Hacking Fusee payloads and not a wire in sight (1.0.0 only)

[snoofly]

How to run Fusee payloads thru software only (1.0.0 only).

Credit to @ihaveamac and @OkazakiTheOtaku
for the repo and instructions which I've basically copy pastad albeit to make a complete A-B flow if you have already a Pegaswitch env setup in a VM on Windows and have access to a Mac for loading the payloads.
Also @TerraPhantm for fixing my usb import error.

On Mac, open Terminal:
$ /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Install Python 3 and libusb:
$ brew install python libusb
Install pyusb:
$ pip3.6 install pyusb
Set up the scripts:
$ mkdir rcm
$ cd rcm
$ git clone https://github.com/SuperOkazaki/fusee-launcher

Pega:

>> In a VM, run Pegaswitch.
On Switch:
Go to News/Launch Pegaswitch/Play (see elsewhere for setup of fakenews)
Wait for VM pega terminal to show connected

Enter RCM mode

In Pega terminal run:
>> evalfile usefulscripts/rcm.js (see note below)
Get no output
Back out on Switch and enter Album app
- get black screen - you are now in RCM mode

Connect USB A-C lead from USB3 on Mac to Switch.

On Mac terminal, enure in rcm directory
(I just went to Finder/All My Files)
Double click on
macOS FuseDump Boot.command
Switch screen will show Fuse dump info.

-----------------
Note on rcm.js:
-----------------
Grab file reboot_to_rcm.nsp from Reswitched Discord pin
- credit to stuck_pixel for the precompiled nsp
Put this nsp file in the root of your SD.
Alter the nspwn script at
https://pastebin.com/UBLJsgse
to point to this file
change line:
var path = utils.str2ab("@Sdcard:/loader.nsp");
to
var path = utils.str2ab("@Sdcard:/reboot_to_rcm.nsp");
and save as rcm.js in your VM setup at pegaswitch/usefulscripts

 

[Cava]

Good news, keep up the good work for higher fw too.

 

[Jayro]

Most of us don't use a Mac... Got a Linux or Windows tutorial for the rest of us?

 

[snoofly]

Most of us don't use a Mac... Got a Linux or Windows tutorial for the rest of us?

As i had my son's Mac handy it was the quickest way for me to test.
For Linux, I expect most of this is the same, but instead of using the Mac scripts to run the payloads, just use something like
"python3 fusee_launcher.py Payloads/fusee.bin" directly from terminal.
I did search for ways of enabling USB3 in VirtualBox but got no luck in setting it up.

 

[Jayro]

As i had my son's Mac handy it was the quickest way for me to test.
For Linux, I expect most of this is the same, but instead of using the Mac scripts to run the payloads, just use something like
"python3 fusee_launcher.py Payloads/fusee.bin" directly from terminal.
I did search for ways of enabling USB3 in VirtualBox but got no luck in setting it up.

I wonder if it can be done via VMware.

 

[subcon959]

If it uses nspwn doesn't that mean it could work upto 4.1 eventually?

 

[snoofly]

If it uses nspwn doesn't that mean it could work upto 4.1 eventually?

The nsp/js script doesn't work past 1.0.0 as it requires something that was fixed in 2.0.0 (PMC register space being blacklisted on 2.0+)
https://github.com/pixel-stuck/reboot_to_rcm

 

[snoofly]

In case you want to start building pfs0 yourself direct from source instead of relying for prebuilds, some quick and easy steps for your VirtualBox setup:

sudo apt-get install git curl
curl -L https://raw.githubusercontent.com/devkitPro/installer/master/perl/devkitA64update.pl -o devkitA64update.pl
chmod +x ./devkitA64update.pl
sudo ./devkitA64update.pl

vi ~/.bashrc
Add line:
export DEVKITPRO=/opt/devkitpro
Save and exit
Quit and restart terminal
Run
$ env
to check new setting is present.

Clone a source repo, for ex.:
cd
git clone https://github.com/pixel-stuck/reboot_to_rcm
cd reboot_to_rcm
make

Should get a bunch of files including the reboot_to_rcm.pfs0 file which you rename to .nsp ext

Again, all this stuff is dotted around elsewhere, but I thought it useful to have everything in one place, with each instruction laid out exactly as I did it from scratch.

 

[BL4Z3D247]

Awesome, this is what I was waiting for. Thanks for posting and thanks for those involved in bringing this to reality so quickly.

Edit: Jumped the gun, just noticed it was for Mac, I'm a PC. I guess I'll be trying to figure out the Windows way when I get home from work(if it's not already figured out by someone else). Either way, thanks for doing this for those who can use it.

 

[Xandroz]

pardon my igonorance, will i need a mac after that or can i use windows.

 

[Lumince]

Now I really regret updating to play Odyssey when it came out. Hopefully something like this can come to 4.1.0 in the future... For now its wires galore!

 

[ehnoah]

It should be possible to port this to 3.0 and below or not?

 

[Lumince]

It should be possible to port this to 3.0 and below or not?

\/\/\/

The nsp/js script doesn't work past 1.0.0 as it requires something that was fixed in 2.0.0 (PMC register space being blacklisted on 2.0+)
https://github.com/pixel-stuck/reboot_to_rcm

^^^

 

[TheGreek Boy]

\/\/\/

^^^

its possibly with kexploit i think

 

[Lumince]

its possibly with kexploit i think

I sure hope it is.

 

[snoofly]

OK, here's what'll get you running on Windows ONLY
Much trial and error to get this going..
This is every step from a naked VM install all the way to payload push along with some fixes you may need for the typical errors that may happen.

Download VM player 12
https://my.vmware.com/en/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0
and an ubuntu iso - I used ubuntu-16.04.4-desktop-amd64.iso

Run VMWare
New virtual machine
Enable USB3 support
Briged network adapter (I had to go to Adapter settings and ensure only my network card was selected)

Wait to install ubuntu

Terminal:

sudo apt-get update (all below commands fail prior to this)

sudo apt install curl
sudo apt-get install git npm

For nodejs I needed the following else I got a node-gyp error running npm install):
cd ~
curl -sL https://deb.nodesource.com/setup_8.x -o nodesource_setup.sh
sudo bash nodesource_setup.sh
sudo apt-get install nodejs

git clone https://github.com/reswitched/pegaswitch
cd ~/pegaswitch
npm install

Addn step to kill port 53 being used:

service network-manager stop
sudo killall dnsmasq
sudo node start.js --webapplet
Check you can connect with Pega
Run the rcm.js script and boot your Switch into RCM as before

Now to setup the USB3 support and push the payload:

Connect your USB cable from Switch to Windows PC
Reboot VM in order to reconfig network.
service network-manager start (may also work)

sudo apt-get install ruby

Now you'll need to install LinuxBrew as opposed to Homebrew which is MacOS specific
A lot of the following steps are slightly different to the above for MacOS so..

sh -c "$(curl -fsSL https://raw.githubusercontent.com/Linuxbrew/install/master/install.sh)"
/home/linuxbrew/.linuxbrew/bin/brew install python libusb
sudo apt-get install python3-pip
pip3 install pyusb
git clone https://github.com/SuperOkazaki/fusee-launcher
cd fusee-launcher
sudo python3 fusee-launcher.py Payloads/fusee.bin

Reswitch hax stuff appears on Switch - YAY!

 

[Deleted User]

And now we wait for a variant that works on 4.1.0.......

 

[kramer987]

pardon my ignorance, but you say "not a wire in site." however, in reading your tutorial, i am noticing that you need not only to enter RCM (which would require you to short the pin to enter RCM) and you also need to use a usb cable connected from the switch to the PC. so which wire are you referring to? maybe i'm missing something though. i'm not trying to stir controversy... just trying to understand.

 

[charlieb]

pardon my ignorance, but you say "not a wire in site." however, in reading your tutorial, i am noticing that you need not only to enter RCM (which would require you to short the pin to enter RCM) and you also need to use a usb cable connected from the switch to the PC. so which wire are you referring to? maybe i'm missing something though. i'm not trying to stir controversy... just trying to understand.

The whole point of this is that there is no need to short pins, the USB part is still needed unfortunately, still no risk of damaging pins. Perhaps in the future a pure no wires solution might appear.

 

[snoofly]

pardon my ignorance, but you say "not a wire in site." however, in reading your tutorial, i am noticing that you need not only to enter RCM (which would require you to short the pin to enter RCM) and you also need to use a usb cable connected from the switch to the PC. so which wire are you referring to? maybe i'm missing something though. i'm not trying to stir controversy... just trying to understand.

Hah - yes well OK you need a USB cable to push payloads atm but if on 1.0.0 you can enter RCM thru software only without need to tamper with any pins/thin wires/shorting or anything.
That's the gist of this as well as the later instruction to document how to do it all from scratch on Windows only.