Nintendo Switch: ktemkin releases Fusée Gelée exploit chain (compatible with all firmwares) + writeup
A flow of releases happened over the past 24h in the Switch scene, and I’m slowly catching up here while trying to digest the news. A few hours ago, team Fail0verflow released their exploit + linux port for the Switch, but before them yesterday, Kate Temkin released her own version of the exploit chain, named Fusée Gelée.
Fusée Gelée is an exploit chain for the Nintendo Switch, relying on Nvidia Tegra vulnerabilities, that lets you load unsigned code on the Nintendo Switch. Fusée Gelée was intended to launch on June 15th, along with Custom Firmware Atmosphere, but the release of the exploit has been precipitated due to a leak that happened overnight.
As for everything related to this massive Nvidia Tegra hack, the exploit is compatible with all firmwares of the Nintendo Switch, on current hardware. Nintendo have no software-based way to patch this, so the firmware of your console does not matter, now or in the future. If you bought your console before this release, it is basically exploitable. But Nintendo/Nvidia have known about the exploit for some time now, so it is possible that patched Switch hardware will be available at retailers soon, if not already.
Bottom line, this release in itself is not extremely useful for the end user, except for the fact that it will let you run a test payload and see how to trigger the exploit on your console. Long term however, today marks the day the Switch scene can exponentially grow, as virtually all switch owners can now hack their consoles.
To summarize, Fail0verflow and ktemkin have released launchers based on the exact same exploit today, with Fail0verflow adding a Linux port on top of that. Most of the Switch scene will most likely be waiting for a proper release of the Atmosphere Custom Firmware, but giving the exploit a try should be fun nonetheless.
In order to run the exploit, you’ll have to boot the Nintendo Switch in recovery mode. It seems the easiest way to do that is by making a tiny hardware manipulation with a simple piece of wire + pressing volume up and power buttons at the same time. (the wire trick actually triggers the press of a “hidden” home button on the device). Once in recovery mode, the Switch needs to be connected bia USB to a PC that will be serving the exploit.
In parallel with the exploit release, ktemkin has shared a technical writeup of the exploit. This is a very interesting read if you want to understand the underlying mechanisms of the hack. It is in particular interesting to see how easy it is to enter recovery mode, and how the exploit is then based on what seems to be a pretty “simple” buffer overflow after a failure to properly verify signed commands sent through the recovery mode.
Download Fusée Gelée
You can Download Fusée Gelée from the reswitched github here. Keep in mind that this was released a bit in a hurry due to the leak last night, and therefore things such as documentation are pretty much nonexistent for now.
Kate has also shared a sample payload here.
Source: @ktemkin
So wait.. we have to do the wire trick every single time we want to run unsigned code etc including atmosphere or will there be a permanent solution?
Seems like you need to do it every single time, but that in itself can be permanent: as mentioned in the writeup, one option is to remove the eMMC board. (+ imagine plugging in a tiny usb dongle to feed the payload). That’s pretty permanent.
Am I missing something? I can’t find any description of this wire trick anywhere.
Fail0verflow are mentioning it on their twitter account. It’s the “home” button that’s actually a bit trick to “press” given that it’s not actually a button.
Unless ur on 3.0 wich uses the webkit exploit to launch other exploits
There will be permanent solutions, fail0verflow already showed off an unreleased coldboot hack
Does this means that we o 4.1.0 can update to 5.0.1 or shall we stay on 4.1 for now?
Interesting how the her write up is pretty much a “how to fix”. The last 2 paragraphs pretty much say Nintendo you are *** without a hardware revision.
Stay on 4.1 if you want the coldboot hack.
what? coldboot works on any firmware
Any reason to stay on 3.0.0 any more or can I update to get support for my 200 GB ad card?
Imo 3.0 is still better until the cfm is out.
Again, kate temkin is a he. You can’t hack your dna. A dude in drag is still a he