Hacking Fusee Gelee: All the payloads

  • Thread starter: Deleted-442439
  • Views: 195,881
  • Replies: 68
  • Likes: 37
You have to dump your TSEC (Tegra Security Co-processor) firmware with total size 3840 bytes (get it from your pkg1ldr.bin (at offset 0x00001900) or boot0.bin (at offset 0x00101900)), and place it as a C hex array in src/hwinit/tsecfw.inl :unsure:
Is there a tutorial for this?
 
Bruh, imma just wait for the guide to drop. I've been this patient, I'm definitely not about to risk my system yet when it's not even managed by the teams yet. Take y'all time and get it right 'cuz I knoooow hella folks are about to try this shit and fuck up their Switch lol
 
Last edited by MarzDaindigo.
It contains a console-specific SBK key.
Do you know at which offset?

EDIT: anyway, to transform the extracted TSEC fw.bin into a usable array use this command:

Code:
hexdump -v -e '", " "0x" 1/1 "%02X"' fw.bin >array.txt

Just remember to remove the first 2 chars (", ") from the obtained array.txt.
 
Last edited by asper.
No, the TSEC FW does not contain anything console-specific, and it's the same binary regardless of what Switch firmware version you have. (It's in boot0; search for the first 4 bytes mentioned in tsecfw.inl to find it.)
Obviously the TSEC KEY you get out of the dumper is console-specific, as are all the keys dumped by biskeydump.

ehnoah, did you type them all out by hand? Because you no longer have to (QR code output in v3) :P
 
Last edited by rajkosto.
My fw offset was 0x101A00 and not 0x101900.
 
Yes, the offsets mentioned are for 1.0.0. Newer firmwares (like 3.0.0) have a bit more code before the TSEC fw starts; that's why it's recommended to just search for the 4 bytes instead.
 
I found the first bytes mentioned, but I don't know how many of these things to copy. I know it's 3840 bytes, but I'm not sure how many 2-digit numbers make that up.
 
Well, I finally was able to compile biskeydump.bin with absolutely no errors (my problem was related to a missing/invalid devkitARM path), but the obtained keys give an error in HacDiskMount: "FAIL! Entropy: 8.989 (tested 16348 out of 16348)". I tested with 2 kinds of data arrays, always with the same key results, but they seem not to work... any hint? Is it possible that the TSEC fw is different in size between 1.0.0 and 3.0.0 Switch fw?
 
Do you get a different TSEC key if you run SciresM's tsec_key_stub.bin (with the tsecfw properly filled in instead of the XXXXXXXs, of course)? If you do, then there might be some weirdness going on where different payloads read different TSEC keys (and there's no consistency about which one is the right one; on like 90% of Switches they both give out the same key).

And no, the TSEC fw is identical for all Switches and all fw revisions. If the CRC32 says it's CORRECT! then that's not the problem.
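As an added example (not code from this thread, from biskeydump or from tsec_key_stub), the script below does end to end what the posts above describe: it locates the TSEC firmware in a boot0.bin by searching for its first 4 bytes instead of trusting the 1.0.0 offset (so it finds it at 0x101900 on 1.0.0 and at 0x101A00 on 3.0.0 alike), cuts out the 3840 bytes, renders them as the 0xNN list for src/hwinit/tsecfw.inl (the same text asper's hexdump command produces, with the leading ", " already dropped, and 3840 two-digit values as kombos asked), and computes the CRC32 that the dumper compares against. The signature bytes and expected CRC32 are placeholders because the thread does not reproduce them (take the real ones from your own tsecfw.inl), and the boot0 image used when no file is given is constructed for the example.

```python
import binascii

TSEC_FW_SIZE = 3840                 # size stated in the thread (0xF00 bytes)
OFFSET_PKG1LDR_1_0_0 = 0x00001900   # offsets quoted in the thread for 1.0.0 firmware
OFFSET_BOOT0_1_0_0 = 0x00101900     # boot0 offset = pkg1ldr offset + 0x100000

# PLACEHOLDER: the first 4 bytes of the firmware as listed at the top of your own
# tsecfw.inl. The thread does not reproduce them, so replace this before real use.
TSEC_FW_MAGIC = bytes.fromhex("DEADBEEF")

# PLACEHOLDER: the CRC32 the dumper compares against; not given in the thread.
EXPECTED_CRC32 = None


def find_tsec_fw(image: bytes, magic: bytes = TSEC_FW_MAGIC) -> int:
    """Offset of the TSEC firmware inside a boot0.bin image.

    Searches for the 4-byte signature rather than trusting a fixed offset,
    because 1.0.0 puts it at 0x101900 while newer firmwares (3.0.0 was reported
    at 0x101A00) have extra code in front of it.
    """
    off = image.find(magic)
    if off < 0:
        raise ValueError("TSEC firmware signature not found in image")
    if off + TSEC_FW_SIZE > len(image):
        raise ValueError("signature found but image is truncated")
    return off


def extract_tsec_fw(image: bytes) -> bytes:
    """Cut the 3840-byte firmware out of the image."""
    off = find_tsec_fw(image)
    return image[off:off + TSEC_FW_SIZE]


def hexdump_style(fw: bytes) -> str:
    """Reproduce the output of the thread's hexdump command byte for byte:
        hexdump -v -e '", " "0x" 1/1 "%02X"' fw.bin
    Every byte becomes ', 0xNN', so the string starts with the stray ', '
    that asper says to strip by hand."""
    return "".join(f", 0x{b:02X}" for b in fw)


def to_inl_array(fw: bytes, per_line: int = 16) -> str:
    """The same list with the leading ', ' already removed and wrapped 16 per
    line, ready to paste between the braces in src/hwinit/tsecfw.inl."""
    items = [f"0x{b:02X}" for b in fw]
    rows = [", ".join(items[i:i + per_line]) for i in range(0, len(items), per_line)]
    return ",\n".join(rows) + "\n"


def crc32(fw: bytes) -> int:
    """Standard CRC-32 (same polynomial zlib and most firmware checkers use)."""
    return binascii.crc32(fw) & 0xFFFFFFFF


def crc_matches(fw: bytes, expected: int) -> bool:
    return crc32(fw) == expected


def constructed_boot0_image(fw_offset: int = 0x101A00) -> bytes:
    """A fake boot0.bin built for this example only: zero padding up to
    fw_offset, a fake firmware that starts with the placeholder magic, and a
    trailer. It stands in for a real dump so the script runs offline."""
    body = bytes((i * 7 + 3) & 0xFF for i in range(TSEC_FW_SIZE - len(TSEC_FW_MAGIC)))
    fw = TSEC_FW_MAGIC + body
    assert len(fw) == TSEC_FW_SIZE
    return bytes(fw_offset) + fw + bytes(0x1000)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:      # python tsecfw.py boot0.bin
            image = f.read()
    else:
        image = constructed_boot0_image()
    fw = extract_tsec_fw(image)
    print(f"found TSEC fw at 0x{find_tsec_fw(image):06X}, {len(fw)} bytes, "
          f"CRC32 {crc32(fw):08X}")
    if EXPECTED_CRC32 is not None:
        print("CRC32 CORRECT" if crc_matches(fw, EXPECTED_CRC32) else "CRC32 MISMATCH")
    # 3840 bytes of firmware -> exactly 3840 two-digit hex values in the array
    print(to_inl_array(fw), end="")
```

Run it with a real dump as `python tsecfw.py boot0.bin` after replacing the two placeholders; run it with no argument and it exercises the constructed image instead. The search is deliberately bounded by the image length so a truncated dump fails loudly instead of producing a short array that would only show up later as a wrong CRC32 or an entropy failure in HacDiskMount.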
 