Nintendo Switch: ktemkin releases Fusée Gelée exploit chain (compatible with all firmwares) + writeup
A flow of releases happened over the past 24h in the Switch scene, and I’m slowly catching up here while trying to digest the news. A few hours ago, team Fail0verflow released their exploit + linux port for the Switch, but before them yesterday, Kate Temkin released her own version of the exploit chain, named Fusée Gelée.
Fusée Gelée is an exploit chain for the Nintendo Switch, relying on Nvidia Tegra vulnerabilities, that lets you load unsigned code on the Nintendo Switch. Fusée Gelée was intended to launch on June 15th, along with Custom Firmware Atmosphere, but the release of the exploit has been precipitated due to a leak that happened overnight.
As for everything related to this massive Nvidia Tegra hack, the exploit is compatible with all firmwares of the Nintendo Switch, on current hardware. Nintendo have no software-based way to patch this, so the firmware of your console does not matter, now or in the future. If you bought your console before this release, it is basically exploitable. But Nintendo/Nvidia have known about the exploit for some time now, so it is possible that patched Switch hardware will be available at retailers soon, if not already.
Bottom line, this release in itself is not extremely useful for the end user, except for the fact that it will let you run a test payload and see how to trigger the exploit on your console. Long term however, today marks the day the Switch scene can exponentially grow, as virtually all switch owners can now hack their consoles.
To summarize, Fail0verflow and ktemkin have released launchers based on the exact same exploit today, with Fail0verflow adding a Linux port on top of that. Most of the Switch scene will most likely be waiting for a proper release of the Atmosphere Custom Firmware, but giving the exploit a try should be fun nonetheless.
In order to run the exploit, you’ll have to boot the Nintendo Switch in recovery mode. It seems the easiest way to do that is by making a tiny hardware manipulation with a simple piece of wire + pressing volume up and power buttons at the same time. (the wire trick actually triggers the press of a “hidden” home button on the device). Once in recovery mode, the Switch needs to be connected bia USB to a PC that will be serving the exploit.
In parallel with the exploit release, ktemkin has shared a technical writeup of the exploit. This is a very interesting read if you want to understand the underlying mechanisms of the hack. It is in particular interesting to see how easy it is to enter recovery mode, and how the exploit is then based on what seems to be a pretty “simple” buffer overflow after a failure to properly verify signed commands sent through the recovery mode.
Download Fusée Gelée
You can Download Fusée Gelée from the reswitched github here. Keep in mind that this was released a bit in a hurry due to the leak last night, and therefore things such as documentation are pretty much nonexistent for now.
Kate has also shared a sample payload here.