whole message and writes it to memory so that it can be parsed. This writes data that is larger than what it expects, which then writes over adjacent memory. When execution continues, the stack pointer references the overwritten memory (which contains the exploit) and the exploit executes.

    Patched units are either able to accept a very large control frame without overflowing the variable intended to hold it (and thus, are immune to the stack getting smashed), or truncate large messages to fit what is a sensible size, and detect incomplete messages appropriately.
     
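A constructed illustration of the two patterns Wierd_w describes, added here as an example; it is not code from this thread and not the Tegra USB stack. A control-message handler trusts the request's length field and copies that many bytes into a fixed buffer sized for what it expects, and a hardened version checks the length before copying (rejecting oversize requests, with truncation plus an "incomplete message" flag being the other fix the post mentions). The frame layout, buffer size, sentinel value and request contents are assumptions chosen for the demonstration; the "adjacent memory" is modelled as the four bytes after the buffer inside one array so the program stays well defined.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not Switch/Tegra code. MSG_BUF_SIZE is the largest
 * control message the handler *expects*; the four bytes after it stand in
 * for whatever sits next on the stack (the saved state the CPU resumes
 * from). Both live in one array so the demo never leaves defined memory. */
#define MSG_BUF_SIZE 64u
#define FRAME_SIZE   (MSG_BUF_SIZE + 4u)
#define SENTINEL     0xCAFEF00Du   /* assumed "untouched" value of the slot */

struct frame {
    uint8_t mem[FRAME_SIZE];   /* [0,64) message buffer, [64,68) adjacent slot */
};

static void frame_init(struct frame *f) {
    uint32_t s = SENTINEL;
    memset(f->mem, 0, FRAME_SIZE);
    memcpy(f->mem + MSG_BUF_SIZE, &s, sizeof s);
}

/* Value currently sitting in the slot past the buffer. */
static uint32_t frame_slot(const struct frame *f) {
    uint32_t v;
    memcpy(&v, f->mem + MSG_BUF_SIZE, sizeof v);
    return v;
}

/* Vulnerable pattern: wLength (the length field of a USB setup packet) is
 * trusted, and that many bytes are copied into a buffer sized for the
 * expected maximum. Bytes beyond MSG_BUF_SIZE land in the adjacent slot.
 * The clamp to FRAME_SIZE is only the model's boundary, not a security
 * check; on real hardware nothing stops the write. Returns bytes written. */
static size_t handle_control_vulnerable(struct frame *f, const uint8_t *data, uint16_t wLength) {
    size_t n = wLength > FRAME_SIZE ? FRAME_SIZE : wLength;
    memcpy(f->mem, data, n);
    return n;
}

/* Hardened pattern: validate the length against the buffer before any copy
 * and refuse oversize requests (returns false, writes nothing). */
static bool handle_control_hardened(struct frame *f, const uint8_t *data, uint16_t wLength) {
    if (wLength > MSG_BUF_SIZE)
        return false;
    memcpy(f->mem, data, wLength);
    return true;
}

/* Builds a constructed request of wLength 'A' bytes (capped at 128 so the
 * request buffer itself is never overrun), feeds it to the chosen handler
 * on a fresh frame, and returns the slot value afterwards. */
static uint32_t slot_after_request(bool hardened, uint16_t wLength) {
    uint8_t req[128];
    struct frame f;
    if (wLength > 128u) wLength = 128u;
    memset(req, 'A', sizeof req);
    frame_init(&f);
    if (hardened)
        handle_control_hardened(&f, req, wLength);
    else
        handle_control_vulnerable(&f, req, wLength);
    return frame_slot(&f);
}

/* Whether the hardened handler accepts a request of the given length. */
static bool hardened_accepts(uint16_t wLength) {
    uint8_t req[128];
    struct frame f;
    if (wLength > 128u) wLength = 128u;
    memset(req, 'A', sizeof req);
    frame_init(&f);
    return handle_control_hardened(&f, req, wLength);
}

int main(void) {
    printf("vulnerable, 70-byte request: slot = 0x%08" PRIx32 "\n", slot_after_request(false, 70));
    printf("hardened,   70-byte request: slot = 0x%08" PRIx32 " accepted=%d\n",
           slot_after_request(true, 70), hardened_accepts(70));
    printf("hardened,   64-byte request: slot = 0x%08" PRIx32 " accepted=%d\n",
           slot_after_request(true, 64), hardened_accepts(64));
    return 0;
}
```

With a 70-byte request the vulnerable handler leaves 0x41414141 ('AAAA') in the slot that was supposed to hold the saved state, which is exactly the "adjacent memory gets overwritten" step in the post; the hardened handler leaves the sentinel in place, and a 64-byte request passes both because it fits the buffer.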
  9. Kafluke

    Kafluke GBAtemp Guru

    Member
    13
    May 6, 2006
    United States
If you are launching Rei then you are already using Fusée. That's what launches the payload when you're in RCM.
     