Hacking [Tool] Fusée Gelée Launcher for MacOS

OkazakiTheOtaku

no thanks, I don't want a custom title
OP
Member
Joined
Jul 20, 2016
Messages
1,456
Trophies
1
Location
127.0.0.1
XP
2,999
Country
Japan
Please Note::: This project still works, and will likely continue to work, but it has been deprecated in favor of NXBoot for macOS users. My apologies.

Fusée Gelée Launcher for MacOS

(Last Updated September 28, 2018)

This is a simple fork of the original fusee-launcher.

It contains *no payloads*. You must download and place the payloads in the "Payloads" directory.

Note: Payload-specific launchers have been removed for now. If demand is there, I will bring them back. I just do not see a point to them with one unified GUI.

Dependencies:

- Python 3
- libusb
- pyusb
- tkinter

1. Install brew via https://brew.sh
2. Install Python 3 and libusb: brew install python libusb
3. Install pyusb: python3 -mpip install pyusb
4. Install tkinter: python3 -mpip install tkinter
--note-- tkinter is installed on most Python3 installations by default

Usage:

0. Install everything in the above Dependencies area
1. Look at the top of this repository page
2. Click the green button that says "Clone or download"
3. Download ZIP
4. Find where the ZIP downloaded and extract it
5. In the folder that was extracted, place your Fusée payloads in the payloads folder.
4. Enter RCM mode on the Switch (this will not be covered here)
5. While in RCM mode, connect the Switch to a USB port on the computer (using a hub will likely not work!)
6. Doubleclick on macOS launch.command
7. Use the arrow buttons in the window that opens to find your payloads.
8. Press Run.

Troubleshooting
Recieving this error? usb.core.NoBackendError: No backend available
Run the command: brew link --overwrite libusb

If you are recieving issues and wish for help, please open a GitHub issue or let me know on the GBATemp thread.

Include the following information:

  1. MacOS Version String (e.g., 10.14.x). Just giving me the name of the release ("High Sierra") does not help as much.
  2. Mac hardware. Include the model and year, so I know what ports and interfaces you are using.

Credit

- ReSwitched
- Ktemkin
- SciresM
- @gbazone on GBATemp and his OS X tutorial
- @trainboy2019 on GitHub for making the tkinter GUI and submitting a pull request
- @Ickerday on GitHub for code cleanup, general improvements, and submitting a pull request
- If I forgot anyone else I'm sorry - I love you too, don't worry! Let me know and I'll credit you here.
 
Last edited by OkazakiTheOtaku,
D

Deleted-442439

Guest
Great job! Simplifying the process for end users is a must right now and scripts are a good place to start! I would simplify the language a bit though: not everyone understands what "cd" does or what a repository is etc. like we do

Anyways keep it up!
 

OkazakiTheOtaku

no thanks, I don't want a custom title
OP
Member
Joined
Jul 20, 2016
Messages
1,456
Trophies
1
Location
127.0.0.1
XP
2,999
Country
Japan
Great job! Simplifying the process for end users is a must right now and scripts are a good place to start! I would simplify the language a bit though: not everyone understands what "cd" does or what a repository is etc. like we do

Anyways keep it up!
Thank you! I did some last-minute debugging before making the GBATemp post and I'm gonna get to bed right now, but I plan on writing a Usage info with simpler language tomorrow.
Thanks for the feedback :D
 
  • Like
Reactions: Deleted-442439

OkazakiTheOtaku

no thanks, I don't want a custom title
OP
Member
Joined
Jul 20, 2016
Messages
1,456
Trophies
1
Location
127.0.0.1
XP
2,999
Country
Japan
There was a bug with a non-terminated double quote in the macOS launch.command file. This has now been fixed, and git pushed. I have also updated the usage guide to use a method that is more user friendly and does not require Xcode Command Line Tools.
 

StageProps

Active Member
Newcomer
Joined
Mar 29, 2018
Messages
31
Trophies
0
Age
29
XP
177
Country
United States
This is awesome! The way the scene has exploded over the last few days can probably make things even more daunting for people who are only kind of keeping track of things or who have no experience using the command line. This will be very useful as more payloads start to trickle out!
 

sarkwalvein

There's hope for a Xenosaga port.
Member
Joined
Jun 29, 2007
Messages
8,202
Trophies
1
Age
38
Location
Niedersachsen
XP
9,801
Country
Germany
why? i mean python is available for windows
It is related to how Windows manages the USB, as far as I know.
It has to be implemented in a different way, and it is still not there.

You can find some info in the writings from ktemkin (somewhere) and in the python script itself.
Both the macOS and Linux backend implementations are different, macOS is straightforward, while the Linux one needs some very hacky workaround.

Let me check and quote the relevant parts of the code itself...

macOS Backend, very straightforward:
Code:
class MacOSBackend(HaxBackend):
    """
    Simple vulnerability trigger for macOS: we simply ask libusb to issue
    the broken control request, and it'll do it for us. :)
    We also support platforms with a hacked libusb.
    """

    BACKEND_NAME = "macOS"
    SUPPORTED_SYSTEMS = ['Darwin', 'libusbhax', 'macos']

    def trigger_vulnerability(self, length):

        # Triggering the vulnerability is simplest on macOS; we simply issue the control request as-is.
        return self.dev.ctrl_transfer(self.STANDARD_REQUEST_DEVICE_TO_HOST_TO_ENDPOINT, self.GET_STATUS, 0, 0, length)

Linux Backend:
Code:
class LinuxBackend(HaxBackend):

    """
    More complex vulnerability trigger for Linux: we can't go through libusb,
    as it limits control requests to a single page size, the limitation expressed
    by the usbfs. More realistically, the usbfs seems fine with it, and we just
    need to work around libusb.
    """

    BACKEND_NAME = "Linux"
    SUPPORTED_SYSTEMS = ['Linux', 'linux']
    SUPPORTED_USB_CONTROLLERS = ['pci/drivers/xhci_hcd', 'platform/drivers/dwc_otg']

# (a really long block of code follows and has been snipped)
And somewhere below in the code, you will find a comment stating that the windows backend still has to be implemented:
Code:
# FIXME: Implement a Windows backend that talks to a patched version of libusbK
#        so we can inject WdfUsbTargetDeviceSendControlTransferSynchronously to
#        trigger the exploit.

If you ran this script in a windows machine it will fail in the create_appropriate_backend method:
Code:
class HaxBackend:
    """
    Base class for backends for the TegraRCM vuln.
    """
    # (portion of code snipped)

    @classmethod
    def create_appropriate_backend(cls, usb_device):
        """ Creates a backend object appropriate for the current OS. """

        # Search for a supportive backend, and try to create one.
        for subclass in cls.__subclasses__():
            if subclass.supported():
                return subclass(usb_device)

        # ... if we couldn't, bail out.
        raise IOError("No backend to trigger the vulnerability-- it's likely we don't support your OS!")

As you can see in the code, it will go through the defined subclasses trying to find one that supports the Windows OS, it will not find one because no one was defined, and then will raise an error, that will later result in the "It doesn't look like we support your OS, currently. Sorry about that!" message (line 309 of the script).

I hope that answers your question of "why it won't run on windows?"
 

Damon_girl

Well-Known Member
Member
Joined
Oct 27, 2015
Messages
960
Trophies
0
Age
28
XP
498
Country
United States
Damn, I'd use this if I knew how to enter RCM mode on the Switch. I think it requires shorting of certain pins and I'm not skilled enough to do that. Guess it's back to waiting until a more user-friendly interface is out.
 

sarkwalvein

There's hope for a Xenosaga port.
Member
Joined
Jun 29, 2007
Messages
8,202
Trophies
1
Age
38
Location
Niedersachsen
XP
9,801
Country
Germany
Damn, I'd use this if I knew how to enter RCM mode on the Switch. I think it requires shorting of certain pins and I'm not skilled enough to do that. Guess it's back to waiting until a more user-friendly interface is out.
Look for one of the many threads offering the 3d printing "pin shorting" accessory for less than $10.
I think someone posted an ebay link of someone that could do the job in the USA for $2 or so.

PS: You can also check the very generous offer of this user here https://gbatemp.net/threads/nintendo-switch-rcm-jigs.502091/
He is proposing to do mostly all of the work and send it to you, practically for free (just postage cost).
 
Last edited by sarkwalvein,
  • Like
Reactions: OkazakiTheOtaku

OkazakiTheOtaku

no thanks, I don't want a custom title
OP
Member
Joined
Jul 20, 2016
Messages
1,456
Trophies
1
Location
127.0.0.1
XP
2,999
Country
Japan
Damn, I'd use this if I knew how to enter RCM mode on the Switch. I think it requires shorting of certain pins and I'm not skilled enough to do that. Guess it's back to waiting until a more user-friendly interface is out.
It's really not that hard. I just stripped a Cat5 ethernet cable and bridged two pins in the joycon. Takes 10 minutes to test.
 

gbazone

Well-Known Member
Member
Joined
Jun 6, 2014
Messages
210
Trophies
0
XP
672
Country
Fusée Gelée Launcher for MacOS
This is a simple launcher for the ReSwitched team's fusee-launcher.

It contains no payloads. You must download and place the payloads in the "Payloads" directory.

Updated on April 26 to not require Xcode Command Line tools.

Dependencies:
(All of these can be installed using ihaveamac's guide here.)
  • Python 3
  • libusb
  • pyusb
Usage
  1. Navigate to my repository here
  2. Click the green button that says "Clone or download"
  3. Download ZIP
  4. Find where the ZIP file downloaded and extract it.
  5. In the folder that was extracted place your Fusée payloads in the "Payload" folder.
  6. Enter RCM mode on the Switch (this will not be covered here)
  7. While in RCM mode, connect the Switch to a USB port on the computer (using a hub will likely not work!)
  8. Run one of the .command files by double-clicking on them.
  9. If using macOS launch.command, the script will list the available payloads (make sure they're in the Payloads folder).
  10. Type the name of the payload, including the .bin
Notes
- I'm doing my best to learn scripting and programming. I know this isn't the most professional thing in the world and can be improved. I just made something for myself to use and figured it would work well for others, too. My work pales in comparison to that which I'm building off of.
- The FuseDump .command is for use with FuseDump by Móricz Gergő.

Credit
  • The entire ReSwitched team, of course
  • SciresM in particular, whom I really look up to as a programmer and as a person
  • @gbazone on GBATemp and his OS X tutorial
  • If I forgot anyone else I'm sorry - I love you too, don't worry! Let me know and I'll credit you here.
Download: Here
Just wanted to say nice work! And thank you for the credit. It's a shame we can't launch Switch Linux from OSX yet.
 
  • Like
Reactions: OkazakiTheOtaku

Centergaming

Well-Known Member
Member
Joined
Apr 17, 2016
Messages
695
Trophies
0
XP
883
Country
United States
Tested this on my macos high sierra 10.13.2 and it cannot detect TegraRCM. I made sure I installed the dependancies properly. Have to say, great job so far!
 
General chit-chat
Help Users
    chrisrlink @ chrisrlink: it's a dns issue for sure changed my adapters dns to google fixed it