1. Deleted-442439

    OP Deleted-442439 Newbie

    Thought it would be useful to have a thread with a collection of everything that can be used on Fusee Gelee / RCM exploits

    message edited by a moderator.

    The payload injectors and binaries are now listed on Wikitemp.
    https://wiki.gbatemp.net/wiki/List_of_Switch_payloads



    If you know any missing payload or tool, you can add it or post here and someone with wiki access will update the list.


    Launchers:

    Fusee Launcher:
    https://t.co/UGqtMeHR13


    Payloads:


    Sample payload: https://t.co/d5nCLNa7E5

    shofEL2: https://github.com/fail0verflow/shofel2

    Fuse Dump: https://github.com/moriczgergo/fusedump

    GRAnimated's info payload: https://github.com/GRAnimated/FG-CustomPayload/


    Key dumper: https://github.com/rajkosto/biskeydump

    hekate_ipl source: https://github.com/nwert/hekate (binaries: https://github.com/rajkosto/hekate/releases)

    Custom Firmware (CFW)

    Atmosphere: https://github.com/Atmosphere-NX/Atmosphere
    Note: Only for devs


    Other resources:

    Linux resources: https://fail0verflow.com/blog/2018/shofel2/
    Note: This is also NOT for the end user.

    The thread will be updated as more payloads are released.
     
    Last edited by Cyan, Sep 13, 2018
  2. Natehaxx

    Natehaxx GBAtemp Maniac
    Member

    Joined:
    Jul 26, 2017
    Messages:
    1,137
    Country:
    Eritrea
    Is there any way to write fail0verflow's exploit to the bootrom/NAND?
     
  3. ShroomKing

    ShroomKing Somebody
    Member

    Joined:
    Mar 3, 2017
    Messages:
    393
    Country:
    United States
    The bootrom is read-only, you can't write anything to it.

    Without access to NAND/eMMC drivers (with write abilities) you can't write anything to it.
     
  4. Natehaxx

    Natehaxx GBAtemp Maniac
    Member

    Joined:
    Jul 26, 2017
    Messages:
    1,137
    Country:
    Eritrea
    I think on RCM we could, with Linux, write to the console's eMMC, but that would be dangerous.
     
  5. Deathscreton

    Deathscreton GBAtemp Advanced Fan
    Member

    Joined:
    Oct 1, 2009
    Messages:
    826
    Country:
    United States
    It could possibly be detected as well. Extra partitions or missing space could show as unauthorized access.
     
    Dr.doom likes this.
  6. Deleted-442439

    OP Deleted-442439 Newbie

    Why do that anyways? Emunand is much better and less risky; the tools we have now are too unstable, would not risk it.
     
  7. Jayro

    Jayro MediCat USB and Mini Windows 10 Developer
    Member

    Joined:
    Jul 23, 2012
    Messages:
    7,609
    Country:
    United States
    *Waits patiently for user-friendly payloads while Splatoon gets the best update ever*
     
  8. Deleted-442439

    OP Deleted-442439 Newbie

    Update: Added a NAND dump payload, and an Animated version of the test payload.
     
    Jayro likes this.
  9. Mnecraft368

    Mnecraft368 I hate my name.
    Member

    Joined:
    Aug 8, 2015
    Messages:
    1,721
    Country:
    United Kingdom
    Spelling mistake
     
  10. Deleted-442439

    OP Deleted-442439 Newbie

    Thanks!
     
    Mnecraft368 likes this.
  11. marice

    marice GBAtemp Regular
    Member

    Joined:
    Mar 14, 2009
    Messages:
    170
    Country:
    Netherlands
    It doesn't actually dump the NAND right?
     
  12. Deleted-442439

    OP Deleted-442439 Newbie

    It said it did, but turns out it just shows some more protected data.
     
  13. Crazy-S

    Crazy-S Pessimist
    Member

    Joined:
    Jun 18, 2007
    Messages:
    222
    Country:
    Germany

    Title is a bit misleading, the Payload is not Animated (No fancy eye candy for you), but it's made by a guy called GRAnimated.

    EDIT:
    There is a new Payload
    https://github.com/rajkosto/biskeydump
    Dumps all your Switch BIS keys for eMMC contents decryption
     
    Last edited by Crazy-S, Apr 26, 2018
    Sasori, Deleted-442439 and Natehaxx like this.
  14. Deleted-442439

    OP Deleted-442439 Newbie

    BL4Z3D247 likes this.
  15. Naked_Snake

    Naked_Snake Constant Miscreant
    Member

    Joined:
    Oct 6, 2013
    Messages:
    1,747
    Country:
    Australia
    We need a payload to dump and restore our saves
     
    OkazakiTheOtaku likes this.
  16. kombos

    kombos GBAtemp Regular
    Member

    Joined:
    Apr 24, 2018
    Messages:
    140
    Country:
    Ukraine
  17. Stoned

    Stoned GBAtemp Addict
    Member

    Joined:
    Mar 26, 2014
    Messages:
    2,270
    Country:
    Germany
    How to do that?

    1. Place your own tsec fw as a C hex array or escaped string into the file src/hwinit/tsecfw.inl
     
  18. kombos

    kombos GBAtemp Regular
    Member

    Joined:
    Apr 24, 2018
    Messages:
    140
    Country:
    Ukraine
    You have to dump your TSEC (Tegra Security Co-processor) firmware with total size 3840 bytes (get it from your pkg1ldr.bin (at offset 0x00001900) or boot0.bin (at offset 0x00101900)), and place it as a C hex array in src/hwinit/tsecfw.inl :unsure:
     
  19. nWo

    nWo The Game Master
    Member

    Joined:
    Oct 20, 2016
    Messages:
    458
    Country:
    Mexico
    Great. Thank you. Keep 'em coming. All I want is to reach the end of the tunnel and have a CFW, and a decent, great list of apps / payloads. I want one to dump / inject saves, and maybe convert the ones from Wii U games to their Switch counterpart the easy way. (Apart from emulating my favorite consoles) Waiting patiently.... Very... very insanely... but patiently...
     
  20. Stoned

    Stoned GBAtemp Addict
    Member

    Joined:
    Mar 26, 2014
    Messages:
    2,270
    Country:
    Germany
    Where can I find pkg1ldr.bin or boot0.bin?
     