Hacking Fusee Gelee: All the payloads

  • Thread starter Deleted-442439
Deleted-442439

Guest
OP
Thought it would be useful to have a thread with a collection of everything that can be used on Fusee Gelee / RCM exploits

message edited by a moderator.

The payload injectors and binaries are now listed on Wikitemp.
https://wiki.gbatemp.net/wiki/List_of_Switch_payloads



If you know any missing payload or tool, you can add it or post here and someone with wiki access will update the list.


Launchers:

Fusee Launcher:
https://t.co/UGqtMeHR13


Payloads:


Sample payload: https://t.co/d5nCLNa7E5

shofEL2: https://github.com/fail0verflow/shofel2

Fuse Dump: https://github.com/moriczgergo/fusedump

GRAnimated's info payload: https://github.com/GRAnimated/FG-CustomPayload/


Key dumper: https://github.com/rajkosto/biskeydump

hekate_ipl source: https://github.com/nwert/hekate (binaries: https://github.com/rajkosto/hekate/releases)

Custom Firmware (CFW):

Atmosphere: https://github.com/Atmosphere-NX/Atmosphere
Note: Only for devs


Other resources:

Linux resources: https://fail0verflow.com/blog/2018/shofel2/
Note: This is also NOT for the end user.

The thread will be updated as more payloads are released.
 
Last edited by Cyan,

ShroomKing

The bootrom is read-only, you can't write anything to it.

Without access to NAND/eMMC drivers (with write abilities) you can't write anything to it.
 
Deleted User

Guest
OP
> The bootrom is read-only, you can't write anything to it.
>
> Without access to NAND/eMMC drivers (with write abilities) you can't write anything to it.

I think on RCM we could, with Linux, write to the console's eMMC, but that would be dangerous.
 
Deleted-442439

Guest
OP
> I think on RCM we could, with Linux, write to the console's eMMC, but that would be dangerous.

Why do that anyways? Emunand is much better and less risky; the tools we have now are too unstable, would not risk it.
 
Deleted-442439

Guest
OP
Update: Added a NAND dump payload, and an animated version of the test payload.
 

Crazy-S

Last edited by Crazy-S,

kombos

We need a payload to dump and restore our saves
How to do that?

  1. Place your own tsec fw as a C hex array or escaped string into the file src/hwinit/tsecfw.inl

You have to dump your TSEC (Tegra Security Co-processor) firmware with total size 3840 bytes (get it from your pkg1ldr.bin (at offset 0x00001900) or boot0.bin (at offset 0x00101900)), and place it as a C hex array in src/hwinit/tsecfw.inl :unsure:
 

nWo

Great. Thank you. Keep 'em coming. All I want is to reach the end of the tunnel and have a CFW and a decent, great list of apps / payloads. I want one to dump / inject saves, and maybe convert the ones from Wii U games to their Switch counterpart the easy way. (Apart from emulating my favorite consoles.) Waiting patiently.... Very... very insanely... but patiently...
 

Stoned

> You have to dump your TSEC (Tegra Security Co-processor) firmware with total size 3840 bytes (get it from your pkg1ldr.bin (at offset 0x00001900) or boot0.bin (at offset 0x00101900)), and place it as a C hex array in src/hwinit/tsecfw.inl :unsure:

How can I find pkg1ldr.bin or boot0.bin?
 