In wake of the recent announcement regarding ReSwitched's release timeline, I've been asked a lot of questions-- and observed a lot of speculation-- about the nature of Fusée Gelée, my coldboot "hack" software launcher for the Nintendo Switch. Accordingly, I've decided to gather the most common questions in one place-- which I think should prove helpful.
These questions have been gathered from Twitter, from ReSwitched, and from a briefly-open web-form where I solicited questions. Many of the answers have been adapted from things I've said informally around the ReSwitched discord. Thanks much to Qyriad for gathering most of these in one place.
Frequently Asked Questions
Q: What's setting the timeline and release cadence for Fusée Gelée?
Fusée Gelée was responsibly disclosed to NVIDIA earlier, and forwarded to several vendors (including Nintendo) as a courtesy. When submitting the formal reports, I've dictated my own disclosure deadline at a point in the future that I think gives NVIDIA and vendors an adequate window to communicate with their downstream customers and to accomplish as much remediation as is possible for an unpatchable bootrom bug.
Q: Why disclose this at all? Why not hold onto this in order to increase the number of affected Switch consoles?
Unfortunately, this bug affects a significant number of Tegra devices beyond the Switch, and beyond even the X1 included in the Switch. I can tell you, it wasn't fun to find a bug with such a broad impact; it significantly complicated the ethics involved.
In the end, given the potential for a lot of bad to be done by any parties who independently discover these vulnerabilities, I thought it best to disclose this immediately and under terms that ensured that the vulnerability reached the public quickly.
Q: Have you accepted any rewards/payouts/compensation for this vulnerability? Have you signed any NDAs?
No, I've not accepted any rewards/money/bounties in exchange for this vulnerability. Accordingly, I've not signed anything regarding the vulnerabilities. I can honestly say I've never signed any NDA related to the Nintendo Switch, and don't currently have plans to.
Q: Is Fusée Gelée really future-proof? That is, will all current model switches always be able to use it, regardless of firmware?
That's correct. The relevant vulnerability is the result of a 'coding mistake' in the read-only bootrom found in most Tegra devices. This bootrom can have minor patches made to it in the factory ('ipatches'), but cannot be patched once a device has left the factory.
This immutability is actually a good thing in terms of security. If it were possible to apply patches to the bootrom after a unit had been shipped, anyone with a sufficiently powerful exploit would be able to make their own patches, bypassing boot security. It also means that any Switch currently affected will continue to be able to use Fusée Gelée throughout its life.
Q: I've upgraded my Switch to a version higher than 4.1. Any chance I'm still going to get CFW e.g. via Fusée Gelée?
Assuming you have the switch in your hands at the time this is posted-- and thus a current hardware revision-- you'll still get access to Atmosphère at the same time as everyone else. The core Fusée Gelée vulnerability doesn't care about firmware version.
Q: Several people who seem to be 'in the know' regarding upcoming modchips have suggested that e.g. Team Xecuter (TX) have a modchip that has advantages over Fusée Gelée. Is this the case? Are there advantages to a modchip solution over Fusée Gelée?
It's important to note that we typically name exploit chains, rather than exploits themselves-- it's much simpler for the end user if they know the "package" they're using, rather than all of the individual parts. Accordingly, there are several related end-user options that fall under the "Fusée Gelée" umbrella, each with their own advantages and disadvantages.
You can, for example, opt to use a modchip to implement Fusée Gelée. I have a software stack for an existing board that I think makes a pretty neat modchip. I plan to release that into the open-source world; and I think it makes for a pretty darned inexpensive modchip.
I honestly don't think as many people will opt for that solution, but people do seem to like the idea of TX and what they're offering, so I'll tell the community straight up that, unless I'm very much mistaken, I've independently discovered their vulnerability and have exactly equivalent 'stuff'.
Either way, the 'modchip' variant is one of many, and has its own benefits and detriments. I discuss some of the other variants in questions below.
Q: Does that mean your modchip is 'solderless'-- that is, can it be used without tapping into lines not exposed on connectors?
Yes, there will be a solderless version; but also note that the Switch is great at bringing signals out to test points, so soldery versions are super easy. No tiny soldering required.
Q: Will a hardmod be required to use Fusée Gelée?
I do have a "hardmod"-assisted variant, where the hardmod is approximately equivalent to shorting a couple of pins with tweezers. No soldering or dangerousness required, and there's a very minor thing you can do (think the equivalent of snipping a pin) to make the assistance permanent.
There's also a neat twist on things that allows you to do the above with no permanent modifications to your Switch.
Q: Wait, what would you define as 'dangerousness'?
I mean things that could easily lead to an unskilled person damaging their device. For example, I'd consider soldering to test points or doing significant disassembly of the Switch 'dangerous'.
Q: So, is there a variant that you can apply without disassembling the device? Or a hardmod-less variant?
The answer to both questions is "yes"; though I'm not going to be more specific until after the disclosure window ends.
I will say that pure-software implementations of Fusée Gelée exist, but they're some of the ones I'm least excited about, especially on higher firmwares.
Q: Is it true there are disadvantages to Fusée Gelée?
Fusée Gelée isn't a perfect, 'holy grail' exploit-- though in some cases it can be pretty damned close. The different variants of Fusée Gelée will each come with their own advantages and disadvantages. We'll work to make sure you have enough information to decide which version is right for you around when we release Fusée Gelée to the public, so you can decide how to move forward.
Q: I'm currently on a firmware between 3.0.1 and 4.0.0. Should I find a way to upgrade to 4.1.0?
I don't see any particular technical reason to upgrade your unit to 4.1.0 specifically. These versions are mostly equivalent from my perspective, and SciresM, Motezazer, and I have collaborated on non-coldboot hacks that still give us full system access on versions up to 4.1.0.
Q: Is it reasonable to upgrade from
<console version here> to the latest?
This is always a question that depends on what matters to you. In general, I'd say a there are a few heuristics that help to make the decision:
- I'd never upgrade a 1.0.0 console-- these are a rare firmware version with software that's filled with delightful issues. If you have one and want a latest-firmware version now, I'd suggest selling it and buying a new console-- currently, this appears to be profitable.
- Versions below 3.0.1 but above 1.0.0 still have some pretty neat value to them-- they have a very powerful vulnerability that allows access to most of the system. However, it's up to you if you want to hold on to these versions. I'd suggest it, but it's entirely possible that it is worth more to you be able to e.g. use your switch online right now than it is to have the possibility of using those software exploits in the future.
- Versions between 3.0.1 and 4.1.0 still have vulnerabilities that we've proven to work, but they don't give you the immediate fun that switches in the previous two categories do. There's still a case for holding onto these until all details regarding Fusée Gelée are released, so you can understand what the advantages and disadvantages are of Fusée Gelée before upgrading.
It's always up to you whether you want to upgrade. We've used the mantra "lower is better" for some time, and I think that still generally applies, but the situation obviously has a lot more subtleties than can be fit in a three-word phrase.
Q: What do I need to use Fusée Gelée? Does this vary between firmware versions? Between hardware revisions?
Fusée Gelée has roughly the same modes of operation on all current hardware revisions, no matter the firmware version.
Here's a rough list of things that you might want to have on hand come release:
- The normal things you use to play with your Switch-- you know, your Switch, some Joycons.
- A nicely-sized microSD card. I can't yet tell you for sure what size or speed-class you should get at the moment, but I wouldn't go smaller than 64GiB.
- A USB A-to-C cable-- like the one that comes with the Pro Controller. One of the first payloads you'll want to run with Fusée Gelée is my "mass storage" payload, which will allow you to mount your Switch's internal memory and backup your NAND. This will prevent any further mishaps, and should be considered mandatory.
- A tri-wing screwdriver set that other people attest works on the Switch. This isn't a mandatory component in some cases, but if you decide you want to e.g. go the 'easy hard-mod' option, you'll likely want to have this on hand.
Q: What's the release date for Fusée Gelée?
We don't have a solid date set, but SciresM and I have agreed "sometime this summer", referring to summer in the Northern Hemisphere.
I still need to write a bunch of supporting materials for it (usage guides). I like good documentation, and don't plan on releasing Fusée Gelée without an abundance of documentation.
Q: Some people (e.g. Team Xecuter supporters) have suggested that they know exactly what vulnerabilities you have. Is it true that e.g. TX knows everything you do?
These folks seem to be under the impression that there's only one vulnerability present in the T210 / Tegra X1 bootrom. This isn't correct, though not all of the vulnerabilities in that binary are my discoveries, so I'm not going to provide any hints about vulnerabilities beyond Fusée Gelée.
Q: What about suggestions that you only have a "tethered vulnerability" that's inherently weaker than TX's modchip?
Some people keep wanting to suggest that Fusée Gelée is hindered by a reliance on a host PC, or a 'tethered' exploit, and that solutions like TX's are the "true way" to avoid that. The idea that TX is the only one with a "truly portable" solution is really convenient for TX, but that theory's hindered a bit by the minor inconvenience of it not being true.
Q: You seem to be opposed to Team Xecuter. What are your thoughts on them, as a group?
While it's cool that they want to build technical solutions to Switch-hacking problems, I completely detest what I've seen of their practices and methods. Not just do they publicly endorse piracy, and seek to profit from keeping information to a few people, but they're also willing to drop a 0-day that affects a broad swathe of devices on the public without any responsible disclosure.
All in all, I think that Team Xecuter seems to be without morals or scruples, and I am happy to do as much as I can to reduce their profitability and thus disincentivize these kinds of awful behaviors.
Q: Do the different versions of Fusée Gelée provide different final feature-sets? That is, are there limitations on the capabilities granted when using software versions or on systems with higher firmware versions?
The versions differ mostly in the amount of work required to reach a state where you're running CFW ("they vary in how convenient they are"). Once CFW is booted, there won't be a difference in the final experience or what you can do from that CFW.
Q: There's been a ton of meme'ing around joyconhax. Do the JoyCons actually have direct kernel access, or do they give you access to something you need in Horizon?
The JoyCons definitely do not have direct kernel access. The Switch operating system, Horizon, is based on a microkernel architecture, and thus drivers for most hardware peripherals are run as less-privileged (EL0/userland) system applications called sysmodules. The JoyCon interfacing is mostly handled by the
hid sysmodule, though the
bus and the
bluetooth system modules help to ferry data along. None of these play any role in launching Fusée Gelée.
While software modifications to the JoyCon can be fun and useful-- and we do have the capability to arbitrarily hack the JoyCon firmware-- custom JoyCon firmware is currently not involved at all in launching any of the Fusée Gelée variants.
(But, hey-- if you come up with a clever solution that patches JoyCon software to do something exploity, I'd love to hear it.)